Skip to main content

Architecture

OpenTDF is built on a flexible, service-oriented architecture designed for robust and fine-grained access control. The platform consists of four core components that work together to protect data throughout its lifecycle. This architecture aligns with the well-established National Institute of Standards and Technology (NIST) model for Attribute-Based Access Control (ABAC), ensuring a standards-based and interoperable approach.

Core Platform Components

The four main services of the OpenTDF platform are the Policy Service, Authorization Service, Entity Resolution Service, and the Key Access Server.

Policy Service

The Policy Service is where all access control policies are defined and managed. It provides the tools and APIs to create a rich set of policies that govern data access. This includes not only attributes and their values, but also the definitions of actions, obligations, and key access mappings.

In the context of the NIST ABAC model, the Policy Service functions as the Policy Administration Point (PAP).

Authorization Service

The Authorization Service is the core decision-making engine of the platform. It is responsible for evaluating the rich policies from the Policy Service against a set of attributes to render an authorization decision.

In the context of the NIST ABAC model, it functions as the Policy Decision Point (PDP).

Entity Resolution Service (ERS)

The Entity Resolution Service is responsible for gathering the attributes about a subject needed for a decision. By default, it can derive attributes from claims in an authentication token. Optionally, it can be configured to connect to external attribute sources (LDAP, SQL) to "hydrate" the entity with more attributes.

In the context of the NIST ABAC model, the ERS functions as the Policy Information Point (PIP).

Key Access Server (KAS)

The Key Access Server (KAS) enforces access control decisions. Its role is more extensive than a typical enforcement point:

  • Cryptographic Enforcement: It enforces decisions by granting or withholding cryptographic keys for TDF decryption.
  • Encryption Enablement: It manages key exchanges and enables various TDF encryption modes.

In the context of the NIST ABAC model, the KAS functions as the Policy Enforcement Point (PEP).

Furthermore, the OpenTDF platform is designed for flexibility. Developers can build and integrate their own custom PEPs. These custom enforcement points can leverage the platform's robust Authorization (PDP) and Policy (PAP) services while implementing enforcement logic tailored to specific applications. These custom PEPs can also optionally interface with the KAS to take advantage of its powerful cryptographic capabilities.