0435 Policy Management Capabilities
The policy management capabilities describe the different capabilities needed to automate the enforcement of policies. These capabilities were originally identified in the eXtensible Access Control Mark-up Language (XACML) standard.
XACML is an OASIS standard specifically focused at access control policies. However the architecture is clean enough to generalise to the management of all types of governance policy and so it has been included in the open metadata types.
There are five components involved in policy management:
- Policy Administration Point (PAP) - the tool/API used to administer policies.
- Policy Decision Point (PDP) - the component that evaluates policies for a specific situation and selects a course of action.
- Policy Enforcement Point (PEP) - the component thar enforces the policy decision made by the PDP. Usually this is the component that is used to access a resource or perform a task. The PEP calls the PDP to find out what the decision that needs to be enforced and then enforces the resulting decision in real-time.
- Policy Information Point (PIP) - a component that provides additional information to the PDP to enable it to make a decision.
- Policy Retrieval Point (PRP) - a component used by the PDP to retrieve the policy details that apply to the situation that the PDP is evaluating.
Open Metadata Types
The open metadata types are implemented as classifications. The classifications can be applied to Referenceables so that they can be used to classify solution components during solution design and software server capabilities for the running implementation.
Using the Policy Management Capabilities open metadata types
Implementation of Policy Management Capabilities in Egeria
Not only does Egeria support the use of the Policy Management Capabilities in your architectures and metadata, we have also the concepts in the design of Egeria itself.
In Egeria, the Policy Administration Point is Governance Program OMAS. Services such as Governance Engine OMAS act as a Policy Retrieval Points to push policy information to external Policy Enforcement Points such as Apache Ranger.
Egeria’s Metadata Security module is a Policy Enforcement Point, calling the metadata security connectors as Policy Decision Points.
License: CC BY 4.0, Copyright Contributors to the ODPi Egeria project.