authz/decisiontree#

The decisiontree API allows the caller to get the value of any decisions across ALL policy modules, with a user context, but without a resource context.

This API is useful for getting a "decision tree" that guides a calling application around what functionality will be available to a user based on their context.

It is used by the display state map middleware in SDKs such as the Aserto Express.js SDK, in conjunction with the Aserto React SDK, to conditionally render UI elements based on the display state that corresponds to a decision.

The inputs to the decisiontree API are the user context, the set of decisions that the calling application wants to evaluate, the (optional) policy module used to make the decision(s), and a set of options.

URL#

POST .../api/v1/authz/decisiontree

Input payload#

json
{
  "identityContext": {
    "mode": "JWT"
  },
  "policyContext": {
    "decisions": [
      "visible", "enabled"
    ],
    "id": "[policy-id]",
    "path": "sample.GET.api.orders"
  },
  "options": {
    "grouping": "FLAT",
    "pathSeparator": "SLASH"
  }
}

The identityContext map is documented here.

The policyContext map is documented here.

The options map allows the caller to specify the format for retrieving the cartesian product of paths and decisions that are being requested.

Grouping#

Grouping values are:

  • FLAT: every path is returned in a single flat list

  • VERB: paths are grouped under the first element of the path, which is commonly an HTTP VERB

Path separator#

Path separator values are:

  • SLASH: the key in the returned decision tree is of the form VERB/route/segments/etc

  • DOT: the key in the returned decision tree is of the form VERB.route.segments.etc

Output payload#

The return payload for the options above may look like the following:

json
{
  "GET/api/orders": {
    "visible": true,
    "enabled": true
  }
}
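
A client consuming this payload should treat a missing path or a missing decision as a deny, not as an allow or an error. The following added example (not Aserto SDK code; the function names and the sample tree are constructed for illustration) builds the FLAT-grouping key for either path separator and resolves the display state fail-closed.

```javascript
// Added example, not Aserto SDK code. SAMPLE_TREE is constructed data in the
// FLAT / SLASH shape shown above; all function names are hypothetical.
const SEPARATORS = { SLASH: "/", DOT: "." };
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const SAMPLE_TREE = {
  "GET/api/orders": { visible: true, enabled: true },
  "POST/api/orders": { visible: true, enabled: false },
};

// Build the FLAT-grouping key for a route:
// VERB/route/segments (SLASH) or VERB.route.segments (DOT).
function decisionKey(method, route, pathSeparator = "SLASH") {
  if (!own(SEPARATORS, pathSeparator)) {
    throw new Error(`unknown pathSeparator: ${pathSeparator}`);
  }
  const segments = route.split("/").filter(Boolean);
  return [method.toUpperCase(), ...segments].join(SEPARATORS[pathSeparator]);
}

// Look up one decision. Anything other than an explicit boolean `true`
// (missing path, missing decision, wrong type) is a deny.
function isAllowed(tree, method, route, decision, pathSeparator = "SLASH") {
  const key = decisionKey(method, route, pathSeparator);
  if (tree === null || typeof tree !== "object" || !own(tree, key)) return false;
  const entry = tree[key];
  if (entry === null || typeof entry !== "object" || !own(entry, decision)) return false;
  return entry[decision] === true;
}

// Resolve the display state of the UI element bound to a route.
function displayState(tree, method, route, pathSeparator = "SLASH") {
  return {
    visible: isAllowed(tree, method, route, "visible", pathSeparator),
    enabled: isAllowed(tree, method, route, "enabled", pathSeparator),
  };
}

console.log(displayState(SAMPLE_TREE, "post", "/api/orders"));
console.log(displayState(SAMPLE_TREE, "delete", "/api/orders"));
```

The display state only controls rendering; the route itself still needs its own authorization check on the server.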