Arxi Decision Gate Asset Core
Docs
Asset Core Docs

Deterministic world-state engine documentation and API references.

Decision Gate docs

Why access was denied

Access denials are intentional and predictable in Asset Core. This guide helps you identify the most common causes quickly and verify the correct fix without guesswork.

Step 1: Identify the status code

Start by recording the HTTP status code and the server_correlation_id from the error response. The status code tells you which category of failure you are dealing with.

  • 401 Unauthorized: Authentication failed or token is missing/expired.
  • 403 Forbidden: Authenticated, but insufficient permissions or policy class gate.
  • 404 Not Found: Resource does not exist or is intentionally undisclosed.
  • 429 Too Many Requests: Quota or rate limit enforcement.

Step 2: Verify principal context

Use ACCTL to confirm the current principal:

acctl auth whoami

If the principal is not what you expect, fix token provisioning or directory configuration before evaluating RBAC.

Step 3: Inspect effective permissions

Check which operations are allowed for the current principal and namespace:

acctl auth permissions --namespace-id 5001

If the required operation is missing, adjust roles or namespace ACL bindings.

Step 4: Validate namespace state

A namespace can reject operations because it is disabled, deleting, frozen, or read-only. Inspect the namespace record and operational state:

acctl namespaces show --namespace-id 5001

If the lifecycle or operational state blocks the request, resolve that before retrying.

Step 5: Correlate logs and metrics

Use the server_correlation_id to trace the request through logs. For chronic issues, watch auth or ingress error counters in metrics to confirm whether the problem is systemic or isolated.

Common failure patterns

  • Wrong namespace: The token is valid but the namespace ID is incorrect.
  • Insufficient role: The principal exists but lacks commit or admin rights.
  • Namespace ACL deny: A deny binding overrides the tenant role.
  • Policy class gate: Production namespaces require higher roles for certain operations.
  • Lifecycle restriction: The namespace is disabled or deleting.

Next steps