PingAuthorize

About the Decision Response View

You can use the Decision Response View to increase or decrease the size of the policy decision response from the Policy Decision Point (PDP).

When a client application makes a request for API resources, the PingAuthorize server returns a decision response payload that includes, at minimum, basic information about the server instance, the API resources, and the inbound and outbound flow of data. The payload also includes any views selected in the Decision Response View. By default, no views are selected. PingAuthorize then passes the full response payload to the Policy Decision Logger.

To configure the selected views for the Decision Response View, do one of the following:

  • In the administrative console, go to Configuration → Policy Decision Service and change the Selected views included for Decision Response View.

  • Use CLI commands to add or remove views.

Changing the selected views in the Decision Response View changes the verbosity of the response payload and the size of the policy-decision log files:

  • Adding views increases the size of response payloads and policy-decision log files.

  • Removing views decreases the size of response payloads and policy-decision log files.

  • Some views are more verbose than others.

  • If you remove all views, the Policy Decision Logger still logs an abbreviated response. To prevent this abbreviated logging, disable include-pdp-response for the File Based Policy Decision Log Publisher.

  • The Decision Response View behavior doesn’t significantly change between embedded and external PDP modes.

You can select the following additional views in the Decision Response View.

| Decision Response View | Description |
| --- | --- |
| attributes | Full details of attributes evaluated during policy decision evaluation. |
| decision-tree | Detailed output tracing the decision’s policy evaluation flow. |
| evaluated-entities | Attribute and service resolution details. This is equivalent to specifying both attributes and services. |
| evaluation-log | Attribute and service resolution details. This is similar to specifying evaluated-entities, but the data are expressed in a flat format. |
| evaluation-log-with-attribute-values | Attribute and service resolution details. This is equivalent to specifying evaluation-log but also includes values and types for successful attribute resolutions. |
| request | The policy decision request. Might include sensitive data. |
| services | Full details of services invoked during policy decision evaluation. |

Selecting the request view causes the Policy Decision Logger to record potentially sensitive data in API requests and responses.
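
As an added example (not from the PingAuthorize documentation), the following shell function plans the CLI changes needed to move from one set of selected views to another, and refuses the request view unless it is explicitly allowed. It assumes the views are changed with dsconfig set-policy-decision-service-prop and a decision-response-view property, which you should confirm against your server version; plan_view_changes and has_word are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: plan Decision Response View changes offline (nothing is run).
# Assumption: views are changed with
#   dsconfig set-policy-decision-service-prop --add|--remove decision-response-view:<view>
# Connection options are omitted; confirm names against your server version.

# View names from the table on this page.
KNOWN_VIEWS="attributes decision-tree evaluated-entities evaluation-log evaluation-log-with-attribute-values request services"

# has_word LIST WORD: succeeds if WORD is a space-separated member of LIST.
has_word() {
  case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# plan_view_changes CURRENT DESIRED [allow-request]
# Prints one dsconfig command per change needed to move CURRENT to DESIRED.
# Returns 2 for an unknown view, 3 if DESIRED has "request" without opt-in.
plan_view_changes() {
  local current desired allow v cmd out
  current="$1"; desired="$2"; allow="${3:-}"
  cmd="dsconfig set-policy-decision-service-prop"; out=""
  for v in $desired; do   # validate everything before planning anything
    has_word "$KNOWN_VIEWS" "$v" || { echo "unknown view: $v" >&2; return 2; }
    if [ "$v" = "request" ] && [ "$allow" != "allow-request" ]; then
      echo "refusing 'request': it can log sensitive data" >&2
      return 3
    fi
  done
  for v in $current; do   # removals first, so logs shrink before they grow
    has_word "$desired" "$v" || out="$out$cmd --remove decision-response-view:$v
"
  done
  for v in $desired; do
    has_word "$current" "$v" || out="$out$cmd --add decision-response-view:$v
"
  done
  printf '%s' "$out"
}

# Constructed sample state: troubleshooting views left enabled on a server.
plan_view_changes "request decision-tree" "decision-tree attributes"
```

Review the printed commands before running them; passing allow-request as the third argument is the explicit opt-in for the request view.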