A security architect is designing an access control system with a key requirement to decouple authorization logic from the access control mechanism itself. This will allow policies to be updated centrally without redeploying the services they protect. Which design pattern best fulfills this requirement?
A shared library for authorization that is compiled into every microservice
A single security gateway that evaluates and enforces all access policies for inbound traffic
A centralized policy engine that makes decisions and distributed agents that enforce them
An identity-aware proxy that relies on periodically synchronized group memberships
This scenario describes the separation of the Policy Decision Point (PDP) from the Policy Enforcement Point (PEP), the model used by XACML, NIST SP 800-162 (ABAC) and NIST SP 800-207 (zero trust architecture). A centralized policy engine (the PDP) evaluates the access rules, while distributed agents (PEPs) embedded in or beside each service intercept requests, ask the PDP for a decision, and enforce the result. Because the PEPs contain no authorization logic of their own, a policy can be changed once at the PDP without redeploying the services it protects. Two practical caveats follow from the split: the PEP must fail closed when the PDP is unreachable, and any decision caching at the PEP bounds how quickly a policy change takes effect. A single security gateway combines decision and enforcement in one component, creating a bottleneck and a monolithic update cycle, and as an inbound-traffic gateway it never sees service-to-service calls that bypass it. A shared library embeds the authorization logic in every service, so updating it requires recompiling and redeploying them, which violates the key requirement. An identity-aware proxy that relies on periodically synchronized group memberships is only as current as its last sync and still typically combines the decision and enforcement roles in the proxy.
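The decoupling described above, as an added example that is not part of the original page: a minimal in-process PDP with hot-reloadable rules and a PEP that only relays and enforces its decisions. Everything here is constructed for illustration; it assumes a prefix-based resource match, a deny-overrides combining rule, and an in-process PDP in place of the network call a real deployment would make.

```python
"""Minimal PDP/PEP split (constructed example, not from the original page).

The PEP holds no authorization logic: it asks the PDP and enforces the
answer. Policy is changed centrally at the PDP and the PEP never changes.
Assumptions: prefix-based resource matching and deny-overrides combining.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    effect: str            # "permit" or "deny"
    roles: frozenset       # roles the rule applies to
    actions: frozenset     # e.g. {"read", "write"}
    resource_prefix: str   # matched with str.startswith (assumption)


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    action: str
    resource: str


class PolicyDecisionPoint:
    """Central policy engine: evaluates requests against the current rules."""

    def __init__(self, policy: Optional[Dict] = None) -> None:
        self._rules: List[Rule] = []
        self._version = 0
        if policy is not None:
            self.load_policy(policy)

    def load_policy(self, policy: Dict) -> int:
        """Replace the rule set at runtime; callers of the PDP are untouched."""
        rules = []
        for r in policy["rules"]:
            if r["effect"] not in ("permit", "deny"):
                raise ValueError(f"bad effect: {r['effect']}")
            rules.append(Rule(r["effect"], frozenset(r["roles"]),
                              frozenset(r["actions"]), r["resource_prefix"]))
        self._rules = rules        # single reference swap, no partial state
        self._version += 1
        return self._version

    def decide(self, req: Request) -> str:
        """Deny-overrides: any matching deny wins; no match at all is a deny."""
        decision = "deny"
        for rule in self._rules:
            if (req.roles & rule.roles and req.action in rule.actions
                    and req.resource.startswith(rule.resource_prefix)):
                if rule.effect == "deny":
                    return "deny"
                decision = "permit"
        return decision


class PolicyEnforcementPoint:
    """Agent in front of a protected handler. Fails closed if the PDP is down."""

    def __init__(self, ask_pdp: Callable[[Request], str]) -> None:
        self._ask_pdp = ask_pdp   # in a real deployment, a network call

    def enforce(self, req: Request, handler: Callable[[Request], str]) -> str:
        try:
            decision = self._ask_pdp(req)
        except Exception:         # PDP unreachable: deny, never default-allow
            decision = "deny"
        return handler(req) if decision == "permit" else "403 Forbidden"


def demo() -> Dict[str, str]:
    """Walk through a policy change and a PDP outage; returns the outcomes."""
    def handler(req: Request) -> str:
        return f"200 OK {req.resource}"

    pdp = PolicyDecisionPoint({"rules": [
        {"effect": "permit", "roles": ["analyst"], "actions": ["read"],
         "resource_prefix": "/orders/"},
    ]})
    pep = PolicyEnforcementPoint(pdp.decide)
    analyst = Request("alice", frozenset({"analyst"}), "read", "/orders/42")
    writer = Request("alice", frozenset({"analyst"}), "write", "/orders/42")
    archive = Request("alice", frozenset({"analyst"}), "write", "/orders/archive/7")
    out = {}
    out["v1_read"] = pep.enforce(analyst, handler)      # permitted
    out["v1_write"] = pep.enforce(writer, handler)      # no rule: deny
    # Central change: grant write, but deny writes under /orders/archive/.
    pdp.load_policy({"rules": [
        {"effect": "permit", "roles": ["analyst"], "actions": ["read", "write"],
         "resource_prefix": "/orders/"},
        {"effect": "deny", "roles": ["analyst"], "actions": ["write"],
         "resource_prefix": "/orders/archive/"},
    ]})
    out["v2_write"] = pep.enforce(writer, handler)      # now permitted, PEP unchanged
    out["v2_archive"] = pep.enforce(archive, handler)   # deny overrides permit
    def unreachable(req: Request) -> str:
        raise ConnectionError("pdp down")
    out["outage"] = PolicyEnforcementPoint(unreachable).enforce(analyst, handler)
    return out
```

The PEP is the only piece that ships with each service, and it contains no rules; the second `load_policy` call changes what the same PEP allows without touching it. The outage case is the caveat worth testing in any real deployment: an agent that defaults to allow when its decision point is unreachable turns a PDP outage into an authorization bypass.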