Introduction:
This blog post is to get familiar with all the policies available in API management.
Prerequisite:
Basic idea about API Management. Reference Link: Get Started with API Management
Policy Categories:
Traffic Management Policies:
| Policy Name |
Quota policy |
| Policy Usage |
A Quota is an allotment of request messages that an API proxy can handle over a time period, such as minute, hour, day, week, or month. The policy maintains counters that tally the number of requests received by the API proxy. Quota policy is used for restricting the number of allowed transactions based on business requirements. |
| Use cases |
Subscriptions, Usage restrictions, Metering |
| Scenario |
Allow 3 calls every minute |
| Configuration |
<Quota xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<Allow count="3"/>
<Interval>1</Interval>
<Distributed>true</Distributed>
<Synchronous>true</Synchronous>
<TimeUnit>minute</TimeUnit>
</Quota>
|
| Policy Name |
Spike Arrest |
| Policy Usage |
The Spike Arrest policy protects against traffic surges with the <Rate> element. This element throttles the number of requests processed by an API proxy and sent to a backend, protecting against performance lags and downtime. |
| Use cases |
Denial of service protection, Traffic shaping, Bot protection |
| Scenario |
Limit 30 calls per second |
| Configuration |
<SpikeArrest xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<Rate>30ps</Rate>
<UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>
|
**Note: If both Spike Arrest policy and quota policy need to be used, use spike arrest policy before applying quota policy.
| Policy Name |
Access Control Policy |
| Policy Usage |
Access Control policy is used to allow or deny specific IP addresses. |
| Use cases |
Whitelist IP address, Blacklist IP address |
| Scenario |
Allow only a list of IP Addresses |
| Configuration |
<AccessControl xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<IPRules noRuleMatchAction="DENY">
<MatchRule action="ALLOW">
<SourceAddress mask="32">192.0.2.1</SourceAddress>
<SourceAddress mask="32">198.51.100.1</SourceAddress>
</MatchRule>
</IPRules>
<IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
</AccessControl>
|
| Policy Name |
Reset Quota |
| Policy Usage |
Reset Quota policy is used to temporarily increase the quota count. It should be placed in fault rules with a specific condition match to reset quota. |
| Scenario |
Add 2 more requests to quota count |
| Configuration |
<ResetQuota xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<Quota name="Quota">
<Identifier name="_default">
<Allow>2</Allow>
</Identifier>
</Quota>
</ResetQuota>
|
| Policy Name |
Response Cache |
| Policy Usage |
Response Cache policy is used to cache data from a backend resource, reducing the number of requests to the resource. The Response Cache policy is a unique type of policy which needs to be added to both the request and response flow in an API proxy. |
| Scenario |
Cache data using query parameter ‘empId’ as cache key fragment along with URI |
| Configuration |
<ResponseCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<CacheKey>
<KeyFragment ref="request.uri"/>
<KeyFragment ref="request.queryparam.empId"/>
</CacheKey>
<ExpirySettings>
<TimeoutInSec ref="">3600</TimeoutInSec>
</ExpirySettings>
<SkipCacheLookup>request.header.bypass-cache = "true"</SkipCacheLookup>
<SkipCachePopulation/>
</ResponseCache>
|
| Policy Name |
Populate Cache |
| Policy Usage |
Populate Cache policy is used to add data to the cache. |
| Scenario |
Store client-id from header to cache with key fragment name ‘apikey’ |
| Configuration |
<PopulateCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<CacheKey>
<KeyFragment ref="">apikey</KeyFragment>
</CacheKey>
<Scope>Exclusive</Scope>
<ExpirySettings>
<TimeoutInSec>600</TimeoutInSec>
</ExpirySettings>
<Source>request.header.client_id</Source>
</PopulateCache>
|
| Policy Name |
Lookup Cache |
| Policy Usage |
Lookup Cache policy is used to access the cached data. |
| Scenario |
Access cached data (key fragment -> apikey) and store it into header named ‘apikey’ |
| Configuration |
<LookupCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="true" enabled="true">
<CacheKey>
<KeyFragment ref="">apikey</KeyFragment>
</CacheKey>
<Scope>Exclusive</Scope>
<AssignTo>request.header.apikey</AssignTo>
</LookupCache>
|
| Policy Name |
Invalidate Cache |
| Policy Usage |
Invalidate Cache policy is used to flush the cache. |
