Policy Decision logger - PingDataGovernance

Policy Decision logger - PingDataGovernance - 8.2

PingDataGovernance

bundle

pingdatagovernance-82

ft:publication_title

PingDataGovernance

Product_Version_ce

PingDataGovernance 8.2

category

Product

pdg-82

pingdatagovernance

ContentType_ce

Page created: 22 Jul 2020 |

Page updated: 9 Feb 2021

| 2 min read

8.2 PingDataGovernance Product Logging User task Product documentation Content Type Data Governance Capability

Enabled by default, the Policy Decision logger records decision responses that are received from the policy decision point (PDP).

Regardless of whether PingDataGovernance Server is configured to evaluate a policy in Embedded or External mode, a policy-decision file logs every policy decision per request. This file is located at PingDataGovernance/logs/policy-decision and contains the following information:

Policy-decision response

Each client request triggers a policy-decision response that specifies the inbound actions to perform, and another policy-decision response that specifies the outbound actions to perform. If you think of a policy-decision response as a set or decision tree of policies, all inbound and outbound requests are read from that set or tree.

Policy rules determine whether a request is denied, permitted, or indeterminate.

Most recent policy decision

To debug the most recent inbound request, open the policy-decision log file and locate the highest DECISION requestID in the section near the bottom of the file. In the following example,

[08/May/2019:15:35:04.791
                     -0500] "DECISION requestID=46"

represents the most recent request, and action equals "inbound-GET".

[08/May/2019:15:35:04.791 -0500] DECISION requestID=46 correlationID="0349a205-6aeb-4bd6-923b-c777bcef2241" 
product="Ping Identity Data Governance Server" instanceName="dgl" startupID="XNM9Hw==" threadID=140 
from=[0:0:0:0:0:0:0:l]:49882 method=GET url="https://0:0:0:0:0:0:0:1:8443/jokes/random" clientId="" 
action="inbound-GET" service="Random Joke API" domain="" identityProvider="Mock
Access Token Validator" resourcePath="" deploymentPackageId="95c5864c-b7ab-4588-a3d6-99d99d09fafc"
decisionId="734fc520-ffle-4f80-970a-12100cdd7646" authorized="true" decision="PERMIT" decisionStatusCode="OKAY" adviceIds=""
adviceNames=""

{
  "id" : "734fc520-ffle-4f80-970a-12100cdd7646",
  "deploymentPackageId" : "95c5864c-b7ab-4588-a3d6-99d99d09fafc",
  "elapsedTime" : 1036,
  "request" : {

Alternatively, you can use the most recent request timestamp to locate the most recent request.

Policy advice

If the policy contains advice, it is logged after the policy-decision response JSON. Advice features the same corresponding requestID as the most recent policy decision, as the following example shows.

[08/May/2019:15:35:05.377 -0500] ADVICE requestID=46 correlationID="0349a205-6aeb-4bd6-923b-c777bcef2241" product="Ping Identity
Data Governance Server" instanceName="dgl" startupID="XNRLuQ==" threadID=139 from=[0:0:0:0:0:0:0:l]:56475 method=GET url="https:
0:0:0:0:0:0:0:l:8443/jokes/random" clientId="" action="outbound-GET" service="Random Joke API" resourcePath=""
deploymentPackageId="026ab83d-5ed5-41f1-ada7-a50af5d02133" decisionId="0331232d-cd9e-43fc-8804-c2f8b0c23674" authorized="false"
decision="DENY" decisionStatusCode="OKAY" advicelmplId="denied-reason" adviceImplName="Denied Reason Advice" obligatory="false"
resourceModified="true"

To increase the level of detail that is returned in PDP decision responses, configure the Policy Decision Service as follows.

dsconfig set-policy-decision-service-prop \
  --add decision-response-view:decision-tree \
  --add decision-response-view:request \
  --add decision-response-view:evaluated-entities \
  --add decision-response-view:evaluation-log-with-attribute-values