Overview#

The Policy Enforcement Point (PEP) is where the is actually enforced.

The digital representation of the policy is provided by the policy Information Point to the policy Decision Point which then passes the decision to the Policy Enforcement Point where the access is permitted or denied.

Obviously in some systems, all of the entities:

• policy Information Point
• policy Decision Point
• Policy Enforcement Point

May reside within the same application of the same host.

Password Policies#

For Password policies, each point where an entry is permitted to change their password, should be able to enforce the password policy.

When performing Consistent Sign On this implies that the point at which the password is changed should be able to enforce the same password policy that is used for the entire organization. Typically, we have found it is best to limit the Policy Decision Points (PDP) to as few as possible as each PDP may interprut the policy slightly different or you may have to duplicate the policy within another system.

RFC 2753#

"Policy Enforcement Point (PEP): The point where the policy decisions are actually enforced."

NIST#

The concept of Policy Enforcement Point (also known as Access Control Enforcement Function) is where a policy decision is used to grant or deny access to a protected resource. A Policy Enforcement Point typically exists within an application or resource.

More Information#

There might be more information for this subject on one of the following:

• API-Gateway
• Access Control
• Access Control Models
• Access Proxy
• Application-centric
• Attribute Based Access Control
• Authorization
• Authorization Server
• Cloud Access Security Broker
• Common Open Policy Service
• Digital Key
• Draft-behera-ldap-password-policy
• Entitlement Example
• Entitlement Management System
• Glossary Of LDAP And Directory Terminology
• IDM The Application Developers Dilemma
• Identity Aware Proxy
• Key
• Lock
• Organizational-centric
• PEP
• Password Management Considerations
• Password Maximum Length
• Password Minimum Length
• Password Modification Policy
• Password Validator
• Policy
• Policy Based Management System
• Policy Decision Point
• Policy Enforcement Point
• Policy Information Point
• REST Profile of XACML
• Resource Inventory Service
• Resource Server
• User-Managed Access

---

Draft stuff#

"Policy Enforcement Point", is the logical entity or place on a server that enforces policies for admission control and policy decisions in response to a request from a user wanting to access a resource on a computer or network server.

PEP is a component of policy-based management. When a user tries to access a file or other resource on a computer network or server that uses policy-based access management, the PEP will describe the user's attributes to other entities on the system. The PEP will give the Policy Decision Point (PDP) the job of deciding whether or not to authorize the user based on the description of the entity's attributes. Applicable policies are stored on the system and are analyzed by the PDP|DefinitionPolicyDecisionPoint]. The PDP|DefinitionPolicyDecisionPoint] makes it's decision and returns the decision. The PEP will let the entity know whether or not he has been authorized to access the requested resource.