Jake wants to split the evaluation of user privileges from the final control over resource usage in his organization's new identity system. Which approach best supports this separation?
Use separate components for deciding rules and controlling resource entry
Grant microservices authority over user requests
Put decision-making and traffic flow into one tool
Depend on a firewall rule set that is updated periodically
In a robust design, a policy decision point (PDP) decides whether a request should be approved, and a policy enforcement point (PEP) carries out that approval or denial. Splitting these responsibilities keeps the rules in a centralized location and applies them consistently, without granting the decision logic direct access to resources. Combining both roles in a single service makes updates complex and introduces risk. Letting each microservice make these decisions itself disrupts consistency and is hard to manage. Depending on a firewall rule set that is updated periodically cannot adjust quickly enough for changing privileges.