The PingOne policy decision service provides an action for runtime evaluation of decision requests against a given policy decision resource.

Policy decision evaluation request data model

| Property | Type | Required? | Mutable? | Description |
| --- | --- | --- | --- | --- |
| parameters | Object | Required | Mutable | An object that specifies the evaluation parameters required by the policy. |
| userContext.environment.id | UUID | Optional | Mutable | A string that specifies the environment’s unique identifier. |
| userContext.user.id | UUID | Optional | Mutable | A string that specifies the user’s unique identifier. |

Policy decision evaluation response data model

| Property | Type | Required? | Mutable? | Description |
| --- | --- | --- | --- | --- |
| authorizationVersion.id | UUID | Optional | Mutable | A string that specifies the ID of the authorization version deployed to this endpoint. Versioning allows independent development and deployment of policies. If omitted, the endpoint always uses the latest policy version available from the policy editor service. |
| id | UUID | Required | Mutable | A string that specifies the resource’s unique identifier. |
| correlationId | UUID | Optional | Mutable | A string that specifies the decision evaluation correlation ID. |
| decision | String | Required | Mutable | A string that specifies the decision result. Options are PERMIT, DENY, NOT_APPLICABLE, and INDETERMINATE. |
| elapsedMicroseconds | Integer | Optional | Mutable | An integer that specifies the evaluation duration in microseconds. |
| status.code | String | Optional | Mutable | A string that specifies the status. Options are OKAY, MISSING_ATTRIBUTE, TYPE_CONVERSION_ERROR, PROCESSING_ERROR, and TIMEOUT. |
| status.message | String | Optional | Mutable | A string that specifies the description of the error. |
| statements.id | UUID | Required | Mutable | A string that specifies the statement’s unique identifier. |
| statements.name | String | Required | Mutable | A string that specifies the statement name. |
| statements.code | UUID | Optional | Mutable | A string that specifies the statement code. Options are ANSWER. |
| statements.payload | Object | Optional | Mutable | An object that specifies the statement payload. |
| timestamp | String | Optional | Mutable | A string that specifies the time the evaluation was executed. |

Policy decision evaluation related resource links

| Link | Description |
| --- | --- |
| profile | A string that specifies the URL for the decision request’s associated profile. |
| authorizationVersion.href | A string that specifies the URL for the authorization version endpoint. |
| authorizationVersion.profile | A string that specifies the URL for the authorization version profile. |
| policy.href | A string that specifies the URL for the policy endpoint. |
| policy.profile | A string that specifies the URL for the policy profile. |
| statements.href | A string that specifies the URL for the statements endpoint. |
| statements.profile | A string that specifies the URL for the statements profile. |

Event types

The audit reporting events applicable to the policy decision service are:

| Topic | Event |
| --- | --- |
| decision-endpoints | DECISION_ENDPOINT.DECISION_REQUEST_EVALUATED |
| authorize-editor | ENVIRONMENT.INITIALIZED |

The decision event format returned by a DECISION_ENDPOINT.DECISION_REQUEST_EVALUATED event uses terse keys to reduce storage requirements. The following table explains the meaning of each key returned in the decision event response.

| Key | Description |
| --- | --- |
| enm | The name of the endpoint against which the decision request was evaluated. |
| eid | The ID of the endpoint against which the decision request was evaluated. |
| pid | The ID of the PingOne Authorize Policy that was deployed to the endpoint at the time the decision request was evaluated. |
| ver | The ID of the version that was deployed to the endpoint at the time the decision request was evaluated. |
| dec | The overall decision produced. |
| sce | The JSON object describing the scenario (the decisions produced by individual policies and rules that contributed to the overall decision). |
| sce.P | The list of the IDs of the policies and rules that produced the decision PERMIT. |
| sce.D | The list of the IDs of the policies and rules that produced the decision DENY. |
| sce.I | The list of the IDs of the policies and rules that produced the decision INDETERMINATE. |
| exe | The time taken to evaluate the decision request (in microseconds). |
| att | The JSON array giving the names and values of PingOne Authorize Attributes that have been explicitly marked for logging. |
| att.n | The attribute name. |
| att.v | The attribute value. |
| svc | The JSON array giving the names and values of PingOne Authorize Services that were invoked as part of the decision request evaluation. |
| svc.n | The attribute name. |
| svc.v | The attribute value. |
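
The terse keys above can be expanded for log review as follows. This is an added example, not PingOne code: it assumes the decision event arrives as a dictionary with the terse keys at its top level, and the sample event, the flag names and the `slow_us` threshold are constructed for illustration.

```python
# Terse key -> descriptive name, taken from the key table above.
KEY_NAMES = {
    "enm": "endpoint_name", "eid": "endpoint_id", "pid": "policy_id",
    "ver": "version_id", "dec": "decision", "exe": "elapsed_microseconds",
}
SCENARIO_NAMES = {"P": "PERMIT", "D": "DENY", "I": "INDETERMINATE"}

def expand_event(event):
    """Return a copy of a terse decision event with descriptive keys."""
    out = {KEY_NAMES[k]: v for k, v in event.items() if k in KEY_NAMES}
    # sce maps P/D/I to the IDs of the policies and rules behind each result.
    out["scenario"] = {SCENARIO_NAMES.get(k, k): list(v)
                       for k, v in (event.get("sce") or {}).items()}
    # att and svc are arrays of {"n": name, "v": value} pairs.
    for terse, name in (("att", "attributes"), ("svc", "services")):
        out[name] = {p["n"]: p.get("v") for p in (event.get(terse) or [])
                     if isinstance(p, dict) and "n" in p}
    # Keep keys the table does not describe so nothing is silently dropped.
    known = set(KEY_NAMES) | {"sce", "att", "svc"}
    out["unrecognized"] = {k: v for k, v in event.items() if k not in known}
    return out

def review_flags(expanded, slow_us=500_000):
    """Flag events worth a reviewer's attention (flags and threshold are assumptions)."""
    flags = []
    scenario = expanded["scenario"]
    if expanded.get("decision") == "INDETERMINATE" or scenario.get("INDETERMINATE"):
        flags.append("indeterminate-rule")
    if expanded.get("decision") == "PERMIT" and scenario.get("DENY"):
        flags.append("permit-despite-deny")
    if (expanded.get("elapsed_microseconds") or 0) > slow_us:
        flags.append("slow-evaluation")
    return flags

# Constructed sample event; every ID and name is a placeholder.
SAMPLE = {
    "enm": "example-endpoint", "eid": "00000000-0000-0000-0000-000000000001",
    "pid": "00000000-0000-0000-0000-000000000002",
    "ver": "00000000-0000-0000-0000-000000000003",
    "dec": "PERMIT", "exe": 612345,
    "sce": {"P": ["rule-a"], "D": ["rule-b"], "I": []},
    "att": [{"n": "example.attribute", "v": "value"}],
    "svc": [{"n": "example-service", "v": "response"}],
}

if __name__ == "__main__":
    ex = expand_event(SAMPLE)
    print(ex)
    print(review_flags(ex))
```

An overall PERMIT alongside a contributing DENY can be a legitimate outcome of how the policy combines rule results; the flag only marks the event for review.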

Response codes

| Code | Message |
| --- | --- |
| 200 | Successful operation. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |