Trace an authorisation decision end to end
Run, trace and troubleshoot a representative PDP decision.
This exercise uses an existing Bruno test for a system user with a directly delegated access package. It expects Permit for read. Paths are based on source commit 20fcb3f.
What the exercise shows
The request calls POST /authorization/api/v1/decision with the system-user UUID, read, resource identifier and resource-party organisation number. Authorization enriches context, loads policy, evaluates roles and delegations, checks any access list and creates an audit event.
Prerequisites and execution
You need altinn-authorization-tmp, Bruno or Bruno CLI, access to an agreed test environment, a valid subscription key and approved test data. Retrieve secrets through the approved solution and never commit them.
Open:
src/apps/Altinn.Authorization/test/Bruno/Altinn.Authorization
Choose the agreed environment and run:
shared/Decision/SystemUser_AccPkg_ToDo_Scenarios/
SysUser_DirectDelg_AccPkg_Permit.bru
The pre-request script supplies subjectSystemUser, resourceId and resourceOrgno. Success is HTTP 200 with response[0].decision equal to Permit.
Request attributes
| Category | Attribute | Meaning |
|---|---|---|
| AccessSubject | urn:altinn:systemuser:uuid | acting system user |
| Action | urn:oasis:names:tc:xacml:1.0:action:action-id | read |
| Resource | urn:altinn:resource | protected resource |
| Resource | urn:altinn:organization:identifier-no | resource party |
Do not change shared test data without agreement.
Follow the code
DecisionController.Postreceives internal JSON or XML.- Context Handler enriches party, role and resource context.
- PRP loads the resource policy.
- PDP evaluates the policy.
- On
NotApplicable, relevant delegations are loaded and evaluated. - A preliminary
Permitmay becomeDenywhen a required access list rejects the party. - Event Log creates the event when enabled.
- The Audit Log function consumes
authorizationeventlogand calls the Audit Log API.
Run locally
just dev
dotnet build Altinn.Authorization.sln
dotnet run --project src/apps/Altinn.Authorization/src/Altinn.Authorization
Follow the repository README for database and secret configuration. A local process using shared backends is a hybrid test. A full Permit requires consistent resource, policy, party and delegation data across dependencies.
Interpret and troubleshoot
Permit must still be enforced by the PEP. Deny is explicit refusal, NotApplicable means no relevant rule produced a decision, and Indeterminate means evaluation failed. 401 or 403 before the XACML response usually concerns API access.
Check environment and subscription key; subject, resource party, resource and action; current policy; role or delegation; access list; feature flags and test data. Use trace or correlation ID across dependencies and Audit Log. Never log complete tokens or unnecessary decision context.