
Policy Enforcement Point (PEP)

Description

The PEP, Policy Enforcement Point, is the component of policy-based management that enforces the policies. It acts as the gatekeeper for access to a digital resource. The PEP delegates to the PDP, Policy Decision Point, the decision of whether or not to authorize the user, based on the description of the user's attributes; the PEP then applies that decision.

XACML PEP configuration

Soffid allows you to configure different policy enforcement points, each of which can use a different policy set.

Main Menu > Administration > Configure Soffid > Security settings > XACML PEP configuration

Screen

(screenshot of the XACML PEP configuration page: image-1627368437018.png)

Custom attributes

Custom attributes for each PEP:

  • Enable XACML Policy Enforcement Point: select the Yes option to enable the PEP.
  • Policy Set Id: identifier of the policy set this PEP will enforce.
  • Policy Set Version: version of that policy set to enforce.
  • Trace requests: select the Yes option to trace the requests evaluated by this PEP.

Policy enforcement points

Web Policy Enforcement Point

The policy will be enforced when the user opens a new Soffid page.

Subjects

  • (none)

Resources

  • (none)

Actions

  • Get
  • Put
  • queryPassword
  • queryPasswordBypassPolicy: it is used when
  • setPassword

Environments

  • (none)

Role centric Policy Enforcement Point

The policy will be enforced when the user logs in to Soffid. It computes the user's authorizations from the permissions assigned to that user.

Subjects

  • (none)

Resources

  • (none)

Actions

  • Get
  • Put

Environments

  • (none)

Dynamic role Policy Enforcement Point

The policy will be enforced when the user performs an action, to evaluate whether or not the user is authorized to perform it.

You can use this PEP to split permissions: for instance, one support group can update the permissions of a specific group of users, while another support group can update the permissions of a different group of users.

Subjects

  • IP Address

Resources

  • soffid object
  • method

Actions

  • Get
  • Put

Environments

  • Current Time
  • Current Date
  • Current DateTime

External Policy Enforcement Point ( https://iam-sync-lab.soffidnetlab:1760//XACML/pep )

General-purpose PEP. Clients call this web service to validate their own requests against the policy set.

Subjects

  • token

Resources

  • method
  • resource: soffid object

Actions

  • Get (GET)
  • Put (POST)

Environments

  • (none)

Password vault Policy Enforcement Point ( https://iam-sync-lab.soffidnetlab:1760//XACML/vault )

The policy will be enforced when the password vault is used.

Subjects

  • (none)

Resources

  • Access level
  • Account
  • System
  • Login
  • Vault Folder
  • Server URL

Actions

  • method: Get (GET)
  • method: Put (POST)

Environments

  • Current Time
  • Current Date
  • Current DateTime
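The following is an added example, not Soffid's code and not Soffid's request format. It shows in miniature what the PEPs on this page do: the PEP collects Subjects, Resources, Actions and Environments attributes into a request context, asks a PDP to evaluate the configured policy set (identified by Policy Set Id and Policy Set Version, with optional request tracing), and fails closed, granting access only on an explicit Permit. The policy set encodes the Dynamic role PEP scenario above (one support group updates the permissions of one group of users, another support group those of a different group, with a subject IP Address check) and a Password vault style rule that limits access to a Vault Folder by the Current Time environment. All attribute names (subject:group, subject:ip-address, resource:user-group, resource:vault-folder, action:method, environment:current-time), the deny-overrides combining algorithm and the behaviour of a disabled PEP are assumptions of this example.

```python
"""Minimal XACML-style PEP/PDP pair. Added example, not Soffid's code.
Attribute names (subject:group, subject:ip-address, resource:user-group,
resource:vault-folder, action:method, environment:current-time) are assumptions
chosen to mirror the Subjects/Resources/Actions/Environments columns on this page."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Dict[str, Set[str]]                   # attribute -> acceptable values
    condition: Optional[Callable[[dict], bool]] = None

    def evaluate(self, request: dict) -> str:
        # A rule applies only when every targeted attribute matches
        for attr, allowed in self.target.items():
            if request.get(attr) not in allowed:
                return NOT_APPLICABLE
        if self.condition is not None and not self.condition(request):
            return NOT_APPLICABLE
        return self.effect

@dataclass
class PolicySet:
    policy_set_id: str
    version: str
    rules: List[Rule]

    def decide(self, request: dict) -> str:
        # deny-overrides combining (assumed): one applicable Deny beats any Permit
        outcomes = {rule.evaluate(request) for rule in self.rules}
        if DENY in outcomes:
            return DENY
        if PERMIT in outcomes:
            return PERMIT
        return NOT_APPLICABLE

class PolicyDecisionPoint:
    def __init__(self, policy_sets: List[PolicySet]):
        self._sets = {(p.policy_set_id, p.version): p for p in policy_sets}

    def decide(self, policy_set_id: str, version: str, request: dict) -> str:
        policy_set = self._sets.get((policy_set_id, version))
        if policy_set is None:
            return INDETERMINATE         # unknown id/version: no decision possible
        return policy_set.decide(request)

class PolicyEnforcementPoint:
    """Carries the per-PEP settings from this page: enabled, policy set id, version, trace."""

    def __init__(self, pdp, policy_set_id, version, enabled=True, trace=False):
        self.pdp, self.policy_set_id, self.version = pdp, policy_set_id, version
        self.enabled, self.trace, self.trace_log = enabled, trace, []

    def enforce(self, subject: dict, resource: dict, action: dict, environment: dict) -> bool:
        if not self.enabled:
            return True                  # assumption: a disabled PEP intercepts nothing
        # Build the request context from the four XACML attribute categories
        request = {f"{category}:{name}": value
                   for category, attrs in (("subject", subject), ("resource", resource),
                                           ("action", action), ("environment", environment))
                   for name, value in attrs.items()}
        try:
            decision = self.pdp.decide(self.policy_set_id, self.version, request)
        except Exception:                # e.g. malformed attribute value -> Indeterminate
            decision = INDETERMINATE
        if self.trace:
            self.trace_log.append((request, decision))
        return decision == PERMIT        # fail closed: Deny/NotApplicable/Indeterminate refuse

def business_hours(request: dict) -> bool:
    """Environment condition: 'HH:MM' current-time must fall within 08:00-18:00."""
    now = request.get("environment:current-time")
    return now is not None and time(8, 0) <= time.fromisoformat(now) <= time(18, 0)

# Constructed policy set for the scenario in the text: support-A may update the
# permissions of sales users and support-B those of engineering users; vault folder
# reads are limited to business hours; a quarantined subnet is always denied.
SUPPORT_POLICY = PolicySet("support-split", "1.0", [
    Rule("support-a-sales", PERMIT, {"subject:group": {"support-A"}, "action:method": {"Put"},
                                      "resource:object": {"user-permissions"}, "resource:user-group": {"sales"}}),
    Rule("support-b-engineering", PERMIT, {"subject:group": {"support-B"}, "action:method": {"Put"},
                                            "resource:object": {"user-permissions"}, "resource:user-group": {"engineering"}}),
    Rule("vault-read-business-hours", PERMIT, {"resource:vault-folder": {"production"}, "action:method": {"Get"}},
         condition=business_hours),
    Rule("deny-quarantine-subnet", DENY, {},
         condition=lambda r: str(r.get("subject:ip-address", "")).startswith("10.0.99.")),
])

def build_demo_pep(trace: bool = True) -> PolicyEnforcementPoint:
    return PolicyEnforcementPoint(PolicyDecisionPoint([SUPPORT_POLICY]), "support-split", "1.0", trace=trace)
```

Calling build_demo_pep().enforce({"group": "support-A", "ip-address": "192.0.2.10"}, {"object": "user-permissions", "user-group": "sales"}, {"method": "Put"}, {}) returns True, while the same call for user-group "engineering" is NotApplicable and therefore refused. The design choice worth noting is that the PEP never grants on NotApplicable or Indeterminate: a request that references a Policy Set Id or Policy Set Version the PDP does not know, or that carries an attribute the policy cannot parse, is refused rather than waved through, and the trace log records the request and decision so that such refusals can be diagnosed.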