Policy Information Points
Policy Information Point (PIP) is used as a general term for an attribute store. IT organizations typically have too many directories and databases, not too few. The last thing they need is an authorization service that comes with yet another one. Axiomatics eXtensible authorization solutions are therefore built to integrate with existing sources that can be used as trusted attribute stores.
When the PEP creates an XACML access request and sends it to the PDP, the request may not carry all the information that is required for policy evaluation.
The PDP is therefore configured with PIP connectors which allow it to retrieve attribute values during policy evaluation. If an applicable XACML policy states that only members of a given user group are permitted to see the requested resource, the PDP may for instance need to use an LDAP query to find out which groups the current user belongs to. Another policy condition for authorized access may for instance require a minimum account balance related to the request. The PDP may then have to use a configured PIP connection to query an SQL database for the balance.
Axiomatics Policy Server (APS) comes with attribute management capabilities built in, but the philosophy behind the product is to reuse data where it currently resides whenever possible. Most organizations already have means to register trustworthy attributes about user group memberships, roles, departments and cost centers, as well as about resource metadata such as document classifications. Axiomatics recommends that these stores be used for privilege-giving attributes.
As a result, great efforts have been made to create efficient PIP connectors for various data sources. Out of the box, the PDP used with Axiomatics Policy Server (APS) and Axiomatics Reverse Query (ARQ) comes with configurable connectivity for attributes you can reach via LDAP or SQL queries. For connectivity, LDAP v3 and JDBC are used.
In addition, APS comes with an efficient API with which you can easily develop new attribute finders for custom data sources and then register them for use by APS.
The standard connectors as well as custom-built connectors all benefit from the performance enhancements offered by APS. Attribute retrieval via APS PIP connectors can use either or both of the following methods:
- Caching attribute values for configurable time intervals to reduce the number of queries that have to be made to an external source.
- Prefetching of attribute values using the optimization algorithms of APS which intelligently "plan ahead" during policy evaluation and make sure all relevant attributes are fetched in one single query ahead of time, rather than making a new query for each single attribute value.
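The following is an added illustration, not APS code: a hypothetical SQL PIP connector that prefetches every SQL-backed attribute a policy references in one query per subject and caches the row for a configurable TTL, used by a toy PDP evaluating the group-membership and minimum-balance policy described above. The directory contents, account table and attribute ids are constructed for the example.

```python
import sqlite3
import time

# Constructed sample data standing in for an organization's existing stores:
# a directory holding group memberships and a SQL database holding account data.
DIRECTORY = {"alice": {"finance", "staff"}, "bob": {"staff"}}

def open_account_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER, region TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("alice", 1500, "EU"), ("bob", 200, "US")])
    return db

class SqlPip:
    """Hypothetical SQL PIP connector: prefetches every SQL-backed attribute the
    policies reference in one query per subject, and caches the result for `ttl` seconds."""
    # Fixed attribute-id -> column mapping; the query text never comes from the request.
    ATTRS = {"account.balance": "balance", "account.region": "region"}

    def __init__(self, db, ttl, clock=time.monotonic):
        self.db, self.ttl, self.clock = db, ttl, clock
        self.cache = {}     # subject -> (expiry time, {attribute id: value})
        self.queries = 0    # number of round trips actually made to the database

    def attributes(self, subject):
        hit = self.cache.get(subject)
        if hit is None or hit[0] <= self.clock():          # miss or expired entry
            self.queries += 1
            row = self.db.execute("SELECT balance, region FROM accounts WHERE owner = ?",
                                  (subject,)).fetchone()
            values = dict(zip(self.ATTRS, row)) if row else {}   # unknown subject: no attributes
            hit = (self.clock() + self.ttl, values)
            self.cache[subject] = hit
        return hit[1]

def evaluate(pip, subject, group="finance", min_balance=1000, region="EU"):
    """Toy PDP for one policy: Permit only if the subject belongs to `group`, its
    account balance is at least `min_balance` and the account is in `region`."""
    groups = DIRECTORY.get(subject, set())       # the LDAP-style group lookup
    attrs = pip.attributes(subject)              # one SQL round trip serves both conditions
    if (group in groups and attrs.get("account.balance", 0) >= min_balance
            and attrs.get("account.region") == region):
        return "Permit"
    return "Deny"
```

Injecting a fake clock makes the TTL behaviour testable: repeated evaluations within the TTL reuse the cached row, and a query is issued again only once the entry has expired.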