Policies

Realm Operations

The Policy resource with copy and move support endpoint is responsible for managing policies. It supports all the operations that the previous version of the Policy resource endpoint supports - create, read, update, delete, query, evaluate and the evaluateTree action - plus two new actions, move and copy, for copying and moving policies between policy sets and realms. Because copy and move can write policies into a realm other than the one named in the URL, confirm that the calling identity is authorized to administer policies in the destination realm as well as in the source realm before exposing these actions.

Resource path:

/policies

Resource version: 2.1

copy

Copy a list of policies

Usage

am> action Policies --realm Realm --body body --actionName copy

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Policy copy action schema",
  "type" : "object",
  "title" : "Policy copy action schema",
  "properties" : {
    "from" : {
      "title" : "Copy/move from",
      "description" : "Policy copy/move origin parameters",
      "type" : "object",
      "properties" : {
        "application" : {
          "title" : "Application",
          "description" : "The policy set in which the input policies are located",
          "type" : "string"
        }
      },
      "required" : [ "application" ]
    },
    "to" : {
      "type" : "object",
      "title" : "Copy/Move To",
      "description" : "Policy copy/move destination parameters",
      "properties" : {
        "application" : {
          "title" : "Application",
          "description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
          "type" : "string"
        },
        "realm" : {
          "title" : "Realm",
          "description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm. Check that the caller is authorized to manage policies in the destination realm, not only in the realm identified in the URL.",
          "type" : "string"
        },
        "namePostfix" : {
          "title" : "Name postfix",
          "description" : "A value appended to output policy names in order to prevent name clashes",
          "type" : "string"
        }
      },
      "required" : [ "namePostfix" ]
    },
    "resourceTypeMapping" : {
      "title" : "Resource type mapping",
      "description" : "One or more resource type mappings, where the key specifies the UUID of a resource type used by the input policies and the value specifies the UUID of a resource type used by the output policies. Verify that the two resource types define the same resource patterns and actions; a mismatched mapping may change which resources the output policies actually protect",
      "type" : "object",
      "additionalProperties" : {
        "type" : "string"
      }
    }
  },
  "required" : [ "from", "to" ]
}

create

Create new policy

Usage

am> create Policies --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Json schema for the policy resource",
  "title" : "Policy Resource Schema",
  "type" : "object",
  "properties" : {
    "name" : {
      "title" : "Name",
      "description" : "String containing the name of the policy",
      "type" : "string"
    },
    "active" : {
      "title" : "Active flag",
      "description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
      "type" : "boolean"
    },
    "description" : {
      "title" : "Description",
      "description" : "String describing the policy",
      "type" : "string"
    },
    "applicationName" : {
      "title" : "Application name",
      "description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
      "type" : "string"
    },
    "actionValues" : {
      "title" : "Action values",
      "description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated resource type (see Managing Resource Types)",
      "type" : "object",
      "additionalProperties" : {
        "type" : "boolean"
      }
    },
    "resources" : {
      "title" : "Resources",
      "description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated resource type (see Managing Resource Types)",
      "type" : "array",
      "items" : {
        "type" : "string"
      }
    },
    "subject" : {
      "title" : "Subject",
      "description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
      "type" : "object"
    },
    "condition" : {
      "title" : "Condition",
      "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
      "type" : "object",
      "properties" : {
        "type" : {
          "type" : "string"
        },
        "conditions" : {
          "type" : "array",
          "title" : "Condition",
          "description" : "Nested environment conditions combined by the parent condition's \"type\" (\"AND\", \"OR\", or \"NOT\"); each item is itself a condition object",
          "items" : {
            "type" : "object"
          }
        }
      }
    },
    "resourceTypeUuid" : {
      "title" : "Resource Type UUID",
      "description" : "The UUID of the resource type associated with the policy",
      "type" : "string"
    },
    "resourceAttributes" : {
      "title" : "Resource Attributes",
      "description" : "List of attributes to return with decisions. These attributes are known as response attributes",
      "type" : "array",
      "items" : {
        "type" : "object"
      }
    },
    "lastModifiedBy" : {
      "title" : "Last Modified By",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
      "type" : "string"
    },
    "lastModifiedDate" : {
      "title" : "Last Modified date",
      "description" : "The last modified date and time, in number of seconds, serialized as a string; set by OpenAM when the policy is updated",
      "type" : "string"
    },
    "createdBy" : {
      "title" : "Created By",
      "description" : "A string containing the universal identifier DN of the subject that created the policy",
      "type" : "string"
    },
    "creationDate" : {
      "title" : "Creation Date",
      "description" : "The creation date and time, in number of seconds, serialized as a string; set by OpenAM when the policy is created",
      "type" : "string"
    }
  }
}

