Decisions
A decision is the result of a single /v1/authorize call. Every time your app or agent asks AuthzX whether a subject can perform an action on a resource, one decision record is produced.
A decision has one of three outcomes:
- allow — a matching ALLOW policy granted access, no DENY blocked it.
- deny — no ALLOW matched, or a DENY policy took precedence.
- error — the AuthzX Agent could not reach a verdict (invalid input, missing subject, evaluation failure).
Decision Log
The Decision Log (Observability → Decision Log in the console) is the runtime feed of every decision across your tenant. It defaults to the last 24 hours and is filterable.
Each row carries the fields AuthzX records for a decision:
| Field | Meaning |
|---|---|
decision_id | Unique ID for this evaluation. Use it in support tickets. |
timestamp | When the AuthzX Agent returned the verdict. |
subject_id | The subject that requested access. |
resource_id | The resource the action was attempted on. |
action | The action string (read, write, ...). |
policy_id | The policy that matched. Empty on default-deny. |
verdict | allow / deny / error. |
access_path | DIRECT, ROLE, or ABAC — which of the access paths produced the grant. |
error_message | Populated only when verdict = error. |
agent_name | Which agent (or cloud) served the decision. |
Searching and filtering
The Decision Log supports search and filters on:
- Subject name or ID
- Resource name or ID
- Policy name
- Agent name
- Verdict
- Time range
Click any row to open the detail drawer. Copy JSON serializes the full decision — request, response, and metadata — so you can paste it into a bug report, a test case, or a Policy Tester scenario.
Decision Log vs Audit Log
These often get confused. They answer different questions.
| Decision Log | Audit Log | |
|---|---|---|
| Records | Runtime authorization events | Control-plane configuration changes |
| Example entry | "user-123 was denied delete on doc-456 at 14:02" | "admin edited policy editors-can-read-write at 13:45" |
| Source | /v1/authorize calls | Dashboard / API mutations |
| Use case | Debug "why was I denied?" | Answer "who changed this policy?" |
If you're debugging a request, start in the Decision Log. If you're investigating a config change, use the Audit Log.
Decision Log vs Hotspots
The Decision Log shows individual events. Hotspots aggregates them.
- Decision Log — one row per request. Best for forensic, "what exactly happened at 14:02:11" questions.
- Hotspots (Observability → Hotspots in the console) — auto-detected issues across your authorization setup, grouped by severity. Six categories:
- Deny spikes (critical) — resources where deny rate jumped > 3x baseline in 24h
- Eval errors (critical) — policies that failed to evaluate (missing attributes, timeouts)
- Uncovered resources (warning) — resources with no policy referencing them
- New deny pairs (warning) — subject/resource pairs newly denied in the last 24h
- Dead policies (info) — policies not evaluated in the last 30 days
- Latency regressions (info) — policies whose p95 eval latency grew > 1.5x week-over-week
Use Hotspots to notice a pattern, then pivot to the Decision Log to inspect individual cases.
Retention
Decision events age out according to the audit-service retention policy configured for your tenant. For exact retention windows and export options, see your operator documentation or contact your account team — the defaults differ between self-hosted and cloud deployments.
Related
- Access Paths — the
access_pathfield explained. - Authorize API — the request/response shape the log is recording.
- AuthzX Agent — decisions served locally still stream to the cloud Decision Log.