Technical Articles

Priyanka Chakraborti

March 3, 2022 16 minute read

SAP API Management Policies

Introduction:

This blog post is to get familiar with all the policies available in API management.

Prerequisite:

Basic idea about API Management. Reference Link: Get Started with API Management

Policy Categories:

Traffic Management Policies:

Policy Name	Quota policy
Policy Usage	A Quota is an allotment of request messages that an API proxy can handle over a time period, such as minute, hour, day, week, or month. The policy maintains counters that tally the number of requests received by the API proxy. Quota policy is used for restricting the number of allowed transactions based on business requirements.
Use cases	Subscriptions, Usage restrictions, Metering
Scenario	Allow 3 calls every minute
Configuration	`<Quota xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <Allow count="3"/> <Interval>1</Interval> <Distributed>true</Distributed> <Synchronous>true</Synchronous> <TimeUnit>minute</TimeUnit> </Quota>`

Policy Name	Spike Arrest
Policy Usage	The Spike Arrest policy protects against traffic surges with the <Rate> element. This element throttles the number of requests processed by an API proxy and sent to a backend, protecting against performance lags and downtime.
Use cases	Denial of service protection, Traffic shaping, Bot protection
Scenario	Limit 30 calls per second
Configuration	`<SpikeArrest xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <Rate>30ps</Rate> <UseEffectiveCount>true</UseEffectiveCount> </SpikeArrest>`

**Note: If both Spike Arrest policy and quota policy need to be used, use spike arrest policy before applying quota policy.

Policy Name	Access Control Policy
Policy Usage	Access Control policy is used to allow or deny specific IP addresses.
Use cases	Whitelist IP address, Blacklist IP address
Scenario	Allow only a list of IP Addresses
Configuration	`<AccessControl xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <IPRules noRuleMatchAction="DENY"> <MatchRule action="ALLOW"> <SourceAddress mask="32">192.0.2.1</SourceAddress> <SourceAddress mask="32">198.51.100.1</SourceAddress> </MatchRule> </IPRules> <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader> </AccessControl>`

Policy Name	Reset Quota
Policy Usage	Reset Quota policy is used to temporarily increase the quota count. It should be placed in fault rules with a specific condition match to reset quota.
Scenario	Add 2 more requests to quota count
Configuration	`<ResetQuota xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <Quota name="Quota"> <Identifier name="_default"> <Allow>2</Allow> </Identifier> </Quota> </ResetQuota>`

Policy Name	Response Cache
Policy Usage	Response Cache policy is used to cache data from a backend resource, reducing the number of requests to the resource. The Response Cache policy is a unique type of policy which needs to be added to both the request and response flow in an API proxy.
Scenario	Cache data using query parameter ‘empId’ as cache key fragment along with URI
Configuration	`<ResponseCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <CacheKey> <KeyFragment ref="request.uri"/> <KeyFragment ref="request.queryparam.empId"/> </CacheKey> <ExpirySettings> <TimeoutInSec ref="">3600</TimeoutInSec> </ExpirySettings> <SkipCacheLookup>request.header.bypass-cache = "true"</SkipCacheLookup> <SkipCachePopulation/> </ResponseCache>`

Policy Name	Populate Cache
Policy Usage	Populate Cache policy is used to add data to the cache.
Scenario	Store client-id from header to cache with key fragment name ‘apikey’
Configuration	`<PopulateCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <CacheKey> <KeyFragment ref="">apikey</KeyFragment> </CacheKey> <Scope>Exclusive</Scope> <ExpirySettings> <TimeoutInSec>600</TimeoutInSec> </ExpirySettings> <Source>request.header.client_id</Source> </PopulateCache>`

Policy Name	Lookup Cache
Policy Usage	Lookup Cache policy is used to access the cached data.
Scenario	Access cached data (key fragment -> apikey) and store it into header named ‘apikey’
Configuration	`<LookupCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="true" enabled="true"> <CacheKey> <KeyFragment ref="">apikey</KeyFragment> </CacheKey> <Scope>Exclusive</Scope> <AssignTo>request.header.apikey</AssignTo> </LookupCache>`

Policy Name	Invalidate Cache
Policy Usage	Invalidate Cache policy is used to flush the cache.
Scenario	Flush cached data (key fragment -> apikey)
Configuration	`<InvalidateCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <CacheKey> <KeyFragment ref="apikey"/> </CacheKey> <Scope>Exclusive</Scope> <PurgeChildEntries>true</PurgeChildEntries> </InvalidateCache>`

Mediation Policies:

