XACML reference architecture

The reference architecture proposes a standard for deployment of necessary software modules within an infrastructure. Policy Decision Point (PDP)evaluates policies against access requests provided by Policy Enforcement Points (PEP). To provide the decisions, PDP may also need to query a Policy Information Point (PIP) to gather descriptive attributes about the user or any other missing attribute in the request. Also to manage the PDP and PIP functionality, Policy Administration Point(PAP) is there


So these four comportment or building blocks creates the XACML reference architecture.

  • Policy Enforcement Point (PEP) – The system entity that performs access control, by making decision requests and enforcing authorization decisions. Basically the entity that sends the XACML request to the Policy Decision Point (PDP) and receives an authorization decision.
  • Policy Decision Point (PDP) – The system entity that evaluates applicable policy and returns an authorization decision.
  • Policy Information Point (PIP) – The system entity that acts as a source of attribute values. Basically if there are missing attributes in the XACML request which is sent by PEP, PIP would find them for the PDP to evaluate the policy
  • Policy Administration Point (PAP) – The system entity that creates a policy or policy set and manages them