If you can’t explain an authorization decision, you can’t operate it.
You need to answer:
- “Why was this denied?” (developer + support)
- “Who had access during the incident?” (security)
- “Who approved/granted this?” (audit)
What to log (minimum viable)
For each decision, capture:
- subject (user/workload id)
- tenant / org scope
- action + resource identifiers
- decision (allow/deny)
- policy version / rule id
- correlation id / request id
Avoid logging secrets or full tokens.
Explainability patterns
- Return a reason code from the PDP (e.g.,
DENY_NOT_MEMBER,DENY_MFA_REQUIRED). - Provide a developer-facing “trace” mode in non-prod.
- Store policy versions so you can replay decisions.
Pitfalls
- Logging only “denied” without enough context to debug.
- Logging too much PII.
- Not linking decision logs to grant events (the moment access was granted).
Where to go next
- /topic/authorization/authorization-performance-caching-consistency-revocation
- /category/identity-security
- IDPro Book of Knowledge (reference): https://bok.idpro.org/