Policy Administration Point (PAP)

Pomerium functions as the Policy Administration Point (PAP), Policy Enforcement Point (PEP), and Policy Decision Point (PDP) for access control deployments.

A Policy Administration Point is the component of an access control system responsible for defining, creating, and managing access control policies. It serves as the central authority where administrators establish the rules and conditions that govern how users or systems are granted or denied access to resources within a network or system. It is a core component of the access control architecture described in NIST's publications on access control.

If it helps, think of the PAP as the rulebook, the PDP as the judge, and the PEP as the bouncer.

Key characteristics of a Policy Administration Point:

  1. Policy Definition and Management: PAP is where access control policies are created, defined, and managed. Administrators use PAP to establish rules and conditions that specify who can access what resources and under what circumstances.
  2. Centralized Authority: PAP serves as a centralized point of control for access policies. This centralization ensures consistency and coherence in the application of access control rules across an organization’s IT infrastructure.
  3. Policy Configuration: Administrators use PAP to configure various aspects of access control policies, including user permissions, roles, and conditions for access. It provides a user interface or an application programming interface (API) for policy definition.
  4. Policy Updates and Maintenance: PAP facilitates the ongoing maintenance and updating of access control policies. As security requirements evolve, administrators can modify existing policies or create new ones to adapt to changing conditions.
  5. Integration with Policy Decision Point (PDP): PAP often works in conjunction with the Policy Decision Point (PDP), which evaluates access requests against the defined policies. PAP communicates policy definitions to the PDP, ensuring that the decision point has the latest information.
  6. Policy Distribution: PAP may involve mechanisms for distributing policy information to various Policy Enforcement Points (PEP) within the network. This ensures that access control decisions are consistently applied across different parts of the system.
  7. User and Role Management: PAP often includes features for managing users and roles within the access control framework. This allows administrators to associate policies with specific users or groups, streamlining the assignment of access rights.
  8. Auditing and Compliance: PAP may include auditing capabilities to track and log changes made to access control policies. This supports compliance efforts by providing a record of who made changes, when they were made, and what changes were implemented.

Pomerium brings context-awareness into this role by leveraging external data sources. This means that the PAP can pass contextual information to the PDP so a context-aware access decision can be made. Read How Context Drives Full Access Decision-making for more information.
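To make the PAP / PDP / PEP split concrete, here is an added toy model in Python. It is not Pomerium's code and uses no Pomerium APIs; the class names, the sample subjects, and the `DEVICE_INVENTORY` table standing in for an external device-posture source are all constructed for illustration. It shows the characteristics listed above working together: the PAP stores and audits policies (items 1, 4, 8), pushes every change to the PDP (items 5, 6), the PDP gathers context from an external source before deciding, and the PEP fails closed on routes with no policy.

```python
"""Toy PAP / PDP / PEP model (constructed example, not Pomerium's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Policy:
    """One access rule for a route: every condition must hold to allow."""
    route: str
    conditions: dict  # name -> callable(subject, context) -> bool


class PolicyAdministrationPoint:
    """The rulebook: defines, stores, audits and distributes policies."""

    def __init__(self):
        self.policies = {}      # route -> Policy
        self.audit_log = []     # who changed what, and when
        self.subscribers = []   # PDPs that receive every policy update

    def subscribe(self, pdp):
        self.subscribers.append(pdp)
        pdp.load(dict(self.policies))

    def set_policy(self, admin, policy):
        action = "update" if policy.route in self.policies else "create"
        self.policies[policy.route] = policy
        self.audit_log.append({          # auditing: record of each policy change
            "admin": admin, "action": action, "route": policy.route,
            "conditions": sorted(policy.conditions),
            "at": datetime.now(timezone.utc).isoformat(),
        })
        for pdp in self.subscribers:     # distribution: PDPs always hold the latest rules
            pdp.load(dict(self.policies))


class PolicyDecisionPoint:
    """The judge: evaluates a request against the current policies plus context."""

    def __init__(self, context_sources):
        self.policies = {}
        self.context_sources = context_sources  # name -> callable(subject) -> dict

    def load(self, policies):
        self.policies = policies

    def decide(self, route, subject):
        policy = self.policies.get(route)
        if policy is None:
            return False, "no policy for route (fail closed)"
        # Pull in external context (device posture here) before evaluating conditions.
        context = {name: src(subject) for name, src in self.context_sources.items()}
        for name, cond in policy.conditions.items():
            if not cond(subject, context):
                return False, f"condition failed: {name}"
        return True, "all conditions satisfied"


class PolicyEnforcementPoint:
    """The bouncer: sits in front of the resource and acts on the PDP's verdict."""

    def __init__(self, pdp):
        self.pdp = pdp

    def handle(self, route, subject):
        allowed, reason = self.pdp.decide(route, subject)
        return {"status": 200 if allowed else 403, "reason": reason}


# Constructed stand-in for an external data source (a device inventory / MDM).
DEVICE_INVENTORY = {"dev-1": {"compliant": True}, "dev-2": {"compliant": False}}


def device_posture(subject):
    """Unknown devices are treated as non-compliant."""
    return DEVICE_INVENTORY.get(subject.get("device_id"), {"compliant": False})


def build_deployment():
    """Wire up one PAP, one PDP and one PEP with a single context-aware policy."""
    pap = PolicyAdministrationPoint()
    pdp = PolicyDecisionPoint(context_sources={"device": device_posture})
    pep = PolicyEnforcementPoint(pdp)
    pap.subscribe(pdp)
    pap.set_policy("admin@example.com", Policy(
        route="/admin",
        conditions={
            "email_domain": lambda s, c: s["email"].endswith("@example.com"),
            "in_engineering": lambda s, c: "engineering" in s.get("groups", ()),
            "device_compliant": lambda s, c: c["device"]["compliant"],
        },
    ))
    return pap, pdp, pep


if __name__ == "__main__":
    pap, pdp, pep = build_deployment()
    alice = {"email": "alice@example.com", "groups": ["engineering"], "device_id": "dev-1"}
    print(pep.handle("/admin", alice))
    print(pep.handle("/admin", {**alice, "device_id": "dev-2"}))
    print(pap.audit_log)
```

Two design points worth noting: the PDP denies any route the PAP has not defined a policy for, so an administrator's omission fails closed rather than open, and the reason string returned with each decision is what the PEP would log, which is what makes the audit trail useful during an investigation.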
