The 5 steps
The UI also shows an explicit Access decision status with four values:
ALLOWED, DENIED, NOT_REQUIRED, MISSING_REQUIRED.
1) Login successful
At least one successful auth event was found, e.g. LOGIN_SUCCESS, MFA_SUCCESS, or CLIENT_LOGIN.
If this step is missing, the identity chain is not reliable.
2) Consent handled
Consent is evaluated semantically, not just as a binary flag.
GRANTED_IN_TRACE: newly granted in this flowALREADY_VALID: previously granted and still validNOT_REQUIRED: consent is currently not requiredMISSING_REQUIRED: consent is required but missing
A missing new consent event can still be correct when
ALREADY_VALID or NOT_REQUIRED applies.3) Sensitive access
The trace contains access to sensitive areas (e.g. Vault/Admin Vault).
This is a prioritization signal, not an automatic error.
4) Administrative change
Persisted admin changes were detected (e.g. USER_*, ROLE_*, TENANT_*, CLIENT_*, IDP_*).
A change is traceable when correlation ID and persisted events match.
5) Complete or incomplete
The chain is complete when required signals are present. Missing signals are listed explicitly.
missing_auth_successmissing_access_decisionmissing_audit_persisted
Example: "Incomplete (missing access decision)" means the decision path could not be fully proven.
Interpretation for non-dev teams
- Green means: evidence exists for this chain step.
- Orange means: security-relevant step or incomplete chain.
- Incomplete is not automatically an incident, but requires forensic follow-up.
- Correlation ID is the link between UI, API, and audit evidence.
Quick check for support questions
- Copy the correlation ID from the trace.
- Check the timeline for missing required signals.
- Read consent status semantically (not only by counting events).
- Use sensitive/admin flags for prioritization.