High-Level Architecture
The architecture of the customer-hosted deployment is similar to that of the Platform fully hosted by PlainID and includes the following components:
- Policy Administration Point (PAP) with all its services.
  - The PAP component uses a Postgres DB as its main storage.
- Policy Authorization Agent (PAA) with the runtime authorization decision engine (PDP).
  - Policy Decision Point (PDP)
    - The PDP uses Redis as storage.
In the Hybrid Agent deployment, you will need to make your Postgres and Redis managed services available to the PlainID Platform.
Architecture Diagram
The following high-level diagram shows the PAP services and the PAA services, and how the components relate.

The Policy Administration Point (PAP) is a component that is responsible for access policy management. In the PAP, you can build policies, manage and investigate policy lifecycles, and simulate policies.
The Policy Authorization Agent (PAA) is a hybrid component that is installed in the customer's data center.
The PAA consists of the following services:
- Hybrid Agent
- Policy Decision Point
- Policy Information Point
- IDP Web-Hook (Optional)
- Secret-Manager
The PAA should be installed close to where policy access decisions are required, and should have access to relevant data sources as needed.
The Policy Decision Point (PDP) is a component that "calculates" and provides authorization decisions based on the identity requesting access. The decisions are enforced through the Policy Enforcement Point (PEP).