Policy Name	Access Entity
Policy Usage	It is used to retrieve entity profiles from SAP APIM datastore. The policy places the profile (XML Payload) in a variable whose name follows the format AccessEntity.{policy_name}. The following entities can be accessed: App API product Company Company developer Consumer key Developer
Scenario	Access developer profile using api key from query parameter
Configuration	`<AccessEntity xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <EntityType value="developer"/> <EntityIdentifier ref="request.queryparam.apikey" type="consumerkey"/> </AccessEntity>`

Policy Name	Assign Message
Policy Usage	The AssignMessage policy changes or creates new request and response messages during the API proxy Flow. The following actions are supported: Add new form parameters, headers, or query parameters to a message Copy existing properties from one message to another Remove headers, query parameters, form parameters, and/or message payloads from a message Set the value of existing properties in a message
Scenario	Backend is expecting the api key as header. But from source, it is sent as a query parameter.
Solution	Add header name as ‘apikey’, header value -> value of query param ‘apikey’ Remove query param ‘apikey’
Configuration	`<AssignMessage xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <Add> <Headers> <Header name="apikey">{request.queryparam.apikey}</Header> </Headers> </Add> <Remove> <QueryParams> <QueryParam name="apikey"/> </QueryParams> </Remove> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> <AssignTo createNew="false" type="request">request</AssignTo> </AssignMessage>`

Policy Name	Extract Variables
Policy Usage	The ExtractVariables policy extracts content from a request or response and sets the value of a variable to that content.
Scenario	Extract requester’s age from XML payload and store it in a variable named ‘age’.
Configuration	`<ExtractVariables xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <Source>request</Source> <XMLPayload> <Variable name="age" type="integer"> <XPath>/requestor/age</XPath> </Variable> </XMLPayload> </ExtractVariables>`

Policy Name	Raise Fault
Policy Usage	It generates a custom message in response to an error condition. Use RaiseFault to define a fault response that is returned to the requesting app when a specific condition arises.
Scenario	Raise fault if age is less than 18
Solution	Put a conditional string as ‘age < 18’
Configuration	`<RaiseFault xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <FaultResponse> <Set> <Payload contentType="application/xml"> <Status>Not eligible for applying for Driver's license</Status> </Payload> <StatusCode>403</StatusCode> <ReasonPhrase>Server Error</ReasonPhrase> </Set> </FaultResponse> <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables> </RaiseFault>`

Policy Name	JSON to XML
Policy Usage	It is used to convert JSON payload to XML payload
Scenario	Convert incoming JSON payload to XML.
Configuration	`<JSONToXML xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <Options> <ArrayItemElementName>item</ArrayItemElementName> <ArrayRootElementName>rootelement</ArrayRootElementName> <ObjectRootElementName>objectroot</ObjectRootElementName> <AttributePrefix>@</AttributePrefix> <NullValue>NULL</NullValue> </Options> <Source>request</Source> </JSONToXML>`

Policy Name	XML to JSON
Policy Usage	It is used to convert XML payload to JSON payload
Scenario	Convert incoming XML payload to JSON.
Configuration	`<XMLToJSON xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <Options> <NullValue>NULL</NullValue> <RecognizeNull>true</RecognizeNull> <RecognizeNumber>true</RecognizeNumber> <RecognizeBoolean>true</RecognizeBoolean> </Options> <Source>request</Source> </XMLToJSON>`

Policy Name	XSL Transform
Policy Usage	It is used to convert XML to another format such as XML, HTML, or plain text.
Scenario	Convert incoming XML payload to HTML.
Configuration	<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> <xsl:template match="/"> <html> <body> <h2>Employee Details</h2> <table border="1"> <tr bgcolor="#ADD8E6"> <th style="text-align:left">ID</th> <th style="text-align:left">First Name</th> <th style="text-align:left">Last Name</th> </tr> <xsl:for-each select="EmployeeDetails/Record"> <tr> <td><xsl:value-of select="ID"/></td> <td><xsl:value-of select="FirstName"/></td> <td><xsl:value-of select="LastName"/></td> </tr> </xsl:for-each> </table> </body> </html> </xsl:template> </xsl:stylesheet>

Policy Name	Key Value Map Operations
Policy Usage	It provides policy-based access to a Key Value Map (KVM) store available in API Management. Supported operations: PUT, GET, DELETE. By default, scope is environment i.e., map entries are shared by all API proxies running in an environment.
Scenario	Retrieve client id and client secret from KVM store and set those as headers
Configuration	`<KeyValueMapOperations mapIdentifier="kvm_store" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt"> <Get assignTo="request.header.client_id"> <Key> <Parameter>client_id</Parameter> </Key> </Get> <Get assignTo="request.header.client_secret"> <Key> <Parameter>client_secret</Parameter> </Key> </Get> </KeyValueMapOperations>`