| Scenario |
Flush cached data (key fragment -> apikey) |
| Configuration |
<InvalidateCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<CacheKey>
<KeyFragment ref="apikey"/>
</CacheKey>
<Scope>Exclusive</Scope>
<PurgeChildEntries>true</PurgeChildEntries>
</InvalidateCache>
|
Mediation Policies:
| Policy Name |
Access Entity |
| Policy Usage |
It is used to retrieve entity profiles from SAP APIM datastore. The policy places the profile (XML Payload) in a variable whose name follows the format AccessEntity.{policy_name}. The following entities can be accessed:
- App
- API product
- Company
- Company developer
- Consumer key
- Developer
|
| Scenario |
Access developer profile using api key from query parameter |
| Configuration |
<AccessEntity xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<EntityType value="developer"/>
<EntityIdentifier ref="request.queryparam.apikey" type="consumerkey"/>
</AccessEntity>
|
| Policy Name |
Assign Message |
| Policy Usage |
The AssignMessage policy changes or creates new request and response messages during the API proxy Flow. The following actions are supported:
- Add new form parameters, headers, or query parameters to a message
- Copy existing properties from one message to another
- Remove headers, query parameters, form parameters, and/or message payloads from a message
- Set the value of existing properties in a message
|
| Scenario |
Backend is expecting the api key as header. But from source, it is sent as a query parameter. |
| Solution |
- Add header name as ‘apikey’, header value -> value of query param ‘apikey’
- Remove query param ‘apikey’
|
| Configuration |
<AssignMessage xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<Add>
<Headers>
<Header name="apikey">{request.queryparam.apikey}</Header>
</Headers>
</Add>
<Remove>
<QueryParams>
<QueryParam name="apikey"/>
</QueryParams>
</Remove>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>
|
| Policy Name |
Extract Variables |
| Policy Usage |
The ExtractVariables policy extracts content from a request or response and sets the value of a variable to that content. |
| Scenario |
Extract requester’s age from XML payload and store it in a variable named ‘age’. |
| Configuration |
<ExtractVariables xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<Source>request</Source>
<XMLPayload>
<Variable name="age" type="integer">
<XPath>/requestor/age</XPath>
</Variable>
</XMLPayload>
</ExtractVariables>
|
| Policy Name |
Raise Fault |
| Policy Usage |
It generates a custom message in response to an error condition. Use RaiseFault to define a fault response that is returned to the requesting app when a specific condition arises. |
| Scenario |
Raise fault if age is less than 18 |
| Solution |
Put a conditional string as ‘age < 18’ |
| Configuration |
<RaiseFault xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<FaultResponse>
<Set>
<Payload contentType="application/xml">
<Status>Not eligible for applying for Driver's license</Status>
</Payload>
<StatusCode>403</StatusCode>
<ReasonPhrase>Server Error</ReasonPhrase>
</Set>
</FaultResponse>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
|
| Policy Name |
JSON to XML |
| Policy Usage |
It is used to convert JSON payload to XML payload |
| Scenario |
Convert incoming JSON payload to XML. |
| Configuration |
<JSONToXML xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<Options>
<ArrayItemElementName>item</ArrayItemElementName>
<ArrayRootElementName>rootelement</ArrayRootElementName>
<ObjectRootElementName>objectroot</ObjectRootElementName>
<AttributePrefix>@</AttributePrefix>
<NullValue>NULL</NullValue>
</Options>
<Source>request</Source>
</JSONToXML>
|
| Policy Name |
XML to JSON |
| Policy Usage |
It is used to convert XML payload to JSON payload |
| Scenario |
Convert incoming XML payload to JSON. |
| Configuration |
<XMLToJSON xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<Options>
<NullValue>NULL</NullValue>
<RecognizeNull>true</RecognizeNull>
<RecognizeNumber>true</RecognizeNumber>
<RecognizeBoolean>true</RecognizeBoolean>
</Options>
<Source>request</Source>
</XMLToJSON>
|
| Policy Name |
XSL Transform |
| Policy Usage |
It is used to convert XML to another format such as XML, HTML, or plain text. |
| Scenario |
Convert incoming XML payload to HTML. |
| Configuration |
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<html>
<body>
<h2>Employee Details</h2>
<table border="1">
<tr bgcolor="#ADD8E6">
<th style="text-align:left">ID</th>
