Identity Cloud

Policy sets

A policy set is associated with a set of resource types and contains one or more policies based on the template (application type) it provides. Policy sets act as templates for the policies that protect websites, web applications, or other resources.

For AM to decide if a user can access a resource, it requires a policy.

Policy sets group policies that protect applications or sites with similar characteristics, for example policies that all use the same resource type. Grouping them means you do not need to configure the same set of parameters in each policy.

AM includes two policy sets that are used for web and Java agents, and for dynamic OAuth 2.0 policies.

Policy sets are based on templates called application types. Two application types are defined by default, corresponding to the two default policy sets. Application types can only be configured using REST, but the default application types are sufficient for most use cases.

Default policy sets

AM includes the following default policy sets:

  • The Default Policy Set, iPlanetAMWebAgentService, is the policy set configured by default for web and Java agents. You can create new policy sets for agents and reference them in the agent profile.

  • The Default OAuth2 Scopes Policy Set, oauth2Scopes, is the policy set configured for the OAuth 2.0 service on the realm.

When creating or editing policy sets, consider the following points:

  • When your web or Java agent should use a realm or policy set other than the defaults, specify the realm and policy set in the agent profile. AM then directs the agent's requests to the specified realm and policy set, so this remains backwards compatible with existing web and Java agents.

    You can configure the realm and policy set the agent uses in the agent profile. See the ForgeRock web agents documentation, or the ForgeRock Java agents documentation for more information.

  • For OAuth 2.0 scope decisions, AM only honors policies of the OAuth2 Scope resource type. Configure policies for your OAuth 2.0 service either in a custom policy set containing OAuth2 Scope resource type policies, or in the existing Default OAuth2 Scopes Policy Set.

  • When a resource owner uses UMA 2.0 to share their registered resources, AM creates a policy set containing a policy that represents the resources and identities the owner specified.

    These policies appear in the AM admin UI as read-only, and cannot be edited by administrative users such as amAdmin. They can, however, be viewed and deleted.

Manage policy sets using the AM admin UI or the REST API.
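The REST flow for creating a custom policy set, adding a policy to it, and requesting a policy decision, as an added example written for this page (Python; it is not ForgeRock's code). The `/json/applications`, `/json/policies` and `/json/applicationtypes` endpoints, the `_action=create` and `_action=evaluate` query parameters, and the `iPlanetDirectoryPro` SSO-token header are AM's REST conventions; the host, realm, tokens and resource type UUIDs are placeholders you must replace (list real UUIDs with `GET /json/realms/root/realms/<realm>/resourcetypes?_queryFilter=true`). The client can prepare requests without sending them (`dry_run=True`) so their shape can be inspected, and it refuses to create an OAuth 2.0 policy set that mixes in non-OAuth2 Scope resource types, because AM ignores such policies for scope decisions.

```python
"""Added example (not ForgeRock code): manage AM policy sets over REST."""
import json
import urllib.request
from typing import Any, Dict, Iterable, List, Optional

# Placeholders (assumed values) - replace with your deployment's.
AM_BASE = "https://am.example.com/am"
REALM_PATH = "/realms/root/realms/alpha"  # a realm "alpha" under the Top Level Realm
# Placeholder UUIDs; look the real ones up via the resourcetypes endpoint.
URL_RESOURCE_TYPE = "<url-resource-type-uuid>"
OAUTH2_SCOPE_RESOURCE_TYPE = "<oauth2-scope-resource-type-uuid>"


class AmPolicyClient:
    """Prepares and (unless dry_run) sends policy-set and policy requests."""

    def __init__(self, base: str, realm_path: str, sso_token: str,
                 oauth2_scope_rt: str, dry_run: bool = False) -> None:
        self.base = base.rstrip("/")
        self.realm_path = realm_path
        self.sso_token = sso_token           # admin SSO token from /json/authenticate
        self.oauth2_scope_rt = oauth2_scope_rt
        self.dry_run = dry_run

    def _request(self, method: str, path: str, body: Optional[dict] = None,
                 realm_scoped: bool = True,
                 api_version: str = "resource=2.1") -> Dict[str, Any]:
        realm = self.realm_path if realm_scoped else ""
        url = f"{self.base}/json{realm}{path}"
        headers = {
            "Content-Type": "application/json",
            "Accept-API-Version": api_version,  # assumed; adjust for your AM version
            "iPlanetDirectoryPro": self.sso_token,
        }
        prepared = {"method": method, "url": url, "headers": headers, "body": body}
        if self.dry_run:
            return prepared
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def list_application_types(self) -> Dict[str, Any]:
        """Application types (policy-set templates) are only reachable via REST;
        the endpoint is not realm-scoped."""
        return self._request("GET", "/applicationtypes?_queryFilter=true",
                             realm_scoped=False)

    def create_policy_set(self, name: str, application_type: str,
                          resource_type_uuids: Iterable[str], description: str = "",
                          for_oauth2: bool = False) -> Dict[str, Any]:
        rts = list(resource_type_uuids)
        # AM honors only OAuth2 Scope resource type policies for scope decisions,
        # so reject a set meant for the OAuth 2.0 service that uses anything else.
        if for_oauth2 and set(rts) != {self.oauth2_scope_rt}:
            raise ValueError("OAuth 2.0 policy sets must use only the OAuth2 Scope "
                             "resource type; other resource types are ignored")
        body = {"name": name, "applicationType": application_type,
                "resourceTypeUuids": rts, "description": description}
        return self._request("POST", "/applications?_action=create", body)

    def create_policy(self, policy_set: str, name: str, resource_type_uuid: str,
                      resources: Iterable[str], action_values: Dict[str, bool],
                      subject: dict) -> Dict[str, Any]:
        body = {"name": name, "applicationName": policy_set, "active": True,
                "resourceTypeUuid": resource_type_uuid, "resources": list(resources),
                "actionValues": dict(action_values), "subject": subject}
        return self._request("POST", "/policies?_action=create", body)

    def evaluate(self, policy_set: str, resources: Iterable[str],
                 subject_sso_token: Optional[str] = None) -> Dict[str, Any]:
        body: Dict[str, Any] = {"application": policy_set, "resources": list(resources)}
        if subject_sso_token:
            body["subject"] = {"ssoToken": subject_sso_token}
        return self._request("POST", "/policies?_action=evaluate", body)


def prepared_requests() -> List[Dict[str, Any]]:
    """Dry-run walk-through: a custom agent policy set, one policy, one decision."""
    c = AmPolicyClient(AM_BASE, REALM_PATH, "<admin-sso-token>",
                       OAUTH2_SCOPE_RESOURCE_TYPE, dry_run=True)
    return [
        c.create_policy_set("webAppPolicySet", "iPlanetAMWebAgentService",
                            [URL_RESOURCE_TYPE], "Set referenced from the agent profile"),
        c.create_policy("webAppPolicySet", "allow-authenticated-get", URL_RESOURCE_TYPE,
                        ["https://app.example.com:443/*"], {"GET": True, "POST": False},
                        {"type": "AuthenticatedUsers"}),
        c.evaluate("webAppPolicySet", ["https://app.example.com:443/index.html"],
                   "<user-sso-token>"),
    ]


if __name__ == "__main__":
    for r in prepared_requests():
        print(r["method"], r["url"])
        print(json.dumps(r["body"], indent=2))
```

Point the agent profile at `webAppPolicySet` once it exists; with `dry_run=False` the same calls are sent to AM and return the created policy set, the created policy, and the decision for each requested resource.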

Copyright © 2010-2022 ForgeRock, all rights reserved.