Currently, the only way to troubleshoot denied operations is by going to the log.
To make this easier, there are a couple of metrics being added: one for each result type.
Allowed operations are tagged by operation, so the cardinality is bound to the type of operations.
Denied operations are tagged further with resource and principal. Even though this increases the cardinality considerably, it should only be used for the cases where there are authorization issues.
Currently, the only way to troubleshoot denied operations is by going to the log. To make this easier, there are a couple of metrics being added: one for each result type. Allowed operations are tagged by operation, so the cardinality is bound to the type of operations. Denied operations are tagged further with resource and principal. Even though this increases the cardinality considerably, it should only be used for the cases where there are authorization issues.