How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I create a policy in AM (All versions) using the REST API?

Last updated Aug 18, 2021

The purpose of this article is to provide information on creating a policy in AM using the REST API.

1 reader recommends this article

Creating a policy using REST

A Postman collection (Create Policy AM5.postman_collection.json) has been provided to make it easier to create policies. You will need to edit the Headers for the Authenticate request to provide your credentials and edit the Body for the Create policies request to provide details of the policy you want to create. See How do I use the Postman collections that are provided for AM (All versions)? for further information on installing Postman and using a collection.


Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not lb).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains valid resource versions.

See How do I avoid common issues with REST calls in AM (All versions)? for further information.

To create a policy using the command line:

  1. Authenticate as an admin user. For example:$ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" Example response: { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" } 
  2. Query the resource types to obtain the resource type ID using the following curl command:$ curl -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" Example response: {   "result": [     {       "uuid": "20a13582-1f32-4f83-905f-f71ff4e2e00d",       "name": "Delegation Service",       "description": "The built-in delegation Resource Type available to OpenAM Policies.",       "patterns": [         "sms://*:*/*?*",         "sms://*:*/*"       ],       "actions": {         "MODIFY": true,         "READ": true,         "DELEGATE": true       },       "createdBy": "id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org",       "creationDate": 1422892465848,       "lastModifiedBy": "id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org",       "lastModifiedDate": 1422892465848     },     {       "uuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2",       "name": "URL",       "description": "The built-in URL Resource Type available to OpenAM Policies.",       "patterns": [         "*://*:*/*?*",         "*://*:*/*"       ],       "actions": {         "POST": true,         "PATCH": true,         "GET": true,         "DELETE": true,         "OPTIONS": true,         "HEAD": true,         "PUT": true       },       "createdBy": "id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org",       "creationDate": 1422892465848,       "lastModifiedBy": "id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org",       "lastModifiedDate": 1422892465848     }   ],   "resultCount": 2,   "pagedResultsCookie": null,   "totalPagedResultsPolicy": "NONE",   "totalPagedResults": -1,   "remainingPagedResults": 0 }The "uuid" shown in the response is the "resourceTypeUuids" attribute required to create a policy.
  3. Create your policy using the following curl command ensuring you include the appropriate "resourceTypeUuids" attribute value as needed (typically this is the one returned for the URL resource type in step 2):$ curl -X POST -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0" -d "{ "name": "mypolicy", "active": true, "description": "My Policy.", "applicationName": "iPlanetAMWebAgentService", "actionValues": { "POST": false, "GET": true }, "resources": [ "*", "*?*" ], "subject": { "type": "Identity", "subjectValues": [ "uid=demo,ou=People,dc=example,dc=com" ] }, "resourceTypeUuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2" }' Example response: {     "name": "mypolicy",     "active": true,     "description": "My Policy.",     "applicationName": "iPlanetAMWebAgentService",     "actionValues": {         "POST": false,         "GET": true     },     "resources": [         "*",         "*?*"     ],     "subject": {         "type": "Identity",         "subjectValues": [             "uid=demo,ou=People,dc=example,dc=com"         ]     },     "resourceTypeUuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2",     "lastModifiedBy": "id=amAdmin,ou=user,dc=openam,dc=forgerock,dc=org",     "lastModifiedDate": "2015-05-11T14:48:08.711Z",     "createdBy": "id=amAdmin,ou=user,dc=openam,dc=forgerock,dc=org",     "creationDate": "2015-05-11T14:48:08.711Z" }

See Also

Best practice for creating and testing policies in AM (All versions)

Requesting Authorization from AM

Configuring Resource Types

Specifying Realms in REST API Calls

Related Training

ForgeRock Access Management Core Concepts (AM-400)

Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.