Skip to main content

View Decision Logs

In the Styra DAS UI, you can view the Decisions for your Custom system in the Decisions tab. When you run a SSH command, three decisions are generated.

The following three queries in your Custom system’s rules are the source of each of the three decisions.

  • display decision: Tells PAM plugin what prompts to present to the user.
  • pull decision: Tells PAM plugin what files to read from disk and environment variables to lookup.
  • authz decision: Tells PAM plugin to allow/deny the request along with an error message.

The authz decisions are based on the following information supplied to its query.

  • PAM session info (ip, username, process, and so on).
  • Values you entered for the display input prompts.
  • Values from the pull queries of the files and environment variables.

All of the decisions in the log are tagged as UNKNOWN because the DAS does not understand the structure of any of the decisions. Remember that neither Allow nor Deny are keywords in Rego. But, you can configure the DAS so it understands the structure and knows which decisions represent an Allow, which decisions represent a Deny, and which decisions are neither an Allow nor a Deny, but rather constitute Advice.

For a Custom system, DAS can tag its decisions as Allowed or Denied only when you do the following tasks.

  • Configure the system’s Decision Mappings.
  • Specify the Boolean result field in the decision’s JSON output.

You can specify the Decision Mappings for a Custom system using the configuration instructions.