Maximiliano Colman

Is the Access Control policy working as you expect?

Hi experts,

Not sure if you have noticed that the official SAP documentation for the “Access Control” policy was updated recently. It now carries the same warnings and cautions as the Apigee documentation about the HTTP header “True-Client-IP” and how to make the policy ignore it using the parameter “IgnoreTrueClientIPHeader”.


New SAP Access Control policy documentation –> link


Let’s try it:

Imagine that you are using the Access Control policy to allow requests only from “”

Check your IP address in Google:

Now open Postman, add the following HTTP header and perform a request:

Booom, you have access to the API!!! You are telling APIM that you are “”. Now, if you read the documentation, you can avoid this by setting the parameter “IgnoreTrueClientIPHeader” to “true” in the policy:

Perform another test:


As you can see, the default value of the property “IgnoreTrueClientIPHeader” in the policy is “false”, so you MUST take care of it.
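One way to audit exported policies for this default, as an added example that is not part of the original post and is not SAP's code. It assumes the parameter appears as an `<IgnoreTrueClientIPHeader>` child element of `<AccessControl>`, as it does in the Apigee policy; the sample policies, the address 203.0.113.10 and the namespace are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, not taken from the post. The element layout
# follows the Apigee AccessControl policy; the namespace is a placeholder.
RULES = """<IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW"><SourceAddress mask="32">203.0.113.10</SourceAddress></MatchRule>
  </IPRules>"""
POLICIES = {
    "acl-default.xml": f"<AccessControl>{RULES}</AccessControl>",
    "acl-explicit-false.xml": f"""<AccessControl xmlns="urn:example:apim">
  <IgnoreTrueClientIPHeader>false</IgnoreTrueClientIPHeader>{RULES}</AccessControl>""",
    "acl-hardened.xml": f"""<AccessControl xmlns="urn:example:apim">
  <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>{RULES}</AccessControl>""",
    "quota.xml": "<Quota><Allow count='100'/></Quota>",
}

def local(tag):
    """Drop an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]

def audit_policy(xml_text):
    """Return None for non-AccessControl policies, else a finding dict."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "AccessControl":
        return None
    setting, allowed = None, []
    for el in root.iter():
        name = local(el.tag)
        if name == "IgnoreTrueClientIPHeader":
            setting = (el.text or "").strip()
        elif name == "MatchRule" and el.get("action") == "ALLOW":
            allowed += [f"{(a.text or '').strip()}/{a.get('mask')}"
                        for a in el if local(a.tag) == "SourceAddress"]
    # Missing element means the default ("false"); any value other than the
    # literal "true" is flagged so a typo is reported, not assumed safe.
    return {"setting": setting, "trusts_true_client_ip": setting != "true",
            "allowed": allowed}

def audit_all(policies):
    """Names of AccessControl policies that still honour True-Client-IP."""
    flagged = []
    for name, xml_text in sorted(policies.items()):
        finding = audit_policy(xml_text)
        if finding and finding["trusts_true_client_ip"]:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in audit_all(POLICIES):
        print(f"{name}: IgnoreTrueClientIPHeader is not 'true'")
```

Run it over the policy XML files of an exported API proxy by loading each file's text into the dictionary in place of the constructed samples.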


This shows the importance of keeping the documentation up to date, and of people reading it 🙂



      Cedric Heisel

      Thank you for sharing this insight, Maximiliano Colman - that's a nice gap every developer using the access control policy needs to know and take care of!

      Michelle Crapo

      I'm so glad you shared this one.  Learning about the gaps is the only way to fix them.