Access Management 7.2.2

Policy sets

A policy set groups together the policies that protect applications or sites with similar characteristics; for example, applications that use the same resource type. Policy sets save you from configuring the same parameters in numerous policies.

Essentially, a policy set provides a template for a number of similar policies.

By default, AM includes two policy sets: one for web and Java agents and one for dynamic OAuth 2.0 policies.

Policy sets have templates, called application types. There are two application types defined by default, which correspond to the default policy sets. You can only configure application types using the REST API. The default application types should work for most use cases.

Default policy sets

AM includes the following default policy sets:

  • The Default Policy Set, iPlanetAMWebAgentService, for web and Java agents. You can create new policy sets for agents and configure them in the agent profile.

  • The Default OAuth2 Scopes Policy Set, oauth2Scopes, for the OAuth 2.0 service on the realm.

When you create or edit policy sets, consider the following points:

  • By default, web and Java agents request policy decisions in the Top Level Realm from the policy set, iPlanetAMWebAgentService. If the realm and policy set differ for your web or Java agent, specify the realm and policy set in the agent profile. AM directs requests from the agent to the specified realm and policy set. This behavior is backwards compatible with existing web and Java agents.

    For information on setting the realm and policy set in the agent profile details, refer to the ForgeRock web agents documentation or the ForgeRock Java agents documentation.

  • For OAuth 2.0 scope decisions, AM only honors policies that use the OAuth2 Scope resource type. Configure policies for your OAuth 2.0 service in a custom policy set that contains OAuth2 Scope resource type policies, or use the existing Default OAuth2 Scopes Policy Set.

  • When a resource owner uses UMA 2.0 to share their registered resources, AM creates a policy set containing a policy that represents the shared resources and the identities they are shared with.

    These policies appear in the AM admin UI as read-only, and cannot be edited by administrative users such as amAdmin. They can, however, be viewed and deleted.

Manage policy sets using the AM admin UI or the REST API:
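The following Python module is an added example, not code from the AM product or its documentation, showing how the REST calls behind the points above fit together: listing application types, creating a policy set in a non-root realm, adding an OAuth2 Scope resource type policy to the default oauth2Scopes policy set, and requesting a decision against a named policy set. The base URL, realm name, token value and the resource type UUIDs passed in are assumptions; look up the real UUIDs in your deployment with `GET /json/realms/root/resourcetypes?_queryFilter=true` before creating policies. The builder functions return the prepared request without sending it, so the shape of each call can be checked offline; `send()` performs the actual HTTP exchange.

```python
"""Build (and optionally send) AM policy-set REST requests.

Added example for the AM 7.2.2 policy sets page; not AM's own client code.
Assumed: the SSO token is passed in the iPlanetDirectoryPro header (the
default cookie name), and the caller has looked up resource type UUIDs.
"""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

TOKEN_HEADER = "iPlanetDirectoryPro"  # assumption: default SSO cookie name


@dataclass
class AmRequest:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[dict] = None


def realm_path(realm: str) -> str:
    """Map '/' -> 'realms/root' and '/alpha/beta' -> 'realms/root/realms/alpha/realms/beta'."""
    parts = [p for p in realm.strip("/").split("/") if p]
    return "realms/root" + "".join(f"/realms/{p}" for p in parts)


def _request(base_url: str, realm: str, endpoint: str, token: str, method: str = "POST",
             action: Optional[str] = None, body: Optional[dict] = None,
             version: str = "resource=2.1") -> AmRequest:
    # Every AM policy endpoint lives under /json/<realm path>/<endpoint>.
    url = f"{base_url.rstrip('/')}/json/{realm_path(realm)}/{endpoint}"
    if action:
        url += f"?_action={action}"
    headers = {"Accept-API-Version": version, TOKEN_HEADER: token}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return AmRequest(method, url, headers, body)


def list_application_types(base_url: str, realm: str, token: str) -> AmRequest:
    """Application types (policy set templates) are read-only via the UI; query them over REST."""
    req = _request(base_url, realm, "applicationtypes", token, method="GET", version="resource=1.0")
    req.url += "?_queryFilter=true"
    return req


def create_policy_set(base_url: str, realm: str, token: str, name: str,
                      resource_type_uuids: Iterable[str],
                      application_type: str = "iPlanetAMWebAgentService",
                      description: str = "") -> AmRequest:
    """Create a policy set; the agent profile must then name this realm and set."""
    body = {"name": name, "description": description,
            "applicationType": application_type,
            "resourceTypeUuids": list(resource_type_uuids)}
    return _request(base_url, realm, "applications", token, action="create", body=body)


def create_scope_policy(base_url: str, realm: str, token: str, policy_set: str, name: str,
                        scope_rt_uuid: str, scopes: Iterable[str],
                        subject: Optional[dict] = None) -> AmRequest:
    """OAuth2 Scope policies: resources are scope names, the only action is GRANT."""
    body = {"name": name, "active": True, "applicationName": policy_set,
            "resourceTypeUuid": scope_rt_uuid, "resources": list(scopes),
            "actionValues": {"GRANT": True},
            "subject": subject or {"type": "AuthenticatedUsers"}}
    return _request(base_url, realm, "policies", token, action="create", body=body)


def evaluate(base_url: str, realm: str, token: str, policy_set: str,
             resources: Iterable[str], subject_token: str) -> AmRequest:
    """Ask for decisions from a specific realm and policy set, as an agent would."""
    body = {"resources": list(resources), "application": policy_set,
            "subject": {"ssoToken": subject_token}}
    return _request(base_url, realm, "policies", token, action="evaluate", body=body)


def send(req: AmRequest) -> dict:
    """Send a prepared request and decode the JSON response (needs a live AM)."""
    data = json.dumps(req.body).encode() if req.body is not None else None
    http_req = urllib.request.Request(req.url, data=data, headers=req.headers, method=req.method)
    with urllib.request.urlopen(http_req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed deployment values; the UUID below is a placeholder, not a real resource type.
    am, realm, tok = "https://am.example.com:8443/am", "/alpha", "AQIC5...tokenId"
    print(create_policy_set(am, realm, tok, "agentSet", ["00000000-0000-0000-0000-000000000000"]).url)
```

Creating the policy set and the policy are separate calls: a policy's `applicationName` must name an existing policy set whose `resourceTypeUuids` include the policy's `resourceTypeUuid`, otherwise AM rejects the policy. A scope policy placed in a policy set without the OAuth2 Scope resource type is never consulted by the OAuth 2.0 service, which is the failure mode the point above warns about.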