A Policy Based Management System (PBMS) is a Framework in which an Access Request received by a Policy Enforcement Point (PEP) is presented to a Policy Decision Point (PDP) which retrieves the Authorization Policy data from a Policy Retrieval Point along with data on the Entity requesting access and data on the Target Resource from Policy Information Point(s) and renders a decision to the Policy Decision Point.

Generally, any of the AAA Servers (or Access Control Engines) transactions may retrieve a policy or evaluate an Access Control Policy, and any of the Service Equipment may enforce a policy. Policy Retrieval Points (Policy Repositories) may reside on any of the Access Control Engines or be located elsewhere in the network.

Data against which Access Control Policy conditions are evaluated (such as resource status, session state, or time of day) are accessible at Policy Information Points (PIPs) and might be accessed using Policy Information Blocks (PIBs).

A Policy Based Management System consists of four main functional Non_normative elements: (following RFC 2904, except for PAP)