!!! Overview
[{$pagename}] is a [Framework] in which an [Access Request] received by a [Policy Enforcement Point] ([PEP]) is forwarded to a [Policy Decision Point] ([PDP]). The [PDP] retrieves the [Authorization] [Policy] [data] from a [Policy Retrieval Point], obtains [data] on the [Entity] requesting access and on the [Target Resource] from one or more [Policy Information Point]s, and returns its decision to the [PEP], which enforces it.


Generally, any of the [AAA] [Servers] (or [Access Control Engines]) may retrieve a [policy] or evaluate an [Access Control Policy] as part of a transaction, and any of the service equipment may enforce a policy. [Policy Retrieval Points] ([Policy] repositories) may reside on any of the [Access Control Engines] or be located elsewhere in the network.

[Data] against which [Access Control Policy] conditions are evaluated (such as [resource] status, [session] [state], or time of day) are accessible at [Policy Information Points] ([PIPs]) and might be accessed using [Policy Information Blocks] ([PIB]s).

A [{$pagename}] consists of the following main functional (non-normative) elements; all but the [PAP] follow [RFC 2904], the [PAP] being the addition made by [XACML] [2]:
%%zebra-table
%%sortable
%%table-filter
||ABBR||Term||Description
|[PAP]|[Policy Administration Point]|Point which manages [access] [authorization] policies
|[PDP]|[Policy Decision Point]|Point which evaluates access requests against authorization policies before issuing access decisions
|[PEP]|[Policy Enforcement Point]|Point which intercepts a user's access request to a resource, makes a decision request to the [PDP] to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision
|[PIP]|[Policy Information Point]|The system entity that acts as a source of [attribute] values (i.e. a [resource], subject, environment)
|[PRP]|[Policy Retrieval Point]|Point where the [XACML] access [authorization] policies are stored, typically a database or the filesystem. (Not in the diagram below)
/%
/%
/%

[Policy Based Management System/XACML_Architecture_&_Flow.png]

[Policy] sets, rules and [requests] all use [subjects], [resources], [environments], and [Resource Action].
* A [subject] ([Alice]) element is the [entity] requesting access. A subject has one or more [attributes].
* The [resource] element is a [data], [service] or system component. A [resource] has one or more [attributes].
* A [Resource Action] element defines the type of [access] requested on the [resource]. Actions have one or more [attributes].
* An [environment] (or [Context]) element can optionally provide additional [attributes].

The resulting [policies|Policy] are stored in a [Policy Retrieval Point].

When new [policies|Policy] are authored at the [Policy Administration Point], or existing ones are changed, the [Policy Administration Point] [MUST] push the change to every relevant [Policy Retrieval Point]; otherwise a [Policy Decision Point] keeps evaluating stale [policies|Policy].

When an [actionable event|Actionable Intelligence] is encountered at the [Policy Enforcement Point], the [Policy Enforcement Point] contacts the [Policy Decision Point]. The [Policy Decision Point] evaluates the [policies|Policy] obtained from the [Policy Retrieval Points] against the [attributes] obtained from the [Policy Information Point] and returns the decision, which the [Policy Enforcement Point] then enforces. A [Policy Decision Point] that finds no applicable [policy] does not return a permit, and the [Policy Enforcement Point] should treat that outcome as a refusal rather than as permission (fail closed).
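The flow above, from the four attribute categories through the [Policy Enforcement Point] asking the [Policy Decision Point] to the [Policy Administration Point] pushing a policy change, as an added Python example. It is not code from this page, from [XACML] or from any of the products listed below. It assumes a deliberately small rule language (each rule carries an effect and the attribute values it requires per category), a deny-overrides combining algorithm in the PDP, and a constructed user directory and asset inventory that stand in for the sources a real PIP would consult.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """Effect applies when every attribute in `conditions` equals the request's value."""
    effect: str       # "Permit" or "Deny"
    conditions: dict  # category -> {attribute: required value}; unnamed keys match anything

    def matches(self, req):
        return all(req[cat].get(k) == v
                   for cat, attrs in self.conditions.items() for k, v in attrs.items())


class PolicyRetrievalPoint:
    """PRP: the policy store. Only the PAP writes it; the PDP only reads it."""
    def __init__(self):
        self.rules = []


class PolicyAdministrationPoint:
    """PAP: authors policy and pushes each change to every PRP it manages."""
    def __init__(self, prps):
        self._prps = list(prps)

    def publish(self, rules):
        for prp in self._prps:
            prp.rules = list(rules)


class PolicyInformationPoint:
    """PIP: adds attribute values the PEP did not put into the request."""
    def __init__(self, resolvers):
        self._resolvers = resolvers  # category -> function(req) returning extra attributes

    def enrich(self, req):
        for category, resolve in self._resolvers.items():
            req[category].update(resolve(req))
        return req


class PolicyDecisionPoint:
    """PDP: rules from the PRP, attributes from the PIP, deny-overrides combining."""
    def __init__(self, prp, pip):
        self._prp, self._pip = prp, pip

    def decide(self, req):
        req = self._pip.enrich(req)
        effects = {r.effect for r in self._prp.rules if r.matches(req)}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"  # nothing matched; the PEP must not read this as Permit


class PolicyEnforcementPoint:
    """PEP: intercepts the request, asks the PDP and enforces the answer, failing closed."""
    def __init__(self, pdp):
        self._pdp = pdp

    def access(self, subject_id, resource_id, action, network):
        req = {"subject": {"id": subject_id}, "resource": {"id": resource_id},
               "action": {"name": action}, "environment": {"network": network}}
        return self._pdp.decide(req) == "Permit"  # Deny and NotApplicable both block


# Constructed sample data standing in for a user directory and an asset inventory.
DIRECTORY = {"alice": "engineering", "bob": "contractor"}
INVENTORY = {"design-doc": "internal", "press-release": "public"}

INITIAL_RULES = [
    Rule("Permit", {"subject": {"group": "engineering"},
                    "resource": {"classification": "internal"}, "action": {"name": "read"}}),
    Rule("Permit", {"subject": {"group": "engineering"},
                    "resource": {"classification": "internal"}, "action": {"name": "write"}}),
    Rule("Permit", {"resource": {"classification": "public"}, "action": {"name": "read"}}),
    # Deny wins over every Permit above: no writes from an untrusted network.
    Rule("Deny", {"action": {"name": "write"}, "environment": {"network": "untrusted"}}),
]


def build_system():
    """Wire PAP -> PRP and PEP -> PDP -> (PRP, PIP); returns (pap, pep)."""
    prp = PolicyRetrievalPoint()
    pap = PolicyAdministrationPoint([prp])
    pap.publish(INITIAL_RULES)
    pip = PolicyInformationPoint({
        "subject": lambda r: {"group": DIRECTORY.get(r["subject"]["id"], "unknown")},
        "resource": lambda r: {"classification": INVENTORY.get(r["resource"]["id"], "unknown")},
    })
    return pap, PolicyEnforcementPoint(PolicyDecisionPoint(prp, pip))


if __name__ == "__main__":
    pap, pep = build_system()
    print(pep.access("alice", "design-doc", "write", "corp"))       # True
    print(pep.access("alice", "design-doc", "write", "untrusted"))  # False: Deny overrides
    print(pep.access("bob", "design-doc", "read", "corp"))          # False: NotApplicable
    pap.publish([r for r in INITIAL_RULES if r.conditions.get("action") != {"name": "write"}])
    print(pep.access("alice", "design-doc", "write", "corp"))       # False after PAP update
```

Two design points carry over to real deployments: the PEP never sees the rules, only the verdict, so the PRP can be moved or replicated without touching enforcement; and the PEP compares the verdict against an explicit Permit, so an unknown subject, an uninventoried resource or an empty PRP all fall through to a refusal instead of an accidental grant.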

The most well known policy-based management architecture was specified jointly by the [IETF] and the [DMTF]. This consists of four main functional elements:[1]
* the Policy Management Tool (PMT), which we refer to as the [Policy Administration Point] ([PAP])
* the Policy Repository, which corresponds to the [Policy Retrieval Point] ([PRP]) above
* [Policy Decision Point] ([PDP])
* [Policy Enforcement Point] ([PEP]).
The preferred choice for communicating policy decisions between a [PDP] and network devices ([PEP]s) is the [Common Open Policy Service] ([COPS]) or [SNMP], and [LDAP] for the [PAP]/[PDP]–repository communication.

!! [{$pagename}] [Examples]
Many modern [Organizational Entity]s have implementations:
* [Google Cloud Platform] - [BeyondCorp] 
* [Netflix] - (uses [PADME] and [Open Policy Agent]) [Netflix OSS Meetup Season 5 Episode 1 - Security|https://youtu.be/dim85J5cLq4|target='_blank']
* [Secure Production Identity Framework For Everyone] ([SPIFFE])
* [Policy Access Decision Management Engine]
* [Open Policy Agent]
* [Istio]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Policy-based management|Wikipedia:Policy-based_management|target='_blank'] - based on information obtained 2015-10-10
* [#2] - [XACML|Wikipedia:XACML|target='_blank'] - based on information obtained 2017-10-04