From 2201dfdb81ecf3db4e4cc76c1a78144964344a0f Mon Sep 17 00:00:00 2001 From: mo khan Date: Mon, 31 Mar 2025 14:36:00 -0600 Subject: docs: add policy architecture diagram --- doc/share/authz/README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'doc/share/authz') diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md index 75c77575..30a0cbb1 100644 --- a/doc/share/authz/README.md +++ b/doc/share/authz/README.md @@ -9,6 +9,12 @@ identity of subjects and/or groups to which they belong. * Relationship-Based Access Control ([ReBAC](./ReBAC.md)) * Attribute-Based Access Control ([ABAC](./ABAC.md)) +Authentication (Authn) is used to determine that users or systems are who they +claim to be and provide proof in the form of identity principals and attributes. + +Authorization (Authz) is used to decide what privileges an actor has within a +system. + ## Policy * [What is a policy?](./POLICY.md) @@ -36,3 +42,26 @@ Ideally, we must be able to model the following relationships: | `user-to-user` | not required | Note: `user-to-user` relationships are not in the current access control model. + +## Architecture + +```plaintext + ------------------ ------- ------------- + | Users/Services |--->| PEP |--->| Resources | + ------------------ ------- ------------- + | A + V | + ------- ------------ ------- + | PDP |-->| Policies |<---| PAP | + ------- ------------ ------- + | A A + V | | + ------- ----------------- + | PIP | | Administrator | + ------- ----------------- + +PAP: Policy Administration Point +PDP: Policy Decision Point +PEP: Policy Enforcement Point +PIP: Policy Information Point +``` -- cgit v1.2.3
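Review bot: In the first hunk, the Authentication sentence is ambiguous about who "provide[s] proof": as written, "to determine that users or systems are who they claim to be and provide proof" reads as if the users provide the proof, whereas the intent seems to be that authentication yields the identity principals and attributes that the authorization models listed just above consume. Suggest "Authentication (Authn) determines that users or systems are who they claim to be and produces proof of that identity in the form of principals and attributes." Consider also moving these two definitions above the model list, since the list's intro already talks about the "identity of subjects" before the term is defined.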
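Review bot: The architecture diagram in the second hunk has a legend that only expands the four acronyms, so a reader cannot tell from the section which component asks which for what; add a short prose walkthrough of a request, e.g. "The PEP intercepts a request from a user or service and asks the PDP for a decision; the PDP evaluates the policies, fetching any additional subject or resource attributes from the PIP; administrators author and publish policies through the PAP." It would also help to state where the authentication step defined earlier in this patch sits relative to the PEP, since the diagram shows Users/Services feeding the PEP directly with no Authn stage, and to say explicitly whether the PEP fails closed when the PDP is unavailable, as that is the property a reader of an authz README will want to confirm.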