<th style="text-align:left">First Name</th>
<th style="text-align:left">Last Name</th>
</tr>
<xsl:for-each select="EmployeeDetails/Record">
<tr>
<td><xsl:value-of select="ID"/></td>
<td><xsl:value-of select="FirstName"/></td>
<td><xsl:value-of select="LastName"/></td>
</tr>
</xsl:for-each>
</table>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
|
| Policy Name |
Key Value Map Operations |
| Policy Usage |
It provides policy-based access to a Key Value Map (KVM) store available in API Management. Supported operations: PUT, GET, DELETE. By default, scope is environment i.e., map entries are shared by all API proxies running in an environment. |
| Scenario |
Retrieve client id and client secret from KVM store and set those as headers |
| Configuration |
<KeyValueMapOperations mapIdentifier="kvm_store" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
<Get assignTo="request.header.client_id">
<Key>
<Parameter>client_id</Parameter>
</Key>
</Get>
<Get assignTo="request.header.client_secret">
<Key>
<Parameter>client_secret</Parameter>
</Key>
</Get>
</KeyValueMapOperations>
|
Security Policies
| Policy Name |
Basic Authentication |
| Policy Usage |
The policy has two modes of operations:
- Encode: Base64 encodes a username and password stored in variables
- Decode: Decodes the username and password from a Base64 encoded string
|
| Scenario |
Retrieve username and password from KVM encrypted store and set as ‘Authorization’ header |
| Configuration |
<BasicAuthentication xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<Operation>Encode</Operation>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<User ref="private.user"/>
<Password ref="private.password"/>
<AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>
|
| Policy Name |
Verify API Key |
| Policy Usage |
It is used to enforce verification of API keys at runtime, letting only apps with approved API keys access APIs. This policy ensures that API keys are valid, have not been revoked, and are approved to consume the specific resources associated with API products. |
| Scenario |
Verify API Key from header |
| Configuration |
<VerifyAPIKey xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<APIKey ref="request.header.apikey"/>
</VerifyAPIKey>
|
| Policy Name |
XML Threat Protection |
| Policy Usage |
It addresses XML vulnerabilities and minimizes attacks on your API. Optionally, detect XML payload attacks based on configured limits. This policy executes only if the ‘Content-Type’ of the request or response header is set to application/xml. |
| Scenario |
Apply character limits of 10 chars for names. |
| Configuration |
<XMLThreatProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<NameLimits>
<Element>10</Element>
<Attribute>10</Attribute>
<NamespacePrefix>10</NamespacePrefix>
<ProcessingInstructionTarget>10</ProcessingInstructionTarget>
</NameLimits>
<Source>request</Source>
</XMLThreatProtection>
|
| Policy Name |
JSON Threat Protection |
| Policy Usage |
It minimizes the risk posed by content-level attacks by enabling you to specify limits on various JSON structures, such as arrays and strings. This policy executes only if the ‘Content-Type’ of the request or response header is set to application/json. |
| Scenario |
Apply character limits of 10 chars for names. |
| Configuration |
<JSONThreatProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<ArrayElementCount>-1</ArrayElementCount>
<ContainerDepth>-1</ContainerDepth>
<ObjectEntryCount>-1</ObjectEntryCount>
<ObjectEntryNameLength>10</ObjectEntryNameLength>
<Source>request</Source>
<StringValueLength>-1</StringValueLength>
</JSONThreatProtection>
|
| Policy Name |
Regular Expression Protection |
| Policy Usage |
It extracts information from a message (for example, URI Path, Query Param, Header, Form Param, Variable, XML Payload, or JSON Payload) and evaluates that content against predefined regular expressions. If any specified regular expressions evaluate to true, the message is considered a threat and is rejected. |
| Scenario |
Validate if the “action” query param has any sql injection code to do any invasive operation. |
| Configuration |
<RegularExpressionProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<QueryParam name="action">
<Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
</QueryParam>
<Source>request</Source>
</RegularExpressionProtection>
|
| Policy Name |
OAuth v2.0 |
| Policy Usage |
It is used to do the following operations.
