Control plane / Data plane
The SaaS authorization solution is split into two parts - the control plane and the data plane.
- Control plane: includes the relations between all the various entities needed for authorization (user ids, role ids, etc.)
- Data plane: includes the actual data about those entities (e.g. names, emails, attributes, etc.)
While the control plane is mainly kept and managed in the cloud, the data plane can be kept and managed completely within your network/cloud. This way you can enjoy all the managed features of our service without having to share any of your data with the cloud (unless you want to).
Hybrid - Decoupling the data plane
Thanks to Permit.io’s and OPA+OPAL’s unique data decoupling architecture, a hybrid model is supported. In this model, you can fully utilize our SaaS service without exposing any data, security, or performance factors to it.
Our hybrid model decouples the data plane (which remains wholly within your own network) from the control-plane (which can remain hosted in our cloud-solution). This layout provides the best combination of security, scale, stability, and cost management.
Our cloud enables your deployed services to sync up with all the authorization meta-data they need, taking care of all the heavy lifting for you. These services can fully operate exclusively on meta-data (i.e. unique ids) without having to be aware of your actual information. So while you can opt to store information such as user names in the system, it is completely optional, and allows using this SaaS without any privacy or data-exposure concerns.
Local PDP - Policy Decision Point
A PDP is a network node responsible for answering authorization queries using policies and contextual data. The PDP provided to you by Permit acts as your microservice for authorization and is deployed beside your own services.
This component is the main part of the hybrid architecture, and can be deployed as a side-car, cluster, or just as a single instance (for light workload scenarios). The Permit.io PDP (Which bundles together OPA, OPAL, and an API server) is available publicly from Docker hub.
For more information, check out the PDP Documentation.