SAP API Management Policies
Introduction:
This blog post is meant to get you familiar with all the policies available in SAP API Management, with a short usage summary and a sample scenario for each.
Prerequisite:
A basic understanding of API Management. Reference Link: Get Started with API Management
Policy Categories:
Traffic Management Policies:
Policy Name | Quota policy |
Policy Usage | A Quota is an allotment of request messages that an API proxy can handle over a time period, such as a minute, hour, day, week, or month. The policy maintains counters that tally the number of requests received by the API proxy. The Quota policy is used for restricting the number of allowed transactions based on business requirements. |
Use cases | Subscriptions, Usage restrictions, Metering |
Scenario | Allow 3 calls every minute |
Configuration | (screenshot not reproduced) |
Policy Name | Spike Arrest |
Policy Usage | The Spike Arrest policy protects against traffic surges with the <Rate> element. This element throttles the number of requests processed by an API proxy and sent to a backend, protecting against performance lags and downtime. |
Use cases | Denial of service protection, Traffic shaping, Bot protection |
Scenario | Limit 30 calls per second |
Configuration | (screenshot not reproduced) |
Note: If both the Spike Arrest policy and the Quota policy are needed, place Spike Arrest before Quota in the flow.
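Example configuration for both policies, added here to illustrate the scenarios and the ordering note; it is not one of the original screenshots and not SAP's shipped template. It assumes the policies are named SpikeArrest and Quota in the policy editor, that the client identifies itself with an apikey header, and the xmlns that the SAP policy editor generates.

```xml
<!-- Added example: SpikeArrest policy, assumed to be named "SpikeArrest" in the policy editor.
     30ps is smoothed to roughly one request every 33 ms per identifier; it is not a counter. -->
<SpikeArrest async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <!-- Throttle per API key rather than for the proxy as a whole (assumed header name). -->
  <Identifier ref="request.header.apikey"/>
  <Rate>30ps</Rate>
</SpikeArrest>

<!-- Added example: Quota policy, assumed to be named "Quota". Allows 3 calls per minute per API key.
     type="calendar" resets the counter on a fixed schedule anchored at StartTime. -->
<Quota async="false" continueOnError="false" enabled="true" type="calendar" xmlns="http://www.sap.com/apimgmt">
  <Identifier ref="request.header.apikey"/>
  <Allow count="3"/>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
  <StartTime>2024-01-01 00:00:00</StartTime>
</Quota>

<!-- ProxyEndpoint PreFlow showing the ordering the note above calls for:
     SpikeArrest runs first, so a burst is rejected before it consumes quota. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>SpikeArrest</Name></Step>
    <Step><Name>Quota</Name></Step>
  </Request>
  <Response/>
</PreFlow>
```

Spike Arrest smooths rather than counts: 30ps is enforced as about one request every 33 ms per identifier, so 30 requests arriving in the same second are not all accepted. The Identifier above is a raw header under the caller's control; once a Verify API Key step runs earlier in the flow, key both counters off verifyapikey.{policy_name}.client_id instead, so a caller cannot obtain a fresh counter simply by changing the header value.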
Policy Name | Access Control Policy |
Policy Usage | Access Control policy is used to allow or deny specific IP addresses. |
Use cases | Whitelist IP address, Blacklist IP address |
Scenario | Allow only a list of IP Addresses |
Configuration | (screenshot not reproduced) |
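Example configuration for the allow-list scenario, added here and not one of the original screenshots. The policy name AccessControlAllowList and the two address ranges (taken from the RFC 5737 documentation ranges) are constructed; the ValidateBasedOn element is documented for the Apigee Edge policy that the SAP policy is based on, so confirm your tenant accepts it before relying on it.

```xml
<!-- Added example: AccessControl policy (assumed name "AccessControlAllowList").
     Only the two listed ranges may call the proxy; everything else is denied. -->
<AccessControl async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <!-- Evaluate the client address as carried in X-Forwarded-For. ALL_IP requires every
     address in that header to match a rule, so a spoofed first entry cannot get through. -->
  <ValidateBasedOn>X_FORWARDED_FOR_ALL_IP</ValidateBasedOn>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <!-- Constructed sample addresses from the RFC 5737 documentation ranges. -->
      <SourceAddress mask="32">203.0.113.10</SourceAddress>
      <SourceAddress mask="24">198.51.100.0</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>
```

The policy works from the X-Forwarded-For header, and the leftmost entry of that header is whatever the caller put there. For an allow list that is meant as a security control, check all entries (or the last one, which the nearest trusted proxy appended) rather than the first, and keep noRuleMatchAction set to DENY so an address that matches no rule fails closed.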
Policy Name | Reset Quota |
Policy Usage | Reset Quota policy is used to temporarily increase the quota count. It should be placed in fault rules with a specific condition match to reset the quota. |
Scenario | Add 2 more requests to quota count |
Configuration | (screenshot not reproduced) |
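Example for the "2 more requests" scenario, added here and not one of the original screenshots. It assumes the Quota policy from the earlier scenario is named Quota, that this policy is named ResetQuota, that a Verify API Key policy named VerifyAPIKey runs earlier and exposes an app custom attribute called tier, and that fault rules are edited on the proxy endpoint.

```xml
<!-- Added example: ResetQuota policy (assumed name "ResetQuota"). It adds 2 requests to the
     counter kept by the Quota policy assumed to be named "Quota", for the same identifier. -->
<ResetQuota async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Quota name="Quota">
    <Identifier ref="request.header.apikey">
      <Allow>2</Allow>
    </Identifier>
  </Quota>
</ResetQuota>

<!-- ProxyEndpoint fault rule (assumed). It fires only when the Quota policy raised
     QuotaViolation and a server-side app attribute marks the caller as eligible.
     A client-supplied header must never be the trigger, or any caller could top up
     its own quota on demand. -->
<FaultRules>
  <FaultRule name="TopUpQuotaForPremiumApps">
    <Condition>(fault.name = "QuotaViolation") and (verifyapikey.VerifyAPIKey.tier = "premium")</Condition>
    <Step><Name>ResetQuota</Name></Step>
  </FaultRule>
</FaultRules>
```

A fault rule does not retry the request: the call that tripped the quota is still answered with the quota error, and the extra allowance applies to the caller's next requests.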
Policy Name | Response Cache |
Policy Usage | Response Cache policy is used to cache data from a backend resource, reducing the number of requests to the resource. The Response Cache policy is a unique type of policy which needs to be added to both the request and response flow in an API proxy. |
Scenario | Cache data using query parameter ‘empId’ as cache key fragment along with URI |
Configuration | (screenshot not reproduced) |
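Example for the empId scenario, added here and not one of the original screenshots. It assumes the policy is named ResponseCache, that a Verify API Key policy named VerifyAPIKey exists, and a 5-minute expiry chosen for illustration.

```xml
<!-- Added example: ResponseCache policy (assumed name "ResponseCache"). The same policy is
     attached once in the request flow (lookup) and once in the response flow (store). -->
<ResponseCache async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <CacheKey>
    <!-- Key = path + empId, so /employees?empId=1 and /employees?empId=2 are separate entries. -->
    <KeyFragment ref="request.path"/>
    <KeyFragment ref="request.queryparam.empId"/>
  </CacheKey>
  <!-- Exclusive: entries are private to this proxy and not shared with other proxies. -->
  <Scope>Exclusive</Scope>
  <ExpirySettings>
    <TimeoutInSec>300</TimeoutInSec>
  </ExpirySettings>
  <!-- Never cache error responses. -->
  <ExcludeErrorResponse>true</ExcludeErrorResponse>
</ResponseCache>

<!-- ProxyEndpoint PreFlow: the cache lookup must run after authentication. On a cache hit the
     stored response is returned and every later request step is skipped, so a lookup placed
     before VerifyAPIKey would serve cached data to unauthenticated callers. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>VerifyAPIKey</Name></Step>
    <Step><Name>ResponseCache</Name></Step>
  </Request>
  <Response>
    <Step><Name>ResponseCache</Name></Step>
  </Response>
</PreFlow>
```

The cache key decides who shares an entry. Path plus empId is right for data that is the same for every authorised caller; if the backend response depends on the caller (per-user views, role-filtered fields), add a fragment such as verifyapikey.VerifyAPIKey.client_id, otherwise one caller's response is served to the next.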
Policy Name | Populate Cache |
Policy Usage | Populate Cache policy is used to add data to the cache. |
Scenario | Store client-id from header to cache with key fragment name ‘apikey’ |
Configuration | (screenshot not reproduced) |
Policy Name | Lookup Cache |
Policy Usage | Lookup Cache policy is used to access the cached data. |
Scenario | Access cached data (key fragment -> apikey) and store it into header named ‘apikey’ |
Configuration | (screenshot not reproduced) |
Policy Name | Invalidate Cache |
Policy Usage | Invalidate Cache policy is used to flush the cache. |
Scenario | Flush cached data (key fragment -> apikey) |
Configuration | (screenshot not reproduced) |
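One example covering the Populate Cache, Lookup Cache and Invalidate Cache scenarios above, added here and not one of the original screenshots. The three policies are assumed to be named PopulateCache, LookupCache and InvalidateCache, and the 10-minute expiry is chosen for illustration.

```xml
<!-- Added example, three policies sharing one cache key (assumed names in comments). -->

<!-- PopulateCache: store the client-id request header under key fragment "apikey" for 10 minutes. -->
<PopulateCache async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <CacheKey>
    <KeyFragment>apikey</KeyFragment>
  </CacheKey>
  <Scope>Exclusive</Scope>
  <ExpirySettings>
    <TimeoutInSec>600</TimeoutInSec>
  </ExpirySettings>
  <Source>request.header.client-id</Source>
</PopulateCache>

<!-- LookupCache: read the entry back into the apikey request header. The flow variable
     lookupcache.LookupCache.cachehit tells later conditions whether anything was found. -->
<LookupCache async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <CacheKey>
    <KeyFragment>apikey</KeyFragment>
  </CacheKey>
  <Scope>Exclusive</Scope>
  <AssignTo>request.header.apikey</AssignTo>
</LookupCache>

<!-- InvalidateCache: flush the entry, for example from a flow that handles credential rotation. -->
<InvalidateCache async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <CacheKey>
    <KeyFragment>apikey</KeyFragment>
  </CacheKey>
  <Scope>Exclusive</Scope>
  <PurgeChildEntries>true</PurgeChildEntries>
</InvalidateCache>
```

With a fixed literal fragment there is exactly one entry for the whole proxy, so the last caller to populate it wins and every later caller reads that value. That is fine for shared configuration; for anything caller-specific, such as the client-id in this scenario, add a per-caller fragment (for example a ref to verifyapikey.{policy_name}.client_id) so callers cannot read each other's cached values.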
Mediation Policies:
Policy Name | Access Entity |
Policy Usage | It is used to retrieve entity profiles from the SAP APIM data store. The policy places the profile (XML payload) in a variable whose name follows the format AccessEntity.{policy_name}. The following entities can be accessed: |
Scenario | Access developer profile using api key from query parameter |
Configuration | (screenshot not reproduced) |
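Example for the developer-profile scenario, added here and not one of the original screenshots. It assumes the policies are named GetDeveloperProfile and ExtractDeveloperEmail, and that the API key arrives in the apikey query parameter as the scenario states.

```xml
<!-- Added example: AccessEntity policy (assumed name "GetDeveloperProfile"). The developer is
     looked up by the consumer key (API key) in the apikey query parameter, and the profile XML
     lands in the flow variable AccessEntity.GetDeveloperProfile. -->
<AccessEntity async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <EntityType value="developer"/>
  <EntityIdentifier ref="request.queryparam.apikey" type="consumerkey"/>
</AccessEntity>

<!-- ExtractVariables (assumed name "ExtractDeveloperEmail") reads one field out of that XML
     into the flow variable developer.email. -->
<ExtractVariables async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Source>AccessEntity.GetDeveloperProfile</Source>
  <VariablePrefix>developer</VariablePrefix>
  <XMLPayload>
    <Variable name="email" type="string">
      <XPath>/Developer/Email</XPath>
    </Variable>
  </XMLPayload>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>
```

Access Entity is a lookup, not an authentication step: it returns the profile for any key it can resolve and does not check that the key is approved for the product being called. Keep a Verify API Key step before it and treat the profile as data for routing or enrichment, not as proof that the caller is allowed in.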
Policy Name | Assign Message |
Policy Usage | The AssignMessage policy changes or creates new request and response messages during the API proxy flow. The following actions are supported: |
Scenario | The backend expects the API key as a header, but the client sends it as a query parameter. |
Solution | |
Configuration | (screenshot not reproduced) |
Policy Name | Extract Variables |
Policy Usage | The ExtractVariables policy extracts content from a request or response and sets the value of a variable to that content. |
Scenario | Extract requester’s age from XML payload and store it in a variable named ‘age’. |
Configuration | (screenshot not reproduced) |
Policy Name | Raise Fault |
Policy Usage | It generates a custom message in response to an error condition. Use RaiseFault to define a fault response that is returned to the requesting app when a specific condition arises. |
Scenario | Raise fault if age is less than 18 |
Solution | Add the condition string ‘age < 18’ to the policy step |
Configuration | (screenshot not reproduced) |
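One example covering the Assign Message, Extract Variables and Raise Fault scenarios above as a single request flow, added here and not one of the original screenshots. The policy names MoveApiKeyToHeader, ExtractAge and RejectUnderage, the apikey parameter name, the /Requester/Age element and the error payload are all assumptions.

```xml
<!-- Added example, three policies plus the flow steps that wire them together. -->

<!-- AssignMessage "MoveApiKeyToHeader": the client sends ?apikey=..., the backend expects a
     header. The query parameter is removed so the key does not also travel in the URL. -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Set>
    <Headers>
      <Header name="apikey">{request.queryparam.apikey}</Header>
    </Headers>
  </Set>
  <Remove>
    <QueryParams>
      <QueryParam name="apikey"/>
    </QueryParams>
  </Remove>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- ExtractVariables "ExtractAge": reads /Requester/Age from the XML request body into the
     flow variable "age" (no VariablePrefix, so the variable is exactly "age"). -->
<ExtractVariables async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Source clearPayload="false">request</Source>
  <XMLPayload stopPayloadProcessing="false">
    <Variable name="age" type="integer">
      <XPath>/Requester/Age</XPath>
    </Variable>
  </XMLPayload>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- RaiseFault "RejectUnderage": the 403 returned to the caller. variablePrefix/variableSuffix
     are changed so the braces of the JSON body are not read as variable references. -->
<RaiseFault async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{"error":"requester must be at least 18"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- ProxyEndpoint PreFlow steps. In raw XML the condition "age < 18" would have to be written
     with &lt;, so the word form is used. If Age is missing or not numeric, "age" stays unset and
     "age < 18" on its own evaluates to false; the null check makes the step fail closed. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>MoveApiKeyToHeader</Name></Step>
    <Step><Name>ExtractAge</Name></Step>
    <Step>
      <Name>RejectUnderage</Name>
      <Condition>(age = null) or (age LesserThan 18)</Condition>
    </Step>
  </Request>
  <Response/>
</PreFlow>
```

The order matters twice: ExtractAge has to run before the conditional RejectUnderage step, and the null check has to be part of the condition, because a condition on an unset variable is simply false and would let a request without an Age element through.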
Policy Name | JSON to XML |
Policy Usage | It is used to convert a JSON payload to an XML payload. |
Scenario | Convert incoming JSON payload to XML. |
Configuration | (screenshot not reproduced) |
Policy Name | XML to JSON |
Policy Usage | It is used to convert an XML payload to a JSON payload. |
Scenario | Convert incoming XML payload to JSON. |
Configuration | (screenshot not reproduced) |
Policy Name | XSL Transform |
Policy Usage | It is used to convert XML to another format such as XML, HTML, or plain text. |
Scenario | Convert incoming XML payload to HTML. |
Configuration | (screenshot not reproduced) |
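Example for the XML-to-HTML scenario, added here and not one of the original screenshots. It assumes the policy is named XMLToHTML and is attached to the response flow, that a stylesheet resource employee-to-html.xsl has been uploaded, and a constructed input document of the form <Employees><Employee><Id/><Name/></Employee></Employees>.

```xml
<!-- Added example, two documents. First the XSL policy (assumed name "XMLToHTML"),
     attached to the response flow so the backend's XML is rewritten before it leaves the proxy. -->
<XSL async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Source>response</Source>
  <ResourceURL>xsl://employee-to-html.xsl</ResourceURL>
  <OutputVariable>response.content</OutputVariable>
</XSL>

<!-- Second, the stylesheet resource employee-to-html.xsl (constructed). -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" encoding="UTF-8" indent="yes"/>
  <xsl:template match="/Employees">
    <html>
      <body>
        <table>
          <tr><th>Id</th><th>Name</th></tr>
          <xsl:for-each select="Employee">
            <tr>
              <!-- xsl:value-of escapes markup characters, so a Name such as
                   <script>...</script> is rendered as literal text, not executed. -->
              <td><xsl:value-of select="Id"/></td>
              <td><xsl:value-of select="Name"/></td>
            </tr>
          </xsl:for-each>
        </table>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
```

Two follow-ups a practitioner would add: set the response Content-Type to text/html with an Assign Message step after the transform, and never use disable-output-escaping="yes" on values that come from the backend or the client, since that turns any stored markup into an injection into the rendered page.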
Policy Name | Key Value Map Operations |
Policy Usage | It provides policy-based access to a Key Value Map (KVM) store available in API Management. Supported operations: PUT, GET, DELETE. By default, the scope is environment, i.e. map entries are shared by all API proxies running in an environment. |
Scenario | Retrieve client id and client secret from KVM store and set those as headers |
Configuration | (screenshot not reproduced) |
Security Policies:
Policy Name | Basic Authentication |
Policy Usage | The policy has two modes of operation: |
Scenario | Retrieve username and password from KVM encrypted store and set as ‘Authorization’ header |
Configuration | (screenshot not reproduced) |
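One example covering both the Key Value Map Operations scenario (read credentials from the KVM) and the Basic Authentication scenario (turn them into an Authorization header), added here and not one of the original screenshots. It assumes an encrypted environment-scoped map named backend-credentials with entries username and password, and policies named GetBackendCredentials and SetBackendAuth.

```xml
<!-- Added example, two policies run in this order in the request flow. -->

<!-- KeyValueMapOperations "GetBackendCredentials". Values read from an encrypted map may only
     be assigned to private.* variables, which also keeps them out of trace output. -->
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" mapIdentifier="backend-credentials" xmlns="http://www.sap.com/apimgmt">
  <Scope>environment</Scope>
  <Get assignTo="private.backend.username">
    <Key><Parameter>username</Parameter></Key>
  </Get>
  <Get assignTo="private.backend.password">
    <Key><Parameter>password</Parameter></Key>
  </Get>
</KeyValueMapOperations>

<!-- BasicAuthentication "SetBackendAuth": Base64-encodes username:password into the outbound
     Authorization header. Base64 is encoding, not encryption: the target must be HTTPS. -->
<BasicAuthentication async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Operation>Encode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="private.backend.username"/>
  <Password ref="private.backend.password"/>
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>
```

IgnoreUnresolvedVariables is deliberately false on the second policy: if the map entry is missing, the request fails instead of going to the backend with an empty credential.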
Policy Name | Verify API Key |
Policy Usage | It is used to enforce verification of API keys at runtime, letting only apps with approved API keys access APIs. This policy ensures that API keys are valid, have not been revoked, and are approved to consume the specific resources associated with API products. |
Scenario | Verify API Key from header |
Configuration | (screenshot not reproduced) |
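Example for the header scenario, added here and not one of the original screenshots. It assumes the policies are named VerifyAPIKey and StripApiKey and that the key arrives in an apikey header.

```xml
<!-- Added example: VerifyAPIKey (assumed name "VerifyAPIKey") reads the key from the apikey
     header. On success it sets verifyapikey.VerifyAPIKey.client_id, .developer.app.name,
     .apiproduct.name and the app's custom attributes; on failure it stops the flow with 401. -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <APIKey ref="request.header.apikey"/>
</VerifyAPIKey>

<!-- AssignMessage "StripApiKey": the key is a credential for the proxy, not for the backend,
     so remove it before the request is forwarded to the target (and its logs). -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Remove>
    <Headers>
      <Header name="apikey"/>
    </Headers>
  </Remove>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

Downstream policies should use the verified identity (verifyapikey.VerifyAPIKey.client_id) rather than the raw header value; the header is what the caller sent, the variable is what the platform confirmed.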
Policy Name | XML Threat Protection |
Policy Usage | It addresses XML vulnerabilities and minimizes attacks on your API. Optionally, it detects XML payload attacks based on configured limits. This policy executes only if the ‘Content-Type’ of the request or response header is set to application/xml. |
Scenario | Apply character limits of 10 chars for names. |
Configuration | (screenshot not reproduced) |
Policy Name | JSON Threat Protection |
Policy Usage | It minimizes the risk posed by content-level attacks by enabling you to specify limits on various JSON structures, such as arrays and strings. This policy executes only if the ‘Content-Type’ of the request or response header is set to application/json. |
Scenario | Apply character limits of 10 chars for names. |
Configuration | (screenshot not reproduced) |
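One example covering both threat-protection scenarios (10-character names) and the Content-Type condition both descriptions mention, added here and not one of the original screenshots. The policy names JSONThreatProtection, XMLThreatProtection and RejectContentType, and all limits other than the 10-character name limit, are chosen for illustration.

```xml
<!-- Added example. JSONThreatProtection (assumed name "JSONThreatProtection"): the
     10-character limit on object entry names from the scenario, plus depth and size limits. -->
<JSONThreatProtection async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Source>request</Source>
  <ObjectEntryNameLength>10</ObjectEntryNameLength>
  <ObjectEntryCount>20</ObjectEntryCount>
  <ArrayElementCount>50</ArrayElementCount>
  <ContainerDepth>8</ContainerDepth>
  <StringValueLength>500</StringValueLength>
</JSONThreatProtection>

<!-- XMLThreatProtection (assumed name "XMLThreatProtection"): element, attribute and prefix
     names limited to 10 characters; the structure limits bound the parser's work. -->
<XMLThreatProtection async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Source>request</Source>
  <NameLimits>
    <Element>10</Element>
    <Attribute>10</Attribute>
    <NamespacePrefix>10</NamespacePrefix>
  </NameLimits>
  <StructureLimits>
    <NodeDepth>8</NodeDepth>
    <AttributeCountPerElement>4</AttributeCountPerElement>
    <ChildCount includeElement="true" includeText="true" includeComment="true" includeProcessingInstruction="true">50</ChildCount>
  </StructureLimits>
  <ValueLimits>
    <Text>500</Text>
    <Attribute>100</Attribute>
  </ValueLimits>
</XMLThreatProtection>

<!-- Each policy only runs for its own Content-Type, so a body sent with any other type would
     bypass both. The RaiseFault step (assumed name "RejectContentType", returning 415) rejects
     such requests first. The JavaRegex operator (~~) must match the whole value, and the
     trailing .* lets "application/json; charset=utf-8" through. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>RejectContentType</Name>
      <Condition>Not (request.header.Content-Type ~~ "application/(json|xml).*")</Condition>
    </Step>
    <Step><Name>JSONThreatProtection</Name></Step>
    <Step><Name>XMLThreatProtection</Name></Step>
  </Request>
  <Response/>
</PreFlow>
```

The limits are a ceiling on parser work, not a schema: they stop deeply nested or oversized documents before the backend parses them, and the Content-Type gate above is what stops an attacker from simply relabelling the body to skip the check.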
Policy Name | Regular Expression Protection |
Policy Usage | It extracts information from a message (for example, URI Path, Query Param, Header, Form Param, Variable, XML Payload, or JSON Payload) and evaluates that content against predefined regular expressions. If any specified regular expression evaluates to true, the message is considered a threat and is rejected. |
Scenario | Check whether the “action” query parameter contains SQL injection patterns that could be used for an invasive operation. |
Configuration | (screenshot not reproduced) |
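Example for the "action" query parameter scenario, added here and not one of the original screenshots. The policy name RejectSQLPatterns and the two patterns are constructed for illustration.

```xml
<!-- Added example: RegularExpressionProtection (assumed name "RejectSQLPatterns") applied to the
     "action" query parameter. A request is rejected as soon as any Pattern matches. -->
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <!-- The parameter is optional; an absent value should not itself raise a fault. -->
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <QueryParam name="action">
    <!-- SQL keywords as whole words, case-insensitive. -->
    <Pattern>(?i)\b(select|insert|update|delete|drop|union|exec|shutdown)\b</Pattern>
    <!-- Comment and statement separators and the classic quote-then-OR sequence. -->
    <Pattern>(?i)(--|;|/\*|\*/|'\s*or\s+)</Pattern>
  </QueryParam>
</RegularExpressionProtection>
```

Two caveats belong next to this policy. A denylist regex is a coarse filter that can be sidestepped with encoding and alternative syntax, so it reduces noise at the edge but does not replace parameterised queries in the backend. And because the patterns are evaluated on every request, keep them linear (no nested quantifiers such as (a+)+), or the policy itself becomes a denial-of-service target.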
Policy Name | OAuth v2.0 |
Policy Usage | It is used to perform the following operations: |
Scenario | Generate Access Token |
Configuration | (screenshot not reproduced) |
Policy Name | OAuth v2.0 GET |
Policy Usage | It is used to get attributes of tokens and authorization codes and to make them available to policies and code executing in an API proxy. Whenever token validation occurs, variables are automatically populated with the values of token attributes. However, in cases where token validation has not occurred, you can use this feature to explicitly populate variables with the attribute values of a token. For example, the following variables are populated when the AccessToken element is set: |
Scenario | Get Access token value from query parameter. |
Configuration | (screenshot not reproduced) |
Policy Name | OAuth v2.0 SET |
Policy Usage | It is used to add or update custom attributes associated with an access token. |
Scenario | Add a custom property called department.id to the access token’s profile. |
Configuration | (screenshot not reproduced) |
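One example covering the three OAuth scenarios above (generate a token, read its attributes from a query parameter, set department.id), added here and not one of the original screenshots. The policy names GenerateAccessToken, VerifyAccessToken, GetTokenInfo and SetTokenInfo, the 30-minute lifetime and the developer.departmentId variable are assumptions.

```xml
<!-- Added example. Token-endpoint policy (assumed name "GenerateAccessToken").
     ExpiresIn is in milliseconds: 1800000 = 30 minutes. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- grant_type comes as a form parameter; client_id/client_secret from the Basic Authorization header. -->
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Resource-protecting policy (assumed name "VerifyAccessToken"): expects Authorization: Bearer <token>
     and populates the same token variables on success. -->
<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- GetOAuthV2Info (assumed name "GetTokenInfo"): reads the token named in the access_token
     query parameter, as in the scenario, and fills oauthv2accesstoken.GetTokenInfo.client_id,
     .expires_in, .scope, .status and any custom attributes. -->
<GetOAuthV2Info async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <AccessToken ref="request.queryparam.access_token"/>
</GetOAuthV2Info>

<!-- SetOAuthV2Info (assumed name "SetTokenInfo"): attaches department.id to the token profile.
     The value is taken from a flow variable set earlier by a trusted policy, never from the client;
     "unknown" is stored if that variable is unset, and display="false" hides it from token responses. -->
<SetOAuthV2Info async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <AccessToken ref="request.queryparam.access_token"/>
  <Attributes>
    <Attribute name="department.id" ref="developer.departmentId" display="false">unknown</Attribute>
  </Attributes>
</SetOAuthV2Info>
```

The scenario reads the token from a query parameter, and the example follows it, but query strings end up in access logs, browser history and Referer headers; for production traffic prefer the Authorization header, which VerifyAccessToken reads by default.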
Policy Name | GenerateJWT |
Policy Usage | It is used to generate a signed JWT, with a configurable set of claims. Claims are statements about an entity (typically, the user) and additional data. |
Scenario | Generate a JWT signed with the HS256 algorithm |
Policy Name | VerifyJWT |
Policy Usage | It is used to verify the signature on a JWT received from clients or other systems. This policy also extracts the claims into context variables so that subsequent policies or conditions can examine those values to make authorization or routing decisions. |
Scenario | Verify a JWT signed with the HS256 algorithm |
Configuration | (screenshot not reproduced) |
Policy Name | DecodeJWT |
Policy Usage | It is used to decode a JWT without verifying the signature on the JWT. By default, it searches for the ‘Authorization’ header. |
Scenario | Decode JWT token |
Configuration | (screenshot not reproduced) |
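One example covering the GenerateJWT, VerifyJWT and DecodeJWT scenarios (HS256), added here and not one of the original screenshots. It assumes the policies are named GenerateJWT, VerifyJWT and DecodeJWT, that the HMAC secret has already been read into private.jwt.secret (for example from an encrypted KVM), a Verify API Key policy named VerifyAPIKey that exposes a tier attribute, and the constructed issuer and audience values.

```xml
<!-- Added example, three policies (assumed names in comments). -->

<!-- GenerateJWT "GenerateJWT": HS256 over a private.* secret, short lifetime, claims taken only
     from values the platform has already verified. -->
<GenerateJWT async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Algorithm>HS256</Algorithm>
  <SecretKey>
    <Value ref="private.jwt.secret"/>
  </SecretKey>
  <Issuer>https://api.example.com</Issuer>
  <Audience>order-service</Audience>
  <Subject ref="verifyapikey.VerifyAPIKey.client_id"/>
  <ExpiresIn>10m</ExpiresIn>
  <AdditionalClaims>
    <Claim name="tier" ref="verifyapikey.VerifyAPIKey.tier" type="string"/>
  </AdditionalClaims>
  <OutputVariable>issued.jwt</OutputVariable>
</GenerateJWT>

<!-- VerifyJWT "VerifyJWT": the algorithm is pinned, so a token whose header claims "none" or
     RS256 is rejected rather than re-interpreted; issuer, audience and expiry are checked too.
     On success the claims appear as jwt.VerifyJWT.claim.subject, jwt.VerifyJWT.decoded.claim.tier, etc. -->
<VerifyJWT async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Algorithm>HS256</Algorithm>
  <Source>request.header.authorization</Source>
  <SecretKey>
    <Value ref="private.jwt.secret"/>
  </SecretKey>
  <Issuer>https://api.example.com</Issuer>
  <Audience>order-service</Audience>
  <!-- Tolerated clock skew between issuer and verifier. -->
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>

<!-- DecodeJWT "DecodeJWT": parses the token without checking the signature. Its output is
     untrusted input, useful for routing to the right verifier (e.g. by issuer), never for authorization. -->
<DecodeJWT async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Source>request.header.authorization</Source>
</DecodeJWT>
```

HS256 is a symmetric MAC, so every party that can verify the token can also mint one; keep the secret in an encrypted KVM, reference it only through a private.* variable, and move to an asymmetric algorithm (RS256/ES256) as soon as the verifier is a different system from the issuer.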
Policy Name | SAML Assertion Generation |
Policy Usage | It enables API proxies to attach SAML assertions to outbound XML requests. Those assertions are then available to the backend services. |
Scenario | Generate SAML assertion |
Configuration | (screenshot not reproduced) |
Policy Name | SAML Assertion Validation |
Policy Usage | It validates incoming messages that contain a digitally-signed SAML assertion, rejects them if they are invalid, and sets variables that allow additional policies, or the backend service itself, to further validate the information in the assertion. |
Scenario | Validate SAML assertion |
Configuration | (screenshot not reproduced) |
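Example for the validation scenario, added here and not one of the original screenshots. It assumes the policy is named ValidateSAML, that the assertion arrives inside the WS-Security header of a SOAP 1.1 request, and a trust store named IdPTrustStore.

```xml
<!-- Added example: ValidateSAMLAssertion (assumed name "ValidateSAML") for a SOAP request that
     carries the assertion in the WS-Security header. The trust store (assumed name "IdPTrustStore")
     should hold only the identity provider's signing certificate, so a signature from any other
     key, however valid, does not pass. -->
<ValidateSAMLAssertion async="false" continueOnError="false" enabled="true" ignoreContentType="false" xmlns="http://www.sap.com/apimgmt">
  <Source name="request">
    <Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
    <Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
    <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    <XPath>/soap:Envelope/soap:Header/wsse:Security/saml:Assertion</XPath>
  </Source>
  <TrustStore>IdPTrustStore</TrustStore>
  <!-- Keep the assertion in the message so the backend can inspect it as well. -->
  <RemoveAssertion>false</RemoveAssertion>
</ValidateSAMLAssertion>
```

After a successful validation the policy exposes the assertion's subject and issuer as flow variables (saml.ValidateSAML.subject and saml.ValidateSAML.issuer under the assumed name), which a later condition can compare against the issuer you expect; the signature check alone proves who signed the assertion, not that it was meant for this API.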
Extension Policies:
Policy Name | JavaScript |
Policy Category | Extension Policies |
Policy Usage | You use the JavaScript policy to attach custom code to an API proxy flow. A JavaScript policy does not contain any actual code. Instead, a JavaScript policy references a JavaScript resource and defines the step in the API flow where the JavaScript executes. |
Scenario | Assign a message weight based on the request method and use the MessageWeight attribute in the Quota policy. For example: message weight = 2 for POST, message weight = 1 for GET. |
Solution | The JS policy will be used along with the Quota policy. The Quota policy supports the attribute MessageWeight to specify the weight assigned to each message. |
Configuration | (screenshot not reproduced) |
Policy Name | PythonScript |
Policy Category | Extension Policies |
Policy Usage | You use the Python script policy to attach custom code to an API proxy flow. A Python policy does not contain any actual code. Instead, a Python policy references a Python resource and defines the step in the API flow where the Python script executes. |
Scenario | Assign a message weight based on the request method and use the MessageWeight attribute in the Quota policy. For example: message weight = 2 for POST, message weight = 1 for GET. |
Solution | The Python policy will be used along with the Quota policy. The Quota policy supports the attribute MessageWeight to specify the weight assigned to each message. |
Configuration | (screenshot not reproduced) |
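One example covering both the JavaScript and the Python message-weight scenarios, added here and not one of the original screenshots. It assumes policies named SetMessageWeight and WeightedQuota, a flow variable messageWeight, and a script resource set-message-weight.js (or set-message-weight.py) whose body is given in the comments.

```xml
<!-- Added example. JavaScript policy (assumed name "SetMessageWeight"). The referenced resource
     jsc://set-message-weight.js is assumed to contain one statement:
       context.setVariable("messageWeight", context.getVariable("request.verb") === "POST" ? 2 : 1);
     The Python variant is a Script policy with <ResourceURL>py://set-message-weight.py</ResourceURL>
     and the equivalent line using flow.getVariable / flow.setVariable. -->
<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" xmlns="http://www.sap.com/apimgmt">
  <ResourceURL>jsc://set-message-weight.js</ResourceURL>
</Javascript>

<!-- Quota policy (assumed name "WeightedQuota"): each request consumes messageWeight units
     of the 100-per-hour allowance, so a POST counts twice as much as a GET. -->
<Quota async="false" continueOnError="false" enabled="true" type="calendar" xmlns="http://www.sap.com/apimgmt">
  <Identifier ref="verifyapikey.VerifyAPIKey.client_id"/>
  <MessageWeight ref="messageWeight"/>
  <Allow count="100"/>
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
  <StartTime>2024-01-01 00:00:00</StartTime>
</Quota>

<!-- ProxyEndpoint PreFlow: the script must run before the Quota step reads messageWeight.
     If it did not, the variable would be unset and the Quota policy would raise InvalidMessageWeight. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>VerifyAPIKey</Name></Step>
    <Step><Name>SetMessageWeight</Name></Step>
    <Step><Name>WeightedQuota</Name></Step>
  </Request>
  <Response/>
</PreFlow>
```

The weight is derived from request.verb, which the platform sets from the actual HTTP method, so a caller cannot lower their own weight by sending a header; if the script were to read the weight from a client header instead, the quota would become advisory.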
Policy Name | Message Logging |
Policy Category | Extension Policies |
Policy Usage | It is used to send syslog messages to third-party log management services, such as Splunk, Sumo Logic, and Loggly. |
Scenario | Send Log message to Loggly |
Configuration | Refer to blog post |
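Example configuration for the Loggly scenario, added here as an illustration that is neither one of the original screenshots nor the configuration from the blog post referred to above. It assumes the policy is named LogToLoggly, that LOGGLY_TOKEN_PLACEHOLDER is replaced with the customer token, and that TLS syslog is used; 41058 is Loggly's IANA enterprise number used in the structured-data block.

```xml
<!-- Added example: MessageLogging (assumed name "LogToLoggly"). The message carries request
     metadata only: never the API key, the Authorization header or a request body, because the
     log platform is a third party and its retention is outside your control. -->
<MessageLogging async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Syslog>
    <Message>[LOGGLY_TOKEN_PLACEHOLDER@41058 tag="sap-apim"] {apiproxy.name} {request.verb} {request.uri} {response.status.code} {client.ip} {messageid}</Message>
    <Host>logs-01.loggly.com</Host>
    <!-- 6514 is the TLS syslog port; 514 would send the log lines in clear text. -->
    <Port>6514</Port>
    <Protocol>TCP</Protocol>
    <FormatMessage>true</FormatMessage>
    <SSLInfo>
      <Enabled>true</Enabled>
    </SSLInfo>
  </Syslog>
</MessageLogging>
```

Attach the policy in the response flow so that response.status.code is already known; messageid gives you a correlation handle that can be matched against the proxy's own trace without putting any client data in the log line.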
Policy Name | Message Validation |
Policy Category | Extension Policies |
Policy Usage | It is used to
To make this policy work, always set the ‘Content-Type’ header. |
Scenario | Validate XML message against XSD schema resource.xsd |
Configuration | (screenshot not reproduced) |
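Example for the resource.xsd scenario, added here and not one of the original screenshots. It assumes the policy is named ValidateOrderXML; the schema itself, an Order document with three constrained fields, is constructed for illustration.

```xml
<!-- Added example. MessageValidation policy (assumed name "ValidateOrderXML") checks the request
     body against the XSD resource resource.xsd named in the scenario. The request must carry
     Content-Type: application/xml or the policy does not run. -->
<MessageValidation async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Source>request</Source>
  <ResourceURL>xsd://resource.xsd</ResourceURL>
</MessageValidation>

<!-- resource.xsd (constructed). A schema is an allow list: only these elements, in this order,
     with bounded lengths, a fixed id format and a numeric range, pass. Anything else is rejected
     before the backend has to reason about it. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
  <xs:element name="Order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="OrderId">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:pattern value="[A-Z]{2}[0-9]{6}"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name="CustomerName">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:maxLength value="80"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name="Quantity">
          <xs:simpleType>
            <xs:restriction base="xs:integer">
              <xs:minInclusive value="1"/>
              <xs:maxInclusive value="1000"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```

Schema validation and XML Threat Protection complement each other: run the threat-protection limits first, because they are cheap and bound the parser's work, then validate the surviving document against the schema, which expresses what a well-formed business message actually looks like.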
Policy Name | Open Connectors |
Policy Category | Extension Policies |
Policy Usage | It is attached to an Open Connector type API. For an open connector type API, you can attach only one open connector policy. The policy is either attached to the target endpoint or the proxy endpoint. Refer to blog post |
Scenario | Access open connector instance |
Configuration | (screenshot not reproduced) |
Policy Name | Service Callout |
Policy Category | Extension Policies |
Policy Usage | It is used to call another service from your API proxy flow. |
Scenario | Call Google API for books |
Configuration | (screenshot not reproduced) |
Policy Name | Statistics Collector Policy |
Policy Category | Extension Policies |
Policy Usage | It is used to collect statistics for data in a message, such as product ID, price, REST action, client and target URL, and message length. The data can come from flow variables or custom variables. To use custom variables, create metrics. For data of type string, reference the statistical data as a Dimension in a custom report. For numerical data types (integer/float/long/double), reference the statistical data in a custom report as a Metric. Refer to blog post |
Scenario | Collect statistical information about custom variable books.searchquery |
Configuration | (screenshot not reproduced) |
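One example covering both the Service Callout scenario (Google Books) and the Statistics Collector scenario (custom variable books.searchquery), added here and not one of the original screenshots. The policy names CaptureSearchQuery, CallGoogleBooks and CollectSearchQuery, the q query parameter and the 5-second timeout are assumptions; the volumes endpoint URL is Google's public one.

```xml
<!-- Added example, three policies in request-flow order (assumed names in comments). -->

<!-- AssignMessage "CaptureSearchQuery": copy the q query parameter into the custom variable
     books.searchquery; "unspecified" is used when the parameter is absent. -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <AssignVariable>
    <Name>books.searchquery</Name>
    <Ref>request.queryparam.q</Ref>
    <Value>unspecified</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- ServiceCallout "CallGoogleBooks": query the public Google Books volumes endpoint and keep
     the result in booksResponse for later policies. Client credential headers are removed from
     the callout request so they never reach a third party. -->
<ServiceCallout async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Request variable="booksRequest">
    <Remove>
      <Headers>
        <Header name="Authorization"/>
        <Header name="apikey"/>
      </Headers>
    </Remove>
    <Set>
      <Verb>GET</Verb>
      <QueryParams>
        <QueryParam name="q">{books.searchquery}</QueryParam>
        <QueryParam name="maxResults">5</QueryParam>
      </QueryParams>
    </Set>
  </Request>
  <Response>booksResponse</Response>
  <!-- Fail fast; a hung callout would otherwise hold the client's request open. -->
  <Timeout>5000</Timeout>
  <HTTPTargetConnection>
    <URL>https://www.googleapis.com/books/v1/volumes</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- StatisticsCollector "CollectSearchQuery": record the custom variable as a string dimension
     for custom reports; "unknown" is recorded if the variable is unset. -->
<StatisticsCollector async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Statistics>
    <Statistic name="searchquery" ref="books.searchquery" type="string">unknown</Statistic>
  </Statistics>
</StatisticsCollector>
```

Because the search string is collected as a reporting dimension, anything the client types becomes visible in analytics; that is acceptable for a book title, but the same pattern should not be applied to fields that may carry personal data or credentials.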
Reference Links:
- SAP API Management Help portal
- Blog series: API Security Best Practices
- API Management overview
- APIGEE policies
Thank you for reading this blog post. Please feel free to share your feedback or thoughts or ask questions in the Q&A tag below.
Regards,
Priyanka Chakraborti
One-stop shop for all API management policies capability. Thanks for sharing.
How do I put a condition in a policy to validate if a custom attribute is defined for the application? My use case is that I am defining IP addresses as an application custom attribute and allowing the IP in the Access Control policy by referencing the attribute variable. I want to put a condition in the policy to execute if the attribute is not defined in the application. How do I put a conditional statement to validate if a custom attribute exists?