PingAuthorize

Visualizing a policy decision response

When you develop and test policies in PingAuthorize, examine the decision flow and other details about recent decisions to make sure the decision service is evaluating policies according to your expectations.

Steps

  1. In the Policy Editor, go to Policies > Decision Visualizer.

  2. Select a decision to visualize.

    Choose from:

    • Select a recent decision.

      1. In the Decision Visualizer, click the Recent Decisions tab.

      2. Select a recent decision from the list.

        You can control the number of decisions that appear in the Recent Decisions list. Learn more in Setting the request list length for Decision Visualizer.

        To visualize self-governance decisions, sign on as a self-governance administrator and click Self Governance instead of Recent Decisions.

    • Copy and paste a decision response from the policy decision log.

      To visualize a policy decision log entry, you must add either the decision-tree or the evaluation-log view to the Decision Response View. Learn more in Configuring the Decision Response View.

      1. In the <PingAuthorize>/logs/policy-decision.log file, copy the decision response JSON object.

      2. In the Decision Visualizer, click the Paste Logs tab.

      3. Paste the decision response JSON object.

      4. Click Visualise.

        Result

        An interactive decision tree of your policies is displayed.

        Screen capture of the Policy Editor’s Decision Visualizer decision tree for an evaluated policy decision

  3. Examine the decision flow to make sure decisions are evaluated according to your expectations.

    You can click any box in the flow to show more details.

  4. Click the other tabs for additional details.

    • Request tab: Shows the JSON request sent to the decision service, allowing you to confirm that the expected information was sent.

    • Response tab: Shows the complete, high-verbosity response for the decision.

      If the same comparison condition is attached to more than one rule in the policy subtree, the decision response includes only the evaluation for the first instance of this comparison. Although the condition is included only once in the response, the decision service evaluates the condition wherever it is needed to make a decision.

      If the parent policy of the first instance of this condition isn’t applicable to the request, the decision response doesn’t include evaluation of any rule containing this condition. This behavior is the same regardless of the rule’s outcome (Permit, Deny, Not Applicable).

    • Output tab: Shows details about the decision, including the time it took to evaluate policies and rules.

    • Attributes tab: Shows details about the attributes used in the decision.

    • Services tab: Shows details about the services used in the decision.