XACML PAP PDP Separation

With my previous post,  i went through XACML PDP (Policy Decision Point) architecture by using WSO2 Identity Server.  In this blog post, i am hoping to go through how PDP and PAP have been separated each other.

In some implementation (specially with older Identity server versions),  there is no any separation with PAP (Policy Administrator Point) and PDP components. PAP has been used as an administration point for PDP policy store.  Basically there is only one policy store where it has been shared with PAP and PDP. You can directly define policies from administrator console and once you enable the policy then it is available for evaluation in PDP. Therefore this older model has some of the disadvantages such as followings.

1. Sharing same policy space by PAP and PDP.

In large enterprises, there can be people who are creating and updating authorization policies (XACML) frequently in a collaborative manner. There can be several versions of policies. To make sure  that policies have been correctly defined, There must be a way to test policies individually.

With older model, if  policy administrators  add or update policies and test them,  it would directly effect to run time evaluation. Therefore best way is to make a separate space for creating, updating and trying out the policies rather than using run time policy space.

2. No work flows or processes are associated to manage policies in the PDP run time.

Say, Once administrator creates or updates a policy,  administrator needs to put it in to the PDP.  There must be some process for it. (such as Approval process). If not,  people who are  create policies, can just put them in to the PDP run time directory

3. Policy Distribution with multiple PDPs is not supported

Say, You have distributed setup where you have several PDP clusters. There can be one administrator point that you are managing policies.  Therefore we can not couple PAP with one PDP only.

4. Policy space of PDP run time is not configurable.

With older model,  Policy is stored by default carbon registry location which is not configurable. But there can be cases,  where you want to read policies from some other resources. (If you already have existing policies)

WSO2 Identity Server has decouple the PAP and PDP to over come with above disadvantages. To achieve this decouple,  WSO2 Identity server, uses two policy stores.  one store is called as “PAP Policy Store”, other one is called as “PDP Policy Store”.  Basically PAP policy store, is to store any policy that is created from UI and imported from UI.   PDP store contains the policies that are actually evaluated in run time.  To make the bridge between PAP store and PDP store,  there is component called “Policy publisher”  Idea of this component to, syn policies from PAP policy store to PDP policy store. Policy publisher is an extensible component,  where you can use to publish policies from Identity serve’s PAP store to any place that you wish.