Access control in CESP is performed by CESP-Access. Once the user has been uniquely identified his/her ability to access data or application is checked. The PEP (policy Enforcement Point) is the gatekeeper that collects data about the caller and the request. This data is the sent to the Authorization Engine that performs this check. The Authorization Engine uses the Axiomatic Policy Server to evaluate the policies.