Policies
Realm Operations
The Policy resource with copy and move support endpoint is responsible for managing policies. It supports all the operations that the previous version of the Policy resource endpoint supports (create, read, update, delete, query, and the evaluate and evaluateTree actions), plus two new actions, copy and move, for copying and moving policies between realms.
Resource path:
/policies
Resource version: 2.1
copy
Copy a list of policies
Usage
am> action Policies --realm Realm --body body --actionName copy
Parameters
- --body
  The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Policy copy action schema", "type" : "object", "title" : "Policy copy action schema", "properties" : { "from" : { "title" : "Copy/move from", "description" : "Policy copy/move origin parameters", "type" : "object", "properties" : { "application" : { "title" : "Application", "description" : "The policy set in which the input policies are located", "type" : "string" } }, "required" : [ "application" ] }, "to" : { "type" : "object", "title" : "Copy/Move To", "description" : "Policy copy/move destination parameters", "properties" : { "application" : { "title" : "Application", "description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.", "type" : "string" }, "realm" : { "title" : "Realm", "description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.", "type" : "string" }, "namePostfix" : { "title" : "Name postfix", "description" : "A value appended to output policy names in order to prevent name clashes", "type" : "string" } }, "required" : [ "namePostfix" ] }, "resourceTypeMapping" : { "title" : "Resource type mapping", "description" : "One or more resource types mappings, where the left side of the mapping specifies the UUID of a resource type used by the input policies and the right side of the mapping specifies the UUID of a resource type used by the output policies. The two resource types should have the same resource patterns", "type" : "object", "additionalProperties" : { "type" : "string" } } }, "required" : [ "from", "to" ] }
create
Create new policy
Usage
am> create Policies --realm Realm --id id --body body
Parameters
- --id
  The unique identifier for the resource.
- --body
  The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Json schema for the policy resource", "title" : "Policy Resource Schema", "type" : "object", "properties" : { "name" : { "title" : "Name", "description" : "String matching the name of the application", "type" : "string" }, "active" : { "title" : "Active flag", "description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false", "type" : "boolean" }, "description" : { "title" : "Description", "description" : "String describing the policy", "type" : "string" }, "applicationName" : { "title" : "Application name", "description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"", "type" : "string" }, "actionValues" : { "title" : "Action values", "description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type", "type" : "object", "additionalProperties" : { "type" : "boolean" } }, "resources" : { "title" : "Resources", "description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type", "type" : "array", "items" : { "type" : "string" } }, "subject" : { "title" : "Subject", "description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable", "type" : "object" }, "condition" : { "title" : "Condition", "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable", "type" : "object", "properties" : { "type" : { "type" : "string" }, "conditions" : { "type" : "array", "title" : "Condition", "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable", "items" : { "type" : "object" } } } }, "resourceTypeUuid" : { "title" : "Resource Type UUID", "description" : "The UUIDs of the resource type associated with the policy", "type" : "string" }, "resourceAttributes" : { "title" : "Resource Attributes", "description" : "List of attributes to return with decisions. These attributes are known as response attributes", "type" : "array", "items" : { "type" : "object" } }, "lastModifiedBy" : { "title" : "Last Modified By", "description" : "A string containing the universal identifier DN of the subject that most recently updated the policy", "type" : "string" }, "lastModifiedDate" : { "title" : "Last Modified date", "description" : "An integer containing the last modified date and time, in number of seconds", "type" : "string" }, "createdBy" : { "title" : "Created By", "description" : "A string containing the universal identifier DN of the subject that created the policy", "type" : "string" }, "creationDate" : { "title" : "Creation Date", "description" : "An integer containing the creation date and time, in number of seconds", "type" : "string" } } }
delete
Delete policy
Usage
am> delete Policies --realm Realm --id id
Parameters
- --id
  The unique identifier for the resource.
evaluate
Request policy decisions for specific resources
Usage
am> action Policies --realm Realm --body body --actionName evaluate
Parameters
- --body
  The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Evaluate action schema", "title" : "Evaluate action schema", "type" : "object", "properties" : { "resources" : { "type" : "array", "title" : "Resources", "description" : "Specifies the list of resources for which to return decisions", "items" : { "type" : "string" } }, "application" : { "title" : "Application", "description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified", "type" : "string" }, "subject" : { "title" : "Subject", "description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request", "type" : "object", "properties" : { "ssoToken" : { "title" : "SSOToken", "description" : "The value is the SSO token ID string for the subject", "type" : "string" }, "jwt" : { "title" : "JWT", "description" : "The value is a JWT string", "type" : "string" }, "claims" : { "title" : "Claims", "description" : "The value is an object (map) of JWT claims to their values.", "type" : "object", "additionalProperties" : { "type" : "string" } } } }, "environment" : { "title" : "Environment", "description" : "Holds a map of keys to lists of values", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } } }, "required" : [ "resources", "application" ] }
evaluateTree
Request policy decisions for a tree of resources
Usage
am> action Policies --realm Realm --body body --actionName evaluateTree
Parameters
- --body
  The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Evaluate tree action schema", "title" : "Evaluate tree action schema", "type" : "object", "properties" : { "resource" : { "title" : "Resource", "description" : "Specifies the root resource for the decisions to return", "type" : "string" }, "application" : { "title" : "Application", "description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified", "type" : "string" }, "subject" : { "title" : "Subject", "description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request", "type" : "object", "properties" : { "ssoToken" : { "title" : "SSOToken", "description" : "The value is the SSO token ID string for the subject", "type" : "string" }, "jwt" : { "title" : "JWT", "description" : "The value is a JWT string", "type" : "string" }, "claims" : { "title" : "Claims", "description" : "The value is an object (map) of JWT claims to their values.", "type" : "object", "additionalProperties" : { "type" : "string" } } } }, "environment" : { "title" : "Environment", "description" : "Holds a map of keys to lists of values", "type" : "object", "additionalProperties" : { "type" : "array", "items" : { "type" : "string" } } } }, "required" : [ "resources", "application" ] }
move
Move a list of policies
Usage
am> action Policies --realm Realm --body body --actionName move
Parameters
- --body
  The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Policy copy action schema", "type" : "object", "title" : "Policy copy action schema", "properties" : { "from" : { "title" : "Copy/move from", "description" : "Policy copy/move origin parameters", "type" : "object", "properties" : { "application" : { "title" : "Application", "description" : "The policy set in which the input policies are located", "type" : "string" } }, "required" : [ "application" ] }, "to" : { "type" : "object", "title" : "Copy/Move To", "description" : "Policy copy/move destination parameters", "properties" : { "application" : { "title" : "Application", "description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.", "type" : "string" }, "realm" : { "title" : "Realm", "description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.", "type" : "string" }, "namePostfix" : { "title" : "Name postfix", "description" : "A value appended to output policy names in order to prevent name clashes", "type" : "string" } }, "required" : [ "namePostfix" ] }, "resourceTypeMapping" : { "title" : "Resource type mapping", "description" : "One or more resource types mappings, where the left side of the mapping specifies the UUID of a resource type used by the input policies and the right side of the mapping specifies the UUID of a resource type used by the output policies. The two resource types should have the same resource patterns", "type" : "object", "additionalProperties" : { "type" : "string" } } }, "required" : [ "from", "to" ] }
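As an added example (not code from OpenAM or the Amster shell), the following Python checks request bodies for the three body shapes on this page, the copy and move bodies described above, the evaluate body, and the policy resource body used by create and update, against a reduced transcription of the page's schemas. The schema dicts keep only the structural keywords the page's schemas use (type, properties, required, additionalProperties, items), and validate() implements exactly those. Policy-set names, realm paths, resource strings and the resource type UUID placeholders are constructed values, not taken from any deployment.

```python
"""Offline checker for the copy/move, evaluate and policy request bodies on
this page. Added example, not OpenAM or Amster code. Schema dicts are reduced
transcriptions of the page's JSON schemas (titles and descriptions dropped)."""

COPY_MOVE_SCHEMA = {  # the page shows the same schema for copy and move
    "type": "object",
    "required": ["from", "to"],
    "properties": {
        "from": {"type": "object", "required": ["application"],
                 "properties": {"application": {"type": "string"}}},
        "to": {"type": "object", "required": ["namePostfix"],
               "properties": {"application": {"type": "string"},
                              "realm": {"type": "string"},
                              "namePostfix": {"type": "string"}}},
        # key: resource type UUID used by input policies, value: UUID for output
        "resourceTypeMapping": {"type": "object",
                                "additionalProperties": {"type": "string"}},
    },
}

EVALUATE_SCHEMA = {
    "type": "object",
    "required": ["resources", "application"],
    "properties": {
        "resources": {"type": "array", "items": {"type": "string"}},
        "application": {"type": "string"},
        "subject": {"type": "object", "properties": {
            "ssoToken": {"type": "string"},
            "jwt": {"type": "string"},
            "claims": {"type": "object",
                       "additionalProperties": {"type": "string"}}}},
        # environment is a map of keys to lists of string values
        "environment": {"type": "object", "additionalProperties": {
            "type": "array", "items": {"type": "string"}}},
    },
}

POLICY_SCHEMA = {  # subset of the policy resource schema used by create/update
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "active": {"type": "boolean"},
        "applicationName": {"type": "string"},
        "actionValues": {"type": "object",
                         "additionalProperties": {"type": "boolean"}},
        "resources": {"type": "array", "items": {"type": "string"}},
        "subject": {"type": "object"},
        "condition": {"type": "object"},
        "resourceTypeUuid": {"type": "string"},
    },
}

_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}


def validate(instance, schema, path="$"):
    """Return a list of error strings; an empty list means the body conforms."""
    expected = schema.get("type")
    if expected and not isinstance(instance, _TYPES[expected]):
        return [f"{path}: expected {expected}"]
    errors = []
    if expected == "object":
        props = schema.get("properties", {})
        extra = schema.get("additionalProperties")
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required '{key}'")
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key], f"{path}.{key}")
            elif isinstance(extra, dict):  # schema applied to free-form keys
                errors += validate(value, extra, f"{path}.{key}")
    elif expected == "array" and "items" in schema:
        for i, value in enumerate(instance):
            errors += validate(value, schema["items"], f"{path}[{i}]")
    return errors


def copy_body(from_app, name_postfix, to_app=None, to_realm=None, mapping=None):
    """Build a copy/move body: to_realm for a cross-realm operation, to_app for
    a different policy set, mapping when the resource type UUIDs differ."""
    body = {"from": {"application": from_app}, "to": {"namePostfix": name_postfix}}
    if to_app:
        body["to"]["application"] = to_app
    if to_realm:
        body["to"]["realm"] = to_realm
    if mapping:
        body["resourceTypeMapping"] = dict(mapping)
    return body


def is_enforced(policy):
    """The schema says `active` defaults to false: a policy created without it
    is stored but ignored at evaluation time, so require an explicit true."""
    return policy.get("active") is True


if __name__ == "__main__":
    # Constructed sample; the UUIDs are placeholders, not real resource types.
    body = copy_body("iPlanetAMWebAgentService", "-staging", to_realm="/staging",
                     mapping={"UUID-SRC-PLACEHOLDER": "UUID-DST-PLACEHOLDER"})
    print(validate(body, COPY_MOVE_SCHEMA))
    print(validate({"from": {"application": "x"}, "to": {}}, COPY_MOVE_SCHEMA))
```

validate() reports every violation with a JSON-path-style location rather than stopping at the first, which is what you want when reviewing a batch of policy bodies before handing them to `am> action Policies`. is_enforced() captures the one trap in the policy schema that a schema validator cannot: a body that conforms perfectly but omits `active` creates a policy that never grants or denies anything.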
query
Query the stored policies
Usage
am> query Policies --realm Realm --filter filter
Parameters
- --filter
  A CREST-formatted query filter; the filter "true" matches all policies. Fields that can be queried: [*]
read
Read policy
Usage
am> read Policies --realm Realm --id id
Parameters
- --id
  The unique identifier for the resource.
update
Update an existing policy
Usage
am> update Policies --realm Realm --id id --body body
Parameters
- --id
  The unique identifier for the resource.
- --body
  The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "Json schema for the policy resource", "title" : "Policy Resource Schema", "type" : "object", "properties" : { "name" : { "title" : "Name", "description" : "String matching the name of the application", "type" : "string" }, "active" : { "title" : "Active flag", "description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false", "type" : "boolean" }, "description" : { "title" : "Description", "description" : "String describing the policy", "type" : "string" }, "applicationName" : { "title" : "Application name", "description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"", "type" : "string" }, "actionValues" : { "title" : "Action values", "description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type", "type" : "object", "additionalProperties" : { "type" : "boolean" } }, "resources" : { "title" : "Resources", "description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type", "type" : "array", "items" : { "type" : "string" } }, "subject" : { "title" : "Subject", "description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable", "type" : "object" }, "condition" : { "title" : "Condition", "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable", "type" : "object", "properties" : { "type" : { "type" : "string" }, "conditions" : { "type" : "array", "title" : "Condition", "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable", "items" : { "type" : "object" } } } }, "resourceTypeUuid" : { "title" : "Resource Type UUID", "description" : "The UUIDs of the resource type associated with the policy", "type" : "string" }, "resourceAttributes" : { "title" : "Resource Attributes", "description" : "List of attributes to return with decisions. These attributes are known as response attributes", "type" : "array", "items" : { "type" : "object" } }, "lastModifiedBy" : { "title" : "Last Modified By", "description" : "A string containing the universal identifier DN of the subject that most recently updated the policy", "type" : "string" }, "lastModifiedDate" : { "title" : "Last Modified date", "description" : "An integer containing the last modified date and time, in number of seconds", "type" : "string" }, "createdBy" : { "title" : "Created By", "description" : "A string containing the universal identifier DN of the subject that created the policy", "type" : "string" }, "creationDate" : { "title" : "Creation Date", "description" : "An integer containing the creation date and time, in number of seconds", "type" : "string" } } }