- GenerateAccessToken
- GenerateAccessTokenImplicitGrant
- GenerateAuthorizationCode
- RefreshAccessToken
- VerifyAccessToken
- InvalidateToken
- ValidateToken
|
| Scenario |
Generate Access Token |
| Configuration |
<OAuthV2 xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<ExpiresIn>3600000</ExpiresIn>
<Operation>GenerateAccessToken</Operation>
<GenerateResponse/>
<SupportedGrantTypes>
<GrantType>client_credentials</GrantType>
</SupportedGrantTypes>
</OAuthV2>
|
| Policy Name |
OAuth v2.0 GET |
| Policy Usage |
It is used to get attributes of type tokens and authorization codes and to make them available to policies and code executing in an API proxy. Whenever token validation occurs, variables are automatically populated with the values of token attributes. However, in cases where token validation has not occured, you can use this feature to explicitly populate variables with the attribute values of a token.
For example, the below variables are populated when the AccessToken element is set:
- oauthv2accesstoken.{policy_name}.access_token
- oauthv2accesstoken.{policy_name}.scope
- oauthv2accesstoken.{policy_name}.refresh_token
- oauthv2accesstoken.{policy_name}.accesstoken.{custom_attribute_name}
- oauthv2accesstoken.{policy_name}.developer.id
- oauthv2accesstoken.{policy_name}.developer.app.name
- oauthv2accesstoken.{policy_name}.expires_in
- oauthv2accesstoken.{policy_name}.status
|
| Scenario |
Get Access token value from query parameter. |
| Configuration |
<GetOAuthV2Info xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<AccessToken ref="request.queryparam.access_token"/>
</GetOAuthV2Info>
|
| Policy Name |
OAuth v2.0 SET |
| Policy Usage |
It is used to add or update custom attributes associated with an access token |
| Scenario |
Add a custom property called department.id to the access token’s profile. |
| Configuration |
<SetOAuthV2Info xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<AccessToken ref="request.queryparam.access_token"/>
<Attributes>
<Attribute display="true" name="department.id" ref="request.queryparam.department_id"/>
</Attributes>
</SetOAuthV2Info>
|
| Policy Name |
GenerateJWT |
| Policy Usage |
It is used to generate a signed JWT, with a configurable set of claims. Claims are statements about an entity (typically, the user) and additional data. |
| Scenario |
Generate a JWT signed with the HS256 algorithm
|
|
<GenerateJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<Algorithm>HS256</Algorithm>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<SecretKey>
<Value ref="private.secretkey"/>
</SecretKey>
<ExpiresIn>1h</ExpiresIn>
<Issuer>urn://sap-apim-jwt</Issuer>
<AdditionalClaims>
<Claim name="userId" type="string" ref="request.formparam.username"/>
</AdditionalClaims>
<OutputVariable>jwt-variable</OutputVariable>
</GenerateJWT>
|
| Policy Name |
VerifyJWT |
| Policy Usage |
It is used to verify the signature on a JWT received from clients or other systems. This policy also extracts the claims into context variables so that subsequent policies or conditions can examine those values to make authorization or routing decisions. |
| Scenario |
Verify JWT signed with the HS256 encryption algorithm |
| Configuration |
<VerifyJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<Algorithm>HS256</Algorithm>
<Source>request.formparam.jwt</Source>
<SecretKey>
<Value ref="private.secretkey"/>
</SecretKey>
<Issuer>urn://sap-apim-jwt</Issuer>
</VerifyJWT>
|
| Policy Name |
DecodeJWT |
| Policy Usage |
It is used to decode a JWT without verifying the signature on the JWT. By default, it searches for ‘Authorization’ header. |
| Scenario |
Decode JWT token |
| Configuration |
<DecodeJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
</DecodeJWT>
|
| Policy Name |
SAML Assertion Generation |
| Policy Usage |
It enables API proxies to attach SAML assertions to outbound XML requests. Those assertions are then available to enable backend. |
| Scenario |
Generate SAML assertion |
| Configuration |
<GenerateSAMLAssertion xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true" ignoreContentType="false">
