Inferensys

Glossary

Policy Decision Point (PDP)

A Policy Decision Point (PDP) is the architectural component in an access control system that evaluates authorization requests against defined policies and issues an access decision to the Policy Enforcement Point.
Cinematic overhead of a WeWork creative suite room with multiple curved monitors showing AI decision dashboards, executives in casual attire reviewing data, dramatic pendant lighting.
ACCESS CONTROL ARCHITECTURE

What is Policy Decision Point (PDP)?

A Policy Decision Point (PDP) is the architectural component in an access control system that evaluates authorization requests against defined policies and issues an access decision to the Policy Enforcement Point.

A Policy Decision Point (PDP) is the logical engine within an attribute-based access control (ABAC) architecture that computes authorization decisions. It receives a request from the Policy Enforcement Point (PEP), retrieves applicable policies from the Policy Administration Point (PAP), and evaluates them against subject, resource, and environmental attributes to render a Permit, Deny, or Indeterminate decision.

The PDP operates as a stateless, policy-driven service, often implemented as a microservice or a dedicated entitlement service. It decouples authorization logic from application code, enabling centralized governance. Standards like XACML define the canonical request/response protocol, where the PDP's sole output is an authorization decision, leaving enforcement to the PEP.

ARCHITECTURAL CORE

Key Characteristics of a PDP

The Policy Decision Point is the brain of attribute-based access control, decoupling authorization logic from enforcement to enable centralized, fine-grained governance.

01

Decoupled Authorization Logic

The PDP exists as a logically separate service from the application it protects. This decoupling allows security and compliance teams to update access rules without modifying application code or redeploying services. The PDP receives a structured authorization request containing subject attributes, resource identifiers, and environmental context, then returns a simple permit or deny decision. This architecture is foundational to zero-trust security models, where every access request is individually authenticated and authorized.

02

Policy Evaluation Engine

At its core, the PDP contains a policy evaluation engine that processes rules written in a formal language like XACML (eXtensible Access Control Markup Language) or Rego (the language of Open Policy Agent). The engine combines attributes from multiple sources:

  • Subject attributes: user role, department, clearance level
  • Resource attributes: document classification, owner, creation date
  • Action attributes: read, write, delete, execute
  • Environmental attributes: time of day, network location, device posture The engine resolves conflicts through combining algorithms (e.g., deny-overrides, first-applicable) to produce a single definitive decision.
03

Policy Information Point (PIP) Integration

The PDP rarely holds all necessary data locally. It queries external Policy Information Points (PIPs) to retrieve additional attributes needed for evaluation. For example, when authorizing a content licensing API call, the PDP might query:

  • An entitlement service to verify the caller's subscription tier
  • An HR system to confirm the user's current employment status
  • A device management platform to check endpoint compliance This real-time attribute retrieval enables context-aware, risk-based authorization that adapts to changing conditions without hardcoding logic into the policy rules themselves.
04

Audit and Decision Logging

Every decision made by the PDP is recorded in an immutable audit log for compliance and forensic analysis. Each log entry captures:

  • The full authorization request context
  • The specific policy rules that were evaluated
  • The final decision (Permit, Deny, Not Applicable, Indeterminate)
  • Any obligations or advice attached to the decision This comprehensive logging supports SOX, HIPAA, and GDPR compliance by providing a complete, non-repudiable record of who accessed what and why. In content licensing systems, these logs serve as the authoritative record for royalty calculations and usage audits.
05

Obligations and Advice

Beyond a simple permit/deny response, a PDP can return obligations and advice to the Policy Enforcement Point (PEP).

