What is a Policy Administration Point (PAP)?

A Policy Administration Point (PAP) is a component of a policy engine that allows administrators to define and administer the policies of a policy engine. In the context of a dynamic authorization policy engine, the PAP works with the other components of the policy engine, including Policy Enforcement Points (PEPs), Policy Decision Points (PDPs), Policy Retrieval Points (PRPs) and Policy Information Points (PIPs) to provide controlled access to sensitive, protected resources.


A PAP tracks PDPs, supporting the deployment of PDP groups and the deployment of policies across those PDP groups. Policies can be created using the policy API, but are deployed and managed by the PAP. The PAP manages policies within the policy database (or PRP) and the deployment of policies to PDPs, which are the components that ultimately allow or deny access. PAPs also manage access to the contents of a PIP and provide read, modify, and write access to the content within the PIP.

A PAP is often used by enterprise administrators to define fine-grained access entitlements for the enterprise users who need access to managed software components and provides centralized policy administration, management, and monitoring of access policies through the PAP administration control center.

Key capabilities of the PAP include:

  • Defining policies to provide fine-grained access entitlements to files for users, user groups, and roles using dynamic rules and contexts.
  • Creating and configuring users, user groups, roles, and resources.
  • Importing and synchronizing users and user groups in external data repositories
  • Checking entitlements for Users/Roles/Groups/Resources by associating the PDP with an application.
  • Creating and configuring attribute-based rules that include external attributes that exist in external data sources like external databases, LDAP directories, Java classes, and web services.
  • Checking entitlement policies for entities, viewing admin and runtime logs.
  • Creating PAP users and delegating full or partial authorization to use the PAP.

Visit our product technology page to find out more about NextLabs products and how PAP is used by organizations to protect their sensitive data.