Is there a way to know which action produced which output? If I submit a request with multiple actions I'd like to be able to map the outputs to the actions.

Hi, It's only possible to determine which

rule

activated the

output

. This is because

outputs

are defined per

rule

. As an example, given a policy such as this:

---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "system_access"
  rules:
    - name: working-hours-only
      actions: ['*']
      effect: EFFECT_DENY
      roles: ['*']
      condition:
        match:
          expr: now().getHours() > 18 || now().getHours() < 8
      output:
        when:
          ruleActivated: |-
            {"principal": P.id, "resource": R.id, "timestamp": now(), "message": "System can only be accessed between 0800 and 1800"}
          conditionNotMet: |-
            {"principal": P.id, "resource": R.id, "timestamp": now(), "message": "System can be accessed at this time"}

There is only one rule defined and it's

working-hours-only

. If the rule is activated the response would include

outputs

field like this:

[
  {
    "src": "resource.system_access.vdefault#working-hours-only",
    "val": {
      "message": "System can only be accessed between 0800 and 1800",
      "principal": "john",
      "resource": "bastion_002",
      "timestamp": "2023-06-02T21:53:58.319506543+01:00"
    }
  }
]

it is possible to see the rule after

#

in the

src

field.

The issue is that there may be 2 actions in the request, and they're both denied because of different rules, so I would like to know why each action was denied.

Hi Jonah, you can submit multiple resources in the same request, but repeating the same resource with different actions is possible. Then, you can match partially activated rules with each action. Having said that, could you let me know if you are trying to debug your policies, or does your program code path depend on the rule that denied the action?

Yeah, submitting multiple resources each with a single action seems like the way to go. This is not for debugging, it's for the application. Basically in the frontend of our system we want to display a hover message when an action is not allowed with the specific reason that comes from the Cerbos policy.

Got it. Alternatively, you can structure your policies so that different rules process different actions. You can use derived roles or local variables to avoid repeating expressions in the rule conditions.

Actually it looks like the information I want might be in the

meta

block?