Extend the Policy Service
To extend the policy service, add custom scripted policies, or add policies that are applied only under certain conditions.
Add Custom Scripted Policies
If your deployment requires additional validation functionality that is not supplied by the default policies, you can add your own policy scripts to your project's script
directory, and reference them from your project's conf/policy.json
file.
Do not modify the default policy script file (openidm/bin/defaults/script/policy.js
) as doing so might result in interoperability issues in a future release. To reference additional policy scripts, set the additionalFiles
property conf/policy.json
.
The following example creates a custom policy that rejects properties with null values. The policy is defined in a script named mypolicy.js
:
var policy = { "policyId" : "notNull", "policyExec" : "notNull", "policyRequirements" : ["NOT_NULL"] } addPolicy(policy); function notNull(fullObject, value, params, property) { if (value == null) { var requireNotNull = [ {"policyRequirement": "NOT_NULL"} ]; return requireNotNull; } return []; }
The mypolicy.js
policy is referenced in the policy.json
configuration file as follows:
{ "type" : "text/javascript", "file" : "policy.js", "additionalFiles" : ["script/mypolicy.js"], "resources" : [ { ... } ] }
Note
In cases where you are using the Admin UI, both policy.js
and mypolicy.js
will be run within the client, and then again by the the server. When creating new policies, be aware that these policies may be run in both contexts.
Add Conditional Policy Definitions
You can extend the policy service to support policies that are applied only under specific conditions. To apply a conditional policy to managed objects, add the policy to your project's managed.json
file. To apply a conditional policy to other objects, add it to your project's policy.json
file.
The following excerpt of a managed.json
file shows a sample conditional policy configuration for the "password"
property of managed user objects. The policy indicates that sys-admin users have a more lenient password policy than regular employees:
{ "objects" : [ { "name" : "user", ... "properties" : { ... "password" : { "title" : "Password", "type" : "string", ... "conditionalPolicies" : [ { "condition" : { "type" : "text/javascript", "source" : "(fullObject.org === 'sys-admin')" }, "dependencies" : [ "org" ], "policies" : [ { "policyId" : "max-age", "params" : { "maxDays" : ["90"] } } ] }, { "condition" : { "type" : "text/javascript", "source" : "(fullObject.org === 'employees')" }, "dependencies" : [ "org" ], "policies" : [ { "policyId" : "max-age", "params" : { "maxDays" : ["30"] } } ] } ], "fallbackPolicies" : [ { "policyId" : "max-age", "params" : { "maxDays" : ["7"] } } ] } ... }
To understand how a conditional policy is defined, examine the components of this sample policy. For more information on the policy function, see "Policy Implementation Functions".
There are two distinct scripted conditions (defined in the condition
elements). The first condition asserts that the user object, contained in the fullObject
argument, is a member of the sys-admin
org. If that assertion is true, the max-age
policy is applied to the password
attribute of the user object, and the maximum number of days that a password may remain unchanged is set to 90
.
The second condition asserts that the user object is a member of the employees
org. If that assertion is true, the max-age
policy is applied to the password
attribute of the user object, and the maximum number of days that a password may remain unchanged is set to 30
.
In the event that neither condition is met (the user object is not a member of the sys-admin
org or the employees
org), an optional fallback policy can be applied. In this example, the fallback policy also references the max-age
policy and specifies that for such users, their password must be changed after 7 days.
The dependencies
field prevents the condition scripts from being run at all, if the user object does not include an org
attribute.
Note
This example assumes that a custom max-age
policy validation function has been defined, as described in "Add Custom Scripted Policies".
Tip
These scripted conditions do not apply to progressive profiling. For more information, see "Custom Progressive Profile Conditions".