Policy Enforcement Point (PEP)


Pomerium functions as the Policy Administration Point (PAP), Policy Enforcement Point (PEP), and Policy Decision Point (PDP) for access control deployments.

A Policy Enforcement Point is a component within an access control system that is responsible for enforcing access control decisions made by the Policy Decision Point (PDP). The PEP acts as a gateway or intermediary between users or systems attempting to access resources and the PDP, which evaluates and makes decisions based on predefined access control policies.

If it helps, think of the PAP as the rulebook, the PDP as the judge, and the PEP as the bouncer.

Key characteristics of a Policy Enforcement Point:

  1. Enforcement of Decisions: The primary role of the PEP is to enforce access control decisions made by the Policy Decision Point. This involves allowing or denying access to resources based on the evaluation of access requests against established policies.
  2. Interception of Access Requests: When a user or system attempts to access a resource, the PEP intercepts the access request before it reaches the resource. This interception allows the PEP to consult the PDP for a decision.
  3. Communication with Policy Decision Point (PDP): The PEP communicates with the PDP to obtain decisions on access requests. The PDP evaluates the request against predefined policies and provides a decision to the PEP, which the PEP then enforces.
  4. Real-Time Decision Implementation: The PEP operates in real-time to implement access control decisions. If the PDP grants access, the PEP allows the request to proceed; if access is denied, the PEP blocks the request.
  5. Integration with Access Control Infrastructure: The PEP is typically integrated into the broader access control infrastructure of a system or network. It ensures that access decisions are consistently applied across various resources.
  6. Logging and Reporting: The PEP may log access attempts and outcomes for auditing and reporting purposes. This helps in tracking access activities and understanding how access control policies are being enforced.

Pomerium logs on a per-request basis, meaning Pomerium’s role as PEP ensures every single request and action is evaluated by the PDP, against the policies held by the PAP, for context before it is allowed or denied.
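As an added illustration of the three roles (not Pomerium's own code), the Go program below models a PAP rulebook, a PDP that only evaluates, and a PEP middleware that intercepts every request, enforces the PDP's answer, logs the outcome per request, and fails closed when the PDP returns an error instead of a decision. The `Policy` and `PDP` types, the `X-User`/`X-Group` identity headers and the sample rules are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Policy struct{ PathPrefix, AllowedGroup string } // one rule in the PAP rulebook (hypothetical shape, not Pomerium's)
type PDP struct{ Policies []Policy }                   // the judge: evaluates a request against the rulebook, never enforces
func (p *PDP) Decide(user, group, path string) (bool, string, error) {
	if user == "" { // the PDP refuses to decide without an identity; the PEP must treat this as a denial
		return false, "", fmt.Errorf("unauthenticated request to %s", path)
	}
	for _, pol := range p.Policies {
		if strings.HasPrefix(path, pol.PathPrefix) && group == pol.AllowedGroup {
			return true, "matched " + pol.PathPrefix, nil
		}
	}
	return false, "no matching policy", nil // deny by default
}
// PEP (the bouncer) intercepts every request, consults the PDP, enforces the answer, logs per request, and fails closed on PDP errors.
func PEP(pdp *PDP, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, group := r.Header.Get("X-User"), r.Header.Get("X-Group") // constructed identity headers for the example
		allow, reason, err := pdp.Decide(user, group, r.URL.Path)
		if err != nil {
			allow, reason = false, "pdp error: "+err.Error()
		}
		log.Printf("pep user=%q group=%q path=%s allow=%t reason=%q", user, group, r.URL.Path, allow, reason)
		if !allow {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}
func Probe(h http.Handler, user, group, path string) int { // one request through the PEP; returns the status the client sees
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header = http.Header{"X-User": {user}, "X-Group": {group}}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
func main() {
	h := PEP(&PDP{Policies: []Policy{{"/admin", "ops"}, {"/docs", "staff"}}}, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	fmt.Println(Probe(h, "alice", "ops", "/admin/users"), Probe(h, "bob", "staff", "/admin/users"), Probe(h, "", "", "/docs")) // 200 403 403
}
```

The upstream never sees the two denied requests; the per-request log line is the audit trail a PEP produces, whether the denial came from a policy miss or from the PDP failing to decide.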
