Abstract Authorization Architectures

In designing identity systems, we typically talk about two abstract places where authorization decisions are made: the policy enforcement point (PEP) and the policy decision point (PDP). Figure 8-5 shows a PEP and PDP in action.

Figure 8-5. PEP and PDP actions

The PEP is the point in the system where the user requests access to a resource. For example, if a user attempts to access a web page, the web server is the PEP. The PDP is the point in the system where the decision is made as to whether or not the user will be allowed to access a resource. In many cases, the PDP is part of the same system that houses the PEP, but it needn't be. The web server could, for example, send the resource name (a URL, in this case) and the user ID to a separate system and simply get back a "yes" or "no" answer. Note that this is different from the web server asking another server to authenticate a user. That is an authentication question, not one of authorization.

Even when the PEP and the PDP are co-located in the same system or program, it is useful to see authorization as a coordinated effort between these two abstract systems. The PDP makes its determination of entitlements or permissions based on an access policy that has been set in advance; the PEP contributes no judgment of its own and simply acts on the answer it receives. That division has a practical consequence: because the PEP enforces only what the PDP tells it, it should treat anything other than an explicit "yes" (including an unreachable or failing PDP) as a denial.
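The following is an added example, not code from the book, that puts the PEP/PDP split into working form: a web-server PEP first settles the authentication question (which session belongs to which user), then sends only the user ID, URL and HTTP method to a PDP and receives back "yes" or "no". The PDP evaluates a policy fixed in advance and defaults to deny. The policy rules, user IDs, role names, URLs and session IDs are constructed for illustration; the JSON question format and the `UnavailablePDP` stand-in are assumptions made for this example.

```python
# Added example (not from the book): a web-server PEP that asks a separate PDP
# "may <user> do <action> on <url>?" and gets back only yes/no.
# Policy, user IDs, URLs and session IDs below are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase
import json


@dataclass(frozen=True)
class Rule:
    principal: str         # a user ID, or "role:<name>"
    resource: str          # URL pattern, shell-style wildcards
    actions: frozenset     # HTTP methods permitted


class PolicyDecisionPoint:
    """Decides; never touches the resource. Policy is fixed in advance."""

    def __init__(self, rules, roles):
        self.rules = list(rules)
        self.roles = roles  # user ID -> set of role names

    def decide(self, subject: str, resource: str, action: str) -> bool:
        # Default deny: only an explicit matching grant returns True.
        principals = {subject} | {f"role:{r}" for r in self.roles.get(subject, ())}
        return any(
            rule.principal in principals
            and action in rule.actions
            and fnmatchcase(resource, rule.resource)
            for rule in self.rules
        )

    def handle_request(self, raw: str) -> str:
        """Wire form of the PDP (assumed JSON format): question in, 'yes'/'no' out,
        mirroring the separate-system PDP described in the text."""
        q = json.loads(raw)
        return "yes" if self.decide(q["subject"], q["resource"], q["action"]) else "no"


class WebServerPEP:
    """The enforcement point: the web server the user actually talks to."""

    def __init__(self, pdp, sessions):
        self.pdp = pdp
        self.sessions = sessions  # session ID -> authenticated user ID (authentication already done)

    def handle(self, session_id: str, method: str, url: str):
        # Authentication question: who is this? Not the PDP's job.
        user = self.sessions.get(session_id)
        if user is None:
            return 401, "authentication required"
        # Authorization question: ship only (user, URL, method) to the PDP.
        question = json.dumps({"subject": user, "resource": url, "action": method})
        try:
            answer = self.pdp.handle_request(question)
        except Exception:
            answer = "no"  # PDP unreachable or broken: fail closed
        if answer != "yes":
            return 403, "forbidden"
        return 200, f"<contents of {url}>"


class UnavailablePDP:
    """Hypothetical stand-in for a PDP that is down; shows fail-closed behaviour."""

    def handle_request(self, raw):
        raise ConnectionError("pdp unreachable")


# Constructed sample policy: set in advance, independent of any request.
SAMPLE_PDP = PolicyDecisionPoint(
    rules=[
        Rule("role:analyst", "/reports/*", frozenset({"GET"})),
        Rule("bob", "/admin/*", frozenset({"GET", "POST"})),
    ],
    roles={"alice": {"analyst"}, "bob": set(), "carol": set()},
)
SAMPLE_SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-carol": "carol"}
SAMPLE_PEP = WebServerPEP(SAMPLE_PDP, SAMPLE_SESSIONS)
FAIL_CLOSED_PEP = WebServerPEP(UnavailablePDP(), SAMPLE_SESSIONS)

if __name__ == "__main__":
    for sid, method, url in [("sess-alice", "GET", "/reports/q3.html"),
                             ("sess-alice", "DELETE", "/reports/q3.html"),
                             ("sess-carol", "GET", "/reports/q3.html"),
                             ("no-such-session", "GET", "/reports/q3.html")]:
        print(sid, method, url, "->", SAMPLE_PEP.handle(sid, method, url))
```

Note how the 401 and 403 paths are produced by different components: the missing session is an authentication failure the PEP resolves itself, while the 403 comes from the PDP's "no" (or from no answer at all). Swapping `SAMPLE_PDP` for `UnavailablePDP` changes nothing in the PEP's code, which is the point of keeping the two roles separate.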

When a PDP makes a determination regarding a particular subject's right to access a particular resource, the decision ...
