Decisions
A decision is the result of a single /access/v1/evaluation call. Every time a caller asks Vengtoo whether a subject can perform an action on a resource, one decision record is produced.
A decision has one of three outcomes:
- allow — a matching ALLOW policy granted access, no DENY blocked it.
- deny — no ALLOW matched, or a DENY policy took precedence.
- error — Vengtoo could not reach a verdict. Check the
error_messagefield in the response for the cause. Common reasons: unresolvable subject or resource (ID not found), malformed request input, or an evaluation timeout. Treaterroras deny in your enforcement logic — never default to allow on an unknown verdict.
Decision Log
The Decision Log (Observability → Decision Log in the console) is the runtime feed of every decision across your tenant. It defaults to the last 24 hours and is filterable.
Each row carries the fields Vengtoo records for a decision:
| Field | Meaning |
|---|---|
decision_id | Unique ID for this decision record. Use it in support tickets. |
timestamp | When the Vengtoo Agent returned the verdict. |
subject_id | The subject that requested access. |
resource_id | The resource the action was attempted on. |
action | The action string (read, write, ...). |
policy_id | The policy that matched. Empty on default-deny. |
verdict | allow / deny / error. |
reason | Human-readable explanation of the decision (e.g. "Direct access granted to entity ..."). |
access_path | direct, role, or abac — which of the access paths produced the grant. |
latency | How long the evaluation took. Shown in the dashboard as the Latency column. |
error_message | Populated only when verdict = error. |
agent_name | Which agent (or cloud) served the decision. |
Decision Log vs Audit Log
These often get confused. They answer different questions.
| Decision Log | Audit Log | |
|---|---|---|
| Records | Runtime authorization events | Control-plane configuration changes |
| Example entry | "user-123 was denied delete on doc-456 at 14:02" | "admin edited policy editors-can-read-write at 13:45" |
| Source | /access/v1/evaluation calls | Dashboard / API mutations |
| Use case | Debug "why was I denied?" | Answer "who changed this policy?" |
If you're debugging a request, start in the Decision Log. If you're investigating a config change, use the Audit Log.
Decision Log vs Hotspots
The Decision Log shows individual events — one row per request, best for forensic investigation of a specific denial or unexpected access. Hotspots surfaces patterns across decisions and your authorization model. Use Hotspots to notice an issue, then pivot to the Decision Log to inspect the individual cases behind it.
Related
- Access Paths — the
access_pathfield explained. - Authorize API — the request/response shape the log is recording.
- Vengtoo Agent — decisions served locally still stream to the cloud Decision Log.