How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I share values between scripted policies in AM (All versions)?

Last updated Jan 16, 2023

The purpose of this article is to provide information on sharing values between scripted policies in AM. The only variable you can share between privileges/policies is the environment variable.

Background information

The only variable you can share between privileges/policies is the environment variable as explained here.

The ScriptCondition class sets the following objects, which makes them accessible to scripts:

scriptVariables.put("logger", PolicyConstants.DEBUG); scriptVariables.put("username", SubjectUtils.getPrincipalId(subject)); scriptVariables.put("resourceURI", resourceName); scriptVariables.put("environment", environment); scriptVariables.put("advice", advice); scriptVariables.put("responseAttributes", responseAttributes); scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage())); scriptVariables.put("authorized", Boolean.FALSE); scriptVariables.put("ttl", Long.MAX_VALUE); // If a token is present include the corresponding identity and session objects. scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken))); scriptVariables.put("session", new ScriptedSession(ssoToken));

As you can see, the SSOToken is wrapped in a class called "ScriptedSession" which only exposes the getProperty() method, not setProperty() like the original SSOTokenImpl class did. Therefore, the only variable you can use to share between privileges/policies is environment (for example, environment.get() and environment.put() ).


The following example demonstrates two policies sharing the environment variable:

  1. Set up your policies: TestPolicy01 :*.html All of ... Authentication by Module Chain=ldapService Script=TestPolicyCondition01 TestPolicy02 : http://* All of ... Script=TestPolicyCondition02
  2. Create a simple script: if (!environment) { logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request."); authorized = false; } var test = environment.get("test"); if (test == null) { logger.warning("No test specified in the evaluation request environment parameters."); environment.put("test", "testvalue1"); } else { logger.message("TestPolicyCondition01:: test=" + test); } authorized = true;
  3. Use a curl command such as the following to evaluate both policies: $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0" -d '{ "resources": [ "" ], "application": "iPlanetAMWebAgentService", "subject": { "ssoToken": "AQIC...*"} }'
  4. Verify that the test value is shared between the policies in the Entitlement debug log. This example indicates which messages have been printed by which policy: Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] WARNING: No test specified in the evaluation request environment parameters. <--- printed from TestPolicy02 Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" } : Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] TestPolicyCondition01:: test=testvalue2. <--- printed from TestPolicy01

This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.

See Also

How do I create a policy condition script in AM (All versions)?

FAQ: Configuring policies in Identity Cloud and AM

Agents and policies in AM

Scripted policy conditions

Request policy decisions over REST

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.