Enabled by default, the Policy Decision logger records decision responses that are received from the policy decision point (PDP).
Regardless of whether PingAuthorize Server is configured to evaluate a policy in Embedded or External mode, a policy-decision file logs every policy decision per request. This file is located at PingAuthorize/logs/policy-decision and contains the following information:
- Policy-decision response
Each client request triggers a policy-decision response that specifies the inbound actions to perform, and another policy-decision response that specifies the outbound actions to perform. If you think of a policy-decision response as a set or decision tree of policies, all inbound and outbound requests are read from that set or tree.
Policy rules determine whether a request is denied, permitted, or indeterminate.
- Most recent policy decision
To debug the most recent inbound request, open the policy-decision log file and locate the highest
DECISION requestID
in the section near the bottom of the file.Alternatively, you can use the most recent request timestamp to locate the most recent request.
- Policy advice
If the policy contains advice, it is logged after the policy-decision response JSON. Advice features the same corresponding
requestID
as the most recent policy decision.
To increase the level of detail that is returned in PDP decision responses, configure the Policy Decision Service as follows.
dsconfig set-policy-decision-service-prop \
--add decision-response-view:decision-tree \
--add decision-response-view:request \
--add decision-response-view:evaluated-entities \
--add decision-response-view:evaluation-log-with-attribute-values
Policy Decision views also affect the decision response payload of the request. You
can remove added views by using the --remove
decision-response-view:<view_name>
argument. See About the Decision Response View for more information.