<Issuer>http://idp.example.com/metadata.php</Issuer>
<KeyStore>
<Name ref="reference">mockserverKeystore</Name>
<Alias ref="reference">mockserverKeystore</Alias>
</KeyStore>
<OutputVariable>
<FlowVariable name="assertion.content"/>
</OutputVariable>
<Subject>"http://sp.example.com/demo1/metadata.php"</Subject>
<Template ignoreUnresolvedVariables="false"><![CDATA[
<saml2:Assertion ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" IssueInstant="2014-07-17T01:01:48Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">"http://idp.example.com/metadata.php"</saml2:Issuer>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">"http://sp.example.com/demo1/metadata.php"</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction> <saml2:Audience>http://sp.example.com/demo1/metadata.php</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:none</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
]]></Template>
</GenerateSAMLAssertion>
|
| Policy Name |
SAML Assertion Validation |
| Policy Usage |
It validates incoming messages that contain a digitally-signed SAML assertion, rejects them if they are invalid, and sets variables that allow additional policies, or the backend services itself, to further validate the information in the assertion. |
| Scenario |
Validate SAML assertion |
| Configuration |
<ValidateSAMLAssertion xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true" ignoreContentType="false">
<RemoveAssertion>false</RemoveAssertion>
<Source name="request">
<Namespaces>
<Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
<Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
<Namespace prefix="saml2">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
</Namespaces>
<XPath>/samlp:Response/saml2:Assertion</XPath>
</Source>
<TrustStore>saml_trust_store</TrustStore>
</ValidateSAMLAssertion>
|
Extension Policies
| Policy Name |
JavaScript |
| Policy Category |
Extension Policies |
| Policy Usage |
You use the JavaScript policy to attach custom code to an API proxy flow. A JavaScript policy does not contain any actual code. Instead, a JavaScript policy references a JavaScript resource and defines the step in the API flow where the JavaScript executes. |
| Scenario |
Assign message weight based on request method and use message weight attribute in Quota policy
For example: Assign message weight = 2 for POST, message weight = 1 for GET. |
| Solution |
JS policy will be used along with Quota policy. Quota policy supports attribute MessageWeight to specify the weight assigned to each message. |
| Configuration |
const callType = context.proxyRequest.method;
context.setVariable("messageWeight", "1");
if (callType == 'POST') {
context.setVariable("messageWeight", "2");
}
|
| Policy Name |
PythonScript |
| Policy Category |
Extension Policies |
| Policy Usage |
You use the Python script policy to attach custom code to an API proxy flow. A Python policy does not contain any actual code. Instead, a Python policy references a Python resource and defines the step in the API flow where the Python script executes. |
| Scenario |
Assign message weight based on request method and use message weight attribute in Quota policy
For example: Assign message weight = 2 for POST, message weight = 1 for GET. |
| Solution |
PY policy will be used along with Quota policy. Quota policy supports attribute MessageWeight to specify the weight assigned to each message. |
| Configuration |
callType = flow.getVariable('request.verb')
if callType == 'POST':
flow.setVariable('messageWeight', '2')
else:
flow.setVariable('messageWeight', '1')
|
| Policy Name |
Message Logging |
| Policy Category |
Extension Policies |
| Policy Usage |
It is used to send syslog messages to third-party log management services, such as Splunk, Sumo Logic, and Loggly. |
| Scenario |
Send Log message to Loggly |
| Configuration |
Refer to blog post |
| Policy Name |
Message Validation |
| Policy Category |
Extension Policies |
| Policy Usage |
It is used to
- Validate any XML message against an XSD schema.
