The Policy Management and Authorisation Service implements the Policy Management and Authorisation interfaces. The Authorisation Interface acts as a policy decision point (PDP) and decides whether some identity (e.g. a user or a service) is authorised to access a certain resource. A resource in the context of the Authorisation Interface can be an arbitrary service, a service chain, an information model or a concrete data set. The Policy Management Interface allows the management (create, update, delete) of XACML policies.
The Authorisation Interface evaluates an authorisation request of a policy enforcement point (PEP) and returns the authorisation decision. The authorisation decision is based on an XACML authorisation request passed from the Policy Enforcement Service or a security-enabled (e.g. by an integrated PEP component) service. The authorisation request comprises the authenticated identities of the service requestor, including all relevant identity-related attributes, as well as specific environment attributes, for example individual state variables of the service. The authorisation decision is currently provided as a compliance value indicating how to treat the request (e.g. permit or deny).
The Policy Management Interface is responsible for the management of access policies and thus plays the role of a policy administration point (PAP). Since V2, access policies can be expressed in the XACML access control policy language. XACML also defines a processing model that describes how the policies shall be interpreted. The evaluation of the policies is delegated to a Policy Decision Point (PDP), which is typically a software component that can be invoked by the service implementation.
XACML allows the definition of very flexible policies that can be evaluated against any kind of environment attributes. Such environment attributes may be derived from boundary conditions of a service request as well as from the underlying data source. Environment attributes can in most cases only be determined by a service or a component that is directly involved in the invocation of a request to a secured service. This is typically the role of a PEP, the Policy Enforcement Service.
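The following Python sketch is an added example, not code from the service described here. It models the PEP/PDP split in simplified form: the PEP assembles identity and environment attributes into a request, and the PDP evaluates rules under a simplified deny-overrides combination. All attribute names, rules and values are constructed for illustration, and this is not a conformant XACML engine.

```python
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")

# Constructed rules in the spirit of XACML Rule/Target/Condition.
# Rule 2 depends on an environment attribute that only the PEP can supply.
RULES = [
    {"effect": PERMIT,
     "target": {"subject": {"role": "hydrologist"},
                "resource": {"id": "sensor-data"},
                "action": {"id": "read"}},
     "condition": None},
    {"effect": DENY,
     "target": {"resource": {"id": "sensor-data"}},
     "condition": lambda req: req["environment"]["service-state"] == "maintenance"},
]

def evaluate_rule(rule, request):
    # Target match: every listed attribute must equal the request's value.
    for category, attrs in rule["target"].items():
        for name, wanted in attrs.items():
            if request.get(category, {}).get(name) != wanted:
                return NOT_APPLICABLE
    if rule["condition"] is None:
        return rule["effect"]
    try:
        return rule["effect"] if rule["condition"](request) else NOT_APPLICABLE
    except KeyError:
        # A required attribute is missing, so the rule cannot be evaluated.
        return INDETERMINATE

def pdp_decide(request, rules=RULES):
    """Simplified deny-overrides: any Deny wins, then Indeterminate, then Permit."""
    results = [evaluate_rule(rule, request) for rule in rules]
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in results:
            return outcome
    return NOT_APPLICABLE

def pep_enforce(identity, resource, action, environment):
    """PEP side: build the request, ask the PDP, grant access only on Permit."""
    request = {"subject": identity, "resource": {"id": resource},
               "action": {"id": action}, "environment": environment}
    decision = pdp_decide(request)
    return decision == PERMIT, decision

if __name__ == "__main__":
    user = {"role": "hydrologist"}
    for env in ({"service-state": "running"}, {"service-state": "maintenance"}, {}):
        print(env, pep_enforce(user, "sensor-data", "read", env))
```

The PEP in this sketch grants access only on an explicit Permit, so a request whose environment attributes could not be determined is refused rather than allowed through.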
