Atom

Authorization Explain

How to understand one allow or deny decision.

Authorization explain is the human-readable version of an authorization check.

It should show:

  • the subject being checked;
  • the target object;
  • the requested action;
  • matching role assignments;
  • matching direct policies;
  • matching permission blocks;
  • skipped permission blocks and why they did not match;
  • final allow or deny reason.

Example Question

Why was meter-001 denied publish on telemetry?

Useful output should answer:

meter-001 is active.
telemetry exists and is a channel resource.
publish is valid for `resource:channel`.
No allow permission block matched this channel.
Final decision: deny by default.
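
The sketch below shows one way to build such a decision trail for the meter-001 question. It is an added example, not Atom's own code: the data model, the block and policy tuples, the `explain` function, and the rule that an explicit deny overrides an allow are all assumptions made for illustration.

```python
# Added example: hypothetical data model, not Atom's schema or API.
SUBJECTS = {"meter-001": {"active": True, "roles": ["meter-reader"]},
            "meter-002": {"active": True, "roles": []}}
OBJECTS = {"telemetry": "resource:channel", "billing": "resource:channel"}
VALID_ACTIONS = {"resource:channel": {"publish", "subscribe"}}
# Constructed permission blocks: (id, role, effect, action, object).
BLOCKS = [
    ("pb-1", "meter-reader", "allow", "subscribe", "telemetry"),
    ("pb-2", "meter-reader", "allow", "publish", "billing"),
    ("pb-3", "operator", "allow", "publish", "telemetry"),
]
# Constructed direct policies: (subject, effect, action, object).
POLICIES = [("meter-002", "allow", "publish", "telemetry")]


def explain(subject, action, obj):
    """Run one check and return the full decision trail as a dict."""
    t = {"subject": subject, "object": obj, "action": action, "roles": [],
         "policies": [], "matched": [], "skipped": []}

    def done(decision, reason):
        t.update(decision=decision, reason=reason)
        return t

    s = SUBJECTS.get(subject)
    if s is None or not s["active"]:
        return done("deny", "subject is unknown or inactive")
    kind = OBJECTS.get(obj)
    if kind is None:
        return done("deny", "object does not exist")
    if action not in VALID_ACTIONS[kind]:
        return done("deny", f"{action} is not valid for {kind}")
    t["roles"] = list(s["roles"])
    t["policies"] = [p for p in POLICIES
                     if (p[0], p[2], p[3]) == (subject, action, obj)]
    for bid, role, effect, act, target in BLOCKS:
        why = ("role not assigned" if role not in s["roles"] else
               "action differs" if act != action else
               "object differs" if target != obj else None)
        if why:  # record every skipped block with the first failed test
            t["skipped"].append((bid, why))
        else:
            t["matched"].append((bid, effect))
    effects = {p[1] for p in t["policies"]} | {e for _, e in t["matched"]}
    if "deny" in effects:  # assumption: an explicit deny overrides any allow
        return done("deny", "explicit deny matched")
    if "allow" in effects:
        return done("allow", "allow matched")
    return done("deny", "deny by default: no allow matched")
```

Calling `explain("meter-001", "publish", "telemetry")` returns a trail whose `skipped` list names each block and the first test it failed, which is the part an operator would otherwise have to reconstruct by hand.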

Why This Matters

Without explain output, operators have to inspect roles, assignments, groups, and conditions manually. Explain output gives a decision trail that can be used during incidents, audits, and onboarding.
