Permit Deny
  • 23 Jul 2024
  • 6 Minutes to read
  • Dark
    Light
  • PDF

Permit Deny

  • Dark
    Light
  • PDF

Article summary

Post
/api/runtime/permit-deny/v3

The Permit/Deny API call is a Yes/No Authorization question. It returns a response to Access Decision-related responses to a specific question detailed in the API Request. It can also optionally return additional information.

Notice

When accessing the Authorization APIs, the URL base/prefix, according to your PlainID PDP Location
  • United States Cloud PDP - `https://tenant-name.us1.plainid.io`
  • Canadian Cloud PDP - `https://tenant-name.ca1.plainid.io`
  • European Cloud PDP - `https://tenant-name.eu1.plainid.io`
  • Local PAA - `https://your-paa.acme.local`

  • For more information on which Asset Types to use with your PAA or Cloud PDP, refer to Managing Asset Types.

    Important note about headers

    Refer to the headers below to modify your cURL sample. Check if the following headers are in the sample, if not, ensure you add it to your cURL sample before pasting into your API tool.

    Headers

    *Required
    HeaderValuecURL Line
    content-type`application/json``-H 'Content-Type: application/json' `

    cURL Sample Guidelines

    In order for the relevant parameters to appear in the cURL sample, you can input the values in the interactive API console on the right. They will then appear in the cURL sample on the bottom of the page in the correct format.

    Header parameters
    X-Client-Id
    string

    Client ID of the Scope
    The clientId is required, ensure that it is defined either in the header as X-Client-Id or in the body as clientId.

    X-Client-Secret
    string

    Client Secret ID of the Scope.
    You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to Setting up an Authentication Method for more information.

    Body parameters
    PermitDeny
    {
      "entityId": "uid838277",
      "clientId": "PDASDASDASDASDASDF40",
      "clientSecret": "k3DSBn5vTJuNzcar0Cpb0wICar34QwYQCat4OMay",
      "entityAttributes": {
        "user_organization": [
          "Acme Finance"
        ],
        "user_title": [
          "Branch Clerk"
        ],
        "user_business_unit": [
          "LOB1"
        ],
        "User_Location": [
          "US"
        ]
      },
      "combinedMultiValue": false,
      "listOfResources": [
        {
          "resourceType": "Client Profiles",
          "prefetch": true,
          "resources": [
            {
              "action": "Read",
              "path": "P4",
              "assetAttributes": {
                "attribute_1": [
                  "string"
                ],
                "attribute_2": [
                  "string"
                ]
              }
            }
          ]
        }
      ]
    }
    Expand All
    object
    entityId
    string Required

    Unique identifier of the Identity (e.g. UID)

    clientId
    string Required

    Client ID of the Scope
    The Client ID is required, ensure that it is defined either in the header as X-Client-Id or in the body as clientId.

    clientSecret
    string

    Client Secret ID of the Scope.
    You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to Setting up an Authentication Method for more information.

    listOfResources
    Array of object Required

    Contains a list of the Asset's unique identifiers:

    · Resource type (required)

    · Prefetch

    · Resources - Action (optional), Path (required), and Asset Attributes (optional)

    object
    resourceType
    string

    Asset Template ID

    prefetch
    boolean

    Fetches the Asset Attribute based on the Asset ID at the beginning of the Access Decision calculation.

    Default"False"
    resources
    Array of object
    object
    action
    string

    Name of the Action

    path
    string Required

    Unique Identifier of the Asset

    assetAttributes
    object
    attribute_1
    Array of string
    string
    attribute_2
    Array of string
    string
    entityTypeId
    string

    Identity Template ID

    entityAttributes
    object
    user_organization
    Array of string
    string
    user_title
    Array of string
    string
    user_business_unit
    Array of string
    string
    User_Location
    Array of string
    string
    contextData
    object

    Identity Context data for this request.

    When specifying this parameter, you are requesting information based on a specific parameter and its value.

    For example: Location where the contextData equals a specific branch.

    If not defined, Dynamic Groups based on context data will not be considered in the Access Decision.

    string
    Array
    environment
    object

    Environmental parameters need to be defined in Policies as a request (in Asset Rules or Conditions) and sent in the authorization request. Only the Assets that match the parameters in request will be returned.

    If not defined, parameters based on Environmental data will not be considered in the Access Decision.

    string
    Array
    remoteIp
    string

    IP address to be used when validating a Policy. Ensure that your IP Ranges are correct based on an IP calculator. If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header).

    Min length1
    timeZoneOffset
    number

    To define the offset from UTC time zone. Used in Time Condition.

    Default"0"
    includeDetails
    boolean

    Show/hide a detailed list of Resources that are allowed, denied, and not applicable.

    Default"False"
    includeContext
    boolean

    Show/hide the context data in the response.

    Default"False"
    includeAccessPolicy
    boolean

    Show/hide the name of the Policy in the response that granted the specified access.

    Default"False"
    includeAccessPolicyId
    boolean

    Show/hide the external id of the Policy in the response that granted the specified access.

    Default"False"
    includeAssetAttributes
    boolean

    Show/hide the Asset Attribute of the Assets in the response.

