---
title: Troubleshooting policy queries
description: The following resources can help you solve issues with policy query requests and responses.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_policy_administration_guide:paz_troubleshooting_policy_queries
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_policy_administration_guide/paz_troubleshooting_policy_queries.html
revdate: December 5, 2024
section_ids:
  configure_query_response_granularity: Configuring query response granularity
  visualizing-policy-query-decisions: Visualizing policy query decisions
  about-this-task: About this task
  steps: Steps
  policy-query-logging: Policy query logging
---

# Troubleshooting policy queries

The following resources can help you solve issues with policy query requests and responses.

## Configuring query response granularity

A query response includes a set of decisions. Each decision is executed against a possible combination of request attributes. By default, query responses return two types of decisions:

* `PERMIT`

* `DENY` with [statements](paz_statements.html) attached

Adjust the granularity of query responses by configuring the query response view:

1. In the administrative console, go to Authorization and Policies and click Policy Decision Service.

2. In the Policy Query Configuration section, select the response granularity in the Query Response View list.

   ![Screen capture of the Query Response View option under Policy Query Configuation in the administrative console.](_images/query-response-view.png)

The following table describes the behavior of each available query response view:

| Response view                    | Description                                                                                                                                                                                                         |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `permit`                         | Only includes `PERMIT` decisions in the query response.                                                                                                                                                             |
| `permit-and-deny-with-statement` | Includes `PERMIT` decisions and `DENY` decisions with statements attached in the query response.                                                                                                                    |
| `unfiltered`                     | Includes all decisions in the query response, regardless of the outcome or the presence of statements.You can use this view can help diagnose unexpected decision outcomes for specific combinations of attributes. |

Alternatively, you can add the `x-respond-with` header to your query requests and assign it one of the following values:

* `permit`

* `permitAndDenyWithStatement`

* `unfiltered`

|   |                                                                                                                                                                                                                                                                                      |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | The configured query response view will apply to responses in both [embedded](../pingauthorize_server_administration_guide/paz_config_embedded_pdp.html) and [external policy decision point (PDP)](../pingauthorize_server_administration_guide/paz_config_external_pdp.html) mode. |

## Visualizing policy query decisions

As part of the policy development and debugging process, you can examine recent decisions returned in a query response.

### About this task

When you develop and test policies, you can examine the decision flow and other details about recent decisions to make sure the decision engine is evaluating policies according to your expectations.

### Steps

1. In the `policy-query.log` file, copy the `response` field for the individual query permutation for which you want to visualize the corresponding decision.

   ```
   "response":{"id":"38be8a7e-b552-4fd8-9311-4b742dc71280","deploymentPackageId":"38288f2d-f7ca-4c1c-ada4-0d6ef878de38","timestamp":"2024-09-09T14:44:19.687068Z","elapsedTime":42514,"request":{"domain":"","service":"","identityProvider":"","action":"","attributes":{"User":"{\"userID\":789,\"role\":\"financial advisor\",\"name\":\"Jim Jones\"}","Action":"view","BankAccount.resource":"balance"}},"externallyResolvedAttributes":{},"decision":"DENY","authorised":false,"statements":[{"id":"1290c587-bfdc-434b-b181-43f542207235","name":"Denial reason","code":"denied-reason","payload":"Example: { \"status\": 403, \"message\": \"error_code\", \"detail\":\"Role does not equal teller or customer service rep\"}","obligatory":false,"fulfilled":false,"attributes":{}}],"status":{"code":"OKAY","messages":[],"errors":[]},"attributes":{...},"services":{...},"decisionTree":{...},"evaluationLog":[{...},{...}]}
   ```

2. In the Policy Editor, go to Policies > Decision Visualiser.

3. In the Paste Logs field, paste the log data you copied in step 1.

   ![Screen capture of a query audit log response entry copied into the Paste Logs field of the Decision Visualizer.](_images/query-decision-visualizer.png)

4. Click Visualise.

   ![Screen capture of the Visualization tab flow for a pasted query audit log entry.](_images/query-log-flow-visualizer.png)

   On the Visualisation tab, examine the decision flow to make sure decisions are evaluated according to your expectations.

5. Click a box in the flow to show more details.

   ![Screen capture of a Visualization flow node with expanded details.](_images/query-log-flow-node-details.png)

   This example represents a rule that denies requests to view account balances if the user's role is not `teller` or `customer service rep` and permits otherwise. The decision evaluated as `deny` and took 0.818 milliseconds. Additionally, there is a `denied-reason` statement attached to the decision with additional context for the denial.

6. Click the other tabs for additional details:

   * Request tab: Shows the JSON request sent to the decision engine, allowing you to confirm that the expected information was sent.

   * Response tab: Shows the response for the individual permutation's decision.

     This tab includes detailed information about the attributes and policy elements used to produce the decision response.

   * Output tab: Shows the time taken to evaluate each policy set, policy, and rule used in the final decision.

   * Attributes tab: Shows resolution, processing, and policy dependency details for each attribute used in the decision.

   * Services tab: Shows details about the services used in the decision.

## Policy query logging

The PingAuthorize Server and Policy Editor provide a set of configurable audit logs for debugging policy query requests. Learn more in [Policy query logging](paz_policy_query_logging.html).