XACML PAP PDP Separation

In my previous post, I went through the XACML PDP (Policy Decision Point) architecture using WSO2 Identity Server. In this blog post, I am hoping to go through how the PDP and PAP have been separated from each other.

In some implementations (especially older Identity Server versions), there is no separation between the PAP (Policy Administration Point) and PDP components. The PAP is used as an administration point for the PDP policy store. Basically there is only one policy store, shared by the PAP and the PDP. You can directly define policies from the administrator console, and once you enable a policy it is available for evaluation in the PDP. This older model therefore has the following disadvantages.

1. The same policy space is shared by the PAP and the PDP.

In large enterprises, there can be many people creating and updating authorization policies (XACML) frequently and collaboratively. There can be several versions of a policy. To make sure that policies have been defined correctly, there must be a way to test policies individually.

With the older model, if policy administrators add or update policies and test them, it directly affects run-time evaluation. Therefore the best way is to have a separate space for creating, updating and trying out policies rather than using the run-time policy space.

2. No workflows or processes are associated with managing policies in the PDP run time.

Say an administrator creates or updates a policy; the administrator then needs to put it into the PDP. There must be some process for this (such as an approval process). If not, anyone who creates policies can just put them into the PDP run-time directory.

3. Policy distribution to multiple PDPs is not supported.

Say you have a distributed setup with several PDP clusters, and one administration point from which you manage policies. We therefore cannot couple the PAP with only one PDP.

4. The policy space of the PDP run time is not configurable.

With the older model, policies are stored in a default carbon registry location which is not configurable. But there can be cases where you want to read policies from some other resource (if you already have existing policies).

WSO2 Identity Server has decoupled the PAP and PDP to overcome the above disadvantages. To achieve this decoupling, WSO2 Identity Server uses two policy stores: one is called the “PAP Policy Store” and the other the “PDP Policy Store”. Basically the PAP policy store holds any policy that is created from or imported through the UI. The PDP store contains the policies that are actually evaluated at run time. To bridge the PAP store and the PDP store, there is a component called the “Policy Publisher”. The idea of this component is to sync policies from the PAP policy store to the PDP policy store. The Policy Publisher is an extensible component, which you can use to publish policies from the Identity Server's PAP store to any place you wish.
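As an added illustration (not WSO2 code), here is a small Python model of the decoupled design above: a PAP store that keeps versioned drafts, a publisher that pushes only approved policies to several PDP stores, and PDP stores that evaluate only what has been published and then enabled. The role/resource rule dict is an assumed stand-in for a real XACML policy.

```python
from dataclasses import dataclass
@dataclass
class Policy:
    policy_id: str
    version: int
    rule: dict  # constructed stand-in for a XACML rule: {"role", "resource", "effect"}

class PapStore:
    """Administration space: drafts and versions the run-time PDP never sees."""
    def __init__(self):
        self.policies = {}
    def save(self, policy_id, rule):
        prev = self.policies.get(policy_id)
        self.policies[policy_id] = Policy(policy_id, prev.version + 1 if prev else 1, rule)
        return self.policies[policy_id].version

class PdpStore:
    """Run-time space: only policies that were published AND enabled are evaluated."""
    def __init__(self):
        self.policies, self.enabled = {}, set()
    def enable(self, policy_id):
        self.enabled.add(policy_id)
    def evaluate(self, role, resource):
        for pid in sorted(self.enabled):
            r = self.policies[pid].rule
            if r["role"] == role and r["resource"] == resource:
                return r["effect"]
        return "NotApplicable"

class PolicyPublisher:
    """Bridge from the PAP store to any number of PDP stores, gated by an approval hook."""
    def __init__(self, pap, pdps, approve):
        self.pap, self.pdps, self.approve = pap, pdps, approve
    def publish(self, policy_id):
        policy = self.pap.policies[policy_id]
        if not self.approve(policy):  # workflow step: nothing reaches a PDP unapproved
            return False
        for pdp in self.pdps:         # one PAP feeding several PDP clusters
            pdp.policies[policy_id] = policy
        return True

def demo():
    pap, pdp_a, pdp_b = PapStore(), PdpStore(), PdpStore()
    publisher = PolicyPublisher(pap, [pdp_a, pdp_b], lambda p: p.rule["effect"] in ("Permit", "Deny"))
    pap.save("doc-read", {"role": "editor", "resource": "/docs", "effect": "Permit"})
    draft = pdp_a.evaluate("editor", "/docs")      # still only in the PAP store
    publisher.publish("doc-read")
    published = pdp_a.evaluate("editor", "/docs")  # in PDP store but not yet enabled
    pdp_a.enable("doc-read")                       # enabled on cluster A only
    return draft, published, pdp_a.evaluate("editor", "/docs"), pdp_b.evaluate("editor", "/docs")
```

The `demo()` result shows the run-time PDP never answering from a draft, and the enable step being separate from publishing, which matches the behaviour discussed in the comments below.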

  1. Hi,

    Thanks for this post. I am trying to do something like what you describe, with 2 WSO2 IS instances (see http://stackoverflow.com/questions/23356913/publish-policy-from-one-identity-server-pap-to-pdp-on-another-identity-server), but when I try to publish, I am getting a 302 error. I think (guess) that the problem may be that I have the URL in the Basic Auth Publisher module (currently set to https://:9443/carbon) wrong, but I can’t find any info about what that URL SHOULD be.

    Do you know?

    Thanks again,

  2. Hi Asela,

    That was a seriously fast reply! Thanks!

    I just tried the /services/ (https://:9443/services/) but got the same 302 error.

    Re. clustering, in this case, we wouldn’t be doing clustering as the idserver2 PDP would be remote and we’d want to selectively publish policies to it.


    1. The format of the URL didn’t get through correctly. Obviously, the URL has a hostname (or in my case an IP address). Would it make a difference if I use an IP address maybe, i.e., must the URL have a fully-qualified hostname?

  3. Hi,

    Sorry about the earlier posts – I was able to publish the policy successfully!

    I went back and checked that the URI was “/services/” in the idserver1 PAP, but it was not changed, so I changed it again in the idserver1 PAP. I then tried to publish a test XACML policy to the idserver2, and the publish was successful.

    I’m assuming that this (push/publish policies to a remote PDP) could be automated, e.g., via an app?

    Thanks again,

      1. Asela,

        Thanks. I have a followup question. When I was testing actually using the PDP (sending in requests using Tryit), that after a policy was published to the remote PAP/PDP, in order for the policy to actually work, I had actually “Enable” it on the remote PAP. Would that step (enabling the newly-published policy) also be something that could be done via web services API?

      2. Sorry – I hadn’t looked at your sample code earlier, but have now, so regarding my last question re. enabling the policy in the remote PDP, it appears that the answer to that is “yes, you can”, since you do that in the sample in PolicyAdminClient.


  4. Yes.. they are physically stored in the database (by default there is an embedded H2 database). But Identity Server has something called “Registry”, which is like a layer on top of the database. You can browse this “Registry” from the Identity Server management console. When you browse it, you can find the PAP policies at the “/_system/governance/repository/identity/entitlement/policy/pap” location and the PDP policies at “/_system/governance/repository/identity/entitlement/policy/pdp”

  5. Thanks Asela
    I am using WSO2i.s on my Windows 7, that’s why I can’t find the above mentioned paths “/_system/governance/repository/identity/entitlement/policy/pap”

    Can you help me in this regards ?

    Further, I want to store both policies of pap & pdp on my mysql database instead of embedded h2.

  6. I have explored all tables of the database, but can’t find PDP and PAP policies in the database tables. Can you tell me which table(s) of the database are used to store PDP & PAP policies? Thanks in advance

  7. As I mentioned earlier.. It is stored in the “Registry”; you can browse it using the Identity Server management console (not from the file system or database). The “Registry” has a separate data model to communicate with the database. Therefore it is difficult to find the policies in the H2 database. If you need to configure Identity Server to use MySQL, please configure the database configuration in the master-datasource.xml file and start the server with -Dsetup… then all tables would be created in the MySQL database and the “Registry” would use MySQL

    1. Thanks for your detailed answer. Actually I want to generate delegation policies through my own server and I also want to see how access policies and delegated policies are treated and stored in the database. Is it required to be stored in the database or not?
      Furthermore, let me know if there is any open source product for delegation of access rights which uses the XACML Administration and Delegation Profile v3.0?

      Thanks again for your guidance !