    Default"False"
    includeDenyReason
    boolean

    Include/exclude the reason for denying access to an Asset.
    For more details on Deny Reason, click here

    Default"False"
    includeIdentity
    boolean

    Show/hide the Identity Attribute of the Identity in the response.

    Default"False"
    accessTokenFormat
    string

    Determines the format of the response – whether JSON, JWT, or StandardJWT.

    Default"JSON/JWT"
    useCache
    boolean

    The Attribute will determine if the response is going to consider the cache settings or override the cache and perform a full calculation.

    Default"True"
    combinedMultiValue
    boolean

    Determines the evaluation of Identity Attributes relationship in access decision.

    Default"False"
    assetContext
    Array of object (assetContextRequestItem)
    object
    key
    string

    An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.

    resourceType
    string Required
    path
    string
    action
    string
    assetAttributes
    object
    attribute_1
    Array of string
    string
    attribute_2
    Array of string
    string
    operationalFilters
    Array of object

    These operational filters should affect the Runtime behavior and results by applying additional filtering which is not directly related to Authorization logic.

    object
    OneOf
    identitySourcesFilterByIDs
    filterType
    string Required
    filterProperties
    object
    filterAction
    string Required
    Valid values[ "\"INCLUDE\"", "\"EXCLUDE\"" ]
    objectsList
    Array of string Required
    string

    Input your sourceID/s here. For information on the sourceID parameter and where to locate it, check out Managing Attribute Sources in the PlainID documentation.

    skipUnneededOrUnavailableIdentitySources
    boolean

    The Attribute will determine if the calculation will skip unneeded or unavailable Identity sources. Refer to the Authorization API article for more information.

    Default"False"
    includePartialIdentitySourcesIndication
    boolean

    Show/hide additionalResponseInfo in the response.

    Default"False"
    Responses
    200

    User gets a Permit decision

    Permit
    {
      "result": "PERMIT"
    }
    Deny
    {
      "result": "DENY"
    }
    Permit with details
    {
      "result": "PERMIT",
      "response": [
        {
          "allowed": [
            {
              "path": "AS-XX-12575",
              "action": "Access",
              "template": "Accounts"
            }
          ],
          "denied": [],
          "not_applicable": []
        }
      ]
    }
    Deny with details
    {
      "result": "DENY",
      "response": [
        {
          "allowed": [],
          "denied": [
            {
              "path": "AS-XX-12575",
              "action": "Access1",
              "template": "Accounts"
            }
          ],
          "not_applicable": []
        }
      ]
    }
    Combined permit deny
    {
      "result": "DENY",
      "response": [
        {
          "allowed": [
            {
              "path": "AS-XX-12575",
              "action": "Access",
              "template": "Accounts"
            }
          ],
          "denied": [
            {
              "path": "AS-XX-1257566",
              "action": "Access",
              "template": "Accounts"
            }
          ],
          "not_applicable": []
        }
      ]
    }
    Expand All
    AnyOf
    permitDenyResponse
    result
    string
    response
    Array of object
    object
    allowed
    Array of object
    object
    path
    string
    action
    string
    template
    string
    permissions
    Array of object
    object
    permission
    string
    permissionId
    string
    denied
    Array of object
    object
    path
    string
    action
    string
    template
    string
    not_applicable
    Array of object
    object
    identity
    object (identityResponse)
    type
    string
    typeName
    string
    attributes
    object
    additionalResponseInfo
    object (additionalResponseInfoResponse)
    identitySources
    object
    skipped
    Array of object (identitySourceInfo)
    object
    sourceId
    string
    sourceName
    string
    message
    string
    attributes
    Array of string
    string
    failed
    Array of object (identitySourceInfo)
    object
    sourceId
    string
    sourceName
    string
    message
    string
    attributes
    Array of string
    string
    assetContextPermitDenyResponse
    data
    Array of object
    object
    assetContext
    object (assetContextResponseItem)
    AnyOf
    object
    key
    string

    An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.

    object
    resourceType
    string
    path
    string
    action
    string
    assetAttributes
    object
    attribute_1
    Array of string
    string
    attribute_2
    Array of string
    string
    output
    object
    accessResponse
    object (permitDenyResponse)
    result
    string
    response
    Array of object
    object
    allowed
    Array of object
    object
    path
    string
    action
    string
    template
    string
    permissions
    Array of object
    object
    permission
    string
    permissionId
    string
    denied
    Array of object
    object
    path
    string
    action
    string
    template
    string
    not_applicable
    Array of object
    object
    identity
    object (identityResponse)
    type
    string
    typeName
    string
    attributes
    object
    additionalResponseInfo
    object (additionalResponseInfoResponse)
    identitySources
    object
    skipped
    Array of object (identitySourceInfo)
    object
    sourceId
    string
    sourceName
    string
    message
    string
    attributes
    Array of string
    string
    failed
    Array of object (identitySourceInfo)
    object
    sourceId
    string
    sourceName
    string
    message
    string
    attributes
    Array of string
    string
    error
    string
    400

    Bad Request

    401

    Unauthorized

    403

    Forbidden

    404

    Not Found

    500

    Internal Server Error

    501

    Not Implemented


    Was this article helpful?