A Policy Decision Point (PDP) is mechanism that evaluates access requests to resources against the authorization policies that apply to all requests for accessing that resource to determine whether specific access should be granted to the particular user who issued the request.
A PDP is just one component of the XACML architecture. XACML is an OASIS Open standard and it stands for “eXtensible Access Control Markup Language”. It is an XML-based markup language designed specifically for Attribute-Based Access Control (ABAC). The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. XACML policy-based systems are implemented independently of software system and its associated security policy. This separation limits the risk of incorrect policy implementation that arises when the policy is hard-coded.
XACML architecture is based on the following components:
- Policy Administration Point (PAP)
- Policy Decision Point (PDP)
- Policy Enforcement Point (PEP)
- Policy Information Point (PIP)
- Policy Retrieval Point (PRP)
How does a policy decision point work?
When a user requests access to a resource, they make a request to the PEP which is the component that protects that resource. The PEP will form a request based on the requester’s attributes, the resource in question, the action, and other information pertaining to the request. Next, the PEP will send this request to the PDP, which will evaluate the request and the policy that applies to the request and return its decision about whether access should be granted. The PDP considers data from the PRP and the PIP before issuing access decisions. Then, that answer is returned to the PEP, which can then allow or deny access to the requester.
Why is a policy decision point necessary?
Part of the PDP’s responsibility is to find a policy that applies to a given request. To do this, XACML provides another feature called a target. A Target is basically a set of simplified conditions for the Subject, Resource and Action that must be met for a policy set, policy, or rule to apply to a given request. If all the conditions of a Target are met, then its associated policy set, policy, or rule applies to the request. Aside from evaluating applicability, Target information also provides a way to index policies, which can be useful to store many policies and efficiently filter through them to find which ones are applicable. For example, a policy may contain a Target that only applies to requests on a specific service. When a request to access that service is made, the PDP will know where to look for policies that might apply to this request because the policies are indexed based on their Target constraints.
For more information on XACML, read our Business User’s Guide to XACML.