delete

Delete policy

Usage

am> delete Policies --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

evaluate

Request policy decisions for specific resources

Usage

am> action Policies --realm Realm --body body --actionName evaluate

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Evaluate action schema",
  "title" : "Evaluate action schema",
  "type" : "object",
  "properties" : {
    "resources" : {
      "type" : "array",
      "title" : "Resources",
      "description" : "Specifies the list of resources for which to return decisions",
      "items" : {
        "type" : "string"
      }
    },
    "application" : {
      "title" : "Application",
      "description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
      "type" : "string"
    },
    "subject" : {
      "title" : "Subject",
      "description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
      "type" : "object",
      "properties" : {
        "ssoToken" : {
          "title" : "SSOToken",
          "description" : "The value is the SSO token ID string for the subject",
          "type" : "string"
        },
        "jwt" : {
          "title" : "JWT",
          "description" : "The value is a JWT string",
          "type" : "string"
        },
        "claims" : {
          "title" : "Claims",
          "description" : "The value is an object (map) of JWT claims to their values. These claims are asserted directly by the caller in the request body, so a decision computed from them is only as trustworthy as the caller; restrict which identities may invoke this action with caller-supplied claims.",
          "type" : "object",
          "additionalProperties" : {
            "type" : "string"
          }
        }
      }
    },
    "environment" : {
      "title" : "Environment",
      "description" : "Holds a map of keys to lists of values",
      "type" : "object",
      "additionalProperties" : {
        "type" : "array",
        "items" : {
          "type" : "string"
        }
      }
    }
  },
  "required" : [ "resources", "application" ]
}

evaluateTree

Request policy decisions for a tree of resources

Usage

am> action Policies --realm Realm --body body --actionName evaluateTree

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Evaluate tree action schema",
  "title" : "Evaluate tree action schema",
  "type" : "object",
  "properties" : {
    "resource" : {
      "title" : "Resource",
      "description" : "Specifies the single root resource for which to return decisions (unlike the evaluate action, which takes a \"resources\" array); decisions are returned for the root and the resources beneath it",
      "type" : "string"
    },
    "application" : {
      "title" : "Application",
      "description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
      "type" : "string"
    },
    "subject" : {
      "title" : "Subject",
      "description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
      "type" : "object",
      "properties" : {
        "ssoToken" : {
          "title" : "SSOToken",
          "description" : "The value is the SSO token ID string for the subject",
          "type" : "string"
        },
        "jwt" : {
          "title" : "JWT",
          "description" : "The value is a JWT string",
          "type" : "string"
        },
        "claims" : {
          "title" : "Claims",
          "description" : "The value is an object (map) of JWT claims to their values. These claims are asserted directly by the caller in the request body, so a decision computed from them is only as trustworthy as the caller; restrict which identities may invoke this action with caller-supplied claims.",
          "type" : "object",
          "additionalProperties" : {
            "type" : "string"
          }
        }
      }
    },
    "environment" : {
      "title" : "Environment",
      "description" : "Holds a map of keys to lists of values",
      "type" : "object",
      "additionalProperties" : {
        "type" : "array",
        "items" : {
          "type" : "string"
        }
      }
    }
  },
  "required" : [ "resources", "application" ]
}