- Validate SOAP messages against a WSDL definition.
- Confirm JSON or XML is well-formed, based on content-type (if <ResourceURL> element is omitted).
To make this policy work, always set the ‘Content-Type’ header. |
| Scenario |
Validate XML message against XSD schema resource.xsd |
| Configuration |
<MessageValidation xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<Source>request</Source>
<ResourceURL>xsd://resource.xsd</ResourceURL>
</MessageValidation>
|
| Policy Name |
Open Connectors |
| Policy Category |
Extension Policies |
| Policy Usage |
It is attached to an Open Connector type API. For an open connector type API, you can attach only one open connector policy. The policy is either attached to the target endpoint or the proxy endpoint.
Refer to blog post |
| Scenario |
Access open connector instance |
| Configuration |
<OpenConnectors xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<InstanceSecret kvm-map-name="apim.oc.instance.token" kvm-key-name="default"/>
</OpenConnectors>
|
| Policy Name |
Service Callout |
| Policy Category |
Extension Policies |
| Policy Usage |
It is used to call another service from your API proxy flow. |
| Scenario |
Call Google API for books |
| Configuration |
<ServiceCallout xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
<Request clearPayload="true" variable="googleBookReq">
<Set>
<QueryParams>
<QueryParam name="q">{request.queryparam.search}</QueryParam>
</QueryParams>
</Set>
</Request>
<Response>googleBookResponse</Response>
<Timeout>30000</Timeout>
<HTTPTargetConnection>
<URL>https://www.googleapis.com/books/v1/volumes</URL>
</HTTPTargetConnection>
</ServiceCallout>
|
| Policy Name |
Statistics Collector Policy |
| Policy Category |
Extension Policies |
| Policy Usage |
It is used to collect statistics for data in a message, such as product ID, price, REST action, client and target URL, and message length. The data can come from flow variables or custom variables. To use custom variables, create metrics. For data of type string, reference the statistical data as a Dimension in a custom report. For numerical data types (integer/float/long/double), reference the statistical data in a custom report as a Metric.
Refer to blog post |
| Scenario |
Collect statistical information about custom variable books.searchquery |
| Configuration |
<StatisticsCollector xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
<Statistics>
<Statistic name="search" ref="books.searchquery" type="string">default</Statistic>
</Statistics>
</StatisticsCollector>
|
Reference Links:
Thank you for reading this blog post. Please feel free to share your feedback or thoughts or ask questions in the Q&A tag below.
QA Link
Regards,
Priyanka Chakraborti
One-stop shop for all API management policies capability. Thanks for sharing.
How do I put a condition in a policy to validate if a custom attribute is defined for the application. My use case is that I am defining IP addresses as application custom attribute and allowing the IP in Access Control policy by referencing attribute variable. I want to put a condition in the policy to execute if attribute is not defined in the application. How do put a conditional statement to validate if a custom attribute exists.