AuthZEN PDP – The Control Plane for Decisions

What is OpenID AuthZEN?

OpenID AuthZEN standardizes authorization decisions: discovery, request/response semantics, and interoperability between Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs). It aims to do for authorization what OIDC did for authentication.

Read more: Aserto AuthZEN overview

Fabric architecture: PDP at ARIA Shield

Every API call passes through ARIA Shield (session terminator). ARIA Shield is the PEP, calling our AuthZEN‑compliant PDP for subject/resource/action decisions.
Zero‑token SPA: no access tokens in the browser; policies are enforced server‑side.
CAEP/Shared‑Signals‑style events emitted for audit and analytics.

Migrating from OPA/Cedar

Map inputs to AuthZEN schema; keep policy logic semantically equivalent while gaining standardized discovery and decision responses.
Keep existing OPA/Cedar where appropriate; use PDP bridges for gradual migration.
See also: Open Policy Agent, AWS Cedar

Evidence checklist

AuthZEN discovery document exposed by PDP
ARIA Shield logs show per‑request decision ids with allow/deny and explanations
CAEP events emitted and consumed by analytics
p95 PDP latency dashboard

When to use which

Centralize application authorization decisions via AuthZEN PDP when you want interoperable, explainable, and observable policy at runtime.
Keep governance (reviews, SoD) in IGA; let the Fabric enforce runtime policy.

Deeper technical docs

ARIA Shield gateway (PEP): /docs/services/bff/explanation/bff_gateway
PDP flags and settings: /docs/services/pdp/reference/settings-flags
ARIA Shield reference (routes/settings): /docs/services/bff/reference/routes-reference, /docs/services/bff/reference/settings-reference

What is OpenID AuthZEN?​

Fabric architecture: PDP at ARIA Shield​

Migrating from OPA/Cedar​

Evidence checklist​

When to use which​

Deeper technical docs​