Coordination between distributed PDPs

For distributed applications, using a centralised policy decision point (PDP) with a common policy allows coordination between multiple resources that are being accessed. But the central PDP is a bottleneck to performance because every request needs to be diverted to it. Having a set of distributed PDPs co-located with resources can overcome the performance bottleneck, but any form of coordination is then lost. Furthermore, even a centralised PDP sometimes needs to coordinate its access control decision making over time. Therefore, coordination between decision making, for both centralised and distributed PDPs, is needed. This paper addresses issues of coordination between distributed or centralised decision making, by examining when coordination is needed, providing a conceptual model for coordination, defining policy elements that can control coordination, and rules for the refinement of coordination policies The paper provides a detailed example of coordination policy refinement, and provides an outline of how we are implementing the model in our system.