Responses
From the application’s perspective, once it asks for an Entitlements decision, the next thing that happens is that it receives a JSON object in response that describes the decision. A sample decision is shown below.
The most important fields are allowed
(a Boolean indicating whether the request is allowed or not) and entz
(a Rego set/JSON array of the list of JSON documents returned to the caller). The outcome field contains additional information about why the decision is made.
{
"allowed": true,
"entz": [
{"roles": ["DenySystemConfigModification"]},
{"roles": ["SystemPolicyEditor"]}
],
"outcome": {
"allow": true,
"decision_type": "ALLOWED",
"enforced": [
{
"allowed": true,
"entz": [],
"message": "Compliance Allow/Deny"
},
{
"allowed": true,
"entz": [{"roles": ["SystemPolicyEditor"]}],
"message": "Roles for subject"
},
{
"allowed": true,
"entz": [{"roles": ["DenySystemConfigModification"]}],
"message": "Roles for subject"
}
],
"monitored": [],
"policy_type": "rules",
"stacks": {
"e66a7ecdc6fc4d7bb0a8ae33b8f7175d": {
"enforced": [{
"allowed": true,
"entz": [],
"message": "Compliance Allow/Deny"
}],
"monitored": []
}
},
"system_type": "template.entitlements:0.1"
}
}
allowed
is a Boolean indicating whether the request was allowed at all. entz
is the union of all Entitlements produced by the system and any applicable stacks. entz
is a set in Rego, but is returned by the requester as a JSON array.