Control plane / Data plane
The SaaS authorization solution is split into two parts: the control plane and the data plane.
- Control plane: includes the relations between all the various entities needed for authorization (user ids, role ids, etc.)
- Data plane: includes the actual data about those entities (e.g. names, emails, attributes, etc.)
While the control plane is mainly kept and managed in the cloud, the data plane can be kept and managed completely within your network/cloud. This way you can enjoy all the managed features of our service without having to share any of your data with the cloud (unless you want to).
Hybrid - Decoupling the data plane
Thanks to Permit.io’s and OPA+OPAL’s unique data decoupling architecture, a hybrid model is supported. In this model, you can fully utilize our SaaS service without exposing your data to it, and without making your security or performance dependent on it.
Our hybrid model decouples the data plane (which remains wholly within your own network) from the control plane (which can remain hosted in our cloud solution). This layout provides the best combination of security, scale, stability, and cost management.
Our cloud enables your deployed services to sync up with all the authorization metadata they need, taking care of all the heavy lifting for you. These services can operate exclusively on metadata (i.e. unique ids) without having to be aware of your actual information. So while you can opt to store information such as user names in the system, doing so is completely optional, which lets you use this SaaS without any privacy or data-exposure concerns.
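The split described above, as an added illustration that is not Permit.io's own code: the control plane holds only opaque ids and the relations between them, the data plane holds the real attributes and stays local, and the authorization decision is computed from the control plane alone. All ids, names, roles and the permission table are constructed for this example.

```python
from typing import Any

# Control plane: relations between opaque identifiers only. This is the
# metadata a local PDP syncs from the cloud; it carries no personal data.
CONTROL_PLANE = {
    "role_assignments": {"u_7f3a": ["editor"], "u_91c0": ["viewer"]},
    "role_permissions": {
        "editor": {"document:read", "document:write"},
        "viewer": {"document:read"},
    },
}

# Data plane: the real attributes, kept entirely inside your own network.
DATA_PLANE = {
    "u_7f3a": {"name": "Alice Example", "email": "alice@example.internal"},
    "u_91c0": {"name": "Bob Example", "email": "bob@example.internal"},
}
DATA_PLANE_FIELDS = {"name", "email"}


def is_allowed(user_id: str, action: str, resource: str) -> bool:
    """Decide using control-plane metadata only: the user is an opaque id."""
    wanted = f"{resource}:{action}"
    roles = CONTROL_PLANE["role_assignments"].get(user_id, [])
    return any(wanted in CONTROL_PLANE["role_permissions"].get(r, set()) for r in roles)


def role_assignment_payload(user_id: str, role: str, include_profile: bool = False) -> dict:
    """Build the record sent to the cloud when assigning a role (hypothetical
    shape). Profile data is opt-in, mirroring the 'unless you want to' clause."""
    payload = {"user": user_id, "role": role}
    if include_profile:
        payload["attributes"] = dict(DATA_PLANE[user_id])
    return payload


def leaks_data_plane(obj: Any) -> bool:
    """Recursively flag any data-plane field in an outbound payload."""
    if isinstance(obj, dict):
        return any(k in DATA_PLANE_FIELDS or leaks_data_plane(v) for k, v in obj.items())
    if isinstance(obj, (list, tuple, set)):
        return any(leaks_data_plane(v) for v in obj)
    return False


def describe(user_id: str, action: str, resource: str) -> str:
    """Hydrate the display name from the local data plane only after deciding."""
    verdict = "allow" if is_allowed(user_id, action, resource) else "deny"
    name = DATA_PLANE.get(user_id, {}).get("name", user_id)
    return f"{name}: {action} on {resource} -> {verdict}"
```

The `leaks_data_plane` check is the kind of guard you would put on anything that leaves the network, so that PII only crosses to the cloud when explicitly opted in.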
Local PDP - Policy Decision Point
The main component which enables the hybrid architecture is the PDP (Policy Decision Point). The Permit.io PDP (which bundles together OPA, OPAL, and an API server) is available publicly from Docker Hub. The PDP essentially becomes your microservice for authorization, and can be deployed as a sidecar, a cluster, or even a single instance (for light workload scenarios). Read more about the Permit.io PDP here.