Security Policies

Policy Name	Basic Authentication
Policy Usage	The policy has two modes of operations: Encode: Base64 encodes a username and password stored in variables Decode: Decodes the username and password from a Base64 encoded string
Scenario	Retrieve username and password from KVM encrypted store and set as ‘Authorization’ header
Configuration	`<BasicAuthentication xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <Operation>Encode</Operation> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> <User ref="private.user"/> <Password ref="private.password"/> <AssignTo createNew="false">request.header.Authorization</AssignTo> </BasicAuthentication>`

Policy Name	Verify API Key
Policy Usage	It is used to enforce verification of API keys at runtime, letting only apps with approved API keys access APIs. This policy ensures that API keys are valid, have not been revoked, and are approved to consume the specific resources associated with API products.
Scenario	Verify API Key from header
Configuration	`<VerifyAPIKey xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <APIKey ref="request.header.apikey"/> </VerifyAPIKey>`

Policy Name	XML Threat Protection
Policy Usage	It addresses XML vulnerabilities and minimizes attacks on your API. Optionally, detect XML payload attacks based on configured limits. This policy executes only if the ‘Content-Type’ of the request or response header is set to application/xml.
Scenario	Apply character limits of 10 chars for names.
Configuration	`<XMLThreatProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <NameLimits> <Element>10</Element> <Attribute>10</Attribute> <NamespacePrefix>10</NamespacePrefix> <ProcessingInstructionTarget>10</ProcessingInstructionTarget> </NameLimits> <Source>request</Source> </XMLThreatProtection>`

Policy Name	JSON Threat Protection
Policy Usage	It minimizes the risk posed by content-level attacks by enabling you to specify limits on various JSON structures, such as arrays and strings. This policy executes only if the ‘Content-Type’ of the request or response header is set to application/json.
Scenario	Apply character limits of 10 chars for names.
Configuration	`<JSONThreatProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <ArrayElementCount>-1</ArrayElementCount> <ContainerDepth>-1</ContainerDepth> <ObjectEntryCount>-1</ObjectEntryCount> <ObjectEntryNameLength>10</ObjectEntryNameLength> <Source>request</Source> <StringValueLength>-1</StringValueLength> </JSONThreatProtection>`

Policy Name	Regular Expression Protection
Policy Usage	It extracts information from a message (for example, URI Path, Query Param, Header, Form Param, Variable, XML Payload, or JSON Payload) and evaluates that content against predefined regular expressions. If any specified regular expressions evaluate to true, the message is considered a threat and is rejected.
Scenario	Validate if the “action” query param has any sql injection code to do any invasive operation.
Configuration	`<RegularExpressionProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> <QueryParam name="action"> <Pattern>[\s]((delete)\|(exec)\|(drop\stable)\|(insert)\|(shutdown)\|(update)\|(\bor\b))</Pattern> </QueryParam> <Source>request</Source> </RegularExpressionProtection>`

Policy Name	OAuth v2.0
Policy Usage	It is used to do the following operations. GenerateAccessToken GenerateAccessTokenImplicitGrant GenerateAuthorizationCode RefreshAccessToken VerifyAccessToken InvalidateToken ValidateToken
Scenario	Generate Access Token
Configuration	`<OAuthV2 xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <ExpiresIn>3600000</ExpiresIn> <Operation>GenerateAccessToken</Operation> <GenerateResponse/> <SupportedGrantTypes> <GrantType>client_credentials</GrantType> </SupportedGrantTypes> </OAuthV2>`

Policy Name	OAuth v2.0 GET
Policy Usage	It is used to get attributes of type tokens and authorization codes and to make them available to policies and code executing in an API proxy. Whenever token validation occurs, variables are automatically populated with the values of token attributes. However, in cases where token validation has not occured, you can use this feature to explicitly populate variables with the attribute values of a token. For example, the below variables are populated when the AccessToken element is set: oauthv2accesstoken.{policy_name}.access_token oauthv2accesstoken.{policy_name}.scope oauthv2accesstoken.{policy_name}.refresh_token oauthv2accesstoken.{policy_name}.accesstoken.{custom_attribute_name} oauthv2accesstoken.{policy_name}.developer.id oauthv2accesstoken.{policy_name}.developer.app.name oauthv2accesstoken.{policy_name}.expires_in oauthv2accesstoken.{policy_name}.status
Scenario	Get Access token value from query parameter.
Configuration	`<GetOAuthV2Info xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <AccessToken ref="request.queryparam.access_token"/> </GetOAuthV2Info>`

