Admin Portal
PAA and PIP settings are available at both the Tenant (Global) and Environment levels.
- Environment-level settings are accessible to designated administrators and viewers.
- Tenant-level (Global) settings are accessible and manageable exclusively by Tenant Administrators.
For more information about Environments, see Environmental PAA and PIP settings.
For Tenant configuration, see Global PAA and PIP Settings.
Policy Authorization Agent (PAA)
A Policy Authorization Agent (PAA) enables authorization decisions to be made locally within your Environment, whether in the Cloud, on premises, or in a hybrid deployment.
Organizations use PAAs to:
- Improve performance.
- Reduce latency.
- Keep sensitive data within their own network.
- Support multiple Environments, such as Staging and Production.
Instead of sending every authorization request to the Cloud, a PAA allows applications to interact with a locally deployed Runtime component.
How a PAA works
A typical authorization flow includes:
- An application sends an authorization request to the local Policy Decision Point (PDP).
- If identity or contextual data is required, the PDP queries the local Policy Information Point (PIP).
- The PIP retrieves data from configured data sources.
- The PDP evaluates the request and returns an authorization decision to the application.
Because communication occurs locally within your Environment, performance improves and sensitive data does not need to traverse external networks.
PAA components
Each PAA may include:
- Policy Decision Point (PDP). Evaluates authorization requests at Runtime.
- Policy Information Point (PIP). Connects to data sources such as databases, REST APIs, or directories.
- Hybrid Agent. Manages synchronization with the Authorization Platform.
- Built-in Redis. Supports local caching and synchronization.
In Production Environments, a managed Redis instance is recommended.
Viewing PAAs
Navigate to:
Tenant Settings > Policy Authorization Agents
Each PAA appears as a card in the list.
- The first card represents the built-in cloud-based PAA, fully hosted in the Cloud.
- Additional PAAs appear in alphabetical order.
Policy Authorization Agent cards
Each PAA card provides a quick overview of Runtime connectivity and health.
A card includes:
- PAA Name
- PIP icon. Visible when one or more PIPs are connected.
- PDP icon. Indicates a connected PDP.
- Download button. Provides installation bundles.
- Health status
- Last update time
Viewing PAA details
Click a PAA card to open the Details side panel, which displays:
- PAA Name. Editable.
- PAA Version
- Agent ID, with copy-to-clipboard option.
- Status of each Agent service.
Click Save after making changes to the PAA Name.
Monitoring PAA health
The Authorization Platform provides built-in visibility into the health and status of deployed PAAs. These indicators allow you to verify that essential services are running correctly and quickly identify issues.
If a PAA is created but not yet deployed:
- Status displays N/A.
- Connection status displays Not Connected.
The health status reflects mandatory services only. Optional services are tracked separately.
Hover over status symbols in the UI for additional details.
Agent service status legend
The following symbols appear in the PAA card and Details panel:
| Symbol | Description |
|---|---|
| 🟢 (Green Play) | Service is running. Latest version is in use. No critical errors detected. |
| 🟠 (Orange Play) | Service is running but not using the latest version. PIP Operator not configured or out of sync. Redis keys out of sync. |
| 🔴 (Red Play) | Service is running but reporting an error. |
| ⛔ (Red Stop) | Required service is not running. Status not received for five monitoring cycles. |
| ⚪ (Grey Stop) | Optional service is not running, for example, IDP Webhooks or Secret Management. These are not required for core authorization functionality. |
Service health behavior
When the Agent detects a service issue:
- The issue is reflected in the PAA card status.
- The error is logged locally within the PAA Environment.
These health indicators support monitoring and help ensure that Runtime authorization services remain operational.
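The legend and the mandatory-versus-optional rule above can be mirrored in an external monitoring script. The following is an added example, not platform code: the `ServiceReport` record shape, the service names, which services are mandatory, and the worst-state roll-up are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

MISSED_CYCLE_LIMIT = 5  # legend: "Status not received for five monitoring cycles"

class Symbol(IntEnum):      # ordered so max() picks the worst state
    GREEN_PLAY = 0
    GREY_STOP = 1
    ORANGE_PLAY = 2
    RED_PLAY = 3
    RED_STOP = 4

@dataclass
class ServiceReport:        # hypothetical record shape, not a platform API
    name: str
    mandatory: bool
    running: bool
    missed_cycles: int = 0
    error: bool = False
    latest_version: bool = True
    in_sync: bool = True    # PIP Operator configured and Redis keys in sync

def classify(r: ServiceReport) -> Symbol:
    # Assumption: a service silent for five cycles is treated as not running.
    if not r.running or r.missed_cycles >= MISSED_CYCLE_LIMIT:
        return Symbol.RED_STOP if r.mandatory else Symbol.GREY_STOP
    if r.error:
        return Symbol.RED_PLAY
    if not (r.latest_version and r.in_sync):
        return Symbol.ORANGE_PLAY
    return Symbol.GREEN_PLAY

def paa_health(reports):
    """Return (card status, optional services that are down)."""
    if not reports:                      # created but not yet deployed
        return "N/A", []
    states = {r.name: classify(r) for r in reports}
    mandatory = [states[r.name] for r in reports if r.mandatory]
    optional_down = [r.name for r in reports
                     if not r.mandatory and states[r.name] is Symbol.GREY_STOP]
    # Assumption: the card shows the worst state among mandatory services.
    return max(mandatory, default=Symbol.GREEN_PLAY).name, optional_down

# Constructed sample: which services count as mandatory is assumed here.
SAMPLE = [
    ServiceReport("pdp", mandatory=True, running=True),
    ServiceReport("pip", mandatory=True, running=True, in_sync=False),
    ServiceReport("hybrid-agent", mandatory=True, running=True),
    ServiceReport("idp-webhooks", mandatory=False, running=False),
]

if __name__ == "__main__":
    print(paa_health(SAMPLE))
```

An alert rule built on this would page on `RED_STOP` or `RED_PLAY` and only raise a ticket for `ORANGE_PLAY`, while the optional-services list is reported without affecting the overall status.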
Recommended multi-environment setup
If your organization maintains multiple Environments, such as Staging and Production, configure a separate PAA for each Environment with its own connection settings.
This ensures proper isolation of Runtime services and data sources across Environments.
End-to-end configuration overview
A typical configuration sequence includes:
- Create a PAA.
- Download the installation bundle.
- Install and configure the PAA.
- Define Data Sources.
- Create Views for the Data Sources.
- Assign the PAA to an Environment and/or Scopes.
- Create an Asset Type.
- Associate Asset Type Attributes.
For detailed deployment and infrastructure instructions, see the Admin Guide.
PAA and PIP administration audit
PAA and PIP administrative events are available through Administration Audit Reports.