PingAuthorize

JSON PDP API response format

After the Policy Decision Service makes a decision, it returns the decision to the JSON PDP API, which then forwards the decision response to the client. JSON PDP API responses include decisions, such as PERMIT or DENY, and any obligations or statements that were matched during policy evaluation.

Individual responses

The following example shows a response to an individual JSON request:

{
  "id": "12345678-90ab-cdef-1234-567890abcdef",
  "deploymentPackageId": "12345678-90ab-cdef-1234-567890abcdef",
  "timestamp": "2021-06-11T03:12:19.720485Z",
  "elapsedTime": 184024,
  "decision": "PERMIT",
  "authorized": true,
  "statements": [
    {
      "id": "12345678-90ab-cdef-1234-567890abcdef",
      "name": "Statement Name",
      "code": "statement-code",
      "payload": "{\"data\": \"some data\"}",
      "obligatory": true,
      "fulfilled": false,
      "attributes": {}
    }
  ],
  "status": {
    "code": "OKAY",
    "messages": [],
    "errors": []
  }
}

The decision and authorized values identify whether the policies authorize the request, and the statements array contains statements to be applied by the PEP. The elapsedTime value shows evaluation duration in microseconds.

Batch responses

Batch responses are returned as a responses array that contains individual JSON responses. The order of the responses matches the order of the original requests, meaning the first response in the responses array corresponds to the first request in the batch, the second response to the second request, and so on.

The following example shows a response to a batch JSON request:

{
  "responses": [
    {
      "id": "12345678-90ab-cdef-1234-567890abcdef",
      "deploymentPackageId": "12345678-90ab-cdef-1234-567890abcdef",
      "timestamp": "2021-06-11T04:18:32.820482Z",
      "elapsedTime": 830492,
      "decision": "PERMIT",
      "authorized": true,
      "statements": [
        {
          "id": "12345678-90ab-cdef-1234-567890abcdef",
          "name": "Advice Name",
          "code": "advice-code",
          "payload": "{\"data\": \"some data\"}",
          "obligatory": true,
          "fulfilled": false,
          "attributes": {}
        }
      ],
      "status": {
        "code": "OKAY",
        "messages": [],
        "errors": []
      }
    },
    {
      "id": "fedcba09-8765-4321-fedcba098765",
      "deploymentPackageId": "fedcba09-8765-4321-fedcba098765",
      "timestamp": "2021-06-11T04:18:33.650974Z",
      "elapsedTime": 492048,
      "decision": "PERMIT",
      "authorized": true,
      "statements": [
        {
          "id": "fedcba09-8765-4321-fedcba098765",
          "name": "Different Advice",
          "code": "advice-code",
          "payload": "{\"data\": \"other data\"}",
          "obligatory": false,
          "fulfilled": false,
          "attributes": {}
        }
      ],
      "status": {
        "code": "OKAY",
        "messages": [],
        "errors": []
      }
    }
  ]
}
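
A PEP-side check for the individual and batch responses described above, as an added example that is not PingAuthorize code: it fails closed unless status.code is OKAY, the decision is PERMIT, and every obligatory statement has been applied. The handlers map, the function names, and the treatment of a non-OKAY status or an unhandled obligatory statement as a denial are assumptions of this example; the sample response is constructed from the fields shown above.

```python
import json

# Constructed sample, trimmed from the individual response format shown above.
SAMPLE = {
    "decision": "PERMIT",
    "authorized": True,
    "statements": [{
        "code": "statement-code",
        "payload": '{"data": "some data"}',
        "obligatory": True,
        "attributes": {},
    }],
    "status": {"code": "OKAY", "messages": [], "errors": []},
}

def enforce(response, handlers):
    """Return True only for a clean PERMIT whose obligatory statements were all applied.

    handlers (hypothetical) maps a statement "code" to a callable(payload, attributes).
    """
    if not isinstance(response, dict):
        return False
    status = response.get("status") or {}
    # Assumption: any status other than OKAY, or any reported error, is a denial.
    if status.get("code") != "OKAY" or status.get("errors"):
        return False
    if response.get("decision") != "PERMIT" or response.get("authorized") is not True:
        return False
    for stmt in response.get("statements") or []:
        if not isinstance(stmt, dict):
            return False
        try:
            handler = handlers[stmt["code"]]
            # payload is a JSON document carried as a string, so decode it first.
            handler(json.loads(stmt.get("payload") or "null"), stmt.get("attributes") or {})
        except Exception:
            # Assumption: an obligatory statement the PEP cannot apply blocks the request.
            if stmt.get("obligatory"):
                return False
    return True

def enforce_batch(requests, batch, handlers):
    """Pair responses with requests by position; deny all if the counts differ."""
    responses = batch.get("responses") if isinstance(batch, dict) else None
    if not isinstance(responses, list) or len(responses) != len(requests):
        return [False] * len(requests)
    return [enforce(r, handlers) for r in responses]
```

Because batch responses are matched to requests only by position, a count mismatch leaves no safe way to pair them, so the example denies the whole batch rather than guessing.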

Query responses

The following example shows a response to a query request:

{
  "requestId": "8245be35-ec9e-40f1-a79a-80890041f4b0",
  "timestamp": "2023-11-14T03:21:47.734842Z",
  "elapsedTime": 22,
  "results": [
    {
      "attribute": "action",
      "value": "delete",
      "decision": "PERMIT"
    }
  ]
}

The results array lists the query attribute values that produced either a PERMIT or a DENY decision, along with any obligations or statements that were matched.

Configuring response timestamp precision

The PingAuthorize Server returns timestamps in each JSON PDP API response to identify when policy decisions were produced. By default, PingAuthorize uses the highest timestamp precision supported by the host operating system and CPU. On hosts that support nanosecond timestamps, responses include nanosecond-precision values. On systems that provide lower precision, such as microsecond-level timestamps, PingAuthorize uses that precision instead.

You can enforce microsecond-precision timestamps to maintain compatibility with clients that expect legacy formats. To enable this behavior, set the Policy Decision Service’s use-microseconds-timestamp property to true.

For example:

dsconfig set-policy-decision-service-prop \
  --set use-microseconds-timestamp:true

To revert to nanosecond precision:

dsconfig set-policy-decision-service-prop \
  --reset use-microseconds-timestamp

This setting affects the API response body only. The policy-decision and policy-query logs continue to use the default precision.