Policy Name	OAuth v2.0 SET
Policy Usage	It is used to add or update custom attributes associated with an access token
Scenario	Add a custom property called department.id to the access token’s profile.
Configuration	`<SetOAuthV2Info xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <AccessToken ref="request.queryparam.access_token"/> <Attributes> <Attribute display="true" name="department.id" ref="request.queryparam.department_id"/> </Attributes> </SetOAuthV2Info>`

Policy Name	GenerateJWT
Policy Usage	It is used to generate a signed JWT, with a configurable set of claims. Claims are statements about an entity (typically, the user) and additional data.
Scenario	Generate a JWT signed with the HS256 algorithm
	`<GenerateJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <Algorithm>HS256</Algorithm> <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables> <SecretKey> <Value ref="private.secretkey"/> </SecretKey> <ExpiresIn>1h</ExpiresIn> <Issuer>urn://sap-apim-jwt</Issuer> <AdditionalClaims> <Claim name="userId" type="string" ref="request.formparam.username"/> </AdditionalClaims> <OutputVariable>jwt-variable</OutputVariable> </GenerateJWT>`

Policy Name	VerifyJWT
Policy Usage	It is used to verify the signature on a JWT received from clients or other systems. This policy also extracts the claims into context variables so that subsequent policies or conditions can examine those values to make authorization or routing decisions.
Scenario	Verify JWT signed with the HS256 encryption algorithm
Configuration	`<VerifyJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <Algorithm>HS256</Algorithm> <Source>request.formparam.jwt</Source> <SecretKey> <Value ref="private.secretkey"/> </SecretKey> <Issuer>urn://sap-apim-jwt</Issuer> </VerifyJWT>`

Policy Name	DecodeJWT
Policy Usage	It is used to decode a JWT without verifying the signature on the JWT. By default, it searches for ‘Authorization’ header.
Scenario	Decode JWT token
Configuration	`<DecodeJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> </DecodeJWT>`

Policy Name	SAML Assertion Generation
Policy Usage	It enables API proxies to attach SAML assertions to outbound XML requests. Those assertions are then available to enable backend.
Scenario	Generate SAML assertion
Configuration	<GenerateSAMLAssertion xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true" ignoreContentType="false"> <Issuer>http://idp.example.com/metadata.php</Issuer> <KeyStore> <Name ref="reference">mockserverKeystore</Name> <Alias ref="reference">mockserverKeystore</Alias> </KeyStore> <OutputVariable> <FlowVariable name="assertion.content"/> </OutputVariable> <Subject>"http://sp.example.com/demo1/metadata.php"</Subject> <Template ignoreUnresolvedVariables="false"><![CDATA[ <saml2:Assertion ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" IssueInstant="2014-07-17T01:01:48Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">"http://idp.example.com/metadata.php"</saml2:Issuer> <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">"http://sp.example.com/demo1/metadata.php"</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs"/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:AudienceRestriction> <saml2:Audience>http://sp.example.com/demo1/metadata.php</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:none</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> </saml2:Assertion> ]]></Template> </GenerateSAMLAssertion>

Policy Name	SAML Assertion Validation
Policy Usage	It validates incoming messages that contain a digitally-signed SAML assertion, rejects them if they are invalid, and sets variables that allow additional policies, or the backend services itself, to further validate the information in the assertion.
Scenario	Validate SAML assertion
Configuration	<ValidateSAMLAssertion xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true" ignoreContentType="false"> <RemoveAssertion>false</RemoveAssertion> <Source name="request"> <Namespaces> <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace> <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace> <Namespace prefix="saml2">urn:oasis:names:tc:SAML:2.0:assertion</Namespace> </Namespaces> <XPath>/samlp:Response/saml2:Assertion</XPath> </Source> <TrustStore>saml_trust_store</TrustStore> </ValidateSAMLAssertion>

Extension Policies

Policy Name	JavaScript
Policy Category	Extension Policies
Policy Usage	You use the JavaScript policy to attach custom code to an API proxy flow. A JavaScript policy does not contain any actual code. Instead, a JavaScript policy references a JavaScript resource and defines the step in the API flow where the JavaScript executes.
Scenario	Assign message weight based on request method and use message weight attribute in Quota policy For example: Assign message weight = 2 for POST, message weight = 1 for GET.
Solution	JS policy will be used along with Quota policy. Quota policy supports attribute MessageWeight to specify the weight assigned to each message.
Configuration	`const callType = context.proxyRequest.method; context.setVariable("messageWeight", "1"); if (callType == 'POST') { context.setVariable("messageWeight", "2"); }`

