Policy Information Points

Policy Information Point (PIP) is used as a general term for an attribute store. IT organizations typically have too many directories and databases, not too few. The last thing they need is an authorization service that comes with yet another one. Axiomatics eXtensible authorization solutions are therefore built to integrate with existing sources that can be used as trusted attribute stores.


When the PEP creates an XACML access request and sends it to the PDP, not all of the information required for policy evaluation may be available in that request.


The PDP is therefore configured with PIP connectors which allow it to retrieve attribute values during policy evaluation. If an applicable XACML policy states that only members of a given user group are permitted to see the requested resource, the PDP may for instance need to use an LDAP query to find out which groups the current user belongs to. Another policy condition for authorized access may for instance demand a minimum account balance related to the request. The PDP may then have to use a configured PIP connection to query an SQL database for the balance.

Axiomatics Policy Server (APS) comes with attribute management capabilities built in, but the philosophy behind the product is to reuse data where it currently resides whenever possible. Most organizations already have means to register trustworthy attributes about user group memberships, roles, departments and cost centers, as well as resource metadata such as document classifications. Axiomatics recommends that these stores be used for privilege-giving attributes.

As a result, great efforts have been made to create efficient PIP connectors for various data sources. Out of the box, the PDP used with Axiomatics Policy Server (APS) and Axiomatics Reverse Query (ARQ) comes with configurable connectivity for attributes you can reach via LDAP or SQL queries. LDAP v3 and JDBC are used for connectivity.

In addition, APS comes with an efficient API with which you can easily develop new attribute finders for custom data sources and then register them for use by APS.

The standard connectors as well as custom-built connectors all benefit from the performance enhancements offered by APS. Attribute retrieval via APS PIP connectors can use either or both of the following methods:

  • Caching attribute values for configurable time intervals to reduce the number of queries that have to be made to an external source.
  • Prefetching of attribute values using the optimization algorithms of APS which intelligently "plan ahead" during policy evaluation and make sure all relevant attributes are fetched in one single query ahead of time, rather than making a new query for each single attribute value.
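As an added illustration (not Axiomatics code), the following Python sketch models the lookup described above: a minimal PDP that fills in attributes missing from the PEP's request through hypothetical PIP connectors standing in for an LDAP directory and an SQL table, plans ahead by resolving every attribute the policy references before the rule runs, and caches values for a configurable interval so repeated requests do not reach the backend store. All stores, attribute ids and the policy are constructed for the example.

```python
import time

# Constructed sample stores standing in for an LDAP directory and an SQL table.
LDAP_GROUPS = {"alice": ["finance", "staff"], "bob": ["staff"]}
SQL_BALANCE = {"acct-42": 1500, "acct-7": 20}

# Hypothetical PIP connectors: each maps a lookup key to an attribute value.
CONNECTORS = {
    "subject.groups": lambda uid: LDAP_GROUPS.get(uid, []),      # "LDAP" query
    "resource.balance": lambda acct: SQL_BALANCE.get(acct, 0),   # "SQL" query
}
# Hypothetical policy: attributes it references (with the request key used to look each up) and its rule.
POLICY = {
    "needs": {"subject.groups": "subject.id", "resource.balance": "resource.id"},
    "rule": lambda a: "finance" in a["subject.groups"] and a["resource.balance"] >= 100,
}

class TTLCache:
    """Caches attribute values for a fixed interval; the clock is injectable for testing."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self.store = ttl_seconds, clock, {}
    def get(self, key):
        hit = self.store.get(key)
        return hit[0] if hit and self.clock() - hit[1] < self.ttl else None
    def put(self, key, value):
        self.store[key] = (value, self.clock())

class PDP:
    def __init__(self, connectors, ttl=60, clock=time.monotonic):
        self.connectors, self.cache = connectors, TTLCache(ttl, clock)
        self.queries = 0  # number of lookups that actually reached a backend store
    def resolve(self, attr_id, key):
        """Return a cached value if still fresh, otherwise ask the PIP connector."""
        value = self.cache.get((attr_id, key))
        if value is None:
            self.queries += 1
            value = self.connectors[attr_id](key)
            self.cache.put((attr_id, key), value)
        return value
    def evaluate(self, request, policy):
        """Plan ahead: resolve every attribute the policy references that the PEP
        did not supply, then evaluate the rule on the completed attribute set."""
        attrs = dict(request)
        for attr_id, key_attr in policy["needs"].items():
            if attr_id not in attrs:
                attrs[attr_id] = self.resolve(attr_id, attrs[key_attr])
        return "Permit" if policy["rule"](attrs) else "Deny"

def decide(pdp, uid, acct):
    """Evaluate a request that carries only the subject and resource identifiers."""
    return pdp.evaluate({"subject.id": uid, "resource.id": acct}, POLICY)
```

A second identical request is answered entirely from the cache, and once the interval expires the connectors are queried again.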