move

Move a list of policies

Usage

am> action Policies --realm Realm --body body --actionName move

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Policy move action schema",
  "type" : "object",
  "title" : "Policy move action schema",
  "properties" : {
    "from" : {
      "title" : "Copy/move from",
      "description" : "Policy copy/move origin parameters",
      "type" : "object",
      "properties" : {
        "application" : {
          "title" : "Application",
          "description" : "The policy set in which the input policies are located",
          "type" : "string"
        }
      },
      "required" : [ "application" ]
    },
    "to" : {
      "type" : "object",
      "title" : "Copy/Move To",
      "description" : "Policy copy/move destination parameters",
      "properties" : {
        "application" : {
          "title" : "Application",
          "description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
          "type" : "string"
        },
        "realm" : {
          "title" : "Realm",
          "description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm. Check that the caller is authorized to manage policies in the destination realm, not only in the realm identified in the URL.",
          "type" : "string"
        },
        "namePostfix" : {
          "title" : "Name postfix",
          "description" : "A value appended to output policy names in order to prevent name clashes",
          "type" : "string"
        }
      },
      "required" : [ "namePostfix" ]
    },
    "resourceTypeMapping" : {
      "title" : "Resource type mapping",
      "description" : "One or more resource type mappings, where the key specifies the UUID of a resource type used by the input policies and the value specifies the UUID of a resource type used by the output policies. Verify that the two resource types define the same resource patterns and actions; a mismatched mapping may change which resources the output policies actually protect",
      "type" : "object",
      "additionalProperties" : {
        "type" : "string"
      }
    }
  },
  "required" : [ "from", "to" ]
}

query

Query the stored policies

Usage

am> query Policies --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

read

Read policy

Usage

am> read Policies --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Update an existing policy

Usage

am> update Policies --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Json schema for the policy resource",
  "title" : "Policy Resource Schema",
  "type" : "object",
  "properties" : {
    "name" : {
      "title" : "Name",
      "description" : "String containing the name of the policy",
      "type" : "string"
    },
    "active" : {
      "title" : "Active flag",
      "description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
      "type" : "boolean"
    },
    "description" : {
      "title" : "Description",
      "description" : "String describing the policy",
      "type" : "string"
    },
    "applicationName" : {
      "title" : "Application name",
      "description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
      "type" : "string"
    },
    "actionValues" : {
      "title" : "Action values",
      "description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated resource type (see Managing Resource Types)",
      "type" : "object",
      "additionalProperties" : {
        "type" : "boolean"
      }
    },
    "resources" : {
      "title" : "Resources",
      "description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated resource type (see Managing Resource Types)",
      "type" : "array",
      "items" : {
        "type" : "string"
      }
    },
    "subject" : {
      "title" : "Subject",
      "description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
      "type" : "object"
    },
    "condition" : {
      "title" : "Condition",
      "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
      "type" : "object",
      "properties" : {
        "type" : {
          "type" : "string"
        },
        "conditions" : {
          "type" : "array",
          "title" : "Condition",
          "description" : "Nested environment conditions combined by the parent condition's \"type\" (\"AND\", \"OR\", or \"NOT\"); each item is itself a condition object",
          "items" : {
            "type" : "object"
          }
        }
      }
    },
    "resourceTypeUuid" : {
      "title" : "Resource Type UUID",
      "description" : "The UUID of the resource type associated with the policy",
      "type" : "string"
    },
    "resourceAttributes" : {
      "title" : "Resource Attributes",
      "description" : "List of attributes to return with decisions. These attributes are known as response attributes",
      "type" : "array",
      "items" : {
        "type" : "object"
      }
    },
    "lastModifiedBy" : {
      "title" : "Last Modified By",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
      "type" : "string"
    },
    "lastModifiedDate" : {
      "title" : "Last Modified date",
      "description" : "The last modified date and time, in number of seconds, serialized as a string; set by OpenAM when the policy is updated",
      "type" : "string"
    },
    "createdBy" : {
      "title" : "Created By",
      "description" : "A string containing the universal identifier DN of the subject that created the policy",
      "type" : "string"
    },
    "creationDate" : {
      "title" : "Creation Date",
      "description" : "The creation date and time, in number of seconds, serialized as a string; set by OpenAM when the policy is created",
      "type" : "string"
    }
  }
}