Decide here, enforce there
Mature access control separates two responsibilities. The policy decision point evaluates a request against the rules and returns permit or deny. The policy enforcement point sits in front of the resource and acts on that verdict.
Keeping the decision logic in one place means every service enforces the same rules without reimplementing them.
The request to decision flow
The enforcement point intercepts a call, builds a request describing the subject, action, resource, and context, and sends it to the decision point. The decision point consults policy and any needed attributes, then returns a verdict the enforcement point obeys.
Why separate them
- Consistency. One decision engine, many enforcement points.
- Auditability. Every decision passes through a single place where it can be logged and reviewed.
- Evolvability. Policy changes without touching every service.
Performance concerns
A remote decision per request adds latency, so teams often cache verdicts for identical requests or distribute the policy to a local sidecar evaluator that decides in-process.
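The request-to-decision flow and the per-request cache described above, as an added example that is not from the original page. The policy set, the attribute names (subject, role, action, resource, resource_type, network) and the two classes are constructed for this illustration; the enforcement point fails closed when the decision point cannot answer, and caches only verdicts that were actually returned.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy set for this example: a rule permits one (role, action,
# resource type) combination, optionally only from a given network context.
POLICY: List[Dict[str, str]] = [
    {"role": "analyst", "action": "read", "resource_type": "report"},
    {"role": "admin", "action": "write", "resource_type": "report", "network": "internal"},
]

@dataclass(frozen=True)
class AccessRequest:
    """What the enforcement point sends: subject, action, resource and context."""
    subject: str
    role: str
    action: str
    resource: str
    resource_type: str
    network: str  # context attribute: where the call came from

class PolicyDecisionPoint:
    """The single place that holds and evaluates the rules."""
    def __init__(self, policy: List[Dict[str, str]]):
        self.policy = policy

    def decide(self, req: AccessRequest) -> str:
        for rule in self.policy:
            # A rule matches when every attribute it names equals the request's value.
            if all(getattr(req, key) == value for key, value in rule.items()):
                return "permit"
        return "deny"  # nothing matched: default deny

class PolicyEnforcementPoint:
    """Sits in front of one resource, builds the request and obeys the verdict."""
    def __init__(self, name: str, pdp: PolicyDecisionPoint):
        self.name, self.pdp = name, pdp
        self.cache: Dict[AccessRequest, str] = {}  # identical request -> verdict
        self.pdp_calls = 0  # counts round trips to the decision point

    def authorize(self, **attrs: str) -> bool:
        req = AccessRequest(**attrs)
        verdict = self.cache.get(req)
        if verdict is None:
            self.pdp_calls += 1
            try:
                verdict = self.pdp.decide(req)
                self.cache[req] = verdict  # cache only verdicts that actually returned
            except Exception:
                verdict = "deny"  # decision point unreachable: fail closed, do not cache
        return verdict == "permit"
```

Because the cache is keyed on the full request, a cached verdict survives a policy change until it is evicted, so a real deployment flushes or expires the cache when the policy set is updated.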
Key idea
The policy decision point evaluates rules and the policy enforcement point obeys the verdict, centralizing decisions while keeping enforcement at each resource.