Policy Name	PythonScript
Policy Category	Extension Policies
Policy Usage	You use the Python script policy to attach custom code to an API proxy flow. A Python policy does not contain any actual code. Instead, a Python policy references a Python resource and defines the step in the API flow where the Python script executes.
Scenario	Assign message weight based on request method and use message weight attribute in Quota policy For example: Assign message weight = 2 for POST, message weight = 1 for GET.
Solution	PY policy will be used along with Quota policy. Quota policy supports attribute MessageWeight to specify the weight assigned to each message.
Configuration	`callType = flow.getVariable('request.verb') if callType == 'POST': flow.setVariable('messageWeight', '2') else: flow.setVariable('messageWeight', '1')`

Policy Name	Message Logging
Policy Category	Extension Policies
Policy Usage	It is used to send syslog messages to third-party log management services, such as Splunk, Sumo Logic, and Loggly.
Scenario	Send Log message to Loggly
Configuration	Refer to blog post

Policy Name	Message Validation
Policy Category	Extension Policies
Policy Usage	It is used to Validate any XML message against an XSD schema. Validate SOAP messages against a WSDL definition. Confirm JSON or XML is well-formed, based on content-type (if <ResourceURL> element is omitted). To make this policy work, always set the ‘Content-Type’ header.
Scenario	Validate XML message against XSD schema resource.xsd
Configuration	`<MessageValidation xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <Source>request</Source> <ResourceURL>xsd://resource.xsd</ResourceURL> </MessageValidation>`

Policy Name	Open Connectors
Policy Category	Extension Policies
Policy Usage	It is attached to an Open Connector type API. For an open connector type API, you can attach only one open connector policy. The policy is either attached to the target endpoint or the proxy endpoint. Refer to blog post
Scenario	Access open connector instance
Configuration	`<OpenConnectors xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <InstanceSecret kvm-map-name="apim.oc.instance.token" kvm-key-name="default"/> </OpenConnectors>`

Policy Name	Service Callout
Policy Category	Extension Policies
Policy Usage	It is used to call another service from your API proxy flow.
Scenario	Call Google API for books
Configuration	`<ServiceCallout xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true"> <Request clearPayload="true" variable="googleBookReq"> <Set> <QueryParams> <QueryParam name="q">{request.queryparam.search}</QueryParam> </QueryParams> </Set> </Request> <Response>googleBookResponse</Response> <Timeout>30000</Timeout> <HTTPTargetConnection> <URL>https://www.googleapis.com/books/v1/volumes</URL> </HTTPTargetConnection> </ServiceCallout>`

Policy Name	Statistics Collector Policy
Policy Category	Extension Policies
Policy Usage	It is used to collect statistics for data in a message, such as product ID, price, REST action, client and target URL, and message length. The data can come from flow variables or custom variables. To use custom variables, create metrics. For data of type string, reference the statistical data as a Dimension in a custom report. For numerical data types (integer/float/long/double), reference the statistical data in a custom report as a Metric. Refer to blog post
Scenario	Collect statistical information about custom variable books.searchquery
Configuration	`<StatisticsCollector xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true"> <Statistics> <Statistic name="search" ref="books.searchquery" type="string">default</Statistic> </Statistics> </StatisticsCollector>`

Reference Links:

SAP API Management Help portal
Blog series: API Security Best Practices
API Management overview
APIGEE policies

Thank you for reading this blog post. Please feel free to share your feedback or thoughts or ask questions in the Q&A tag below.

QA Link

Regards,

Priyanka Chakraborti

3 Comments

You must be Logged on to comment or reply to a post.

Saurabh Kabra

March 5, 2022 at 12:49 pm

One-stop shop for all API management policies capability. Thanks for sharing.

AHMAD SHABBIR

May 10, 2022 at 8:27 pm

How do I put a condition in a policy to validate if a custom attribute is defined for the application. My use case is that I am defining IP addresses as application custom attribute and allowing the IP in Access Control policy by referencing attribute variable. I want to put a condition in the policy to execute if attribute is not defined in the application. How do put a conditional statement to validate if a custom attribute exists.

Saravanan Subramanian

November 14, 2023 at 3:08 pm

One place to get basic policy template, thanks for sharing!