Priyanka Chakraborti

SAP API Management Policies

Introduction:

This blog post introduces all the policies available in SAP API Management, with a sample scenario and configuration for each.

Prerequisite:

A basic understanding of API Management. Reference Link: Get Started with API Management

Policy Categories:

Traffic Management Policies:

Policy Name Quota policy
Policy Usage A Quota is an allotment of request messages that an API proxy can handle over a time period, such as minute, hour, day, week, or month. The policy maintains counters that tally the number of requests received by the API proxy. Quota policy is used for restricting the number of allowed transactions based on business requirements.
Use cases Subscriptions, Usage restrictions, Metering
Scenario Allow 3 calls every minute
Configuration
<Quota xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <Allow count="3"/>
  <Interval>1</Interval>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
  <TimeUnit>minute</TimeUnit>
</Quota>

 

Policy Name Spike Arrest
Policy Usage The Spike Arrest policy protects against traffic surges with the <Rate> element. This element throttles the number of requests processed by an API proxy and sent to a backend, protecting against performance lags and downtime.
Use cases Denial of service protection, Traffic shaping, Bot protection
Scenario Limit 30 calls per second
Configuration
<SpikeArrest xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <Rate>30ps</Rate>
  <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>

Note: If both the Spike Arrest policy and the Quota policy are needed, apply the Spike Arrest policy before the Quota policy.

Policy Name Access Control Policy
Policy Usage Access Control policy is used to allow or deny specific IP addresses.
Use cases Whitelist IP address, Blacklist IP address
Scenario Allow only a list of IP Addresses
Configuration
<AccessControl xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">192.0.2.1</SourceAddress>
      <SourceAddress mask="32">198.51.100.1</SourceAddress>
    </MatchRule>
  </IPRules>
  <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
</AccessControl>

 

Policy Name Reset Quota
Policy Usage Reset Quota policy is used to temporarily increase the quota count. It should be placed in fault rules with a specific condition match to reset quota. 
Scenario Add 2 more requests to quota count
Configuration
<ResetQuota xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <Quota name="Quota">
    <Identifier name="_default">
      <Allow>2</Allow>
    </Identifier>
  </Quota>
</ResetQuota>

 

Policy Name Response Cache
Policy Usage Response Cache policy is used to cache data from a backend resource, reducing the number of requests to the resource. The Response Cache policy is a unique type of policy which needs to be added to both the request and response flow in an API proxy.
Scenario Cache data using query parameter ‘empId’ as cache key fragment along with URI
Configuration
<ResponseCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <CacheKey>
    <KeyFragment ref="request.uri"/>
    <KeyFragment ref="request.queryparam.empId"/>
  </CacheKey>
  <ExpirySettings>
    <TimeoutInSec ref="">3600</TimeoutInSec>
  </ExpirySettings>
  <SkipCacheLookup>request.header.bypass-cache = "true"</SkipCacheLookup>
  <SkipCachePopulation/>
</ResponseCache>

 

Policy Name Populate Cache
Policy Usage Populate Cache policy is used to add data to the cache.
Scenario Store client-id from header to cache with key fragment name ‘apikey’
Configuration
<PopulateCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <CacheKey>
    <KeyFragment ref="">apikey</KeyFragment>
  </CacheKey>
  <Scope>Exclusive</Scope>
  <ExpirySettings>
    <TimeoutInSec>600</TimeoutInSec>
  </ExpirySettings>
  <Source>request.header.client_id</Source>
</PopulateCache>

 

Policy Name Lookup Cache
Policy Usage Lookup Cache policy is used to retrieve cached data.
Scenario Access cached data (key fragment -> apikey) and store it into header named ‘apikey’
Configuration
<LookupCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="true" enabled="true">
  <CacheKey>
    <KeyFragment ref="">apikey</KeyFragment>
  </CacheKey>
  <Scope>Exclusive</Scope>
  <AssignTo>request.header.apikey</AssignTo>
</LookupCache>

 

Policy Name Invalidate Cache
Policy Usage Invalidate Cache policy is used to flush the cache.
Scenario Flush cached data (key fragment -> apikey)
Configuration
<InvalidateCache xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <CacheKey>
    <KeyFragment ref="apikey"/>
  </CacheKey>
  <Scope>Exclusive</Scope>
  <PurgeChildEntries>true</PurgeChildEntries>
</InvalidateCache>

Mediation Policies:

Policy Name Access Entity
Policy Usage It is used to retrieve entity profiles from the SAP APIM datastore. The policy places the profile (XML payload) in a variable whose name follows the format AccessEntity.{policy_name}. The following entities can be accessed:

  • App
  • API product
  • Company
  • Company developer
  • Consumer key
  • Developer
Scenario Access developer profile using api key from query parameter
Configuration
<AccessEntity xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <EntityType value="developer"/>
  <EntityIdentifier ref="request.queryparam.apikey" type="consumerkey"/>
</AccessEntity>

 

Policy Name Assign Message
Policy Usage The AssignMessage policy changes or creates new request and response messages during the API proxy Flow. The following actions are supported:

  • Add new form parameters, headers, or query parameters to a message
  • Copy existing properties from one message to another
  • Remove headers, query parameters, form parameters, and/or message payloads from a message
  • Set the value of existing properties in a message
Scenario The backend expects the API key as a header, but the source sends it as a query parameter.
Solution
  • Add header name as ‘apikey’, header value -> value of query param ‘apikey’
  • Remove query param ‘apikey’
Configuration
<AssignMessage xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <Add>
    <Headers>
      <Header name="apikey">{request.queryparam.apikey}</Header>
    </Headers>
  </Add>
  <Remove>
    <QueryParams>
      <QueryParam name="apikey"/>
    </QueryParams>
  </Remove>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>

 

Policy Name Extract Variables
Policy Usage The ExtractVariables policy extracts content from a request or response and sets the value of a variable to that content.
Scenario Extract requester’s age from XML payload and store it in a variable named ‘age’. 
Configuration
<ExtractVariables xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <Source>request</Source>
  <XMLPayload>
    <Variable name="age" type="integer">
      <XPath>/requestor/age</XPath>
    </Variable>
  </XMLPayload>
</ExtractVariables>

 

Policy Name Raise Fault
Policy Usage It generates a custom message in response to an error condition. Use RaiseFault to define a fault response that is returned to the requesting app when a specific condition arises.
Scenario Raise fault if age is less than 18
Solution Put a conditional string as ‘age < 18’
Configuration
<RaiseFault xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <FaultResponse>
    <Set>
      <Payload contentType="application/xml">
        <Status>Not eligible for applying for Driver's license</Status>
      </Payload>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

 

Policy Name JSON to XML
Policy Usage It is used to convert JSON payload to XML payload
Scenario Convert incoming JSON payload to XML.
Configuration
<JSONToXML xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <Options>
    <ArrayItemElementName>item</ArrayItemElementName>
    <ArrayRootElementName>rootelement</ArrayRootElementName>
    <ObjectRootElementName>objectroot</ObjectRootElementName>
    <AttributePrefix>@</AttributePrefix>
    <NullValue>NULL</NullValue>
  </Options>
  <Source>request</Source>
</JSONToXML>

 

Policy Name XML to JSON
Policy Usage It is used to convert XML payload to JSON payload
Scenario Convert incoming XML payload to JSON.
Configuration
<XMLToJSON xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <Options>
    <NullValue>NULL</NullValue>
    <RecognizeNull>true</RecognizeNull>
    <RecognizeNumber>true</RecognizeNumber>
    <RecognizeBoolean>true</RecognizeBoolean>
  </Options>
  <Source>request</Source>
</XMLToJSON>

 

Policy Name XSL Transform
Policy Usage It is used to convert XML to another format such as XML, HTML, or plain text.
Scenario Convert incoming XML payload to HTML.
Configuration
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/">
    <html>
      <body>
        <h2>Employee Details</h2>
        <table border="1">
          <tr bgcolor="#ADD8E6">
            <th style="text-align:left">ID</th>
            <th style="text-align:left">First Name</th>
            <th style="text-align:left">Last Name</th>
          </tr>
          <xsl:for-each select="EmployeeDetails/Record">
            <tr>
              <td><xsl:value-of select="ID"/></td>
              <td><xsl:value-of select="FirstName"/></td>
              <td><xsl:value-of select="LastName"/></td>
            </tr>
          </xsl:for-each>
        </table>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>

 

Policy Name Key Value Map Operations
Policy Usage It provides policy-based access to a Key Value Map (KVM) store available in API Management. Supported operations: PUT, GET, DELETE. By default, the scope is environment, i.e., map entries are shared by all API proxies running in an environment.
Scenario Retrieve client id and client secret from KVM store and set those as headers
Configuration
<KeyValueMapOperations mapIdentifier="kvm_store" async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Get assignTo="request.header.client_id">
    <Key>
      <Parameter>client_id</Parameter>
    </Key>
  </Get>
  <Get assignTo="request.header.client_secret">
    <Key>
      <Parameter>client_secret</Parameter>
    </Key>
  </Get>
</KeyValueMapOperations>

 

Security Policies

Policy Name Basic Authentication
Policy Usage The policy has two modes of operations:

  • Encode: Base64 encodes a username and password stored in variables
  • Decode: Decodes the username and password from a Base64 encoded string
Scenario Retrieve username and password from KVM encrypted store and set as ‘Authorization’ header
Configuration
<BasicAuthentication xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <Operation>Encode</Operation>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="private.user"/>
  <Password ref="private.password"/>
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

 

Policy Name Verify API Key
Policy Usage It is used to enforce verification of API keys at runtime, letting only apps with approved API keys access APIs. This policy ensures that API keys are valid, have not been revoked, and are approved to consume the specific resources associated with API products.
Scenario Verify API Key from header
Configuration
<VerifyAPIKey xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <APIKey ref="request.header.apikey"/>
</VerifyAPIKey>

 

Policy Name XML Threat Protection
Policy Usage It addresses XML vulnerabilities and minimizes attacks on your API. It can optionally detect XML payload attacks based on configured limits. This policy executes only if the ‘Content-Type’ header of the request or response is set to application/xml.
Scenario Apply character limits of 10 chars for names.
Configuration
<XMLThreatProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <NameLimits>
    <Element>10</Element>
    <Attribute>10</Attribute>
    <NamespacePrefix>10</NamespacePrefix>
    <ProcessingInstructionTarget>10</ProcessingInstructionTarget>
  </NameLimits>
  <Source>request</Source>
</XMLThreatProtection>

 

Policy Name JSON Threat Protection
Policy Usage It minimizes the risk posed by content-level attacks by enabling you to specify limits on various JSON structures, such as arrays and strings. This policy executes only if the ‘Content-Type’ header of the request or response is set to application/json.
Scenario Apply character limits of 10 chars for names.
Configuration
<JSONThreatProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <ArrayElementCount>-1</ArrayElementCount>
  <ContainerDepth>-1</ContainerDepth>
  <ObjectEntryCount>-1</ObjectEntryCount>
  <ObjectEntryNameLength>10</ObjectEntryNameLength>
  <Source>request</Source>
  <StringValueLength>-1</StringValueLength>
</JSONThreatProtection>
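
What the limits in this configuration do and do not cover, as an added Python example (not code from the original post or from SAP): it walks a constructed request body and reports every limit the body exceeds, first with the page's values and then with a constructed stricter profile. The assumptions are that -1 disables a check and that the top-level container counts as depth 1.

```python
import json

# Limits as configured on the page: only entry-name length is enforced, -1 disables a check.
PAGE_LIMITS = {
    "ArrayElementCount": -1,
    "ContainerDepth": -1,
    "ObjectEntryCount": -1,
    "ObjectEntryNameLength": 10,
    "StringValueLength": -1,
}

# Constructed stricter profile; the numbers are illustrative assumptions, not from the post.
STRICT_LIMITS = {
    "ArrayElementCount": 2,
    "ContainerDepth": 2,
    "ObjectEntryCount": 5,
    "ObjectEntryNameLength": 10,
    "StringValueLength": 32,
}

# Constructed request body.
SAMPLE_BODY = '{"employee": {"id": 7, "departmentIdentifier": "D-42", "tags": ["a", "b", "c"]}}'


def check_json(text, limits):
    """Return [(json_path, violated_limit), ...]; an empty list means the payload passes."""
    violations = []

    def over(rule, measured):
        limit = limits.get(rule, -1)
        return limit >= 0 and measured > limit

    def walk(node, path, depth):
        if isinstance(node, (dict, list)) and over("ContainerDepth", depth):
            violations.append((path, "ContainerDepth"))
        if isinstance(node, dict):
            if over("ObjectEntryCount", len(node)):
                violations.append((path, "ObjectEntryCount"))
            for name, child in node.items():
                child_path = f"{path}.{name}"
                if over("ObjectEntryNameLength", len(name)):
                    violations.append((child_path, "ObjectEntryNameLength"))
                walk(child, child_path, depth + 1)
        elif isinstance(node, list):
            if over("ArrayElementCount", len(node)):
                violations.append((path, "ArrayElementCount"))
            for index, child in enumerate(node):
                walk(child, f"{path}[{index}]", depth + 1)
        elif isinstance(node, str) and over("StringValueLength", len(node)):
            violations.append((path, "StringValueLength"))

    # This sketch parses first and checks afterwards; a gateway would enforce the
    # limits while reading the payload so an oversized body is never fully built.
    try:
        walk(json.loads(text), "$", 1)
    except (ValueError, RecursionError):
        return [("$", "NotWellFormedOrTooDeep")]
    return violations


if __name__ == "__main__":
    for label, limits in (("page limits", PAGE_LIMITS), ("strict limits", STRICT_LIMITS)):
        print(label, "->", check_json(SAMPLE_BODY, limits))
```

With the page's values only the 20-character entry name is reported; nesting depth, array size and string length stay unbounded until those limits are set to non-negative values.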

 

Policy Name Regular Expression Protection
Policy Usage It extracts information from a message (for example, URI Path, Query Param, Header, Form Param, Variable, XML Payload, or JSON Payload) and evaluates that content against predefined regular expressions. If any specified regular expressions evaluate to true, the message is considered a threat and is rejected.
Scenario Check whether the “action” query parameter contains SQL injection code that attempts an invasive operation.
Configuration
<RegularExpressionProtection xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <QueryParam name="action">
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <Source>request</Source>
</RegularExpressionProtection>
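
A way to test this pattern before deploying it, as an added Python example (not code from the original post or from SAP): it runs the configured pattern over constructed values for the "action" parameter and reports which legitimate values it blocks and which unwanted values it lets through, with and without case-insensitive matching. It assumes the policy looks for the pattern anywhere in the value; the sample values and function names are constructed.

```python
import re

# Pattern copied from the RegularExpressionProtection configuration above.
PAGE_PATTERN = r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))"

# Constructed values for the "action" query parameter: (value, should the API accept it?)
SAMPLES = [
    ("list", True),
    ("sort", True),
    ("updateProfile", True),
    ("undelete", True),
    ("executive-summary", True),
    ("x; drop table users", False),
    ("x; DROP TABLE users", False),
]


def is_rejected(value, ignore_case=False):
    """True if the pattern is found anywhere in the value (assumed policy behaviour)."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(PAGE_PATTERN, value, flags) is not None


def evaluate(samples, ignore_case=False):
    """Split the pattern's mistakes into over-blocking and under-blocking."""
    report = {"blocked_legitimate": [], "passed_unwanted": []}
    for value, legitimate in samples:
        rejected = is_rejected(value, ignore_case)
        if legitimate and rejected:
            report["blocked_legitimate"].append(value)
        elif not legitimate and not rejected:
            report["passed_unwanted"].append(value)
    return report


if __name__ == "__main__":
    for ignore_case in (False, True):
        print("ignore_case =", ignore_case, "->", evaluate(SAMPLES, ignore_case))
```

Keeping such a sample list next to the policy and re-running it after every pattern change shows whether an edit trades one kind of error for the other.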

 

Policy Name OAuth v2.0
Policy Usage It supports the following operations:

  • GenerateAccessToken
  • GenerateAccessTokenImplicitGrant
  • GenerateAuthorizationCode
  • RefreshAccessToken
  • VerifyAccessToken
  • InvalidateToken
  • ValidateToken 

 

Scenario Generate Access Token
Configuration
<OAuthV2 xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <ExpiresIn>3600000</ExpiresIn>
  <Operation>GenerateAccessToken</Operation>
  <GenerateResponse/>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
</OAuthV2>

 

Policy Name OAuth v2.0 GET
Policy Usage

It is used to get attributes of tokens and authorization codes and to make them available to policies and code executing in an API proxy. Whenever token validation occurs, variables are automatically populated with the values of token attributes. However, in cases where token validation has not occurred, you can use this feature to explicitly populate variables with the attribute values of a token.

For example, the below variables are populated when the AccessToken element is set:

  • oauthv2accesstoken.{policy_name}.access_token
  • oauthv2accesstoken.{policy_name}.scope
  • oauthv2accesstoken.{policy_name}.refresh_token
  • oauthv2accesstoken.{policy_name}.accesstoken.{custom_attribute_name}
  • oauthv2accesstoken.{policy_name}.developer.id
  • oauthv2accesstoken.{policy_name}.developer.app.name
  • oauthv2accesstoken.{policy_name}.expires_in
  • oauthv2accesstoken.{policy_name}.status
Scenario Get Access token value from query parameter.
Configuration
<GetOAuthV2Info xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <AccessToken ref="request.queryparam.access_token"/>
</GetOAuthV2Info>

 

Policy Name OAuth v2.0 SET
Policy Usage It is used to add or update custom attributes associated with an access token
Scenario Add a custom property called department.id to the access token’s profile.
Configuration
<SetOAuthV2Info xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <AccessToken ref="request.queryparam.access_token"/>
  <Attributes>
    <Attribute display="true" name="department.id" ref="request.queryparam.department_id"/>
  </Attributes>
</SetOAuthV2Info>

 

Policy Name GenerateJWT
Policy Usage It is used to generate a signed JWT, with a configurable set of claims. Claims are statements about an entity (typically, the user) and additional data.
Scenario
<GenerateJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <Algorithm>HS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <SecretKey>
    <Value ref="private.secretkey"/>
  </SecretKey>
  <ExpiresIn>1h</ExpiresIn>
  <Issuer>urn://sap-apim-jwt</Issuer>
  <AdditionalClaims>
    <Claim name="userId" type="string" ref="request.formparam.username"/>
  </AdditionalClaims>
  <OutputVariable>jwt-variable</OutputVariable>
</GenerateJWT>

 

Policy Name VerifyJWT
Policy Usage It is used to verify the signature on a JWT received from clients or other systems. This policy also extracts the claims into context variables so that subsequent policies or conditions can examine those values to make authorization or routing decisions.
Scenario Verify a JWT signed with the HS256 (HMAC-SHA256) algorithm
Configuration
<VerifyJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <Algorithm>HS256</Algorithm>
  <Source>request.formparam.jwt</Source>
  <SecretKey>
    <Value ref="private.secretkey"/>
  </SecretKey>
  <Issuer>urn://sap-apim-jwt</Issuer>
</VerifyJWT>

 

Policy Name DecodeJWT
Policy Usage It is used to decode a JWT without verifying the signature on the JWT. By default, it looks for the JWT in the ‘Authorization’ header.
Scenario Decode JWT token
Configuration
<DecodeJWT xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
</DecodeJWT>
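
The difference between GenerateJWT, VerifyJWT and DecodeJWT, as an added Python example (not code from the original post or from SAP's implementation): it builds an HS256 token with the page's issuer, then shows that a token with a rewritten claim still decodes but fails verification, so decoded claims should drive authorization only after a verify step. The secret, the helper names and the timestamp are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "urn://sap-apim-jwt"        # Issuer value from the page's GenerateJWT/VerifyJWT
SECRET = b"constructed-demo-secret"  # constructed stand-in for private.secretkey


def b64url(data):
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def generate_jwt(claims, secret, now, expires_in=3600):
    """GenerateJWT-style: add iss/iat/exp and sign with HMAC-SHA256."""
    payload = dict(claims, iss=ISSUER, iat=now, exp=now + expires_in)
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def decode_jwt(token):
    """DecodeJWT-style: return the claims without checking anything."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token, secret, now):
    """VerifyJWT-style: check algorithm, signature, issuer and expiry; raise ValueError."""
    try:
        head64, body64, sig64 = token.split(".")
        header = json.loads(b64url_decode(head64))
        signature = b64url_decode(sig64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # the token never chooses the algorithm
    expected = hmac.new(secret, f"{head64}.{body64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def with_changed_claim(token, name, value):
    """Rewrite one claim but keep the old signature, as an altered token would look."""
    head64, body64, sig64 = token.split(".")
    claims = json.loads(b64url_decode(body64))
    claims[name] = value
    return ".".join([head64, encode_part(claims), sig64])


def rejection_reason(token, secret, now):
    """Return None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, secret, now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # fixed constructed timestamp so the run is repeatable
    token = generate_jwt({"userId": "alice"}, SECRET, now)
    altered = with_changed_claim(token, "userId", "admin")
    print("decoded without verification:", decode_jwt(altered)["userId"])
    print("original rejected because:", rejection_reason(token, SECRET, now + 60))
    print("altered rejected because:", rejection_reason(altered, SECRET, now + 60))
```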

 

Policy Name SAML Assertion Generation
Policy Usage It enables API proxies to attach SAML assertions to outbound XML requests. Those assertions are then available to enable backend.
Scenario Generate SAML assertion
Configuration
<GenerateSAMLAssertion xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true" ignoreContentType="false">
  <Issuer>http://idp.example.com/metadata.php</Issuer>
  <KeyStore>
    <Name ref="reference">mockserverKeystore</Name>
    <Alias ref="reference">mockserverKeystore</Alias>
  </KeyStore>
  <OutputVariable>
    <FlowVariable name="assertion.content"/>
  </OutputVariable>
  <Subject>"http://sp.example.com/demo1/metadata.php"</Subject>
  <Template ignoreUnresolvedVariables="false"><![CDATA[
<saml2:Assertion ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" IssueInstant="2014-07-17T01:01:48Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">"http://idp.example.com/metadata.php"</saml2:Issuer>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">"http://sp.example.com/demo1/metadata.php"</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:AudienceRestriction>
            <saml2:Audience>http://sp.example.com/demo1/metadata.php</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:none</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
</saml2:Assertion>
                ]]></Template>
</GenerateSAMLAssertion>

 

Policy Name SAML Assertion Validation
Policy Usage It validates incoming messages that contain a digitally signed SAML assertion, rejects them if they are invalid, and sets variables that allow additional policies, or the backend service itself, to further validate the information in the assertion.
Scenario Validate SAML assertion
Configuration
<ValidateSAMLAssertion xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true" ignoreContentType="false">
  <RemoveAssertion>false</RemoveAssertion>
  <Source name="request">
    <Namespaces>
      <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
      <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
      <Namespace prefix="saml2">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    </Namespaces>
    <XPath>/samlp:Response/saml2:Assertion</XPath>
  </Source>
  <TrustStore>saml_trust_store</TrustStore>
</ValidateSAMLAssertion>

 

Extension Policies

Policy Name JavaScript
Policy Category Extension Policies
Policy Usage You use the JavaScript policy to attach custom code to an API proxy flow. A JavaScript policy does not contain any actual code. Instead, a JavaScript policy references a JavaScript resource and defines the step in the API flow where the JavaScript executes. 
Scenario

Assign message weight based on request method and use message weight attribute in Quota policy

For example: Assign message weight = 2 for POST, message weight = 1 for GET. 

Solution JS policy will be used along with Quota policy. Quota policy supports attribute MessageWeight to specify the weight assigned to each message.
Configuration
const callType = context.proxyRequest.method;
context.setVariable("messageWeight", "1");
if (callType == 'POST') {
    context.setVariable("messageWeight", "2");
}

 

Policy Name PythonScript
Policy Category Extension Policies
Policy Usage You use the Python script policy to attach custom code to an API proxy flow. A Python policy does not contain any actual code. Instead, a Python policy references a Python resource and defines the step in the API flow where the Python script executes. 
Scenario

Assign message weight based on request method and use message weight attribute in Quota policy

For example: Assign message weight = 2 for POST, message weight = 1 for GET. 

Solution PY policy will be used along with Quota policy. Quota policy supports attribute MessageWeight to specify the weight assigned to each message.
Configuration
callType = flow.getVariable('request.verb')
if callType == 'POST':
    flow.setVariable('messageWeight', '2')
else:
    flow.setVariable('messageWeight', '1')

 

Policy Name Message Logging
Policy Category Extension Policies
Policy Usage It is used to send syslog messages to third-party log management services, such as Splunk, Sumo Logic, and Loggly.
Scenario Send Log message to Loggly
Configuration Refer to blog post

 

Policy Name Message Validation
Policy Category Extension Policies
Policy Usage It is used to

  • Validate any XML message against an XSD schema.
  • Validate SOAP messages against a WSDL definition.
  • Confirm JSON or XML is well-formed, based on content-type (if <ResourceURL> element is omitted).

To make this policy work, always set the ‘Content-Type’ header.

Scenario Validate XML message against XSD schema resource.xsd
Configuration
<MessageValidation xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <Source>request</Source>
  <ResourceURL>xsd://resource.xsd</ResourceURL>
</MessageValidation>

 

Policy Name Open Connectors
Policy Category Extension Policies
Policy Usage

It is attached to an Open Connector type API. For an open connector type API, you can attach only one open connector policy. The policy is either attached to the target endpoint or the proxy endpoint. 

Refer to blog post

Scenario Access open connector instance
Configuration
<OpenConnectors xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <InstanceSecret kvm-map-name="apim.oc.instance.token" kvm-key-name="default"/>
</OpenConnectors>

 

Policy Name Service Callout
Policy Category Extension Policies
Policy Usage It is used to call another service from your API proxy flow. 
Scenario Call Google API for books
Configuration
<ServiceCallout xmlns="http://www.sap.com/apimgmt" async="true" continueOnError="false" enabled="true">
  <Request clearPayload="true" variable="googleBookReq">
    <Set>
      <QueryParams>
        <QueryParam name="q">{request.queryparam.search}</QueryParam>
      </QueryParams>
    </Set>
  </Request>
  <Response>googleBookResponse</Response>
  <Timeout>30000</Timeout>
  <HTTPTargetConnection>
    <URL>https://www.googleapis.com/books/v1/volumes</URL>
  </HTTPTargetConnection>
</ServiceCallout>

 

Policy Name Statistics Collector Policy
Policy Category Extension Policies
Policy Usage

It is used to collect statistics for data in a message, such as product ID, price, REST action, client and target URL, and message length. The data can come from flow variables or custom variables. To use custom variables, create metrics. For data of type string, reference the statistical data as a Dimension in a custom report. For numerical data types (integer/float/long/double), reference the statistical data in a custom report as a Metric.

Refer to blog post

Scenario Collect statistical information about custom variable books.searchquery
Configuration
<StatisticsCollector xmlns="http://www.sap.com/apimgmt" async="false" continueOnError="false" enabled="true">
  <Statistics>
    <Statistic name="search" ref="books.searchquery" type="string">default</Statistic>
  </Statistics>
</StatisticsCollector>

 


Thank you for reading this blog post. Please feel free to share your feedback or thoughts or ask questions in the Q&A tag below.

QA Link

Regards,

Priyanka Chakraborti


      2 Comments
      Saurabh Kabra

      One-stop shop for all API management policies capability. Thanks for sharing.

      AHMAD SHABBIR

      How do I put a condition in a policy to validate if a custom attribute is defined for the application? My use case is that I am defining IP addresses as an application custom attribute and allowing the IP in the Access Control policy by referencing the attribute variable. I want to put a condition in the policy to execute if the attribute is not defined in the application. How do I put a conditional statement to validate if a custom attribute exists?