A Policy Decision Point (PDP) is a mechanism that evaluates an access request for a resource against the authorization policies that apply to that resource, to determine whether the specific access should be granted to the particular user who issued the request.
A PDP is just one component of the attribute-based access control (ABAC) architecture. ABAC, also known as policy-based access control for IAM, defines an access control paradigm whereby a subject’s authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment attributes.
ABAC comes with a recommended architecture which is as follows:
- The PEP or Policy Enforcement Point is responsible for protecting the apps and data you want to apply ABAC to. The PEP inspects the request and generates an authorization request, which it sends to the PDP.
- The PDP or Policy Decision Point is the brain of the architecture. This is the piece which evaluates incoming requests against the policies it has been configured with. The PDP returns a Permit/Deny decision. The PDP may also use PIPs to retrieve missing metadata.
- The PIP or Policy Information Point bridges the PDP to external sources of attributes e.g. LDAP or databases.
- The PAP or Policy Administration Point feeds policy to the PDP. It provides a centralized repository to manage policy, especially across an enterprise architecture.
How does a policy decision point work?
When a user requests access to a resource, they make a request to the PEP, which is the component that protects that resource. The PEP forms a request based on the requester’s attributes, the resource in question, the action, and other information pertaining to the request. Next, the PEP sends this request to the PDP, which evaluates the request against the policy that applies to it and returns its decision about whether access should be granted. The PDP considers data from the PRP (Policy Retrieval Point, where the policies are stored) and the PIP before issuing an access decision. That answer is then returned to the PEP, which can allow or deny access to the requester.
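The PEP-to-PDP round trip described above, as an added illustration that is not code from the original article: a PEP builds a request from subject, action, resource and environment attributes, the PDP pulls any missing subject attributes from a PIP, evaluates PAP-provisioned policies with deny-overrides combining, and fails closed when an attribute cannot be resolved or no policy applies. The user directory, policies and attribute names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample directory standing in for the external source a PIP would query (e.g. LDAP).
USER_DIRECTORY = {
    "alice": {"department": "finance", "clearance": 3},
    "bob": {"department": "engineering", "clearance": 1},
}

def pip_lookup(subject_id: str, attribute: str):
    """PIP: fetch a subject attribute the PEP did not supply; None means the source has no value."""
    return USER_DIRECTORY.get(subject_id, {}).get(attribute)

@dataclass
class Policy:  # one ABAC policy: a condition over the request's attributes plus its effect
    name: str
    condition: Callable[[dict], bool]
    effect: str  # "Permit" or "Deny"

# Policies as a PAP would provision them into the PDP.
POLICIES = [
    Policy("no-reads-outside-hours",
           lambda r: r["action"] == "read" and not r["env"]["business_hours"], "Deny"),
    Policy("finance-reads-ledger",
           lambda r: r["action"] == "read" and r["resource"]["type"] == "ledger"
           and r["subject"]["department"] == "finance" and r["subject"]["clearance"] >= 2, "Permit"),
]

class PDP:
    def __init__(self, policies, pip):
        self.policies, self.pip = policies, pip

    def decide(self, request: dict) -> str:
        # Resolve attributes missing from the request through the PIP; fail closed if unavailable.
        for attr in ("department", "clearance"):
            if attr not in request["subject"]:
                value = self.pip(request["subject"]["id"], attr)
                if value is None:
                    return "Deny"  # Indeterminate: the policy cannot be evaluated safely
                request["subject"][attr] = value
        # Deny-overrides combining: any applicable Deny wins; no applicable policy is also Deny.
        effects = {p.effect for p in self.policies if p.condition(request)}
        return "Permit" if "Permit" in effects and "Deny" not in effects else "Deny"

pdp = PDP(POLICIES, pip_lookup)
def pep_authorize(user: str, action: str, resource_type: str, business_hours: bool = True) -> str:
    """PEP: build the authorization request from the access attempt and ask the PDP to decide."""
    request = {"subject": {"id": user}, "action": action,
               "resource": {"type": resource_type}, "env": {"business_hours": business_hours}}
    return pdp.decide(request)  # the PEP enforces whatever comes back
```

Note that an unknown user, a missing attribute and a request no policy covers all end in Deny; a real PDP would also log which policy produced each decision for audit.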
Why is a policy decision point necessary?
A PDP is a crucial component in network and information security architectures. It serves as the decision-making entity responsible for evaluating access requests and determining whether to permit or deny them based on predefined policies. The PDP considers factors such as user credentials, resource attributes, and environmental conditions to make access control decisions. In policy-based systems, the PDP plays a central role in implementing policies across a network or system: it acts as the authority that evaluates the conditions and rules specified in the policies, ensuring that access to resources aligns with the organization’s security objectives and regulatory requirements.
If you’d like to read more about the other components of the ABAC architecture, read our previous blogs on PIP, PAP, and PEP.