Last modified: Jul 16, 2026

Trace an authorisation decision end to end

Run, trace and troubleshoot a representative PDP decision.

This exercise uses an existing Bruno test for a system user with a directly delegated access package. It expects Permit for read. Paths are based on source commit 20fcb3f.

What the exercise shows

The request calls POST /authorization/api/v1/decision with the system-user UUID, read, resource identifier and resource-party organisation number. Authorization enriches context, loads policy, evaluates roles and delegations, checks any access list and creates an audit event.

Prerequisites and execution

You need altinn-authorization-tmp, Bruno or Bruno CLI, access to an agreed test environment, a valid subscription key and approved test data. Retrieve secrets through the approved solution and never commit them.

Open:

src/apps/Altinn.Authorization/test/Bruno/Altinn.Authorization

Choose the agreed environment and run:

shared/Decision/SystemUser_AccPkg_ToDo_Scenarios/
  SysUser_DirectDelg_AccPkg_Permit.bru

The pre-request script supplies subjectSystemUser, resourceId and resourceOrgno. Success is HTTP 200 with response[0].decision equal to Permit.

Request attributes

CategoryAttributeMeaning
AccessSubjecturn:altinn:systemuser:uuidacting system user
Actionurn:oasis:names:tc:xacml:1.0:action:action-idread
Resourceurn:altinn:resourceprotected resource
Resourceurn:altinn:organization:identifier-noresource party

Do not change shared test data without agreement.

Follow the code

  1. DecisionController.Post receives internal JSON or XML.
  2. Context Handler enriches party, role and resource context.
  3. PRP loads the resource policy.
  4. PDP evaluates the policy.
  5. On NotApplicable, relevant delegations are loaded and evaluated.
  6. A preliminary Permit may become Deny when a required access list rejects the party.
  7. Event Log creates the event when enabled.
  8. The Audit Log function consumes authorizationeventlog and calls the Audit Log API.

Run locally

just dev
dotnet build Altinn.Authorization.sln
dotnet run --project src/apps/Altinn.Authorization/src/Altinn.Authorization

Follow the repository README for database and secret configuration. A local process using shared backends is a hybrid test. A full Permit requires consistent resource, policy, party and delegation data across dependencies.

Interpret and troubleshoot

Permit must still be enforced by the PEP. Deny is explicit refusal, NotApplicable means no relevant rule produced a decision, and Indeterminate means evaluation failed. 401 or 403 before the XACML response usually concerns API access.

Check environment and subscription key; subject, resource party, resource and action; current policy; role or delegation; access list; feature flags and test data. Use trace or correlation ID across dependencies and Audit Log. Never log complete tokens or unnecessary decision context.