@@ -9,6 +9,12 @@ identity of subjects and/or groups to which they belong.
* Relationship-Based Access Control ([ReBAC](./ReBAC.md))
* Attribute-Based Access Control ([ABAC](./ABAC.md))
+Authentication (Authn) is used to determine that users or systems are who they
+claim to be and provide proof in the form of identity principals and attributes.
+
+Authorization (Authz) is used to decide what privileges an actor has within a
+system.
+
## Policy
* [What is a policy?](./POLICY.md)
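Review bot: the new "Authentication (Authn)" paragraph starts directly after the `* Attribute-Based Access Control ([ABAC](./ABAC.md))` bullet with no blank line, so Markdown renderers will treat it as a lazy continuation of that list item rather than a new paragraph; add a blank line between the list and the paragraph. Two smaller points on the same hunk: the sentence "is used to determine that users or systems are who they claim to be and provide proof in the form of identity principals and attributes" leaves it unclear whether it is the user or the authentication step that provides the proof (consider "and yields proof in the form of identity principals and attributes"), and the Authz paragraph speaks of an "actor" while the surrounding text uses "subjects" ("identity of subjects and/or groups"), so pick one term for the document.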
@@ -36,3 +42,26 @@ Ideally, we must be able to model the following relationships:
| `user-to-user` | not required |
Note: `user-to-user` relationships are not in the current access control model.
+
+## Architecture
+
+```plaintext
+ ------------------ ------- -------------
+ | Users/Services |--->| PEP |--->| Resources |
+ ------------------ ------- -------------
+ | A
+ V |
+ ------- ------------ -------
+ | PDP |-->| Policies |<---| PAP |
+ ------- ------------ -------
+ | A A
+ V | |
+ ------- -----------------
+ | PIP | | Administrator |
+ ------- -----------------
+
+PAP: Policy Administration Point
+PDP: Policy Decision Point
+PEP: Policy Enforcement Point
+PIP: Policy Information Point
+```
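Review bot: the Architecture section adds a diagram and a legend but no prose describing the request flow, so a reader still has to infer from the arrows that the PEP intercepts the access request, asks the PDP for a decision, and that the PDP evaluates the Policies using attributes fetched from the PIP; a short paragraph under the diagram stating that flow would make the section self-explanatory. In the diagram itself the `Administrator` box carries two upward arrows (`| A A` / `V | |`), which reads as the administrator writing both to the PAP and directly into the Policies store; if policy changes are only meant to go through the PAP, drop the second arrow, otherwise say so in the text, since it is a security-relevant distinction about who can alter policy. Also note the `PEP`/`PDP` connection is drawn as both `|`/`A` and `V`/`|`, i.e. bidirectional, which is correct for a request/decision exchange but worth labelling (request down, decision up) so it is not confused with the one-directional arrows elsewhere in the figure.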