Diagram 06 · Authorization Fabric

ABAC Enforcement

ACDS as the single decision engine. PIPs feed attributes. PAP feeds policies. Every system in the perimeter is its own PEP, calling ACDS at every action.

PIPs · ATTRIBUTE SOURCES
  PIP · SUBJ  Identity Provider: customer-owned IdP · PIV/CAC · subject attrs
  PIP · VDE   Attribute Resolver: virtual directory · federation · resolves subject + environment attrs
  PIP · RES   Data Catalog: resource attrs · sensitivity · dbt lineage · Titus tags

ABAC AUTHORIZATION FABRIC · Second Front · single source of authorization truth
  DECISION ENGINE  ACDS (Access Control Decision Service): evaluates policies against attributes · returns permit / deny / obligations
  PAP              Policy Store: versioned · signed · auditable
  ADMIN            Locksmith: policy authoring · audit policies · administers PEPs
  Flows: PIPs supply subject + environment attrs and resource attrs to ACDS; every PEP sends a decision request to ACDS.

PEPs · ENFORCEMENT POINTS
  PEP · UI              Sponsor 360 UI Gateway: session entry · role-scoped views · first enforcement of the session
  PEP · CROSS-BOUNDARY  MuleSoft Anypoint: every cross-boundary call · obligations applied at the broker
  PEP · CRM             Sales Cloud Shield: sharing rules · field encryption · every record read / write
  PEP · ETL             ETL Pipeline: classification at ingest · Titus tags travel with data
  PEP · AGENT           Lumbra Nebula Tool Registry: every tool call · per-action · agent acts AS the operator
  PEP · WAREHOUSE       Snowflake: row + column policies · every SELECT calls ACDS
  PEP · SEARCH          Elastic Cloud: document-level security · every query calls ACDS
  PEP · KEYS            On-Prem HSM · BYOK: key access · BYOK enforcement · field-level encryption gates

ANATOMY OF A DECISION · sub-second cycle, repeated at every action
  STEP 1 · PEP   Request arrives: PEP receives the action · JWT carries subject attrs · resource ID + intended action
  STEP 2 · PEP   Calls ACDS: payload = subject · resource · action · environment (XACML-style request)
  STEP 3 · ACDS  Resolves attributes: queries PIPs as needed · VDE → IdP for subject · EDC for resource attrs
  STEP 4 · ACDS  Evaluates & decides: PAP supplies policies · policy engine evaluates · returns decision + obligations
  STEP 5 · PEP   Enforces: permit + apply obligations (row filters · column masks) or deny with reason code
  CYCLE          Layered enforcement: UI · MuleSoft · Lumbra · Shield · Snowflake · Elastic · every layer is a PEP
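The five-step cycle above, modelled as an added example that is not Second Front's or ACDS's own code: a toy decision engine with deny-overrides and default deny, two constructed PIPs, a constructed policy store, and a PEP that applies row-filter and column-mask obligations or returns a deny reason code. The ACDS/PIP/PAP/PEP names follow the diagram; all attribute values, policy names, JWT claims and records are constructed.

```python
# PIPs: constructed attribute sources, stand-ins for the IdP / VDE / data catalog in the diagram
SUBJECT_PIP = {"alice": {"clearance": "secret", "role": "analyst", "org": "acme", "region": "us"},
               "bob": {"clearance": "internal", "role": "analyst", "org": "acme", "region": "eu"}}
RESOURCE_PIP = {"crm.opportunities": {"sensitivity": "secret", "owner_org": "acme",
                                      "pii_columns": ["ssn", "email"]}}
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# PAP: constructed policy store; each rule is (name, applies(req), effect, obligations(req))
POLICIES = [
    ("deny-off-hours-write",
     lambda r: r["action"] == "write" and not r["env"]["business_hours"], "deny", lambda r: []),
    ("deny-insufficient-clearance",
     lambda r: CLEARANCE[r["subject"]["clearance"]] < CLEARANCE[r["resource"]["sensitivity"]],
     "deny", lambda r: []),
    ("permit-analyst-read",
     lambda r: r["subject"]["role"] == "analyst" and r["action"] == "read", "permit",
     lambda r: [("row_filter", ("region", r["subject"]["region"])),
                ("mask_columns", r["resource"]["pii_columns"])]),
]

def acds_decide(subject_id, resource_id, action, env):
    """STEP 3 + 4: resolve attributes via PIPs, evaluate PAP policies (deny-overrides, default deny)."""
    subject, resource = SUBJECT_PIP.get(subject_id), RESOURCE_PIP.get(resource_id)
    if subject is None or resource is None:
        return ("deny", "unresolved-attributes", [])   # an attribute ACDS cannot resolve never permits
    req = {"subject": subject, "resource": resource, "action": action, "env": env}
    permit = None
    for name, applies, effect, obligations in POLICIES:
        if not applies(req):
            continue
        if effect == "deny":
            return ("deny", name, [])                   # first applicable deny wins
        permit = permit or ("permit", name, obligations(req))
    return permit or ("deny", "no-applicable-policy", [])

def pep_enforce(jwt_claims, resource_id, action, rows, env):
    """STEP 1, 2 and 5: build the request from the JWT subject, call ACDS, apply obligations or deny."""
    effect, reason, obligations = acds_decide(jwt_claims["sub"], resource_id, action, env)
    if effect == "deny":
        return {"effect": "deny", "reason": reason}
    for kind, arg in obligations:
        if kind == "row_filter":      # keep only rows whose attribute matches the subject's
            rows = [r for r in rows if r.get(arg[0]) == arg[1]]
        elif kind == "mask_columns":  # mask the columns the catalog tagged as PII
            rows = [{k: ("***" if k in arg else v) for k, v in r.items()} for r in rows]
    return {"effect": "permit", "reason": reason, "rows": rows}

# Constructed records the CRM PEP is about to return for a SELECT
ROWS = [{"id": 1, "region": "us", "ssn": "123-45-6789", "amount": 10},
        {"id": 2, "region": "eu", "ssn": "987-65-4321", "amount": 20}]
```

Note that a subject or resource the PIPs cannot resolve, and an action no policy covers, both fall through to deny; only an explicit permit rule with no overriding deny returns obligations.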