Permit Deny
  • 09 Apr 2024

POST `/api/runtime/permit-deny/v3`

The Permit/Deny API call is a Yes/No authorization question. It returns an Access Decision for the specific question detailed in the API request. It can also optionally return additional information.

Notice

When accessing the Authorization APIs, use the URL base/prefix that matches your PlainID PDP location:
  • United States Cloud PDP - `https://tenant-name.us1.plainid.io`
  • Canadian Cloud PDP - `https://tenant-name.ca1.plainid.io`
  • European Cloud PDP - `https://tenant-name.eu1.plainid.io`
  • Local PAA - `https://your-paa.acme.local`

For more information on which Asset Types to use with your PAA or Cloud PDP, refer to Managing Asset Types.
Body parameters

PermitDeny
{
  "entityId": "uid838277",
  "clientId": "PDASDASDASDASDASDF40",
  "clientSecret": "k3DSBn5vTJuNzcar0Cpb0wICar34QwYQCat4OMay",
  "entityAttributes": {
    "user_organization": [
      "Acme Finance"
    ],
    "user_title": [
      "Branch Clerk"
    ],
    "user_business_unit": [
      "LOB1"
    ],
    "User_Location": [
      "US"
    ]
  },
  "combinedMultiValue": false,
  "listOfResources": [
    {
      "resourceType": "Client Profiles",
      "resources": [
        {
          "action": "Read",
          "path": "P4",
          "assetAttributes": {
            "attribute_1": [
              "string"
            ],
            "attribute_2": [
              "string"
            ]
          }
        }
      ]
    }
  ]
}
object
entityId
string Required

Unique identifier of the Identity (e.g. UID)

clientId
string Required

Client ID of the Scope

clientSecret
string Required

Client Secret ID of the Scope

listOfResources
Array of object Required

Contains a list of the Asset's unique identifiers:

· Resource type (required)

· Resources - Action (optional), Path (required), and Asset Attributes (optional)

object
resourceType
string 

Asset Template ID

resources
Array of object 
object
action
string 

Name of the Action

path
string Required

Unique Identifier of the Asset

assetAttributes
object
attribute_1
Array of string 
string 
attribute_2
Array of string 
string 
entityTypeId
string 

Identity Template ID

entityAttributes
object
user_organization
Array of string 
string 
user_title
Array of string 
string 
user_business_unit
Array of string 
string 
User_Location
Array of string 
string 
contextData
object

Identity Context data for this request.

When specifying this parameter, you are requesting information based on a specific parameter and its value.

For example: Location where the contextData equals a specific branch.

If not defined, Dynamic Groups based on context data will not be considered in the Access Decision.

string
Array

environment
object

Environmental parameters need to be defined in Policies as a request (in Asset Rules or Conditions) and sent in the authorization request. Only the Assets that match the parameters in the request will be returned.

If not defined, parameters based on Environmental data will not be considered in the Access Decision.

string
Array

remoteIp
string 

IP address to be used when validating a policy. Ensure that your IP Ranges are correct based on an IP calculator. If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header).

Min length: 1
timeZoneOffset
number 

Defines the offset from the UTC time zone. Used in Time Condition.

Default: "0"
includeDetails
boolean 

Show/hide a detailed list of Resources that are allowed, denied, and not applicable.

Default: "False"
includeContext
boolean 

Show/hide the context data in the response.

Default: "False"
includeAccessPolicy
boolean 

Show/hide the name of the Policy in the response that granted the specified access.

Default: "False"
includeAccessPolicyId
boolean 

Show/hide the external id of the Policy in the response that granted the specified access.

Default: "False"
includeAssetAttributes
boolean 

Show/hide the asset attribute of the assets in the response.

Default: "False"
includeDenyReason
boolean 

Include/exclude the reason for denying access to an Asset.
For more details, see Deny Reason.

Default: "False"
includeIdentity
boolean 

Show/hide the Identity attribute of the Identity in the response.

Default: "False"
accessTokenFormat
string 

Determines the format of the response – whether JSON, JWT, or StandardJWT.

Default: "JSON/JWT"
useCache
boolean 

Determines whether the response considers the cache settings or overrides the cache and performs a full calculation.

Default: "True"
prefetch
boolean 

Fetches the Asset Attribute based on the Asset ID at the beginning of the Access Decision calculation.

Default: "False"
combinedMultiValue
boolean 

Determines how the relationship between Identity Attributes is evaluated in the Access Decision.

Default: "False"
assetContext
Array of object (assetContextRequestItem) 
object
key
string 

An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.

resourceType
string Required
path
string 
action
string 
assetAttributes
object
attribute_1
Array of string 
string 
attribute_2
Array of string 
string 
operationalFilters
Array of object 

These operational filters should affect the Runtime behavior and results by applying additional filtering which is not directly related to Authorization logic.

object
OneOf
identitySourcesFilterByIDs

filterType
string Required
filterProperties
object
filterAction
string Required
Valid values: [ "INCLUDE", "EXCLUDE" ]
objectsList
Array of string Required
string 

Input your sourceID/s here. For information on where to locate the sourceID, check out Managing Attribute Sources in our documentation.

Responses
200

User gets a Permit decision

Permit
{
  "result": "PERMIT"
}
Deny
{
  "result": "DENY"
}
Permit with details
{
  "result": "PERMIT",
  "response": [
    {
      "allowed": [
        {
          "path": "AS-XX-12575",
          "action": "Access",
          "template": "Accounts"
        }
      ],
      "denied": [],
      "not_applicable": []
    }
  ]
}
Deny with details
{
  "result": "DENY",
  "response": [
    {
      "allowed": [],
      "denied": [
        {
          "path": "AS-XX-12575",
          "action": "Access1",
          "template": "Accounts"
        }
      ],
      "not_applicable": []
    }
  ]
}
Combined permit deny
{
  "result": "DENY",
  "response": [
    {
      "allowed": [
        {
          "path": "AS-XX-12575",
          "action": "Access",
          "template": "Accounts"
        }
      ],
      "denied": [
        {
          "path": "AS-XX-1257566",
          "action": "Access",
          "template": "Accounts"
        }
      ],
      "not_applicable": []
    }
  ]
}

AnyOf
permitDenyResponse

result
string 
response
Array of object 
object
allowed
Array of object 
object
path
string 
action
string 
template
string 
permissions
Array of object 
object
permission
string 
permissionId
string 
denied
Array of object 
object
path
string 
action
string 
template
string 
not_applicable
Array of object 
object

assetContextPermitDenyResponse

data
Array of object 
object
assetContext
object (assetContextResponseItem)
AnyOf
object

key
string 

An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.

object

resourceType
string 
path
string 
action
string 
assetAttributes
object
attribute_1
Array of string 
string 
attribute_2
Array of string 
string 
output
object
accessResponse
object (permitDenyResponse)
result
string 
response
Array of object 
object
allowed
Array of object 
object
path
string 
action
string 
template
string 
permissions
Array of object 
object
permission
string 
permissionId
string 
denied
Array of object 
object
path
string 
action
string 
template
string 
not_applicable
Array of object 
object

error
string 
object

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

500

Internal Server Error

501

Not Implemented
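
A client-side enforcement check for the request and responses documented above, as an added example that is not part of PlainID's documentation or SDK: it builds the body with the page's field names and treats anything other than an explicit PERMIT that lists the requested path and action under "allowed" as a deny, including error statuses and malformed bodies. The environment variable names, the function names and the stricter per-resource check are assumptions of this example; the base URL is the page's placeholder.

```python
import json
import os
import urllib.request

# Placeholder base URL from the Notice above; use your own PDP location.
BASE_URL = "https://tenant-name.us1.plainid.io"
ENDPOINT = "/api/runtime/permit-deny/v3"

# "Combined permit deny" sample response, copied from this page.
COMBINED = ('{"result": "DENY", "response": [{"allowed": [{"path": "AS-XX-12575", '
            '"action": "Access", "template": "Accounts"}], "denied": [{"path": '
            '"AS-XX-1257566", "action": "Access", "template": "Accounts"}], '
            '"not_applicable": []}]}')

def build_request(entity_id, resource_type, path, action, remote_ip=None):
    """Request body using the page's field names; secrets come from the
    environment (variable names are assumptions), never from source code."""
    body = {
        "entityId": entity_id,
        "clientId": os.environ.get("PLAINID_CLIENT_ID", ""),
        "clientSecret": os.environ.get("PLAINID_CLIENT_SECRET", ""),
        "listOfResources": [{"resourceType": resource_type,
                             "resources": [{"path": path, "action": action}]}],
        "includeDetails": True,  # asks for the allowed/denied lists in the response
    }
    if remote_ip:  # set explicitly rather than relying on X-Forwarded-For
        body["remoteIp"] = remote_ip
    return body

def is_permitted(response_text, path, action):
    """Fail closed: True only when result is exactly PERMIT and the requested
    (path, action) pair is listed under "allowed"."""
    try:
        doc = json.loads(response_text)
        if doc["result"] != "PERMIT":
            return False
        return any(item["path"] == path and item["action"] == action
                   for block in doc["response"] for item in block["allowed"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return False  # malformed, empty or detail-less body counts as deny

def ask(body, timeout=5):
    """POST the body; any network or HTTP error (4xx/5xx) yields "" (deny)."""
    req = urllib.request.Request(
        BASE_URL + ENDPOINT, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:
        return ""
```

Because `includeDetails` is always sent, a bare `{"result": "PERMIT"}` without the details list is also treated as a deny by this check.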

