Managing Policy Authorization Agents (PAA)
    24 Mar 2024


    Supported Architectures

    The PAA can be deployed in a customer-hosted environment using either of the following deployment options:

    • Kubernetes-based deployment (standard Helm Chart)
    • Standalone (Binary/Service)

    End-to-End Workflow

    An end-to-end workflow for configuring a Policy Authorization Agent to manage communication and authorization decisions locally includes:

    • Creating a PAA
    • Downloading the PAA bundle
    • Installing and configuring the PAA
    • Defining a Data Source
    • Defining a View for the Data Source
    • Assigning the PAA to an Environment and/or Scopes
    • Creating a new Asset Type
    • Associating the Asset Type Attributes

    Viewing Policy Authorization Agent Details

    At any time, you can view details of a PAA by clicking on the PAA Card in the Policy Authorization Agents screen (Tenant Settings > Policy Authorization Agents). 

    The Policy Authorization Agent Details side panel opens, displaying the following information:

    • Name of the Policy Agent (which is editable, enabling you to change it, if needed)
    • Agent ID number

    Click Copy to copy the Agent ID number.

    Click Save if you changed the PAA name.

    Policy Authorization Agent Cards

    Multiple PAAs can be created within a Tenant. Each PAA is listed in the Tenant Settings > Policy Authorization Tab > Policy Authorization Agent List.

    The first PAA card that appears on the Policy Authorization Agent tab is the built-in PAA that contains a PDP component (Cloud-based Authorization Platform with all components hosted in the Cloud). Additional PAAs appear in alphabetical order, each containing the following information:

    • Name of the PAA
    • PIP icon, shown only when the PAA is connected to one or more PIPs. If no PIP is connected to the PAA, the icon is not displayed.
    • PDP icon, shown when a PDP has been connected to the PAA.
    • Download button, which downloads an installation bundle for the PAA. Bundle options are Helm and Standalone.

    Information about Asset Types

    The PDP supports both Virtual and Internal Assets. The PAA supports Virtual Assets and External Assets.

    If you have a specific use-case that would require the use of different Assets across the PAA and PDP, PlainID encourages you to reach out to our Global Services team to assist in tailoring a solution.

    Managing Policy Authorization Agents

    You can manage local PAAs via the Authorization Platform UI. This includes adding, editing, and deleting PAAs at the Tenant level. To configure a PAA, you need the following information from the Tenant Settings screen:

    • Tenant ID
    • Authentication key
    • Agent ID

    To find these values, open the Hybrid Agent Key settings tab and copy them. They are used to configure and set up communication between the PAA (Hybrid Operator) and the Authorization Platform (Hybrid Commander). When you select the Policy Authorization Agents tab, all currently defined PAAs are displayed. Each PAA card represents a PAA Group. A PAA Group can contain a single PAA or multiple PAAs located in the same or different regions (see Multi-Region PAA Groups).

    Each PAA Card displays the following information:

    • PAA name
    • Icon indicators for components contained in the PAA, for example, PDP and/or PIP
    • Three vertical black dots enabling you to delete the PAA
    • Download button to download different formats for the installation of the PAA bundle files (for example Helm)

    When you click a PAA card, the Policy Authorization Agent Details panel for that PAA is displayed, showing the currently defined name of the PAA and the Agent ID. Click Copy to copy the Agent ID to the clipboard. This value is also needed to define the connection between the Hybrid Operator and the Hybrid Commander.

    Once you have created the PAA and downloaded and installed the configuration files, you can configure a Policy Information Point for the PAA. For more information, see Data Sources.

    Adding a New PAA

    To add a PAA:

    1. On the Tenant Settings screen, select the Policy Authorization Agents tab. The Policy Authorization Agents screen is displayed.
    2. Click Add. The Policy Authorization Agent Details screen is displayed.
    3. Enter a Name for the new Agent.
    4. Select an existing Multi-Region group or create a new one. For more information, see Multi-Region PAA Groups.
    5. In the Incoming JWT Validation Settings field, enter the relevant JWKS URLs. These define the settings used to validate incoming JWTs.
    6. Click Save. The new PAA is created and added to the list of currently defined PAAs on the Policy Authorization Agents tab of the Tenant Settings screen.
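
    The JWKS URLs entered in step 5 tell the validator where the public signing keys for incoming JWTs are published; the same check applies whether the JWKS URL is configured on the PAA or in a Scope's JWT Settings. The Go program below is an added illustration of what that validation involves and is not PlainID's PAA code: a JWKS document is parsed, the key named by the token's kid header is selected, the algorithm is pinned to ES256, the signature is verified under that key, and the issuer, audience and expiry claims are checked. The key pair, the key ID example-key-1, the issuer https://idp.example.invalid, the audience paa and the subject alice are constructed for the example; the JWKS is built in memory instead of being fetched from a URL, and the function names (BuildSample, keyForKid, ValidateJWT) are the example's own, not the platform's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWKS mirrors the document served at a JWKS URL (RFC 7517): a "keys" array of JWK objects, each
// carried here as a string map such as {"kty":"EC","crv":"P-256","kid":"...","x":"...","y":"..."}.
type JWKS struct {
	Keys []map[string]string `json:"keys"`
}

// Claims is the subset of registered JWT claims checked here.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// pad32 gives the fixed 32-byte big-endian form used for JWK coordinates and ES256 signature halves.
func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// BuildSample constructs a throwaway P-256 key pair, the JWKS document publishing its public half, and
// an ES256-signed token. Key ID, issuer, audience and subject are values constructed for this example.
func BuildSample(now time.Time) (jwksDoc []byte, token string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, "", err }
	jwksDoc, _ = json.Marshal(JWKS{Keys: []map[string]string{{"kty": "EC", "crv": "P-256", "kid": "example-key-1",
		"x": b64.EncodeToString(pad32(priv.PublicKey.X)), "y": b64.EncodeToString(pad32(priv.PublicKey.Y))}}})
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": "example-key-1"})
	body, _ := json.Marshal(Claims{Iss: "https://idp.example.invalid", Aud: "paa", Sub: "alice", Exp: now.Add(time.Hour).Unix()})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return nil, "", err }
	return jwksDoc, signingInput + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), nil // JWS wants raw R||S
}

// keyForKid selects the P-256 entry the token's kid names and decodes it into a usable public key.
func keyForKid(jwks JWKS, kid string) (*ecdsa.PublicKey, error) {
	for _, k := range jwks.Keys {
		if k["kid"] != kid || k["kty"] != "EC" || k["crv"] != "P-256" { continue }
		x, errX := b64.DecodeString(k["x"])
		y, errY := b64.DecodeString(k["y"])
		if errX != nil || errY != nil { return nil, fmt.Errorf("malformed coordinates for kid %q", kid) }
		return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
	}
	return nil, fmt.Errorf("no P-256 key with kid %q in JWKS", kid)
}

// ValidateJWT is the check a JWKS-configured validator performs on an incoming token: the header must
// name the pinned algorithm and a kid present in the JWKS, the signature must verify under that key,
// and iss, aud and exp must match what the deployment expects. jwksDoc stands in for the body that
// would be fetched from the configured JWKS URL.
func ValidateJWT(token string, jwksDoc []byte, wantIss, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	var hdr struct{ Alg, Kid string }
	var jwks JWKS
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return c, fmt.Errorf("malformed token") }
	hb, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errS != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(jwksDoc, &jwks) != nil {
		return c, fmt.Errorf("malformed header, signature or JWKS")
	}
	// Never let the token pick the algorithm ("none", or HS256 keyed with the public key): pin it.
	if hdr.Alg != "ES256" { return c, fmt.Errorf("unexpected alg %q", hdr.Alg) }
	pub, err := keyForKid(jwks, hdr.Kid)
	if err != nil { return c, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, fmt.Errorf("signature invalid") // the claims stay untrusted until this passes
	}
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return c, fmt.Errorf("malformed payload")
	}
	switch {
	case c.Iss != wantIss:
		return c, fmt.Errorf("issuer %q is not trusted", c.Iss)
	case c.Aud != wantAud:
		return c, fmt.Errorf("audience %q does not match", c.Aud)
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return c, fmt.Errorf("token expired or missing exp")
	}
	return c, nil
}

func main() {
	now := time.Now()
	jwksDoc, token, _ := BuildSample(now)
	_, err := ValidateJWT(token, jwksDoc, "https://idp.example.invalid", "paa", now)
	fmt.Println("fresh token:", err)
	_, err = ValidateJWT(token, jwksDoc, "https://idp.example.invalid", "paa", now.Add(2*time.Hour))
	fmt.Println("two hours later:", err)
}
```

    The order of the checks is the point: the algorithm is fixed by the validator rather than read from the token, the key is chosen by kid from the trusted JWKS rather than from anything embedded in the token, and the claims are only parsed after the signature has been verified. A production validator would additionally cache the fetched JWKS and refresh it on an unknown kid, which the in-memory document here does not model.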


    Backwards Compatibility

    As of PlainID's January 2024 release (5.2402), Scope Management allows users to set two new properties affecting how Authorization Requests are authenticated and how the PDP evaluates Identities.

    Existing Scopes operate in backward-compatibility mode with no change in behavior. To preserve this compatibility, the new properties are not set by default, and existing Scopes are marked as incomplete. Users are advised to update to the latest Policy Authorization Agent (PAA) and configure each Scope by selecting an Identity Matching Type and a Scope Auth Method that fit their use case. Once saved, the Scope functions according to the new settings.

    Also in this release, the JWKS URL settings for JWT validation are managed in the Scopes section within Environment Settings. After updating the PAA and Scope definitions, users are advised to move the JWKS settings from the PAA to the new JWT Settings side panel in the Scopes and Identity Templates sections.

    Note that the JWKS Settings option in the PAA will soon be deprecated.

    For details on Identity Matchers and Scope Authentication, refer to Managing Identity Matchers and Managing Scope Authentication.


    Installing a PAA

    Download bundles are available on the Policy Authorization Agent screen in Tenant Settings > Policy Authorization Agents. For assistance in installing and configuring a PAA, contact the PlainID Technical Support Team.

    Changing the Name of a PAA

    You can change the name of the PAA as it appears on the Policy Authorization Agents tab.

    To change the name of a PAA:

    1. Open the Tenant Settings screen and click on the PAA you wish to rename. The Policy Authorization Agent Details screen is displayed.
    2. In the Name field, enter the new name.
    3. Click Save.

    Deleting a PAA

    You can delete a PAA within a Multi-Region Group that is no longer needed.

    To delete a PAA:

    1. Open the Tenant Settings screen and locate the PAA you wish to delete. 
    2. In the upper right area of the PAA card, click the three vertical black dots and select Delete PAA.
    3. A confirmation message appears, asking you to confirm that you want to delete the PAA. Click Delete. The PAA is deleted permanently.

    Deleting a PAA that is currently associated with Assets and Environments is not permitted. If you attempt to delete the last PAA in its group while it is still used by Asset Types and/or Identity Sources, an error message is displayed listing the specific locations where the PAA is in use. Delete the Identity Attribute sources and Asset Types listed in the error message before trying to delete the PAA again.

    Multi-Region PAA Groups

    When operating with a single, hosted Policy Authorization Agent within the Authorization Platform, the Cloud Policy Authorization PAA will be used by default.

    Because many organizations operate in multiple regions across different networks, it is common for them to create local repositories (databases, user directories, etc.) both to improve performance and for security reasons. The Authorization Platform's Multi-Region Group functionality enables organizations to work across multiple regions and networks. In the Authorization Platform, a single set of Data Models and Views is created for a new PAA. Multiple Policy Authorization Agents (PAAs) located in various regions can share the same Data Source, Data Model, Data Model properties, Views and Asset Attribute associations within a PAA Group. In this scenario, the only difference between the PAA Group members is the connection string (which includes the credentials, IP/Server name, ports, etc.).

    The process for creating and working in a multi-region configuration includes the following:

    • Create a new PAA, for example, EuropeGB1. This automatically creates a new Multi-Region Group with the same name.  

    • Create additional PAAs. Each time you create a new PAA for this Multi-Region Group, click the down-arrow in the Multi-Region field and select the name of the PAA Group.

    If you are not using PAAs in a multi-region configuration, leave the Multi-Region field blank each time you create a new PAA. Each time you create a new PAA, you can select the region in which to include it. To create a new Multi-Region Group, leave the Multi-Region field empty; a new group is created automatically and is available for future PAAs to join.

    To learn more about installing and deploying PAAs, refer to the PAA installation and deployment documentation.

