Inferensys

Glossary

Policy Decision Point (PDP)

A Policy Decision Point (PDP) is the architectural component in an access control system that evaluates access requests against applicable policies and issues an authorization decision.
Cinematic overhead of a WeWork creative suite room with multiple curved monitors showing AI decision dashboards, executives in casual attire reviewing data, dramatic pendant lighting.
AUTHORIZATION ARCHITECTURE

What is Policy Decision Point (PDP)?

A Policy Decision Point (PDP) is the architectural component in an access control system that evaluates access requests against applicable policies and issues an authorization decision.

A Policy Decision Point (PDP) is the logical engine within an access control architecture that computes authorization decisions. It receives a request from a Policy Enforcement Point (PEP), evaluates the user's attributes, resource classification, and environmental context against a set of governing policies, and returns a simple permit or deny verdict. The PDP remains stateless and decoupled from the application, centralizing authorization logic.

In Attribute-Based Access Control (ABAC) and Zero Trust Architecture (ZTA) models, the PDP dynamically evaluates real-time risk signals rather than relying on static roles. It consumes attributes from a Policy Information Point (PIP) to resolve complex policy rules, ensuring that document-level security and field-level permissions are consistently enforced across distributed retrieval pipelines without embedding authorization logic in the application code.

ARCHITECTURAL ANATOMY

Key Characteristics of a PDP

The Policy Decision Point (PDP) is the brain of an attribute-based access control system. It decouples authorization logic from application code, evaluating requests against policies to render a binary permit or deny decision.

01

Centralized Policy Evaluation Engine

The PDP serves as a stateless decision engine that receives a structured authorization request from a Policy Enforcement Point (PEP) and returns a deterministic decision. It evaluates the request against all applicable policies, combining rules using conflict resolution algorithms (e.g., deny-overrides, first-applicable).

  • Ingests normalized XACML or ALFA requests
  • Evaluates user attributes, resource metadata, and environmental context
  • Returns Permit, Deny, or Indeterminate decisions
  • Logs decisions for the immutable audit trail
< 10 ms
Typical Decision Latency
02

Policy Information Point (PIP) Integration

A PDP rarely holds all the data it needs to make a decision. It reaches out to Policy Information Points to fetch missing attributes at decision time. This enables Just-In-Time (JIT) attribute resolution without bloating the initial request context.

  • Queries external identity providers for group memberships
  • Retrieves data classification tags from metadata stores
  • Checks real-time risk scores from insider threat detection systems
  • Caches frequently accessed attributes to meet latency budgets
03

Policy-as-Code Execution

Modern PDPs execute policies defined as version-controlled code rather than static configuration files. This Policy-as-Code (PaC) approach enables unit testing, CI/CD integration, and deterministic behavior across environments.

  • Policies written in Rego (Open Policy Agent) or Cedar (AWS Verified Permissions)
  • Supports hierarchical policy inheritance for organizational structures
  • Enables policy simulation for pre-deployment impact analysis
  • Prevents the confused deputy problem through explicit trust boundaries
04

Fine-Grained Attribute Matching

The PDP evaluates Attribute-Based Access Control (ABAC) rules by comparing subject, resource, and action attributes against policy conditions. This enables document-level security and field-level security decisions within a single architecture.

  • Matches user department and clearance level against resource sensitivity
  • Evaluates temporal constraints for Just-In-Time (JIT) access windows
  • Considers device posture and network location in Zero Trust evaluations
  • Supports purpose-based access restrictions for regulatory compliance
05

Obligation and Advice Generation

Beyond a simple permit or deny, a PDP can attach obligations (mandatory actions) and advice (optional guidance) to its decisions. This enables the PEP to enforce downstream controls like dynamic data masking or trigger data leakage prevention (DLP) scans.

  • Obligation: 'Apply field-level redaction to SSN column'
  • Obligation: 'Write access event to immutable audit trail'
  • Advice: 'Prompt user to justify elevated privilege request'
  • Enables privacy-preserving data release through masking directives
06

Stateless Horizontal Scalability

PDPs are designed as stateless services that can scale horizontally behind a load balancer. Each decision request is self-contained, carrying all necessary context or referencing external PIPs. This architecture supports high-throughput authorization for retrieval-augmented generation pipelines.

  • No session affinity required between requests
  • Decisions are deterministic given identical inputs
  • Supports pre-retrieval filtering at query time in RAG systems
  • Enables tenant isolation through policy partitioning
100k+
Decisions per Second per Node
POLICY DECISION POINT

Frequently Asked Questions

Explore the core architectural questions surrounding the Policy Decision Point (PDP), the logical engine responsible for evaluating access requests and issuing authorization decisions in modern distributed systems.

A Policy Decision Point (PDP) is the architectural component in an access control system that evaluates access requests against applicable policies and issues an authorization decision. It functions as the logical brain of attribute-based access control (ABAC) and policy-based management systems. The PDP operates by receiving a structured authorization request from a Policy Enforcement Point (PEP), which includes attributes of the subject (user), resource (document), action (read/write), and environment (time, location). The PDP then retrieves the relevant policies from a Policy Retrieval Point (PRP) and evaluates them against the provided attributes. The decision—typically Permit, Deny, or Indeterminate—is returned to the PEP for enforcement. This separation of decision logic from enforcement logic is a foundational principle of Zero Trust Architecture (ZTA) and is standardized by the XACML (eXtensible Access Control Markup Language) specification from OASIS.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.