PingAuthorize

Configuring the Decision Response View

Use the Decision Response View to increase or decrease the size of the policy decision response from the policy decision point (PDP).

When a client application makes a request for API resources, PingAuthorize Server returns a decision response payload that includes, at minimum, basic information about the server instance, the requested API resources, and the inbound and outbound flow of data. The payload also includes any views added to the Decision Response View. By default, no views are present. PingAuthorize then passes the full response payload to the Policy Decision Logger.

Adding or removing views in the Decision Response View alters the verbosity of the response payload and the size of the policy-decision.log file.

  • If you remove all views, the Policy Decision Logger still logs an abbreviated response. To prevent this abbreviated logging, disable include-pdp-response for the File Based Policy Decision Log Publisher.

  • The Decision Response View behavior doesn’t significantly change between embedded and external PDP modes.

You can add the following views to the Decision Response View:

Decision Response View Description

attributes

Includes full details of attributes evaluated during policy decision evaluation.

decision-tree

Includes detailed output tracing the decision’s policy evaluation flow.

evaluated-entities

Includes attribute and service resolution details. This is equivalent to specifying both attributes and services.

evaluation-log

Includes attribute and service resolution details. This is similar to specifying evaluated-entities, but the data are expressed in a flat format.

evaluation-log-with-attribute-values

Includes attribute and service resolution details. This is equivalent to specifying evaluation-log but also includes values and types for successful attribute resolutions.

request

Includes the full decision request object.

Selecting the request view causes the Policy Decision Logger to record potentially sensitive data in API requests and responses.

services

Includes full details of services invoked during policy evaluation.

Use the administrative console or dsconfig to configure the Decision Response View.


Use the administrative console

Steps

  1. Go to Configuration > Authorization and Policies and click Policy Decision Service.

  2. In the Policy Request Configuration section, next to Decision Response View, select a response view and click the arrow.

    Screen capture of the Decision Response View configuration in the administrative console with the request view highlighted.

  3. Click Save to PingAuthorize Server Cluster.

Use dsconfig

Steps

  1. Run dsconfig with the set-policy-decision-service-prop subcommand.

    Example:

    PingAuthorize/bin/dsconfig set-policy-decision-service-prop \
      --no-prompt --port 5409 --useSSL --trustAll \
      --bindDN "cn=directory manager" \
      --bindPassword secret \
      --add decision-response-view:request

    In this example, the request view is added to the Decision Response View.
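
The following is an added example, not part of the PingAuthorize documentation. It plans the `--add` and `--remove` arguments needed to move the Decision Response View from its current set of views to a desired set, and refuses to add the `request` view unless the caller opts in, because that view logs potentially sensitive data. The function names and the `allow-request` keyword are hypothetical; `--remove` is dsconfig's counterpart to `--add` for multi-valued properties, and the sample view sets are constructed.

```shell
#!/bin/sh
# Added example: plan property arguments for
#   dsconfig set-policy-decision-service-prop
# View names are the ones listed on this page.
KNOWN_VIEWS="attributes decision-tree evaluated-entities evaluation-log evaluation-log-with-attribute-values request services"

# has_word WORD LIST...: succeed if WORD is one of the remaining arguments.
has_word() {
  w=$1; shift
  for x in "$@"; do
    if [ "$x" = "$w" ]; then return 0; fi
  done
  return 1
}

# plan_view_args "CURRENT VIEWS" "DESIRED VIEWS" [allow-request]
# Prints the --remove/--add arguments on one line.
# Returns 2 for an unknown view name, 3 if 'request' is desired without opt-in.
plan_view_args() {
  current=$1
  desired=$2
  allow=${3:-}
  for v in $current $desired; do
    has_word "$v" $KNOWN_VIEWS || { echo "unknown view: $v" >&2; return 2; }
  done
  if has_word request $desired && [ "$allow" != "allow-request" ]; then
    echo "refusing 'request': it logs potentially sensitive API data" >&2
    return 3
  fi
  args=""
  # Views configured now but no longer wanted are removed first.
  for v in $current; do
    has_word "$v" $desired || args="$args --remove decision-response-view:$v"
  done
  # Views wanted but not yet configured are added.
  for v in $desired; do
    has_word "$v" $current || args="$args --add decision-response-view:$v"
  done
  echo "${args# }"
}

# Constructed sample: drop 'request', keep 'decision-tree', add 'evaluation-log'.
plan_view_args "request decision-tree" "decision-tree evaluation-log"
```

Append the printed arguments to the `dsconfig set-policy-decision-service-prop` command shown above in place of its `--add` line.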