Version: 1.9

Introduction

Access Decision Service (ADS) is a cloud-native authorization engine, suitable for flexible deployment in microservices, cloud or hybrid architectures. In an externalized access control architecture, Access Decision Service corresponds to the Policy Decision Point (PDP).

ADS provides externalized, dynamic, attribute-based authorization decisions to Policy Enforcement Points (PEPs) through a REST API that complies with the XACML 3.0 standard. It runs as a service on the network, exposing a web service interface that can be secured by SSL/TLS.

Externalized access control architecture

Access Decision Service is a standalone application that is run from the command line. It can be deployed and configured independently of any management software, which makes it easier to run on its own or at scale.

Organizations can work directly with the authorization engine instead of going through management software, and can more easily use the same tools and deployment strategies that they use for other software.

An open interface provides support for any type of attribute source, making it easy to adapt the service to diverse information architectures.

Policy Enforcement Point (PEP)

The authorization engine, in this case ADS, works in conjunction with the PEP, which is the component that enforces the access control decisions made by an authorization engine.

The PEP intercepts actions in the system it protects and sends a corresponding authorization request to ADS. ADS then evaluates the request against the applicable policies to determine whether access should be granted. To do so, it consults the authorization configuration and the available attribute sources (these can be anything from LDAP, Active Directory, a database, identity attributes, etc.) and applies the policies. As a result of this evaluation, ADS returns a permit/deny decision to the PEP, which then acts to enforce the decision mandated by the authorization engine.
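The PEP side of this exchange, as an added example that is not Axiomatics code or SDK code: it builds the authorization request and enforces the returned decision so that anything other than a clear Permit blocks access. It assumes the JSON Profile of XACML 3.0 as the message format; the function names, sample subject, action, resource and obligation id are constructed for illustration.

```python
import json

# Standard XACML attribute identifiers; the values sent with them are constructed.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def build_request(subject, action, resource):
    """Serialize an intercepted action as a JSON Profile of XACML 3.0 request."""
    def category(attr_id, value):
        return {"Attribute": [{"AttributeId": attr_id, "Value": value}]}
    return json.dumps({"Request": {
        "AccessSubject": category(SUBJECT_ID, subject),
        "Action": category(ACTION_ID, action),
        "Resource": category(RESOURCE_ID, resource),
    }})


def enforce(response_body, supported_obligations=frozenset()):
    """Deny-biased PEP: allow only on a single Permit it can fully honor."""
    try:
        results = json.loads(response_body)["Response"]
    except (ValueError, KeyError, TypeError):
        return False  # unparsable or malformed PDP answer: fail closed
    if isinstance(results, dict):  # tolerate a single result object
        results = [results]
    if not isinstance(results, list) or len(results) != 1:
        return False  # one request is expected to yield exactly one result
    result = results[0]
    if not isinstance(result, dict) or result.get("Decision") != "Permit":
        return False  # Deny, NotApplicable and Indeterminate all block access
    # A PEP may permit only if it can discharge every obligation on the decision.
    obligations = result.get("Obligations") or []
    if not isinstance(obligations, list):
        return False
    return all(isinstance(o, dict) and o.get("Id") in supported_obligations
               for o in obligations)


if __name__ == "__main__":
    print(build_request("alice", "view", "record/42"))
    # Constructed PDP responses covering decisions a PEP has to handle.
    for body in ('{"Response": [{"Decision": "Permit"}]}',
                 '{"Response": [{"Decision": "Indeterminate"}]}',
                 '<html>502 Bad Gateway</html>'):
        print(body, "->", "allow" if enforce(body) else "block")
```

The HTTP call to the decision service is left out on purpose, because the endpoint path and authentication depend on the deployment.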

Users of Axiomatics Policy Server (APS) have access to SDKs that simplify the implementation of PEPs in different environments.

Axiomatics Policy Server

Access Decision Service is included as a part of the Axiomatics Policy Server (APS) product. This is a suite of components that are downloaded and installed separately, and then used together in combinations as needed, allowing for great flexibility of implementation. One such component of APS is the Axiomatics Services Manager (ASM), which is referenced in this guide as a source of domain configuration files.