Policy Decision Point (PDP)

Pomerium functions as the Policy Administration Point (PAP), Policy Enforcement Point (PEP), and Policy Decision Point (PDP) for access control deployments.

A Policy Decision Point is a critical component within an access control system that is responsible for evaluating access requests against predefined policies and making access control decisions. It plays a central role in the authorization process, determining whether a user or system should be granted or denied access to a specific resource based on established rules and conditions.

If it helps, think of the PAP as the rulebook, the PDP as the judge, and the PEP as the bouncer.

Key characteristics of a Policy Decision Point:

  1. Decision Making: The primary function of a PDP is to make access control decisions. It evaluates incoming access requests and compares them against the policies that have been defined and configured.
  2. Policy Evaluation: The PDP assesses access requests by considering factors such as user identity, roles, permissions, and contextual information. It checks whether the request satisfies the conditions specified in the access control policies.
  3. Centralized Authority: The PDP serves as a centralized authority for access control decisions. It ensures that access policies are applied consistently across the organization's IT infrastructure, promoting uniformity and security.
  4. Communication with Policy Administration Point (PAP): The PDP often communicates with the Policy Administration Point (PAP), which is responsible for defining and managing access control policies. The PAP informs the PDP of any updates or changes to policies.
  5. Real-Time Decision Making: The PDP operates in real time, providing prompt decisions on access requests. Users receive immediate feedback based on the evaluation of each attempt to access a resource.
  6. Integration with Policy Enforcement Point (PEP): The PDP works in conjunction with the Policy Enforcement Point (PEP), the component responsible for enforcing access control decisions. Once the PDP makes a decision, it communicates that decision to the PEP for enforcement.
  7. Context-Aware Decision Making: The PDP considers contextual information, such as the time of access, location, and user behavior, when making access control decisions. This allows for more nuanced, context-aware authorization.
  8. Logging and Reporting: The PDP may log access decisions for auditing purposes. This logging helps organizations track access activity, investigate security incidents, and demonstrate compliance with security policies.

Pomerium brings context-awareness into this role by leveraging external data sources. This means that the PAP can pass contextual information to the PDP so a context-aware access decision can be made. Read How Context Drives Full Access Decision-making for more information.
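To make the division of labour concrete, here is an added example (not Pomerium's own code, and not the page's) that implements all three roles in a single Go program: a `PAP` that holds and updates the rulebook, a deny-by-default `PDP` that evaluates identity, group membership and time-of-day context, and a `PEP` HTTP middleware that asks the PDP and either forwards or refuses the request while logging every decision for audit. The type names, the `X-Subject`/`X-Group` headers and the hour-window rule are assumptions made for illustration; a real deployment takes identity from an authenticated session, never from client-supplied headers.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"sync"
	"time"
)

// Request is what the PEP hands to the PDP: the identity, the resource and the
// context the decision may depend on. Field names are assumptions for this example.
type Request struct {
	Subject  string
	Groups   []string
	Resource string
	SourceIP string
	At       time.Time
}

// Policy is one rule in the PAP's rulebook (assumed shape for the example).
type Policy struct {
	Resource      string
	AllowedGroups []string
	StartHour     int // inclusive, UTC
	EndHour       int // exclusive, UTC
}

// PAP holds the policies and lets administrators update them. The PDP always
// reads the current rulebook, so a PAP change takes effect on the next decision.
type PAP struct {
	mu       sync.RWMutex
	policies map[string]Policy
}

func NewPAP() *PAP { return &PAP{policies: map[string]Policy{}} }

func (p *PAP) Set(pol Policy) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.policies[pol.Resource] = pol
}

func (p *PAP) Get(resource string) (Policy, bool) {
	p.mu.RLock()
	defer p.mu.RUnlock()
	pol, ok := p.policies[resource]
	return pol, ok
}

// Decision is the PDP's answer, with the reason recorded for audit logging.
type Decision struct {
	Allow  bool
	Reason string
}

// PDP evaluates a request against the PAP's policy for the resource. It is
// deny-by-default: no policy, no group match or an out-of-window request is denied.
type PDP struct{ pap *PAP }

func (d *PDP) Decide(r Request) Decision {
	pol, ok := d.pap.Get(r.Resource)
	if !ok {
		return Decision{false, "no policy for resource"}
	}
	hour := r.At.UTC().Hour()
	if hour < pol.StartHour || hour >= pol.EndHour {
		return Decision{false, fmt.Sprintf("outside allowed hours %02d-%02d UTC", pol.StartHour, pol.EndHour)}
	}
	for _, g := range r.Groups {
		for _, allowed := range pol.AllowedGroups {
			if g == allowed {
				return Decision{true, "group " + g + " permitted"}
			}
		}
	}
	return Decision{false, "subject not in an allowed group"}
}

// PEP is the enforcement side: an HTTP middleware that asks the PDP and either
// forwards the request or returns 403. Reading identity from request headers is
// an assumption for this example only; a real PEP uses an authenticated session.
func PEP(pdp *PDP, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		r := Request{
			Subject:  req.Header.Get("X-Subject"),
			Groups:   req.Header.Values("X-Group"),
			Resource: req.URL.Path,
			SourceIP: req.RemoteAddr,
			At:       time.Now(),
		}
		dec := pdp.Decide(r)
		// Audit log every decision, allow or deny, together with its reason.
		log.Printf("decision subject=%q src=%q resource=%q allow=%t reason=%q",
			r.Subject, r.SourceIP, r.Resource, dec.Allow, dec.Reason)
		if !dec.Allow {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, req)
	})
}

func main() {
	pap := NewPAP()
	pap.Set(Policy{Resource: "/admin", AllowedGroups: []string{"sre"}, StartHour: 8, EndHour: 18})
	pdp := &PDP{pap: pap}
	app := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", PEP(pdp, app)))
}
```

Two design points carry over to real deployments: the PDP returns a reason with every decision so the PEP's audit log explains denials as well as grants, and the PDP reads the PAP's current policy on each request, which is what lets a policy update take effect immediately without restarting the enforcement point.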
