The development team of your company is implementing a web-based multi-tiered Procurement Management System. Purchase orders shall be approved before issuance by different management levels based on a variety of criteria, e.g., Order Amount, Supplier, or Product Category. As the criteria are subject to change, the development team decides not to hard-code the approval logic and policies but implements a user interface for the procurement manager to manage them. The web server delegates the authorization decision for requests from web clients to a remote authorization server that refers to the approval policies managed by the procurement manager. If the authorization mechanism is based on XACML, which of the following roles is the web server?
A. Policy Enforcement Point (PEP)
B. Policy Decision Point (PDP)
C. Policy Administration Point (PAP)
D. Policy Information Point (PIP)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Policy Enforcement Point (PEP).

Sample XACML Implementation


  • PEP (Policy Enforcement Point)
    Point which intercepts a user's access request to a resource, sends a decision request to the PDP to obtain the access decision (i.e. whether access to the resource is permitted or denied), and acts on the received decision
  • PDP (Policy Decision Point)
    Point which evaluates access requests against authorization policies before issuing access decisions
  • PAP (Policy Administration Point)
    Point which manages access authorization policies
  • PIP (Policy Information Point)
    The system entity that acts as a source of attribute values (i.e. attributes of the subject, resource, or environment)

Source: Wikipedia
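To make the four roles concrete for the scenario in the question, below is an added Python simulation of the XACML data flow. It is not code from the original page or from any XACML product; the class names, the sample approval rules, the supplier risk table, the approval limits per management level, and the sample purchase orders are all assumptions made for this illustration. The web server is modelled as the PEP: it never evaluates a policy itself, it only builds a decision request, asks the PDP, and acts on the answer, failing closed on anything other than an explicit Permit.

```python
"""Simulated XACML roles for the purchase-order approval scenario.

Added example, not code from the page or from a real XACML engine. Real
deployments exchange XACML request/response context documents (XML or
JSON); plain dicts and lambdas stand in for them here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attributes = Dict[str, object]


# ---- PAP: Policy Administration Point --------------------------------------
# The procurement manager's UI would create and edit rules here (assumed API).
@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                               # "Permit" or "Deny"
    applies: Callable[[Attributes], bool]     # condition over request attributes


class PolicyAdministrationPoint:
    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self._rules.append(rule)

    def current_policy(self) -> List[Rule]:
        return list(self._rules)


# ---- PIP: Policy Information Point -----------------------------------------
class PolicyInformationPoint:
    """Supplies attribute values the PEP did not send: the supplier's risk
    rating and the approver's spending limit. Both tables are constructed
    sample data for this example."""

    def __init__(self, supplier_risk: Dict[str, str], approval_limit: Dict[str, int]) -> None:
        self._supplier_risk = supplier_risk
        self._approval_limit = approval_limit

    def enrich(self, attrs: Attributes) -> Attributes:
        enriched = dict(attrs)
        enriched["supplier_risk"] = self._supplier_risk.get(str(attrs["supplier"]), "unknown")
        enriched["approval_limit"] = self._approval_limit.get(str(attrs["approver_level"]), 0)
        return enriched


# ---- PDP: Policy Decision Point --------------------------------------------
class PolicyDecisionPoint:
    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint) -> None:
        self._pap, self._pip = pap, pip

    def evaluate(self, request: Attributes) -> str:
        attrs = self._pip.enrich(request)                      # pull missing attributes from the PIP
        effects = [r.effect for r in self._pap.current_policy() if r.applies(attrs)]
        # Deny-overrides combining: one matching Deny wins over any Permit.
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"                                 # no rule matched at all


# ---- PEP: the web server ---------------------------------------------------
class WebServerPEP:
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self._pdp = pdp

    def approve_order(self, order: Attributes, approver: Attributes) -> Dict[str, str]:
        request: Attributes = {"action": "approve", **order, **approver}
        decision = self._pdp.evaluate(request)
        # Fail closed: only an explicit Permit issues the order; Deny and
        # NotApplicable are both treated as a rejection.
        status = "issued" if decision == "Permit" else "rejected"
        return {"order_id": str(order["order_id"]), "decision": decision, "status": status}


def build_system() -> WebServerPEP:
    """Wire the four roles together with sample rules (assumed policy content)."""
    pap = PolicyAdministrationPoint()
    pap.add_rule(Rule("deny-over-approval-limit", "Deny",
                      lambda a: a["amount"] > a["approval_limit"]))
    pap.add_rule(Rule("deny-high-risk-supplier-below-director", "Deny",
                      lambda a: a["supplier_risk"] == "high"
                      and a["approver_level"] not in ("director", "vp")))
    pap.add_rule(Rule("deny-unknown-supplier", "Deny",
                      lambda a: a["supplier_risk"] == "unknown"))
    pap.add_rule(Rule("permit-recognised-approver", "Permit",
                      lambda a: a["approver_level"] in ("manager", "director", "vp")))
    pip = PolicyInformationPoint(
        supplier_risk={"ACME": "low", "ShadyCo": "high"},
        approval_limit={"manager": 10_000, "director": 100_000, "vp": 1_000_000},
    )
    return WebServerPEP(PolicyDecisionPoint(pap, pip))


if __name__ == "__main__":
    pep = build_system()
    po = {"order_id": "PO-1", "amount": 50_000, "supplier": "ACME", "category": "IT"}
    print(pep.approve_order(po, {"approver": "alice", "approver_level": "manager"}))
    print(pep.approve_order(po, {"approver": "bob", "approver_level": "director"}))
```

Note which component does what: the amount, supplier and category rules live only in the PAP, the supplier risk rating comes from the PIP rather than from the client, and the web server (PEP) contains no approval logic at all. That separation is exactly why the criteria can change without redeploying the web tier.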

