How To

How do I share values between scripted policies in AM/OpenAM (All versions)?

Last updated Sep 14, 2020

The purpose of this article is to provide information on sharing values between scripted policies in AM/OpenAM. The only variable you can share between privileges/policies is the environment variable.

Background information

The only variable you can share between privileges/policies is the environment variable as explained here.

The ScriptCondition class sets the following objects, which makes them accessible to scripts:

scriptVariables.put("logger", PolicyConstants.DEBUG);
scriptVariables.put("username", SubjectUtils.getPrincipalId(subject));
scriptVariables.put("resourceURI", resourceName);
scriptVariables.put("environment", environment);
scriptVariables.put("advice", advice);
scriptVariables.put("responseAttributes", responseAttributes);
scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage()));
scriptVariables.put("authorized", Boolean.FALSE);
scriptVariables.put("ttl", Long.MAX_VALUE);
// If a token is present include the corresponding identity and session objects.
scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken)));
scriptVariables.put("session", new ScriptedSession(ssoToken));

As you can see, the SSOToken is wrapped in a class called "ScriptedSession" which only exposes the getProperty() method, not setProperty() like the original SSOTokenImpl class did. Therefore, the only variable you can use to share between privileges/policies is environment (for example, environment.get() and environment.put() ).


The following example demonstrates two policies sharing the environment variable:

  1. Set up your policies:
    TestPolicy01 :*.html
        All of ... Authentication by Module Chain=ldapService
    TestPolicy02 :
        All of ... Script=TestPolicyCondition02
  2. Create a simple script:
    if (!environment) {
        logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request.");
        authorized = false;
    var test = environment.get("test");
    if (test == null) {
        logger.warning("No test specified in the evaluation request environment parameters.");
     environment.put("test", "testvalue1");
    } else {
        logger.message("TestPolicyCondition01:: test=" + test);
    authorized = true;
  3. Use a curl command such as the following to evaluate both policies; the server URL for the endpoint differs depending on which version you are using. For example:
    • AM 5 and later:
      $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0" -d '{
          "resources": [
          "application": "iPlanetAMWebAgentService",
          "subject": { "ssoToken": "AQIC...*"}
    • Pre-AM 5:
      $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -d '{
          "resources": [
          "application": "iPlanetAMWebAgentService",
          "subject": { "ssoToken": "AQIC...*"}
  4. Verify that the test value is shared between the policies in the Entitlement debug log. This example indicates which messages have been printed by which policy:
    Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
    WARNING: No test specified in the evaluation request environment parameters.  <--- printed from TestPolicy02
    Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
    CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" }
    Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
    TestPolicyCondition01:: test=testvalue2. <--- printed from TestPolicy01

This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.

See Also

How do I create a policy condition script in AM/OpenAM (All versions)?

FAQ: Configuring policies in AM/OpenAM

Agents and policies in AM/OpenAM

Authorization Guide › Scripting a Policy Condition

Authorization Guide › Requesting Policy Decisions Using REST

Related Training


Related Issue Tracker IDs


Copyright and TrademarksCopyright © 2020 ForgeRock, all rights reserved.