Importing and Exporting Policies
You can import and export policies to and from files.
You can use these files to back up policies, transfer policies between AM instances, or store policy configuration in a version control system such as Git or Subversion.
AM supports exporting policies in JSON and eXtensible Access Control Markup Language (XACML) Version 3.0 format.
Feature | JSON supported? | XACML supported? |
---|---|---|
Can be imported/exported from within the AM console? | No | Yes |
Can be imported/exported on the command line, using the ssoadm command? | Yes | Yes |
Exports policies? | Yes | Yes |
Exports policy sets? | Yes | Partial [a] |
Exports resource types? | Yes | Partial [a] |
Creates an exact copy of the original policy sets, resource types, and policies upon import? | Yes | Partial [b] |

[a] Only the details of policy sets and resource types that are actually used within a policy are exported to the XACML format. The full definition is not exported.
[b] Policy sets and resource types will be generated from the details in the XML, but may not match the definitions of the originals. For example, the names are auto-generated.
Note
AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.
Importing and exporting JSON:
Use the ssoadm policy-export command:

    $ ssoadm \
      policy-export \
      --realm "/" \
      --servername "https://openam.example.com:8443/openam" \
      --jsonfile "myPolicies.json" \
      --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
      --password-file /tmp/pwd.txt

    { "RESOURCE_TYPE" : 1, "POLICY" : 1, "APPLICATION" : 1 }

If exporting from a subrealm, include the top level realm ("/") in the --realm value. For example, --realm "/myRealm".

For more information on the syntax of this command, see "ssoadm policy-export".

Use the ssoadm policy-import command:

    $ ssoadm \
      policy-import \
      --realm "/myRealm" \
      --servername "https://openam.example.com:8443/openam" \
      --jsonfile "myPolicies.json" \
      --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
      --password-file /tmp/pwd.txt

    { "POLICY" : { "CREATE_SUCCESS" : { "count" : 1 } }, "RESOURCE_TYPE" : { "CREATE_SUCCESS" : { "count" : 1 } }, "APPLICATION" : { "CREATE_SUCCESS" : { "count" : 1 } } }

If importing to a subrealm, include the top level realm ("/") in the --realm value. For example, --realm "/myRealm".

For more information on the syntax of this command, see "ssoadm policy-import".
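
When policies are transferred between AM instances, the JSON summary printed by policy-export can be compared with the one printed by policy-import to confirm that every exported object was created on the target. The following is an added example, not part of the AM documentation or tooling: `verify_import` is a hypothetical helper, it assumes both summaries have been captured as strings, and it reports any outcome key other than `CREATE_SUCCESS` verbatim because this page shows no other outcome names.

```python
import json

# Constructed sample input: the two summaries as printed by the commands above.
EXPORT_SUMMARY = '{ "RESOURCE_TYPE" : 1, "POLICY" : 1, "APPLICATION" : 1 }'
IMPORT_SUMMARY = """{ "POLICY" : { "CREATE_SUCCESS" : { "count" : 1 } },
  "RESOURCE_TYPE" : { "CREATE_SUCCESS" : { "count" : 1 } },
  "APPLICATION" : { "CREATE_SUCCESS" : { "count" : 1 } } }"""


def verify_import(export_json, import_json):
    """Return a list of problems; an empty list means every exported
    object type was reported as fully created on import."""
    exported = json.loads(export_json)
    imported = json.loads(import_json)
    problems = []

    for obj_type, expected in sorted(exported.items()):
        outcomes = imported.get(obj_type)
        if outcomes is None:
            # A type with zero exported objects may legitimately be absent.
            if expected:
                problems.append(
                    f"{obj_type}: {expected} exported, none reported on import")
            continue
        created = outcomes.get("CREATE_SUCCESS", {}).get("count", 0)
        if created != expected:
            problems.append(f"{obj_type}: {expected} exported, {created} created")
        # Other outcome names are not documented on this page, so they are
        # surfaced as-is for a human to review rather than interpreted.
        for outcome, detail in sorted(outcomes.items()):
            if outcome != "CREATE_SUCCESS":
                problems.append(
                    f"{obj_type}: unexpected outcome {outcome} {json.dumps(detail)}")

    # Types present only in the import summary were not part of the export.
    for obj_type in sorted(set(imported) - set(exported)):
        problems.append(f"{obj_type}: reported on import but not in export summary")
    return problems


if __name__ == "__main__":
    result = verify_import(EXPORT_SUMMARY, IMPORT_SUMMARY)
    for line in result or ["import matches export"]:
        print(line)
```

An empty result means the counts agree; it does not compare the content of the policies themselves.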