Configuring Policy Sets

Policy Sets are associated with a set of resource types and contain one or more policies built on the template the policy set provides. They serve as templates for policies that protect Web sites, Web applications, or other resources.

Where Do Policy Sets Fit in Authorization?

For AM to decide if a user can access a resource, it requires a policy.

Policy sets are a way to group policies that protect applications or sites with similar characteristics (for example, they all use the same resource type), so that you do not need to configure some of the parameters in each individual policy.

There is a template for policy sets too, called application types. You can modify these using REST.

AM includes two policy sets that are used for web and Java agents, and for dynamic OAuth 2.0 policies.

Policy sets have templates, called application types. There are two application types defined by default, which correspond to the default policy sets. You can only configure these using REST, but for most use cases, you can use the default application types.

Default Policy Sets

AM includes the following default policy sets:

  • The Default Policy Set, iPlanetAMWebAgentService is the policy set configured by default for web and Java agents. You can create new policy sets for agents and configure them in the agent profile.

  • The Default OAuth2 Scopes Policy Set, oauth2Scopes, is the policy set configured for the OAuth 2.0 service on the realm.

    The OAuth 2.0 service cannot be configured to use a different policy set. Configure all policies required for your OAuth 2.0 service in the Default OAuth2 Scopes Policy Set.

When creating or editing policy sets, consider the following points:

  • By default, web and Java agents request policy decisions in the Top Level Realm (/) from the default policy set, iPlanetAMWebAgentService. When the realm and policy set differ for your web or Java agent, you can specify the realm and policy set in the agent profile. AM then directs requests from the agent to the specified realm and policy set, so this is backwards compatible with existing web and Java agents.

    You can configure the realm and policy set the agent uses in the agent profile. See the ForgeRock Web Agents documentation, or the ForgeRock Java Agents documentation for more information.

  • AM only honors OAuth2 Scope resource type policies configured in the Default OAuth2 Scopes Policy Set. Configure all policies required for your OAuth 2.0 service in the Default OAuth2 Scopes Policy Set.

  • AM creates a policy set containing a policy representing the resources and identities specified by a resource owner using UMA 2.0 to share their registered resources.

    These policies appear in the AM Admin UI as read-only, and cannot be edited by administrative users such as amAdmin. They can, however, be viewed and deleted.

Manage policy sets using the AM Admin UI or the REST API:

To Configure a Policy Set (UI)

  1. In the AM Admin UI, go to Realms > Realm Name > Authorization > Policy Sets.

    • To create a new policy set, select New Policy Set.

    • To modify an existing policy set, select it from the table.

  2. If creating a new policy set, enter an ID for the policy set. This is a required parameter.

    Once a policy set is created, you cannot change its ID.

  3. If creating a new policy set, enter a name for the policy set. The name is optional and is for display purposes only.

    Do not use special characters within resource type, policy, or policy set names (for example, "my+resource+type") when using the AM Admin UI or REST endpoints. Using any of the following special characters causes AM to return a 400 Bad Request error: double quotes ("), plus sign (+), comma (,), less than (<), equals (=), greater than (>), backslash (\), forward slash (/), semicolon (;), and null (\u0000).

  4. From the Resource Types drop-down list, select one or more resource types that policies in this policy set will use.

    To remove a resource type from the policy set, select the label, and then press Delete or Backspace.

    Configure the OAuth2 Scope resource type only in the Default OAuth2 Scopes Policy Set. Any policy configured for the OAuth2 Scope resource type outside the default policy set will not be evaluated.

  5. Select Create to save the new policy set, or Save Changes to save modifications to an existing policy set.
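The following is an added example, not ForgeRock code, that checks a policy set definition before it is submitted through the UI or REST. It encodes two rules from the steps above: the name-character restriction that makes AM answer 400 Bad Request (step 3), and the rule that OAuth2 Scope policies are only evaluated in the default oauth2Scopes policy set (step 4). The PolicySet field names and the "OAuth2Scope" label for the resource type are assumptions made for illustration; the oauth2Scopes ID comes from the page.

```python
"""Pre-flight validation of a policy set definition for AM.

Added example, not ForgeRock's code. The field names and the
"OAuth2Scope" resource type label are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Characters the documentation lists as rejected in resource type,
# policy and policy set names (AM returns 400 Bad Request).
FORBIDDEN_NAME_CHARS = frozenset('"+,<=>\\/;\u0000')

# ID of the only policy set in which OAuth2 Scope policies are honoured.
DEFAULT_OAUTH2_POLICY_SET = "oauth2Scopes"
OAUTH2_SCOPE_RESOURCE_TYPE = "OAuth2Scope"  # assumed label for the resource type


@dataclass
class PolicySet:
    """Minimal model of what the UI form collects (field names assumed)."""
    id: str                                   # required, immutable once created
    resource_types: List[str] = field(default_factory=list)
    name: str = ""                            # optional, display only


def forbidden_chars_in(value: str) -> List[str]:
    """Return the forbidden characters present in value, in order of first appearance."""
    found: List[str] = []
    for ch in value:
        if ch in FORBIDDEN_NAME_CHARS and ch not in found:
            found.append(ch)
    return found


def validate_policy_set(ps: PolicySet) -> List[str]:
    """Return a list of problems; an empty list means the definition is acceptable."""
    errors: List[str] = []

    # Step 2: the ID is mandatory.
    if not ps.id:
        errors.append("id is required")

    # Step 3: no special characters in policy set or resource type names.
    for label, value in [("id", ps.id), ("name", ps.name)] + [
        (f"resource type {rt!r}", rt) for rt in ps.resource_types
    ]:
        bad = forbidden_chars_in(value)
        if bad:
            errors.append(
                f"{label} contains characters AM rejects with 400 Bad Request: {bad!r}"
            )

    # Step 4: OAuth2 Scope policies outside the default policy set are not evaluated.
    if (OAUTH2_SCOPE_RESOURCE_TYPE in ps.resource_types
            and ps.id != DEFAULT_OAUTH2_POLICY_SET):
        errors.append(
            f"resource type {OAUTH2_SCOPE_RESOURCE_TYPE!r} is only evaluated in "
            f"policy set {DEFAULT_OAUTH2_POLICY_SET!r}, not {ps.id!r}"
        )
    return errors


if __name__ == "__main__":
    # Constructed sample definitions.
    for sample in (
        PolicySet(id="myWebApp", resource_types=["URL"]),
        PolicySet(id="my+resource+type", resource_types=["URL"]),
        PolicySet(id="myApi", resource_types=["OAuth2Scope"]),
        PolicySet(id="oauth2Scopes", resource_types=["OAuth2Scope"]),
    ):
        problems = validate_policy_set(sample)
        print(sample.id, "->", problems or "OK")
```

Running the check locally before calling the UI or REST endpoint turns a generic 400 Bad Request into a message that names the offending character, and catches the silent failure mode where an OAuth2 Scope policy is created in a policy set AM will never consult.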