Policy Decision Points
A Policy Decision Point (PDP) loads XACML policies into memory and evaluates XACML requests against these policies. The response to a request is typically either Permit or Deny.
The world's largest XACML deployments are powered by Policy Decision Points from Axiomatics.
APS implements XACML 2.0 and 3.0. If the policy evaluation reaches a decision as expected, it responds with Permit or Deny. If no matching policy is found or an error occurs, the response is NotApplicable or Indeterminate respectively. Thus, the PDP basically responds to "yes/no" type questions.
This can be a limitation. With millions of entries in a table, you would have to sit through many Deny answers before finding the few entries you are allowed to see. The Axiomatics Reverse Query (ARQ) offers a solution. It extends the XACML PDP with an extra decision engine that allows clients to ask open questions: "Which of the records am I allowed to see?"
The ARQ response is a logical expression that can serve as a filter to alter the data flow between client and server, in either the incoming or the outgoing stream. The process is efficient: an ARQ response comes almost as fast as a simple Permit or Deny from the standard PDP. To achieve this, ARQ uses an embedded standard PDP.
The XACML v3.0 Multiple Decision Profile, which replaces the older Multiple Resource Profile of XACML v2.0, also handles multiple resources. Nonetheless, large data sets still remain a challenge, especially if you need to filter data in multiple dimensions. Axiomatics ARQ technology therefore comes with PEP capabilities of different kinds: ARQ-enabled PEP components for SQL resources can alter incoming SQL statements based on XACML policy mandates, ARQ PEP components for document management systems filter large amounts of documents, etc. The ARQ PDP extension therefore adds value in many different environments.
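As an added illustration (not Axiomatics code, and not how ARQ is implemented internally), the toy policy, attribute domains, combining algorithm and records below are all constructed. A standard PDP answers the closed question with one of the four decisions; a reverse query fixes the subject and action, asks that embedded PDP once per resource-attribute combination, and returns the permitted combinations as a filter that can be applied to a record stream or rendered as a SQL WHERE predicate.

```python
from itertools import product

# The four XACML decisions a PDP can return
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Constructed toy policy (first-applicable combining). Each rule is (effect, condition);
# a condition reads attributes from the request dict and raises KeyError if one is missing.
POLICY = [
    (DENY, lambda r: r["resource.classification"] == "secret" and r["subject.clearance"] != "high"),
    (PERMIT, lambda r: r["action"] == "read" and r["subject.dept"] == r["resource.dept"]),
    (PERMIT, lambda r: r["action"] == "read" and r["subject.role"] == "auditor"),
]

# Constructed value domains of the resource attributes the reverse query ranges over
RESOURCE_DOMAIN = {"resource.dept": ["sales", "eng"], "resource.classification": ["public", "secret"]}

def evaluate(request):
    """Standard PDP: one closed question in, one of the four decisions out."""
    for effect, cond in POLICY:
        try:
            if cond(request):
                return effect
        except KeyError:            # a needed attribute is absent: cannot decide
            return INDETERMINATE
    return NOT_APPLICABLE           # no rule matched

def reverse_query(partial_request):
    """Open question: with subject and action fixed, which resource-attribute combinations
    are permitted? Returns a filter (list of attribute dicts, read as a disjunction of
    conjunctions), built by asking the embedded standard PDP once per combination."""
    names = list(RESOURCE_DOMAIN)
    permitted = []
    for values in product(*(RESOURCE_DOMAIN[n] for n in names)):
        clause = dict(zip(names, values))
        if evaluate({**partial_request, **clause}) == PERMIT:
            permitted.append(clause)
    return permitted

def apply_filter(filt, records):
    """Keep only the records matching some clause of the filter (the data-stream use of ARQ)."""
    return [rec for rec in records
            if any(all(rec[k] == v for k, v in cl.items()) for cl in filt)]

def to_sql_where(filt):
    """Render the filter as a SQL WHERE predicate (the SQL PEP use of ARQ). An empty filter
    means nothing is permitted; values come from the fixed domain above, so quoting is simple."""
    if not filt:
        return "1 = 0"
    clauses = [" AND ".join(f"{k.split('.', 1)[1]} = '{v}'" for k, v in cl.items()) for cl in filt]
    return " OR ".join(f"({c})" for c in clauses)
```

For the same subject, the records kept by `apply_filter` are exactly those for which `evaluate` would return Permit one record at a time, which is the equivalence the reverse query relies on.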
Axiomatics Policy Decision Points (PDP), with or without ARQ enhancements, are highly optimized for performance. They can run in a broad variety of environments:
- as a standalone Java program
- as a service on a J2EE application server
- as a standalone .NET library
- as an ASP.NET application
- embedded in-process with the calling PEP either in .NET or Java environments