§ 04 · The three components
Three components, one decision

Every action runs the same checkpoint.

A trader clicking Execute Trade triggers the same flow as a President viewing the audit registry.
No exceptions.

Subject

User request

Trader clicks "Execute Trade" on the FX dashboard.

PIP · Identity

Policy Information Point

Identity file cabinet. Pulls role, location, device, risk, permissions — the full Golden Record.

PDP · Decision

Policy Decision Point

The rule book. Evaluates 7 policies and returns Allow, Deny, or Allow with Monitoring.

PEP · Enforcement

Policy Enforcement Point

Front-door guard. Intercepts every action and enforces the verdict. Embedded in every page.

PIP — Analogy

The security office that holds everyone's profile.

PDP — Analogy

The rules posted on each door about who can enter.

PEP — Analogy

The badge reader on every door.

The six-step decision flow

  1. Intercept: User clicks an action; the PEP intercepts the call
  2. Enrich: PIP retrieves the Golden Record (full attribute set) for the subject
  3. Match: PDP filters the policy catalog to those targeting the user's role and department
  4. Evaluate: Each rule's condition is checked against subject, request, and resource attributes
  5. Respond: PDP returns one of four decisions: PERMIT, DENY, PERMIT_WITH_LOG, INDETERMINATE
  6. Log: Every decision is written to access_logs with policy_id, reason, and timestamp
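
The six-step flow above in Python, as an added example that is not code from the system this page describes. The subjects, attribute names, policy contents, the deny-overrides combining rule and the fail-closed handling of INDETERMINATE are assumptions; only the four decision names and the access_logs fields (policy_id, reason, timestamp) come from the page.

```python
import datetime

# Constructed sample data: subjects, attributes and policies are hypothetical.
GOLDEN_RECORDS = {
    "trader1": {"role": "trader", "department": "fx", "device_trusted": True, "risk": "low"},
    "trader2": {"role": "trader", "department": "fx", "device_trusted": False, "risk": "low"},
}
POLICIES = [
    {"policy_id": "P1", "roles": {"trader"}, "departments": {"fx"}, "effect": "PERMIT_WITH_LOG",
     "condition": lambda s, req, res: req["action"] == "execute_trade" and res["desk"] == s["department"]},
    {"policy_id": "P2", "roles": {"trader"}, "departments": {"fx"}, "effect": "DENY",
     "condition": lambda s, req, res: not s["device_trusted"]},
]
access_logs = []

def pip_lookup(subject_id):                        # step 2: Enrich
    return GOLDEN_RECORDS.get(subject_id)

def pdp_decide(subject, request, resource):        # steps 3-5: Match, Evaluate, Respond
    if subject is None:
        return "INDETERMINATE", None, "no Golden Record for subject"
    matched = [p for p in POLICIES
               if subject["role"] in p["roles"] and subject["department"] in p["departments"]]
    hits = []
    for p in matched:
        try:
            if p["condition"](subject, request, resource):
                hits.append(p)
        except KeyError as missing:                # attribute absent: cannot evaluate
            return "INDETERMINATE", p["policy_id"], f"missing attribute {missing}"
    # Assumed combining rule: deny-overrides, and default deny when nothing applies.
    for effect in ("DENY", "PERMIT_WITH_LOG", "PERMIT"):
        for p in hits:
            if p["effect"] == effect:
                return effect, p["policy_id"], f"matched {p['policy_id']}"
    return "DENY", None, "no applicable policy"

def pep_intercept(subject_id, request, resource):  # steps 1 and 6: Intercept, Log
    decision, policy_id, reason = pdp_decide(pip_lookup(subject_id), request, resource)
    access_logs.append({"subject": subject_id, "decision": decision, "policy_id": policy_id,
                        "reason": reason,
                        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat()})
    # Assumption: the PEP fails closed, so INDETERMINATE is enforced as a refusal.
    return decision in ("PERMIT", "PERMIT_WITH_LOG")
```

The log entry is written before the verdict is returned, so refusals and INDETERMINATE results leave the same audit trail as permits.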