In the XACML architecture, the policy information point (PIP) is the system entity that acts as a source of attribute values.
XACML is an OASIS Open standard and stands for “eXtensible Access Control Markup Language”. It is an XML-based markup language designed specifically for Attribute-Based Access Control (ABAC). The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.
A XACML architecture is made up of 5 major component types: Policy Administration Points (PAPs), Policy Decision Points (PDPs), Policy Information Points (PIPs), Policy Retrieval Points (PRPs), and Policy Enforcement Points (PEPs).
How does a policy information point work?
You may be wondering exactly how the policy information points interact with the other components of the XACML architecture. If attributes are missing from the XACML request sent by the PEP, the PIP finds them so that the PDP can evaluate the policy. Essentially, the PIP attempts to resolve the information the policy requires in order to execute. These pieces of information are called attributes.
Why are policy information points necessary?
The PIP is made up of Attribute Value Providers, each of which provides a variety of information. For instance, one value provider may provide user identity claim attributes, while another may provide information about the purchase order limit of the requester. The attributes delivered may come from a relational database, requests to REST APIs, LDAP, or any other source of information.
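The flow described above, as an added example that is not from the original article or from any XACML product: a PDP asks a PIP for attributes missing from the PEP's request, and the PIP queries its attribute value providers in turn. The provider names, the `role` and `po_limit` attributes, the sample data and the toy policy are assumptions made for illustration; an attribute that no provider can supply yields Indeterminate, which the deny-biased PEP refuses.

```python
import sqlite3

# Constructed sample data standing in for two attribute sources.
DIRECTORY = {"alice": {"role": "buyer"}, "bob": {"role": "buyer"}}  # LDAP-like
DB = sqlite3.connect(":memory:")                                    # relational
DB.execute("CREATE TABLE limits (user TEXT PRIMARY KEY, po_limit INTEGER)")
DB.execute("INSERT INTO limits VALUES ('alice', 5000)")

def identity_provider(attr, subject):
    """Attribute value provider for identity claims (hypothetical)."""
    return DIRECTORY.get(subject, {}).get(attr)

def po_limit_provider(attr, subject):
    """Attribute value provider for purchase order limits (hypothetical)."""
    if attr != "po_limit":
        return None
    row = DB.execute("SELECT po_limit FROM limits WHERE user = ?",
                     (subject,)).fetchone()
    return row[0] if row else None

class PIP:
    def __init__(self, providers):
        self.providers = providers

    def resolve(self, attr, subject):
        # Ask each provider in turn; the first non-None value wins.
        for provider in self.providers:
            value = provider(attr, subject)
            if value is not None:
                return value
        return None

def pdp_evaluate(request, pip):
    """Toy policy: buyers may approve orders up to their purchase order limit."""
    attrs = dict(request)
    for name in ("role", "po_limit"):
        if name not in attrs:            # missing from the PEP's request
            attrs[name] = pip.resolve(name, attrs["subject"])
        if attrs[name] is None:          # no provider could supply it
            return "Indeterminate"
    if attrs["role"] == "buyer" and attrs["amount"] <= attrs["po_limit"]:
        return "Permit"
    return "Deny"

def pep_enforce(request, pip):
    # Deny-biased PEP: anything other than Permit is refused.
    return pdp_evaluate(request, pip) == "Permit"

PIP_INSTANCE = PIP([identity_provider, po_limit_provider])
```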
If you’d like to read more about the other components of the XACML architecture, read our previous blogs on PDP, PAP, and PEP.