path: root/doc/share/authz
authormo khan <mo@mokhan.ca>2025-03-31 14:36:00 -0600
committermo khan <mo@mokhan.ca>2025-03-31 14:36:00 -0600
commit2201dfdb81ecf3db4e4cc76c1a78144964344a0f (patch)
tree56413ee81a809d803f9fba91716e546615400ded /doc/share/authz
parentdeb9cd01de503baadc6c41ec4fbbe99b04db6ba3 (diff)
docs: add policy architecture diagram
Diffstat (limited to 'doc/share/authz')
-rw-r--r--doc/share/authz/README.md29
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md
index 75c77575..30a0cbb1 100644
--- a/doc/share/authz/README.md
+++ b/doc/share/authz/README.md
@@ -9,6 +9,12 @@ identity of subjects and/or groups to which they belong.
* Relationship-Based Access Control ([ReBAC](./ReBAC.md))
* Attribute-Based Access Control ([ABAC](./ABAC.md))
+Authentication (Authn) is used to determine that users or systems are who they
+claim to be and provide proof in the form of identity principals and attributes.
+
+Authorization (Authz) is used to decide what privileges an actor has within a
+system.
+
## Policy
* [What is a policy?](./POLICY.md)
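Review bot: the Authn sentence is ambiguous about who "provide[s] proof" and describes authentication as yielding "proof", when what it actually yields is an authenticated principal and its attributes that authorization then consumes; suggest something like "Authentication (Authn) establishes that a user or system is who it claims to be; its output is an authenticated identity principal and attributes, which Authorization (Authz) uses to decide what privileges that actor has within a system." That also makes the hand-off between the two paragraphs explicit. Placement is worth a second look as well: these definitions land between the list of access control models and `## Policy`, while the surrounding text (the hunk header's "identity of subjects and/or groups to which they belong") already assumes the reader knows what a subject is, so putting them before the model list, or under their own heading, would read more naturally.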
@@ -36,3 +42,26 @@ Ideally, we must be able to model the following relationships:
| `user-to-user` | not required |
Note: `user-to-user` relationships are not in the current access control model.
+
+## Architecture
+
+```plaintext
+ ------------------ ------- -------------
+ | Users/Services |--->| PEP |--->| Resources |
+ ------------------ ------- -------------
+ | A
+ V |
+ ------- ------------ -------
+ | PDP |-->| Policies |<---| PAP |
+ ------- ------------ -------
+ | A A
+ V | |
+ ------- -----------------
+ | PIP | | Administrator |
+ ------- -----------------
+
+PAP: Policy Administration Point
+PDP: Policy Decision Point
+PEP: Policy Enforcement Point
+PIP: Policy Information Point
+```
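Review bot: several arrow heads in the diagram point against the direction of the data flow they are meant to show. `| PDP |-->| Policies |` reads as the PDP writing policies, whereas the PDP reads them; the head should point into the PDP (or the edge should be labelled "reads"). The PDP-to-PIP edge carries only a downward `V`, but the PIP answers attribute queries, so it needs the return path that the PEP/PDP edge already has (`| A` / `V |`). Two upward arrows also rise from the `Administrator` box, one under `PAP` and one under `Policies`; if the second is intentional it means the administrator can edit policies directly, bypassing the PAP, which deserves a sentence of explanation, and if not, route the administrator through the PAP only. Finally, the legend expands PAP/PDP/PEP/PIP but not `Policies`, and the diagram says `Users/Services` where the rest of the document says "subjects"; aligning the terms would help readers map the boxes onto the models listed above.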