docs/site/Authorization-component-decision-matrix.md
The final decision to allow access for a subject is done by the interceptor by
creating a decision matrix from the voting results (from all the authorizer
and voter functions of an endpoint).
The following table illustrates an example decision matrix with 3 votes and corresponding options.
| Authorizer | Voter # 1 | Voter #2 | Options | Final Decision |
|---|---|---|---|---|
| Deny | Deny | Deny | any | Deny |
| Allow | Allow | Allow | any | Allow |
| Abstain | Allow | Abstain | any | Allow |
| Abstain | Deny | Abstain | any | Deny |
| Deny | Allow | Abstain | {precedence: Deny} | Deny |
| Deny | Allow | Abstain | {precedence: Allow} | Allow |
| Allow | Abstain | Deny | {precedence: Deny} | Deny |
| Allow | Abstain | Deny | {precedence: Allow} | Allow |
| Abstain | Abstain | Abstain | {defaultDecision: Deny} | Deny |
| Abstain | Abstain | Abstain | {defaultDecision: Allow} | Allow |
authorizer function and 2 voters for an
endpoint.
authorizer function returns ALLOW, but voter 1 in authorize
decorator returns ABSTAIN and voter 2 in decorator returns DENY.DENY, then the access for the subject is denied to
the endpoint.