
FAQ: Configuring policies in Identity Cloud and AM

Last updated Jan 16, 2023

The purpose of this FAQ is to provide answers to commonly asked questions regarding configuring policies and policy evaluation in ForgeRock Identity Cloud and AM.


Frequently asked questions

Q. Can I use both * and -*- wildcards in the same policy rule?

A. No. If both wildcards appear in the same policy rule, the policy still matches the resource correctly, but access is denied regardless of the outcome of the policy evaluation. Using either * or -*- on its own in a policy rule works as expected. See Resource types for further information.

Q. Do I have to URL encode "?" in a policy rule?

A. If you have more than one question mark in your policy rule, the second and subsequent ?s should be URL encoded.

Q. How can I get a count of all my policies?

A. You can use a REST call such as the following, where the resultCount field will return a count of all your active policies:

$ curl -X GET -H "Content-Type: application/json" -H "iPlanetDirectoryPro:AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" "https://am.example.com:8443/am/json/policies?_queryFilter=true&_fields=resultCount"

Example response:

{
    "result": [
        {
            "_id": "Policy1",
            "_rev": "1509627226562"
        }
    ],
    "resultCount": 1,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": 0
}

There is an RFE to show a policy count in the AM admin UI: OPENAM-11694 (Create Policy count for tracking number of created Policies).

Q. Which data store is used when evaluating elements of a policy in a sub-realm?

A. Policies are evaluated as follows in sub-realms:

  • The policy is only evaluated if the agent is pointed directly at the sub-realm: /path/to/subrealm.
  • The elements related to identity (such as Subject Conditions, Identity Membership in Environment Conditions and the Subject Attributes in the Response Attributes) are evaluated against the data store(s) defined in the sub-realm that the policy belongs to (/path/to/subrealm).
  • The LDAP Filter condition element is unique because it uses the data store defined in the Policy Configuration service of the sub-realm the policy belongs to (/path/to/subrealm).

Q. Does policy evaluation accept OAuth2 or OIDC tokens in the header?

A. No, policy evaluation only accepts session tokens passed via the header. There is an RFE to allow OAuth2 (bearer) and OIDC (JWT) tokens to be accepted as well: OPENAM-11913 (Policy evaluation should accept OAuth2/OIDC tokens).

Q. How do I specify the realm and chain when using the "AuthenticateToService" condition in AM if a chain is within a different realm?

A. You can use the AuthenticateToService condition and specify the chain in the following format: /realm:chain. For example:

{
    "type": "AuthenticateToService",
    "authenticateToService": "/employees:LDAP"
}

Failure against the above policy condition leads to advice showing the LDAP authentication chain in the employees realm is required.
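The three rule-writing points above (no mixing of * and -*- in one rule, URL encoding of the second and later "?" in a rule, and the /realm:chain format for AuthenticateToService) can be checked before a policy is pushed over REST. The following linter is an added example, not ForgeRock code; the sample policy, the function names and the assumption that a bare chain name (no colon) refers to the policy's own realm are all constructed for illustration.

```python
import re
from urllib.parse import quote

# Constructed sample policy for the linter; the resource patterns are not from the page.
SAMPLE_POLICY = {
    "name": "example-policy",
    "resources": [
        "https://app.example.com/*",
        "https://*.example.com/api/-*-",               # mixes * and -*-: access is always denied
        "https://app.example.com/search?q=*?page=*",   # second ? must be URL encoded
    ],
    "condition": {"type": "AuthenticateToService", "authenticateToService": "employees:LDAP"},
}

# /realm:chain, where the realm may be nested (/path/to/subrealm:chain)
AUTH_TO_SERVICE_RE = re.compile(r"^/[^:/]+(/[^:/]+)*:[^:]+$")


def mixes_wildcards(rule: str) -> bool:
    """True if a rule uses both '*' and '-*-'; such a rule matches but access is denied."""
    return "-*-" in rule and "*" in rule.replace("-*-", "")


def encode_extra_question_marks(rule: str) -> str:
    """Keep the first '?' literal and percent-encode (%3F) every later one."""
    first = rule.find("?")
    if first == -1:
        return rule
    head, tail = rule[: first + 1], rule[first + 1:]
    return head + tail.replace("?", quote("?", safe=""))


def check_authenticate_to_service(value: str) -> bool:
    """Values naming a realm must be '/realm:chain'; a bare chain is assumed to be in the policy's realm."""
    return ":" not in value or bool(AUTH_TO_SERVICE_RE.match(value))


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for rule in policy.get("resources", []):
        if mixes_wildcards(rule):
            findings.append(f"rule {rule!r} mixes * and -*-; AM denies access on every match")
        fixed = encode_extra_question_marks(rule)
        if fixed != rule:
            findings.append(f"rule {rule!r} has more than one '?'; use {fixed!r}")
    cond = policy.get("condition", {})
    if cond.get("type") == "AuthenticateToService":
        value = cond.get("authenticateToService", "")
        if not check_authenticate_to_service(value):
            findings.append(f"authenticateToService {value!r} must use the form '/realm:chain'")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against the policy JSON you intend to create; it flags the two bad resource rules and the condition value that lacks the leading slash.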

See Policy decision advice for details on different types of policy decision advice and the conditions that cause AM to return the advice.

Q. Does Identity Cloud or AM validate the JWT token's signature before checking the subject conditions during policy evaluation?

A. No, it does not, as explained in Fun with OpenAM13 Authz Policies over REST – the 'jwt' parameter of the 'Subject'. You could enforce this validation using policy condition scripts.

Creating policy condition scripts is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.

Q. Which URL is enforced by the Apache agent when using mod_rewrite?

A. Typically, mod_rewrite actions take place before policy enforcement by the agent, meaning the URL after the rewrite is enforced by the agent.

However, mod_rewrite is complex as it hooks into two phases, which may affect this processing order. Refer to Apache mod_rewrite Technical Details for further details on how mod_rewrite acts if you experience unexpected results.

Q. How do I add an action to a policy?

A. You can add an action by defining your own application type. See Policy set application types over REST for further information.

Q. Can I share values between scripted policies?

A. Yes, values can be shared between privileges/policies through the environment variable.

See How do I share values between scripted policies in AM (All versions)? for further information and a worked example.

Q. Do agents support Perl-compatible regular expressions?

A. Web Agents do, but the other agents do not.

The following properties are available for the different areas of the agent that can use Perl-compatible expressions:

  • org.forgerock.agents.config.notenforced.ext.regex.enable
  • com.forgerock.agents.notenforced.url.regex.enable
  • com.forgerock.agents.agent.invalid.url.regex
  • com.forgerock.agents.agent.logout.url.regex

See Properties reference for further information.

See Also

FAQ: Configuring Agents in Identity Cloud and AM

Agents and policies in AM

Authorization and policy decisions

Web Agents User guide

Java Agents User guide

Related Training

ForgeRock Access Management Deep Dive (AM-410)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.