Policy Decision Point (PDP) evaluates policies against access requests provided by Policy Enforcement Points (PEP). To provide the decisions, PDP may also need to query a Policy Information Point (PIP) to gather descriptive attributes about the user or any other missing attribute in the request. Policy Administration Point (PAP) is used to manage the PDP and PIP functionality.
XACML terminology
The XACML reference architecture illustrated above is comprised of the following four 'building blocks'.
- Policy Enforcement Point (PEP): The system entity that performs access control by making decision requests and enforcing authorization decisions. Basically this is the entity that sends the XACML request to the Policy Decision Point (PDP) and receives an authorization decision.
- Policy Decision Point (PDP): The system entity that evaluates an applicable policy and returns an authorization decision.
- Policy Information Point (PIP): The system entity that acts as a source of attribute values. Basically if there are missing attributes in the XACML request that is sent by PEP, PIP would find them for the PDP to evaluate the policy.
- Policy Administration Point (PAP): The system entity that creates a policy or policy set and manages them.
XACML engine architecture (PDP)
The WSO2 Identity Server is a major player in the XACML and open source world. The Identity Server supports XACML 3.0, which is based on Balana XACML implementation. As the source code, distribution and documentation are available for free, it is possible to analyze and understand the architecture behind it. This section provides some information regarding the architecture of the XACML engine (or the entitlement engine) of the WSO2 Identity Server.
The XACML engine of the WSO2 Identity Server has two major components, i.e., PAP and PDP. This section focuses on Policy Decision Policy (PDP) only.
The following diagram represents the component architecture of the PDP.
