| author | mo khan <mo@mokhan.ca> | 2025-03-31 14:36:00 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-31 14:36:00 -0600 |
| commit | 2201dfdb81ecf3db4e4cc76c1a78144964344a0f (patch) | |
| tree | 56413ee81a809d803f9fba91716e546615400ded /doc/share/authz | |
| parent | deb9cd01de503baadc6c41ec4fbbe99b04db6ba3 (diff) | |
docs: add policy architecture diagram
Diffstat (limited to 'doc/share/authz')
| -rw-r--r-- | doc/share/authz/README.md | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md index 75c7757..30a0cbb 100644 --- a/doc/share/authz/README.md +++ b/doc/share/authz/README.md @@ -9,6 +9,12 @@ identity of subjects and/or groups to which they belong. * Relationship-Based Access Control ([ReBAC](./ReBAC.md)) * Attribute-Based Access Control ([ABAC](./ABAC.md)) +Authentication (Authn) is used to determine that users or systems are who they +claim to be and provide proof in the form of identity principals and attributes. + +Authorization (Authz) is used to decide what privileges an actor has within a +system. + ## Policy * [What is a policy?](./POLICY.md) @@ -36,3 +42,26 @@ Ideally, we must be able to model the following relationships: | `user-to-user` | not required | Note: `user-to-user` relationships are not in the current access control model. + +## Architecture + +```plaintext + ------------------ ------- ------------- + | Users/Services |--->| PEP |--->| Resources | + ------------------ ------- ------------- + | A + V | + ------- ------------ ------- + | PDP |-->| Policies |<---| PAP | + ------- ------------ ------- + | A A + V | | + ------- ----------------- + | PIP | | Administrator | + ------- ----------------- + +PAP: Policy Administration Point +PDP: Policy Decision Point +PEP: Policy Enforcement Point +PIP: Policy Information Point +``` |
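Review bot: in the first hunk the Authn sentence conflates the proof with the outcome; authentication checks the proof (a credential), and the identity principals and attributes are what it produces for the authorization step to rely on. Suggest: "Authentication (Authn) verifies that users or systems are who they claim to be; its result is a set of identity principals and attributes that authorization can trust." It would also help to say explicitly that Authz decisions depend on that Authn output, since the Architecture section later shows the PDP consuming subject attributes via the PIP.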
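Review bot: in the second hunk the diagram shows the PEP delegating every access decision to the PDP, but nothing states what the PEP does when no decision comes back (PDP unreachable, timeout, malformed response); a sentence stating that the PEP denies by default (fails closed) would document the intended behaviour. A short prose walkthrough of the flow next to the legend would also help readers who cannot follow the ASCII arrows: the PEP intercepts the request, the PDP evaluates it against the Policies and pulls extra attributes from the PIP, and the PAP is how the Administrator manages the Policies.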
