Page created: 22 Jul 2020 | Page updated: 9 Feb 2021
Enabled by default, the Policy Decision logger records decision responses that are received from the policy decision point (PDP).
Regardless of whether PingDataGovernance Server is configured to evaluate a policy in Embedded or External mode, a policy-decision file logs every policy decision per request. This file is located at PingDataGovernance/logs/policy-decision and contains the following information:
- Policy-decision response
  Each client request triggers a policy-decision response that specifies the inbound actions to perform, and another policy-decision response that specifies the outbound actions to perform. If you think of a policy-decision response as a set or decision tree of policies, all inbound and outbound requests are read from that set or tree.
- Most recent policy decision
  To debug the most recent inbound request, open the policy-decision log file and locate the highest DECISION requestID in the section near the bottom of the file. In the following example, "[08/May/2019:15:35:04.791 -0500] DECISION requestID=46" represents the most recent request, and action equals "inbound-GET".

  [08/May/2019:15:35:04.791 -0500] DECISION requestID=46 correlationID="0349a205-6aeb-4bd6-923b-c777bcef2241" product="Ping Identity Data Governance Server" instanceName="dgl" startupID="XNM9Hw==" threadID=140 from=[0:0:0:0:0:0:0:1]:49882 method=GET url="https://0:0:0:0:0:0:0:1:8443/jokes/random" clientId="" action="inbound-GET" service="Random Joke API" domain="" identityProvider="Mock Access Token Validator" resourcePath="" deploymentPackageId="95c5864c-b7ab-4588-a3d6-99d99d09fafc" decisionId="734fc520-ff1e-4f80-970a-12100cdd7646" authorized="true" decision="PERMIT" decisionStatusCode="OKAY" adviceIds="" adviceNames=""
  { "id" : "734fc520-ff1e-4f80-970a-12100cdd7646", "deploymentPackageId" : "95c5864c-b7ab-4588-a3d6-99d99d09fafc", "elapsedTime" : 1036, "request" : {

  Alternatively, you can use the most recent request timestamp to locate the most recent request.
- Policy advice
  If the policy contains advice, it is logged after the policy-decision response JSON. Advice features the same corresponding requestID as the most recent policy decision, as the following example shows.

  [08/May/2019:15:35:05.377 -0500] ADVICE requestID=46 correlationID="0349a205-6aeb-4bd6-923b-c777bcef2241" product="Ping Identity Data Governance Server" instanceName="dgl" startupID="XNRLuQ==" threadID=139 from=[0:0:0:0:0:0:0:1]:56475 method=GET url="https://0:0:0:0:0:0:0:1:8443/jokes/random" clientId="" action="outbound-GET" service="Random Joke API" resourcePath="" deploymentPackageId="026ab83d-5ed5-41f1-ada7-a50af5d02133" decisionId="0331232d-cd9e-43fc-8804-c2f8b0c23674" authorized="false" decision="DENY" decisionStatusCode="OKAY" adviceImplId="denied-reason" adviceImplName="Denied Reason Advice" obligatory="false" resourceModified="true"
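
The lookup described in this list (highest DECISION requestID, then the ADVICE records that share it) can be scripted when reviewing authorization decisions. The following is an added example, not code from the product or its documentation: the function names are hypothetical, the sample log lines are constructed in the format shown above, and it assumes each DECISION or ADVICE record header starts a new line.

```python
import re

# Constructed sample in the page's log format; fields trimmed, JSON body shortened.
SAMPLE_LOG = """\
[08/May/2019:15:35:03.102 -0500] DECISION requestID=45 correlationID="c-45" clientId="" action="inbound-GET" authorized="true" decision="PERMIT"
[08/May/2019:15:35:04.791 -0500] DECISION requestID=46 correlationID="c-46" clientId="" action="inbound-GET" authorized="true" decision="PERMIT" { "id" : "constructed",
  "elapsedTime" : 1036 }
[08/May/2019:15:35:05.370 -0500] DECISION requestID=46 correlationID="c-46" clientId="" action="outbound-GET" authorized="false" decision="DENY"
[08/May/2019:15:35:05.377 -0500] ADVICE requestID=46 correlationID="c-46" action="outbound-GET" decision="DENY" adviceImplId="denied-reason" obligatory="false"
"""

HEADER = re.compile(r"^\[([^\]]+)\] (DECISION|ADVICE) (.*)$")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_records(text):
    """Return one dict per DECISION/ADVICE header line, in file order."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # continuation line of a JSON decision body
        timestamp, kind, rest = m.groups()
        rest = rest.split(" {", 1)[0]  # drop JSON that starts on the header line
        rec = {"timestamp": timestamp, "type": kind}
        for key, quoted, bare in FIELD.findall(rest):
            rec[key] = bare or quoted
        if rec.get("requestID", "").isdigit():
            records.append(rec)
    return records

def latest_request(text):
    """Return (requestID, records) for the highest DECISION requestID."""
    records = parse_records(text)
    ids = [int(r["requestID"]) for r in records if r["type"] == "DECISION"]
    if not ids:
        return None, []
    latest = max(ids)
    return latest, [r for r in records if int(r["requestID"]) == latest]

def summarize(records):
    """Condense records to (type, action, decision, adviceImplId) tuples."""
    return [(r["type"], r.get("action", ""), r.get("decision", ""),
             r.get("adviceImplId", "")) for r in records]

if __name__ == "__main__":
    request_id, recs = latest_request(SAMPLE_LOG)
    print("requestID", request_id, summarize(recs))
```

On the constructed sample this selects request 46 and shows the inbound PERMIT, the outbound DENY, and the advice attached to that DENY in file order.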
To increase the level of detail that is returned in PDP decision responses, configure the Policy Decision Service as follows.
dsconfig set-policy-decision-service-prop \
--add decision-response-view:decision-tree \
--add decision-response-view:request \
--add decision-response-view:evaluated-entities \
--add decision-response-view:evaluation-log-with-attribute-values