Your company built many information systems to support various business functions. Each system implements its own access control mechanism to enforce security policies, so much so that they are frequently not enforced consistently. As a security professional, you suggest the authorization mechanism should be removed from individual systems and implemented per XACML on a central server. Which of the following is the best role of the server?
A. Relying party
B. Identity provider (IdP)
C. Policy decision point (PDP)
D. Policy enforcement point (PEP)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Policy decision point (PDP).
The data-flow model of XACML introduces four major actors: Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP), and Policy Administration Point (PAP).
The separation of PEP and PDP is widely adopted beyond XACML, for example in risk-based access control and Zero Trust Architecture.
Policy administration point (PAP)
The system entity that creates a policy or policy set.
Policy decision point (PDP)
The system entity that evaluates applicable policy and renders an authorization decision. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [RFC3198]. This term corresponds to “Access Decision Function” (ADF) in [ISO10181-3].
Policy enforcement point (PEP)
The system entity that performs access control, by making decision requests and enforcing authorization decisions. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [RFC3198]. This term corresponds to “Access Enforcement Function” (AEF) in [ISO10181-3].
Policy information point (PIP)
The system entity that acts as a source of attribute values.
Source: XACML 3.0
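To make the division of labour concrete, here is an added example (not code from the original post and not the XACML 3.0 wire format or any real XACML library) that models the four actors in Python: each application keeps only a thin PEP, the PDP on the central server evaluates rules authored at the PAP, and the PIP supplies subject attributes the request did not carry. The policies, the subject directory and the "business hours" attribute are constructed for illustration; the combining algorithm is deny-overrides, and the PEP fails closed on anything other than an explicit Permit.

```python
"""Added example (not part of the original post): a minimal, XACML-style
separation of PEP, PDP, PIP and PAP. All policy content, attribute names
and subjects are constructed for illustration; this is not the XACML 3.0
wire format or a real XACML library."""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    """A rule: which requests it targets, a condition over the resolved
    attributes, and the effect (Permit/Deny) when the condition holds."""
    rule_id: str
    target: Callable[[dict], bool]
    condition: Callable[[dict], bool]
    effect: str


class PAP:
    """Policy Administration Point: the only place policies are authored."""
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)


class PIP:
    """Policy Information Point: resolves attributes the request did not
    carry, e.g. a subject's department from an HR directory (constructed)."""
    def __init__(self, directory: Dict[str, dict]) -> None:
        self.directory = directory

    def attributes_for(self, subject_id: str) -> dict:
        return self.directory.get(subject_id, {})


class PDP:
    """Policy Decision Point: evaluates the applicable rules and renders a
    decision. Deny-overrides combining: any matching Deny beats any Permit."""
    def __init__(self, pap: PAP, pip: PIP) -> None:
        self.pap, self.pip = pap, pip

    def evaluate(self, request: dict) -> str:
        # Enrich the request context with attributes fetched from the PIP.
        ctx = {**self.pip.attributes_for(request["subject"]), **request}
        decision = NOT_APPLICABLE
        for rule in self.pap.rules:
            if not rule.target(ctx):
                continue  # rule does not apply to this request at all
            if not rule.condition(ctx):
                continue  # target matched, but the condition is false
            if rule.effect == DENY:
                return DENY  # deny-overrides: stop at the first Deny
            decision = PERMIT
        return decision


class PEP:
    """Policy Enforcement Point: sits with each application, asks the PDP,
    and enforces. Anything other than an explicit Permit (including
    NotApplicable) is treated as a deny, i.e. the PEP fails closed."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def allow(self, subject: str, action: str, resource: str, **attrs) -> bool:
        request = {"subject": subject, "action": action, "resource": resource, **attrs}
        return self.pdp.evaluate(request) == PERMIT


def build_demo() -> PEP:
    """Wire the four actors together with constructed policies and data."""
    pap = PAP()
    # Finance staff may read ledger records.
    pap.add_rule(Rule("finance-read",
        target=lambda c: c["resource"] == "ledger" and c["action"] == "read",
        condition=lambda c: c.get("department") == "finance",
        effect=PERMIT))
    # Nobody writes the ledger outside business hours, whatever else permits.
    pap.add_rule(Rule("no-after-hours-write",
        target=lambda c: c["resource"] == "ledger" and c["action"] == "write",
        condition=lambda c: not (9 <= c.get("hour", 0) < 18),
        effect=DENY))
    # Finance managers may write the ledger.
    pap.add_rule(Rule("finance-manager-write",
        target=lambda c: c["resource"] == "ledger" and c["action"] == "write",
        condition=lambda c: c.get("department") == "finance" and c.get("role") == "manager",
        effect=PERMIT))
    pip = PIP({"alice": {"department": "finance", "role": "manager"},
               "bob": {"department": "finance", "role": "analyst"},
               "carol": {"department": "sales", "role": "manager"}})
    return PEP(PDP(pap, pip))


if __name__ == "__main__":
    pep = build_demo()
    print(pep.allow("alice", "write", "ledger", hour=10))  # True
    print(pep.allow("alice", "write", "ledger", hour=22))  # False: Deny overrides
    print(pep.allow("bob", "read", "ledger", hour=10))     # True
    print(pep.allow("carol", "read", "ledger", hour=10))   # False: NotApplicable
```

The point the question is driving at shows up in the wiring: the applications never see a policy, only a decision, so a rule changed once at the PAP takes effect for every PEP at the next request, which is exactly the consistency the scattered per-system mechanisms could not deliver.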
- Attribute Based Access Control
- Privilege Management Workshop
- XACML 3.0
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
Your company built many information systems to support various business functions. Each system implements its own access control mechanism to enforce security policies, so much so that they are frequently not enforced consistently. As a security professional, you suggest the authorization mechanism should be removed from individual systems and the authorization rules implemented per XACML on a central server. Which of the following is the best role of the central server?
A. Relying party
B. Identity provider (IdP)
C. Policy decision point (PDP)
D. Policy enforcement point (PEP)