Policy Decision Point (PDP)
A Policy Decision Point is the runtime engine that evaluates access requests against policies and returns allow or deny decisions.
What is a Policy Decision Point?
A Policy Decision Point (PDP) is the component in an authorization architecture that answers the question: "Is this principal allowed to perform this action on this resource?"
The PDP receives an authorization query containing:
- Principal – Who is requesting access (user, service, API key)
- Action – What operation they want to perform (read, write, delete)
- Resource – What they want to access (document, API endpoint, data)
- Context – Additional information (time, location, device)
The PDP evaluates this query against loaded policies and returns a decision: ALLOW or DENY.
Popular Policy Decision Points
Open Policy Agent (OPA)
A CNCF-graduated project that uses the Rego policy language. Widely used for Kubernetes admission control, API authorization, and infrastructure policies.
Amazon Verified Permissions (AVP)
An AWS managed service that uses the Cedar policy language. Designed for fine-grained authorization in applications with deep AWS integration.
PDP in the Authorization Architecture
The PDP works alongside other components:
- PDP – Evaluates policies at runtime
- PEP – Enforces decisions in apps
Policies are created in the Policy Administration Point (PAP), loaded into the PDP, and enforced by Policy Enforcement Points (PEPs) in your applications.
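The query shape described above (principal, action, resource, context) and the PAP/PDP/PEP split, as an added example that is not Big ACL's, OPA's or AVP's code: a minimal in-process PDP with deny-overrides combining and default deny, a constructed policy set standing in for what a PAP would load, and a PEP helper that consults it. All names here are hypothetical.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable

# Hypothetical minimal PDP; field names mirror the authorization query above.
@dataclass(frozen=True)
class Request:
    principal: str          # who is asking, e.g. "user:alice"
    action: str             # what they want to do, e.g. "read"
    resource: str           # what they want it on, e.g. "doc:42"
    context: dict = field(default_factory=dict)  # hour, device, ...

@dataclass(frozen=True)
class Policy:
    effect: str             # "permit" or "forbid"
    principal: str = "*"    # glob patterns; "*" matches anything
    action: str = "*"
    resource: str = "*"
    condition: Callable[[dict], bool] = lambda ctx: True  # evaluated on context

    def applies(self, req: Request) -> bool:
        return (fnmatch(req.principal, self.principal)
                and fnmatch(req.action, self.action)
                and fnmatch(req.resource, self.resource)
                and self.condition(req.context))

def decide(policies: list[Policy], req: Request) -> str:
    """Deny-overrides with default deny: any matching forbid wins, a matching
    permit is required for ALLOW, and a query no policy covers is DENY."""
    applicable = [p for p in policies if p.applies(req)]
    if any(p.effect == "forbid" for p in applicable):
        return "DENY"
    if any(p.effect == "permit" for p in applicable):
        return "ALLOW"
    return "DENY"

# Constructed sample policy set: what a PAP would author and load into the PDP.
POLICIES = [
    Policy("permit", principal="user:*", action="read", resource="doc:*",
           condition=lambda ctx: 9 <= ctx.get("hour", -1) < 18),   # business hours
    Policy("permit", principal="user:admin", action="delete", resource="doc:*"),
    Policy("forbid", action="delete",
           condition=lambda ctx: ctx.get("device") != "managed"),  # overrides permit
]

# PEP side: the application asks the PDP before performing the operation.
def pep_allows(req: Request) -> bool:
    return decide(POLICIES, req) == "ALLOW"
```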
How Big ACL Works with PDPs
Big ACL acts as a Policy Administration Point that generates policies for multiple PDPs:
- Write policies once in natural language
- Automatically translate to Cedar for Amazon Verified Permissions
- Export to Rego for Open Policy Agent
- Deploy consistently across all your PDPs