
0435 Policy Management Capabilities

The policy management capabilities describe the different capabilities needed to automate the enforcement of policies. These capabilities were originally identified in the eXtensible Access Control Mark-up Language (XACML) standard.

XACML is an OASIS standard focused specifically on access control policies. However, the architecture is clean enough to generalise to the management of all types of governance policy, and so it has been included in the open metadata types.

There are five components involved in policy management:

- Policy Administration Point (PAP) - the tool/API used to administer policies.
- Policy Decision Point (PDP) - the component that evaluates policies for a specific situation and selects a course of action.
- Policy Enforcement Point (PEP) - the component that enforces the policy decision made by the PDP. Usually this is the component that is used to access a resource or perform a task. The PEP calls the PDP to find out what decision needs to be enforced and then enforces the resulting decision in real time.
- Policy Information Point (PIP) - a component that provides additional information to the PDP to enable it to make a decision.
- Policy Retrieval Point (PRP) - a component used by the PDP to retrieve the policy details that apply to the situation that the PDP is evaluating.
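To make the division of responsibilities concrete, here is an added example (not code from Egeria or from the XACML standard) that wires the five components together in Python. The PEP receives a request, asks the PDP for a decision, the PDP pulls applicable policies from the PRP and missing subject attributes from the PIP, and the PAP is the only component that changes the policy store. Two design choices are assumed rather than taken from the page: the PDP uses deny-overrides combining (one of XACML's standard combining algorithms, so a single matching Deny beats any number of Permits), and the PEP fails closed, treating NotApplicable the same as Deny so that a resource nobody wrote a policy for is never exposed. All policies, users and resources are constructed for illustration.

```python
"""Minimal XACML-style policy pipeline: PAP, PRP, PIP, PDP and PEP wired together.
Added example, not code from Egeria or the XACML standard; every policy, user and
resource below is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Request:
    subject: Dict[str, str]    # what the caller already knows about the subject (here an id)
    action: str
    resource: Dict[str, str]

@dataclass
class Policy:
    policy_id: str
    target_resource_type: str  # the PRP matches this against the request's resource type
    effect: str                # PERMIT or DENY, applied when the condition holds
    condition: Callable[[Request, Dict[str, str]], bool]

class PolicyAdministrationPoint:
    """PAP: the only place policies are created, updated or retired."""
    def __init__(self) -> None:
        self.store: Dict[str, Policy] = {}
    def publish(self, policy: Policy) -> None:
        self.store[policy.policy_id] = policy
    def retire(self, policy_id: str) -> None:
        self.store.pop(policy_id, None)

class PolicyRetrievalPoint:
    """PRP: hands the PDP only the policies whose target matches the situation."""
    def __init__(self, pap: PolicyAdministrationPoint) -> None:
        self.pap = pap
    def applicable(self, request: Request) -> List[Policy]:
        rtype = request.resource.get("type")
        return [p for p in self.pap.store.values() if p.target_resource_type == rtype]

class PolicyInformationPoint:
    """PIP: supplies attributes the request did not carry (a stand-in for a directory)."""
    def __init__(self, directory: Dict[str, Dict[str, str]]) -> None:
        self.directory = directory
    def attributes_for(self, request: Request) -> Dict[str, str]:
        return dict(self.directory.get(request.subject.get("id", ""), {}))

class PolicyDecisionPoint:
    """PDP: evaluates the applicable policies with deny-overrides combining."""
    def __init__(self, prp: PolicyRetrievalPoint, pip: PolicyInformationPoint) -> None:
        self.prp, self.pip = prp, pip
    def decide(self, request: Request) -> str:
        attrs = self.pip.attributes_for(request)
        decision = NOT_APPLICABLE
        for policy in self.prp.applicable(request):
            if policy.condition(request, attrs):
                if policy.effect == DENY:
                    return DENY      # any matching deny wins outright
                decision = PERMIT
        return decision              # NotApplicable when no policy matched

class PolicyEnforcementPoint:
    """PEP: fronts the resource and performs the action only on Permit (fails closed)."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit: List[Tuple[str, str, str, str]] = []
    def access(self, request: Request, perform: Callable[[], str]) -> Tuple[str, Optional[str]]:
        decision = self.pdp.decide(request)
        self.audit.append((request.subject.get("id", "?"), request.action,
                           request.resource.get("id", "?"), decision))
        # NotApplicable is treated like Deny: an unconfigured resource is not exposed
        return decision, (perform() if decision == PERMIT else None)

def build_demo() -> Tuple[PolicyAdministrationPoint, PolicyEnforcementPoint]:
    """Constructed deployment: two policies over 'asset' resources, two known users."""
    pap = PolicyAdministrationPoint()
    pap.publish(Policy("finance-access", "asset", PERMIT,
                       lambda req, attrs: attrs.get("department") == "finance"))
    pap.publish(Policy("no-export-restricted", "asset", DENY,
                       lambda req, attrs: req.action == "export"
                       and req.resource.get("classification") == "restricted"))
    pip = PolicyInformationPoint({"alice": {"department": "finance"},
                                  "bob": {"department": "marketing"}})
    return pap, PolicyEnforcementPoint(PolicyDecisionPoint(PolicyRetrievalPoint(pap), pip))

def run_demo() -> Dict[str, str]:
    """Drive four requests through the PEP and return the decision made for each."""
    pap, pep = build_demo()
    ledger = {"id": "ledger-2024", "type": "asset", "classification": "restricted"}
    results = {}
    for label, who, action in [("alice-read", "alice", "read"),
                               ("alice-export", "alice", "export"),
                               ("bob-read", "bob", "read")]:
        results[label] = pep.access(Request({"id": who}, action, ledger), lambda: "payload")[0]
    pap.retire("finance-access")   # the PRP sees the PAP change on the next decision
    results["alice-read-after-retire"] = pep.access(
        Request({"id": "alice"}, "read", ledger), lambda: "payload")[0]
    return results

if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(label, decision)
```

Running `run_demo()` yields Permit for alice reading the ledger, Deny for alice exporting it (the finance permit matches too, but deny-overrides makes the export restriction win), NotApplicable for bob, and NotApplicable for alice once the PAP retires the finance policy. The last case is the practical reason the PRP reads from the PAP's store on every decision rather than caching: a retired or tightened policy takes effect on the next request, which is what "enforces the resulting decision in real time" requires. The PEP's audit list records the decision for every request, including refusals, which is what an incident responder needs when reconstructing who was refused what.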

Open Metadata Types

The open metadata types are implemented as classifications. The classifications can be applied to Referenceables so that they can be used to classify solution components during solution design and software capabilities for the running implementation.

UML

Using the Policy Management Capabilities open metadata types

The Digital Architecture OMAS and IT Infrastructure OMAS provide mechanisms to set up the Policy Management Capabilities classifications on metadata elements.

Implementation of Policy Management Capabilities in Egeria

Not only does Egeria support the use of the Policy Management Capabilities in your architectures and metadata, it also uses the same concepts in the design of Egeria itself.

In Egeria, the Policy Administration Point is Governance Program OMAS. Services such as Security Manager OMAS act as Policy Retrieval Points, pushing policy information to external Policy Enforcement Points such as Apache Ranger.

Egeria's metadata access points and metadata access store can act as Policy Information Points.

Egeria's Metadata Security module is a Policy Enforcement Point, calling the metadata security connectors as Policy Decision Points.

The Engine Services running in the Engine Host OMAG Server can act as Policy Enforcement Points.