  • Obligations are mandatory actions the PEP must perform alongside enforcement, such as redacting sensitive fields from a response, applying a digital watermark, or logging the access for billing purposes.
  • Advice provides non-mandatory guidance, such as recommending step-up authentication or displaying a data-use reminder. In content licensing, an obligation might require the PEP to inject a copyright notice into the retrieved content or enforce a time-limited viewing window before the data must be purged from the licensee's cache.
06

Stateless and Horizontally Scalable

A well-architected PDP is stateless, treating each authorization request as an independent transaction. This design enables horizontal scaling by deploying multiple PDP instances behind a load balancer, ensuring low-latency decisions even under high request volumes. The PDP relies on external PIPs for stateful attribute data and caches frequently used policies and attributes in a distributed cache (e.g., Redis) to minimize external calls. For content licensing APIs processing thousands of requests per second, this architecture ensures that authorization adds sub-millisecond overhead to the critical path.

ARCHITECTURAL COMPARISON

PDP vs. Related Authorization Components

Distinguishing the Policy Decision Point from other core components in an attribute-based access control (ABAC) architecture.

FeaturePolicy Decision Point (PDP)Policy Enforcement Point (PEP)Policy Administration Point (PAP)Policy Information Point (PIP)

Primary Function

Evaluates authorization requests against policies and returns a permit/deny decision

Intercepts access requests and enforces the PDP's decision

Provides the interface for authoring, managing, and versioning authorization policies

Acts as the attribute source, retrieving subject, resource, and environmental data required for policy evaluation

Role in Request Flow

Central decision engine; stateless evaluation of boolean logic

Entry gatekeeper; handles protocol translation and credential extraction

Out-of-band management plane; not in the real-time access path

Real-time attribute provider queried by the PDP during decision evaluation

Standard Protocol

XACML 3.0 request/response context

XACML 3.0 context handler; often integrated with API gateways or reverse proxies

RESTful policy management interfaces; PAP-to-PDP policy distribution protocols

LDAP, SQL, or RESTful attribute queries; XACML attribute designator resolution

Stateful or Stateless

Stateless; each request is evaluated independently against the current policy set

Stateless enforcement; may maintain session context for subsequent attribute caching

Stateful; maintains policy version history and lifecycle metadata

Stateless or short-lived cache; retrieves attributes from authoritative sources on demand

Key Output

Authorization decision (Permit, Deny, Indeterminate, NotApplicable) with optional obligations

Granted or blocked resource access; obligation fulfillment (e.g., logging, masking)

Versioned policy artifacts and compliance audit trails

Attribute tuples (subject role, resource classification, environmental time/date)

Failure Mode

Returns Indeterminate decision; PEP must enforce a safe default (typically deny)

Closes connection or returns 403 Forbidden if PDP is unreachable

Prevents policy updates but does not interrupt runtime authorization

Returns missing attribute error; PDP treats as Indeterminate unless policy specifies a default

Typical Deployment

Dedicated authorization server or microservice; horizontally scaled for throughput

API gateway plugin, sidecar proxy, or application interceptor

Administrative console or CI/CD pipeline integration for policy-as-code

Connector service bridging PDP to enterprise identity providers, CMDBs, and HR systems

Obligation Handling

Defines obligations in the decision response (e.g., 'log access', 'notify owner')

Executes obligations returned by the PDP; may fail closed if obligation fulfillment fails

Manages obligation templates and associates them with policy rules

Not applicable

ARCHITECTURE DEEP DIVE

Frequently Asked Questions

Clarifying the role, mechanics, and implementation of the Policy Decision Point within enterprise access control systems.

A Policy Decision Point (PDP) is the architectural component in an access control system that evaluates authorization requests against defined policies and issues an access decision to the Policy Enforcement Point (PEP). The PDP operates as the logical brain of the system, distinct from the PEP, which acts as the gatekeeper. When a subject requests access to a resource, the PEP intercepts the call and formulates a formal authorization query. This query, containing attributes of the subject, resource, and action, is sent to the PDP. The PDP then retrieves applicable policies from the Policy Retrieval Point (PRP) and relevant attribute data from the Policy Information Point (PIP). It combines these inputs, evaluates the rules—often using a standardized language like XACML (eXtensible Access Control Markup Language) or OPA's Rego—and computes a single, definitive response: Permit, Deny, or Indeterminate. This separation of concerns allows the enforcement logic to remain lightweight and fast, while the complex, potentially high-latency decision logic is centralized and managed independently.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.