Working with Deny Reason
  • 12 Dec 2023
  • 3 Minutes to read
  • Dark
    Light
  • PDF

Working with Deny Reason

  • Dark
    Light
  • PDF

Article summary

About Deny Reason

The includeDenyReason is an optional runtime request parameter in the Permit Deny API. When sent in the request, the response provides visibility into the different deny reasons that might occur when receiving a denied response from the PDP.

This capability can be used for troubleshooting and provides better support for onboarding new Applications or a new set of Policies.

Additionally, integrated Applications can use Deny-Reason codes in their responses to clarify to users why they were not granted access.

Example:
If a user does not meet the conditions set in the Policy (e.g. working hours), they cannot access the relevant information granted by the Policy.

Response structure

Deny-Reason codes within the response are returned for every Asset Action permutation. A basic response returns all the Deny-Reason code/s relevant to the request.

Example:
Basic Response Structure (includeDetails set to false, includeDenyReason set to true)

{
  "result": "DENY",
  "reason": ["PID003","PID004"]
}

 

A breakdown for every code per Asset Action permutation is returned in a detailed response.

Example:
Detailed Response Structure (includeDetails set to true, includeDenyReason set to true)

{
    "result": "DENY",
    "reason": [
        "PID003",
        "PID004"
    ],
    "response": [
        {
            "allowed": [],
            "denied": [
                {
                    "path": "/accounts/transfer",
                    "Action": "Approve",
                    "template": "Accounts",
                    "reason": "PID003"
                },
                {
                    "path": "/accounts/transfer",
                    "Action": "Edit",
                    "template": "Accounts",
                    "reason": "PID004"
                }
            ],
            "not_applicable": []
        }
    ]
}

PlainID PDP Deny Reason Codes

Deny Reason returns in a form of code to make the integration with consuming Applications easier.

For each Asset Action permutation sent in the Authorization request, an appropriate error code is returned.
It is important to ensure that the Asset Type setup is correct, all relevant Actions are available, and the values match the Authorization request sent.
Note: Action value is case sensitive.

The following table provides information for each Deny Code scenario:

ScenarioDeny CodeDetails
User does not match any relevant Dynamic GroupPID001The user evaluation does not match any Dynamic Group connected to the Access Policies within the Scope sent in the Authorization request.

The code indicates that either the user is not eligible for access or there is missing information used in the Policy calculation.

It is important to ensure that the user's information is accurate, and that Dynamic Groups are created as expected.
Conditions were not metPID002Conditions evaluation did not pass for all Policies connected to the Scope sent in the Authorization request.
In this case, the PDP does not proceed to Dynamic Groups evaluation.

The code indicates that either the user is not eligible for access, or there is missing information used in the Policy calculation.

Make sure that relevant information like offset, remote IP, or relevant environment parameters are sent as part of the Authorization request, and that Conditions are created as expected.
The requested Action is not defined under the Asset Type (Resource Type)PID003This code appears in case the Action is not defined under the Asset Template ID specified in the request.

Make sure the Asset Type setup is as correct and that all relevant Actions are available and values match the Authorization request sent.

Action value is case sensitive
Asset not foundPID004The Asset sent in the request is not found in the Asset source.

Make sure Asset that was sent is available in the Asset Source (can be PlainId or an external one) and the Asset ID (path) sent is accurate.

This error is not returned when Assets are sent as part of the request (virtual).
The Policy was evaluated and the Asset was deniedPID005There can be multiple cases:
  • This Asset Action permutation is not part of any Policy which match the requested identity.
  • Access denied due to Restrictive Policy
  • No relevant Policy applies for the requested userPID006The user is not authorized to perform a specific Action based on their Dynamic Group and Conditions stated in the Policy.
    Scope is connected to restrictive Policies onlyPID007The requested Scope is only connected to Restrictive Policies.

    Access is not granted until at least one access Policy is created.

    Was this article helpful?