Decision Inspector

Every check returns an AegisDecision that explains itself. Switch users in the header to watch the reasons change.

Current subject: demo-user, holds admin, editor

dashboard: Allowed
granted: The subject holds at least one role the resource allows.
Allowed roles: admin, editor, viewer
Your roles: admin, editor
Matched (why allowed): admin, editor
Allowed roles you lack: viewer

admin.settings: Allowed
granted: The subject holds at least one role the resource allows.
Allowed roles: admin
Your roles: admin, editor
Matched (why allowed): admin
Allowed roles you lack: none

admin.users: Allowed
granted: The subject holds at least one role the resource allows.
Allowed roles: admin, editor
Your roles: admin, editor
Matched (why allowed): admin, editor
Allowed roles you lack: none

Reasons

granted

The subject holds at least one role the resource allows.

no-matching-role

The subject has roles, but none are allowed for this resource.

closed-by-default

The resource has no allowed roles, so it denies everyone until permissions are set.

Not reachable by the three demo users.

no-context

There is no authenticated subject (userId is null) and no roles to check.

Not reachable by the three demo users.
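
The four reasons above, written out as one fail-closed decision function. This is an added example, not Aegis's own code: decide, POLICY, the reports resource, the constructed subjects, and the order in which the checks run are all assumptions.

```javascript
// Added illustration, not Aegis source: names and check order are assumptions.
const REASONS = Object.freeze({
  granted: "The subject holds at least one role the resource allows.",
  "no-matching-role": "The subject has roles, but none are allowed for this resource.",
  "closed-by-default": "The resource has no allowed roles, so it denies everyone until permissions are set.",
  "no-context": "There is no authenticated subject (userId is null) and no roles to check.",
});

// Constructed policy table mirroring the demo resources; "reports" is a
// made-up resource that has no roles configured yet.
const POLICY = {
  dashboard: ["admin", "editor", "viewer"],
  "admin.settings": ["admin"],
  "admin.users": ["admin", "editor"],
  reports: [],
};

function decide(subject, resource, policy = POLICY) {
  // Own-property lookup only: unknown names (even "constructor") get an empty allow-list.
  const known = Object.prototype.hasOwnProperty.call(policy, resource);
  const allowedRoles = known ? policy[resource] : [];
  const authed = subject != null && subject.userId != null;
  const roles = authed ? subject.roles || [] : [];
  const matched = allowedRoles.filter((r) => roles.includes(r));
  const lacking = allowedRoles.filter((r) => !roles.includes(r));

  let reason;
  if (!authed) reason = "no-context";
  else if (allowedRoles.length === 0) reason = "closed-by-default";
  else if (matched.length === 0) reason = "no-matching-role";
  else reason = "granted";

  // Exactly one branch yields allowed=true; every other path denies.
  return { resource, allowed: reason === "granted", reason,
           explanation: REASONS[reason], allowedRoles, roles, matched, lacking };
}

// Constructed subjects: the demo user shown on the page, plus two that
// reach the deny reasons.
const demoUser = { userId: "demo-user", roles: ["admin", "editor"] };
const viewerOnly = { userId: "viewer-user", roles: ["viewer"] };
const anonymous = { userId: null, roles: [] };
```
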

Universal guard

Probe the API guard

Calls a route handler that uses requirePermission. A denial throws AegisDeniedError carrying the decision. Switch users in the header, then re-run.