SAP API Management – Policy Management
Policies are applied to an API Proxy to customize its behavior. These are preprocessing steps which are run on the SAP API Management layer and not on backend services.
Policies can be broadly classified into the following four categories:
- Traffic Management Policies
- Mediation Policies
- Security Policies
- Custom Policies
Traffic Management Policies
The traffic management policies let us configure caching, control traffic quotas and spikes, and set concurrent rate limits. Examples of these types of policies are:
- Cache Policies
- Concurrent Rate Limit Policy
- Quota Policy
- Spike Arrest Policy
Mediation Policies
These policies let us perform message transformation, parsing and validation, and raise faults and alerts. Examples include the following policies:
- XSL Transformation Policy
- XML to JSON Policy
- Fault Rule Policy
- Key Value Map Operations Policy
- JSON to XML Policy
- Assign Message Policy
- Access Entity Policy
- Extract Variables Policy
Security Policies
These policies control the security-related aspects of API Proxies. Examples include:
- Access Control Policy
- Basic Authentication Policy
- JSON Threat Protection Policy
- OAuth Policy
- Verify API Key Policy
Custom Policies
Examples include:
- JavaScript Policy
- Message Logging Policy
- Statistics Collector Policy
How Do Policies Work?
When a policy is added to an API Proxy, it is attached to a specific flow, which defines when the policy is executed. Each request and response path in a proxy endpoint and target endpoint defines the following flows:
- Pre Flow
  - Always executes before any other flows.
  - The policies defined in the Pre Flow are applied to every message that passes through an endpoint.
- Conditional Flows
  - Execute only when a conditional statement defined for the Flow evaluates to true.
  - An endpoint can define any number of conditional Flows, but only the first conditional Flow whose condition evaluates to true executes. That means the policies attached to a conditional Flow only execute when that conditional Flow executes.
- Post Flow
  - Always executes after all other Flows.
  - Like Pre Flow, the policies defined in the Post Flow are applied to every message.
Add first policy: Verify API Key Policy
Let’s add a policy to an API Proxy.
- To start with, log in to SAP API Management’s API Portal.
- Create an API Proxy from API Portal, [refer here for more details].
- To add the Verify API Key Policy, follow the steps mentioned below:
Click on Launch Policy Designer
Click on PreFlow (in left panel) and then click on Verify API Key among the list of policies (on right side panel).
Just add the policy name and click Add.
The policy will then be added. Next, add the following text in the script area:
<VerifyAPIKey async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
Then update the policy by clicking Update.
- The APIKey ref is the key which is used while consuming this API.
- Since the key is saved as a request header, it has to be passed as a request header while consuming the API.
- Refer here for more details.
The API Proxy will then be updated with the newly added policy. Click Save.
The API Proxy will be updated successfully.
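Why the steps above attach Verify API Key to the PreFlow rather than to a conditional flow: the flow rules from "How Do Policies Work?", modelled in Python as an added example (not SAP code and not from the original post). The function names, the "APIKey" header name and the sample key are assumptions made for illustration.

```python
# Added illustration, not SAP code: a toy model of the request flows described above.
# All names here, including the "APIKey" header, are assumptions; the key is constructed.
VALID_KEYS = {"constructed-app-key-123"}

class PolicyFault(Exception):
    """A policy failed; modelled on continueOnError='false' aborting the request."""

def verify_api_key(request):
    # Stand-in for Verify API Key: the key must arrive as a request header.
    if request["headers"].get("APIKey") not in VALID_KEYS:
        raise PolicyFault("invalid or missing API key")

def audit(request):
    request.setdefault("trace", []).append("audit")  # harmless placeholder policy

def is_get(request):
    return request["verb"] == "GET"

def is_products(request):
    return request["path"].startswith("/Products")

def run_request(request, pre_flow, conditional_flows, post_flow=()):
    """Apply PreFlow, the first matching conditional flow, then PostFlow."""
    request = dict(request)  # keep the caller's sample request unchanged
    try:
        for policy in pre_flow:
            policy(request)
        for condition, policies in conditional_flows:
            if condition(request):
                for policy in policies:
                    policy(request)
                break  # later conditional flows are skipped, even if they match
        for policy in post_flow:
            policy(request)
    except PolicyFault as fault:
        return f"rejected: {fault}"
    return "forwarded to backend"

# Key check in PreFlow (as in the steps above) vs. in a second conditional flow.
IN_PREFLOW = dict(pre_flow=[verify_api_key], conditional_flows=[(is_get, [audit])])
IN_CONDITIONAL = dict(pre_flow=[],
                      conditional_flows=[(is_get, [audit]), (is_products, [verify_api_key])])

def outcomes(request):
    # Result of the same request under both proxy layouts.
    return (run_request(request, **IN_PREFLOW), run_request(request, **IN_CONDITIONAL))

ANONYMOUS_GET = {"verb": "GET", "path": "/Products", "headers": {}}  # constructed sample
KEYED_GET = {"verb": "GET", "path": "/Products", "headers": {"APIKey": "constructed-app-key-123"}}
```

In this model, outcomes(ANONYMOUS_GET) is rejected under the PreFlow layout but forwarded under the conditional layout, because the earlier GET flow matches first and the flow holding the key check never runs.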
Create a Product having this API Proxy
Create a product, adding this newly created API (“CATALOGSERVICE”). Refer here for more details.
Publish this product
Consuming the API
To consume the API via the product, we now need to log in to the developer portal. Once logged in, we will find the newly published API Product there.
Then, an application has to be created using this Product. Refer here for more details.
Open the details of this product and subscribe it to a new application.
Enter application details like name and description, and click Save to create the application. Once created successfully, you will get an appkey and secret for that application.
Testing the API using Verify API Key Policy
- To test the API, we will be using the SAP API Management’s Test Console. Refer here for more details.
- Add the proper URL and Authentication (if any) in the Test Console.
- Add the appkey (which was retrieved while creating application) as the Header and click Send to get the result.
This is how you can create an API proxy with Verify API Key Policy and consume the same.