How Does a Policy Decision Point Load a New Policy?
Policy Decision Points (PDPs) are managed through Authorization Domains in the Axiomatics Services Manager (ASM). When a new policy is applied to a Domain, the PDPs in that Domain are notified and call the ASM API to retrieve the new Domain Configuration (including the policy).
When a PDP receives the new configuration, it loads it into memory and validates it. Examples of the validations the PDP performs:
- Check that all functions, data types, and combining algorithms used in the policies are supported by the PDP.
- Verify that policies are well-formed.
- Determine that Policy Information Points required by the configuration are known to the PDP.
Zero Downtime
Although it might take the PDP several ms to load the new configuration into memory, and doing so uses CPU cycles, the existing configuration remains in place and the PDP continues to use it to service requests received while the new configuration is loading. As a result, the PDP incurs no downtime when applying a new configuration. Processing an incoming request and loading the new configuration use the same CPU, so loading might “steal” some CPU cycles that could otherwise be used to process the request faster. However, this has a negligible impact on the overall performance of the system.
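The validate-then-swap pattern described in the validation list and the Zero Downtime paragraph, as an added Python sketch that is not Axiomatics code. The JSON layout, the capability sets and every name in it are hypothetical, and it assumes that a configuration failing validation is rejected while the previous one keeps serving, which the page does not state.

```python
import json

# Hypothetical capabilities of this toy PDP; a real PDP has its own lists.
SUPPORTED_FUNCTIONS = {"string-equal", "and"}
SUPPORTED_ALGORITHMS = {"deny-overrides", "permit-overrides"}
KNOWN_PIPS = {"ldap-users"}

def validate(raw):
    """Parse a configuration and run the listed checks; raise ValueError if unusable."""
    try:
        cfg = json.loads(raw)  # well-formedness (JSONDecodeError is a ValueError)
        for p in cfg["policies"]:
            if p["algorithm"] not in SUPPORTED_ALGORITHMS:
                raise ValueError("unsupported combining algorithm")
            if set(p["functions"]) - SUPPORTED_FUNCTIONS:
                raise ValueError("unsupported function")
            if not isinstance(p["permit_role"], str):
                raise ValueError("policy is not well-formed")
        if set(cfg["pips"]) - KNOWN_PIPS:
            raise ValueError("unknown Policy Information Point")
    except (KeyError, TypeError) as exc:
        raise ValueError(f"malformed configuration: {exc!r}") from exc
    return cfg

class Pdp:
    def __init__(self, raw):
        self._active = validate(raw)

    def evaluate(self, request):
        cfg = self._active  # snapshot, so one request never sees two configurations
        permit = any(p["permit_role"] == request.get("role") for p in cfg["policies"])
        return cfg.get("version"), "Permit" if permit else "Deny"

    def reload(self, raw):
        try:
            candidate = validate(raw)  # built beside the active configuration
        except ValueError:
            return False  # assumption: rejected, old configuration keeps serving
        self._active = candidate  # single reference swap
        return True

def make_config(version, role, pips):
    """Constructed sample configuration in a made-up JSON layout."""
    policy = {"algorithm": "deny-overrides", "functions": ["string-equal"], "permit_role": role}
    return json.dumps({"version": version, "pips": pips, "policies": [policy]})

if __name__ == "__main__":
    pdp = Pdp(make_config(1, "admin", ["ldap-users"]))
    print(pdp.reload(make_config(2, "auditor", ["hr-db"])), pdp.evaluate({"role": "admin"}))
```

Because `evaluate` reads the active configuration once per request, a request that starts before the swap completes is decided entirely under the old configuration.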