Policy Decision Points

A Policy Decision Point (PDP) is a centralized component that evaluates access control policies and makes authorization decisions. According to StrongDM, the PDP "receives requests for access to resources, evaluates them against policies, and returns a decision (permit or deny)."

How the PDP works in ContractSpec

In ContractSpec, the PDP is invoked on every operation—whether it's rendering a UI component, executing a capability, or querying a data view. The flow is:

  1. Request evaluation – The runtime sends a request to the PDP containing:
    • The user's identity and attributes (roles, groups, location, etc.)
    • The resource being accessed (capability, field, workflow step)
    • The action being performed (read, write, execute)
    • Contextual information (time of day, device type, IP address)
  2. Policy evaluation – The PDP evaluates the request against all applicable PolicySpecs. These specs define rules using attribute-based access control (ABAC) and can reference:
    • User attributes (e.g., "role == 'admin'")
    • Resource attributes (e.g., "field.sensitivity == 'PII'")
    • Environmental attributes (e.g., "time.hour >= 9 AND time.hour < 17")
  3. Decision return – The PDP returns one of:
    • PERMIT – The operation is allowed.
    • DENY – The operation is blocked.
    • REDACT – The operation is allowed, but sensitive fields are masked.
  4. Enforcement – The runtime enforces the decision. If denied, the operation fails with a clear error message. If redacted, sensitive fields are replaced with placeholders.
  5. Auditing – Every PDP decision is logged to the audit log, including the request, decision, and reasoning.

Example PolicySpec

Here's a simple policy that restricts access to PII fields:

policyId: pii-access-control
version: 1.0.0
rules:
  - id: allow-admin-full-access
    effect: PERMIT
    condition: user.role == 'admin'
    
  - id: redact-pii-for-support
    effect: REDACT
    condition: |
      user.role == 'support' AND
      field.sensitivity == 'PII'
    redactFields: ['ssn', 'creditCard', 'dateOfBirth']
    
  - id: deny-pii-for-others
    effect: DENY
    condition: |
      user.role NOT IN ['admin', 'support'] AND
      field.sensitivity == 'PII'

With this policy, admins see all data, support staff see redacted PII, and other users cannot access PII at all.

Benefits of centralized decision-making

  • Consistency – Policies are enforced uniformly across all surfaces (API, UI, workflows).
  • Auditability – Every decision is logged, making it easy to trace why access was granted or denied.
  • Flexibility – Policies can be updated without changing application code.
  • Security – Reduces the risk of authorization bugs by removing ad-hoc checks scattered throughout the codebase.

Performance considerations

Because the PDP is invoked on every operation, performance is critical. ContractSpec optimizes this by:

  • Caching policy decisions for identical requests
  • Compiling policies into efficient bytecode
  • Evaluating only the minimal set of rules needed for each request
  • Running the PDP in-process to avoid network latency

In practice, PDP overhead is typically less than 1ms per request.

Previous: Spec SigningNext: Audit Logs