View Decision Logs
In the Styra DAS UI, you can view the Decisions for your Custom System in the Decisions tab. When you run an SSH command, three decisions are generated.
The following three queries in your Custom System’s rules are the source of each decision.
- display decision: Configures which prompts the PAM plug-in presents to the user.
- pull decision: Configures which files the PAM plug-in reads from disk and which environment variables it looks up.
- authz decision: Configures the PAM plug-in to allow or deny the request, along with an error message.
The authz decisions are based on the following information supplied to its query.
- PAM session info (for example IP, username, and process).
- Values you entered for the display input prompts.
- Values from the pull queries of the files and environment variables.
All of the decisions in the log are tagged as UNKNOWN because Styra DAS does not understand the structure of the decisions. Neither Allow nor Deny is a keyword in Rego. You can configure Styra DAS so it understands the structure and knows which decisions represent an Allow, which decisions represent a Deny, and which decisions are neither an Allow nor a Deny, but rather constitute Advice.
For Styra DAS to tag a Custom System's decisions as Allowed or Denied, the following is done.
- Configure the System Decision Mappings.
- Specify the Boolean result field in the decision’s JSON output.
You can specify the Decision Mappings for a Custom System using configuration instructions.
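The following added example (an illustration, not Styra DAS code or its configuration format) shows why the three SSH decisions are UNKNOWN until a Boolean result field is named, and how only the authz decision becomes Allowed or Denied afterwards. The decision paths, the log entry fields, the `allow` field name, and the `MAPPINGS` structure are all assumptions constructed for the example.

```python
"""Illustrative tagging of decision-log entries; not Styra DAS code."""

# Hypothetical mapping: decision path -> dotted path of the Boolean result field.
# A decision path without an entry carries no Allow/Deny meaning.
MAPPINGS = {"authz": "allow"}

# Constructed log entries for one SSH login (field names are assumptions).
DECISIONS = [
    {"path": "display", "result": {"display_spec": [
        {"key": "ticket", "style": "prompt_echo_on", "message": "Ticket:"}]}},
    {"path": "pull", "result": {"files": ["/etc/host_identity.json"],
                                "env_vars": []}},
    {"path": "authz", "result": {"allow": False,
                                 "errors": ["Request denied by policy"]}},
]


def lookup(doc, dotted):
    """Walk a dotted path through nested dicts; return (found, value)."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
    return True, cur


def tag(decision, mappings):
    """Return ALLOWED, DENIED or UNKNOWN for a single decision entry."""
    field = mappings.get(decision["path"])
    if field is None:
        return "UNKNOWN"  # no mapping: the structure is not understood
    found, value = lookup(decision.get("result"), field)
    # Only a real Boolean counts. A missing field or a truthy string such as
    # "true" must never be read as an Allow.
    if not found or not isinstance(value, bool):
        return "UNKNOWN"
    return "ALLOWED" if value else "DENIED"


def tag_all(decisions, mappings):
    """Tag every entry, preserving log order."""
    return [(d["path"], tag(d, mappings)) for d in decisions]


if __name__ == "__main__":
    for label, mappings in (("unmapped", {}), ("mapped", MAPPINGS)):
        for path, result in tag_all(DECISIONS, mappings):
            print(f"{label:9} {path:8} {result}")
```
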