Skip to main content

Decision Tags

To see the results of configuring the Decision Mappings, repeat the SSH commands for the following user roles.

  • bob is a user who is not an admin.
  • alice is a user with the role of an admin.

Decision Logs for bob

In the CLI, Styra run the SSH command for ‘bob’ and press ENTER for the secret and jira-654 for the jira ticket.

ssh -p 2222 bob@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Your OPA policy will not allow this SSH because bob is not the owner of Jira ticket jira-654.

Once the decision mapping is configured, any decision that includes result.allowed is tagged with Allow, if result.allowed is true. It is tagged with Deny, if result.allowed is false. In all other cases, it is tagged with Advice.

The last decision listed in the decisions list is the authz decision and should be tagged as Denied along with an error message. Since ‘result.allow’ is Boolean with the value false, the decision is tagged Denied. The error message originates from ‘result.error’ that the authz query sets when the result is false.

Decision Logs for alice

In the Styra CLI, run the SSH command for alice and press ENTER for the secret and jira-654 for the Jira ticket.

Your OPA policy allows this SSH because alice is the owner of Jira ticket jira-654 and that ticket is for the server running at port 2222 with host_id 1234.

In the decisions log, you will see the corresponding three decisions, the display and pull decisions tagged as Advice and the authz decision tagged as Allowed.