The Permit/Deny API call asks a Yes/No Authorization question: for the Identity, Assets and Actions detailed in the API Request, it returns an Access Decision (PERMIT or DENY). It can also optionally return additional information, such as a detailed per-Resource breakdown of what was allowed, denied or not applicable.
Notice
When accessing the Authorization APIs, the URL base/prefix depends on your PlainID PDP location (PAA or Cloud PDP). For more information on which Asset Types to use with your PAA or Cloud PDP, refer to Managing Asset Types.
Important note about headers
Refer to the headers below when modifying your cURL sample. Check whether the following headers are present in the sample; if not, add them to your cURL sample before pasting it into your API tool.
Headers
Header | Value | cURL Line
---|---|---
Content-Type (required) | `application/json` | `-H 'Content-Type: application/json'`
cURL Sample Guidelines
To have the relevant parameters appear in the cURL sample, enter their values in the interactive API console. They are then rendered in the cURL sample at the bottom of the page in the correct format.
Authentication
Client ID of the Scope: the clientId is required. Define it either in the header as X-Client-Id or in the request body as clientId (the sample below places it at the top level of the body). Refer to Setting up an Authentication Method for more information.
Client Secret of the Scope: sent in the request body as clientSecret. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to Setting up an Authentication Method for more information.
Treat the clientSecret like any other credential: a cURL sample that contains it must not be committed to source control or pasted into shared tooling, and the body of a logged request should have it redacted.
{
"entityId": "uid838277",
"clientId": "PDASDASDASDASDASDF40",
"clientSecret": "k3DSBn5vTJuNzcar0Cpb0wICar34QwYQCat4OMay",
"entityAttributes": {
"user_organization": [
"Acme Finance"
],
"user_title": [
"Branch Clerk"
],
"user_business_unit": [
"LOB1"
],
"User_Location": [
"US"
]
},
"combinedMultiValue": false,
"listOfResources": [
{
"resourceType": "Client Profiles",
"prefetch": true,
"resources": [
{
"action": "Read",
"path": "P4",
"assetAttributes": {
"order_type": [
"credit_card"
],
"customer_type": [
"regular"
]
}
}
]
}
]
}
Request body parameters
· entityId (required): Unique identifier of the Identity (e.g. UID).
· clientId: Client ID of the Scope. Required; define it either in the header as X-Client-Id or in the body as clientId.
· clientSecret: Client Secret of the Scope. You can also authenticate with an Authorization Token (in your API tool). Note that the X-Client-Id is still required, whether in the header or the body. Refer to Setting up an Authentication Method for more information.
· listOfResources: List of the Assets' unique identifiers. Each entry contains:
  · resourceType (required): Asset Template ID.
  · prefetch: Fetches the Asset Attributes based on the Asset ID at the beginning of the Access Decision calculation.
  · resources: the Resources to decide on, each with:
    · action (optional): Name of the Action.
    · path (required): Unique identifier of the Asset.
    · assetAttributes (optional): Asset Attributes of that Asset supplied with the request.
· Identity Template ID (the template of the Identity identified by entityId).
· contextData: Identity Context data for this request. When specifying this parameter, you are requesting information based on a specific parameter and its value, for example Location, where contextData equals a specific branch. If not defined, Dynamic Groups based on context data are not considered in the Access Decision.
· Environmental parameters. These need to be defined in Policies as a request (in Asset Rules or Conditions) and sent in the authorization request; only the Assets that match the parameters in the request are returned. If not defined, parameters based on Environmental data are not considered in the Access Decision.
· IP address to be used when validating a Policy. Ensure that your IP Ranges are correct based on an IP calculator. If not defined, the IP considered in the calculation is taken from the X-Forwarded-For request header. Since X-Forwarded-For is whatever the sender put there unless a trusted proxy overwrites it, a PEP that relies on IP-based Policies should pass the IP explicitly or make sure the header cannot be supplied by the caller.
· Offset from the UTC time zone. Used in Time Conditions.
· Show/hide a detailed list of Resources that are allowed, denied and not applicable.
· Show/hide the context data in the response.
· includeAccessPolicy: Show/hide the name of the Policy in the response that granted the specified access.
· Show/hide the external ID of the Policy in the response that granted the specified access.
· Show/hide the Asset Attributes of the Assets in the response.
· Include/exclude the reason for denying access to an Asset. Uses prefetch logic to evaluate the reasons. For more details, see the Deny Reason article.
· Show/hide the Identity Attributes of the Identity in the response.
· Determines the format of the response: JSON, JWT or StandardJWT.
· Determines whether the response considers the cache settings or overrides the cache and performs a full calculation.
· combinedMultiValue: Determines how the relationship between multi-valued Identity Attributes is evaluated in the Access Decision.
· An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the "singleObjectResponse" value to align with the original response structure.
· Determines the Asset Context response structure. See the article Working with Asset Context for more information.
· runtimeFineTune: Operational filters that affect the Runtime behavior and results by applying additional filtering not directly related to Authorization logic. Contains:
  · Source IDs: input your sourceID/s here. For information on the sourceID parameter and where to locate it, see Managing Attribute Sources in the PlainID documentation.
  · Whether the calculation skips unneeded or unavailable Identity sources. Refer to the Authorization API article for more information.
  · Show/hide additionalResponseInfo in the response.
  · Fail the request when an Attribute calculation fails. When this is not set, a failed Attribute calculation does not fail the request and the decision is computed without that data.
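The IP range and X-Forwarded-For notes above deserve a worked check. The following Python is an added example, not PlainID code and not from this page: it shows what an IP calculator tells you about a CIDR before you write it into a Policy (10.1.2.0/22 actually starts at 10.1.0.0), tests membership of an address in a set of ranges, and picks the client IP from X-Forwarded-For the way a trusted-proxy-aware PEP should, so a caller cannot spoof its address by prepending entries. The trusted proxy ranges are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample: the reverse proxies / load balancers in front of the PEP that
# are allowed to append to X-Forwarded-For. Every other address is untrusted.
TRUSTED_PROXIES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def cidr_bounds(cidr: str):
    """What an IP calculator reports for a range: (first, last, address count).
    strict=False accepts a range written from a host address, which is exactly the
    case that misleads: 10.1.2.0/22 covers 10.1.0.0 - 10.1.3.255, not 10.1.2.0 - 10.1.5.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def ip_in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip falls inside any of the CIDR ranges (IPv4 or IPv6; mixed
    versions never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def client_ip_from_xff(xff: Optional[str], peer_ip: str,
                       trusted: Iterable[ipaddress.IPv4Network] = TRUSTED_PROXIES) -> str:
    """Pick the IP a PEP should hand to the PDP. Each proxy appends to
    X-Forwarded-For, so the rightmost entries are the trustworthy ones: start at the
    TCP peer, walk leftwards skipping addresses that belong to our own proxies, and
    stop at the first address we did not add. The leftmost entry is whatever the
    caller sent and is never used directly. Malformed headers fall back to the peer."""
    trusted = list(trusted)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()] + [peer_ip]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip
        if not any(addr in net for net in trusted):
            return str(addr)
    return peer_ip  # every hop was one of our proxies; nothing better is known
```

If the peer that connects to the PEP is not one of the trusted proxies, the header is ignored entirely and the TCP peer address wins, which is the behaviour you want when someone connects directly and forges the header.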
Response samples
User gets a Permit decision:
{
"result": "PERMIT"
}
User gets a Deny decision:
{
"result": "DENY"
}
Permit decision with the detailed list of Resources:
{
"result": "PERMIT",
"response": [
{
"allowed": [
{
"path": "AS-XX-12575",
"action": "Access",
"template": "Accounts"
}
],
"denied": [],
"not_applicable": []
}
]
}
Deny decision with the detailed list of Resources:
{
"result": "DENY",
"response": [
{
"allowed": [],
"denied": [
{
"path": "AS-XX-12575",
"action": "Access1",
"template": "Accounts"
}
],
"not_applicable": []
}
]
}
Deny decision where one Resource is allowed and another denied (the overall result is DENY because not every requested Resource is allowed):
{
"result": "DENY",
"response": [
{
"allowed": [
{
"path": "AS-XX-12575",
"action": "Access",
"template": "Accounts"
}
],
"denied": [
{
"path": "AS-XX-1257566",
"action": "Access",
"template": "Accounts"
}
],
"not_applicable": []
}
]
}
Response fields
· Additional response metadata. Returned only when includeAccessPolicy is set to true and the permissionMetadata object contains one or more properties.
· An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the "singleObjectResponse" value to align with the original response structure.
Response codes
· 400 Bad Request
· 401 Unauthorized
· 403 Forbidden
· 404 Not Found
· 500 Internal Server Error
· 501 Not Implemented
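To tie the request body parameters, the response samples and the response codes together, here is an added example in Python; it is not PlainID's SDK and not code from this page. It builds a request with the field names used in the request sample above, validates the required fields (resourceType, path) locally, sends the clientId in the X-Client-Id header, produces a log-safe copy of the body without the clientSecret, and evaluates a response fail-closed: only HTTP 200 with result exactly "PERMIT" grants access, and the detailed allowed/denied lists are flattened per Resource so a PEP can act on them. The endpoint URL is deployment-specific and is left to the caller; the only data embedded is the mixed allowed/denied response sample from this page.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example (not PlainID's SDK). Field names follow the request sample on this
# page; the endpoint URL is deployment-specific and deliberately not hard-coded.


@dataclass
class Resource:
    path: str                                  # required: unique identifier of the Asset
    action: Optional[str] = None               # optional: name of the Action
    asset_attributes: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class ResourceGroup:
    resource_type: str                         # required: Asset Template ID
    resources: List[Resource]
    prefetch: bool = False                     # fetch Asset Attributes by Asset ID up front


def build_request(entity_id: str, client_id: str, client_secret: str,
                  groups: List[ResourceGroup],
                  entity_attributes: Optional[Dict[str, List[str]]] = None,
                  combined_multi_value: bool = False) -> Tuple[dict, dict]:
    """Return (headers, body). Required fields are checked here so a malformed
    request fails locally instead of becoming a 400 at the PDP."""
    if not entity_id:
        raise ValueError("entityId is required")
    if not groups:
        raise ValueError("listOfResources must contain at least one entry")
    for g in groups:
        if not g.resource_type:
            raise ValueError("resourceType is required")
        if not g.resources:
            raise ValueError("resources must not be empty")
        if any(not r.path for r in g.resources):
            raise ValueError("path is required for every resource")
    # clientId travels in the X-Client-Id header; clientSecret in the body, as in the sample.
    headers = {"Content-Type": "application/json", "X-Client-Id": client_id}
    body = {
        "entityId": entity_id,
        "clientSecret": client_secret,
        "entityAttributes": entity_attributes or {},
        "combinedMultiValue": combined_multi_value,
        "listOfResources": [
            {
                "resourceType": g.resource_type,
                "prefetch": g.prefetch,
                # optional fields are omitted rather than sent as null or empty
                "resources": [
                    {k: v for k, v in (("action", r.action), ("path", r.path),
                                       ("assetAttributes", r.asset_attributes)) if v}
                    for r in g.resources
                ],
            }
            for g in groups
        ],
    }
    return headers, body


def redact(body: dict) -> dict:
    """Shallow copy that is safe to log: the Scope secret never reaches a log line."""
    safe = dict(body)
    if "clientSecret" in safe:
        safe["clientSecret"] = "***"
    return safe


def decide(status: int, response_text: str) -> Tuple[bool, Dict[str, List[str]]]:
    """Fail closed: access is granted only for HTTP 200 with result exactly "PERMIT".
    Error statuses, unparsable bodies and any other result value are DENY.
    The second value flattens the detailed response (when it was requested) into
    "template:path:action" keys so a PEP can act per Resource."""
    details: Dict[str, List[str]] = {"allowed": [], "denied": [], "not_applicable": []}
    if status != 200:
        return False, details
    try:
        data = json.loads(response_text)
    except ValueError:
        return False, details
    if not isinstance(data, dict):
        return False, details
    for entry in data.get("response") or []:
        for bucket in details:
            for item in entry.get(bucket) or []:
                details[bucket].append(
                    f"{item.get('template')}:{item.get('path')}:{item.get('action')}")
    return data.get("result") == "PERMIT", details


# The mixed allowed/denied sample from this page, for exercising decide() offline.
SAMPLE_MIXED = json.dumps({
    "result": "DENY",
    "response": [{
        "allowed": [{"path": "AS-XX-12575", "action": "Access", "template": "Accounts"}],
        "denied": [{"path": "AS-XX-1257566", "action": "Access", "template": "Accounts"}],
        "not_applicable": [],
    }],
})
```

A typical call is build_request("uid838277", client_id, client_secret, [ResourceGroup("Client Profiles", [Resource("P4", "Read")], prefetch=True)]), POSTing the body with the returned headers to your PDP's Permit/Deny endpoint, and then decide(resp.status, resp.text). The exact-match on "PERMIT" is deliberate: a response that is well-formed but says anything else, including a 200 with an unexpected shape, must not be treated as an allow.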