Policy Authorization Agent (PAA)
    • 10 Sep 2024

    Overview

    Once you create a PAA (see Managing Policy Authorization Agents), the PAA is listed on the Policy Authorization Agent screen. Each PAA is represented by a Policy Authorization Agent Card.

    When an organization is maintaining multiple Environments (for example, Staging and Production), it is recommended that a PAA be configured for each Environment, each with its own connection strings.

    In this scenario, the decision-making workflow can involve, for example:

    • An Application requesting an authorization decision from the local PDP.

    • If Identity information is required, the PDP contacts the local PIP to retrieve Identity data from the local data sources.

    • The PIP data is returned to the PDP, which sends the decision back to the Application.

    All communication is managed locally, increasing performance and security, protecting sensitive information, and decreasing latency.

    Supported Architectures

    The PAA can work in a customer-hosted environment through the use of the following tools:

    • Kubernetes-based deployment (standard Helm Chart)
    • Standalone (Binary/Service)

    End-to-End Workflow

    An end-to-end workflow of configuring a Policy Authorization Agent to manage communication and authorization decisions locally would include:

    • Creating a PAA
    • Downloading the PAA bundle
    • Installing and configuring the PAA
    • Defining a Data Source
    • Defining a View for the Data Source
    • Assigning the PAA to an Environment and/or Scopes
    • Creating a new Asset Type
    • Associating the Asset Type Attributes

    To learn more about installing and deploying PAAs, click here.

