Access Management 7.3.2

/json/users/{user}/uma/policies

AM-specific endpoint used to create, delete, read, update, and query UMA policies.

Supported HTTP methods
Action HTTP method

Create

PUT

Read

GET

Update

PUT

Delete

DELETE

Query

GET

Use the AM API Explorer for detailed information about this endpoint, and to test it against your deployed AM instance.

In the AM admin UI, click the Help icon, and go to API Explorer > users > {user} > uma > policies.

You must compose the path to the token endpoint addressing the specific realm where the token will be issued. For example, https://openam.example.com:8443/openam/json/realms/root/realms/alpha/users/{user}/uma/policies.

The policies endpoint does not support any parameters. To authenticate to the endpoint, send the SSO token of the resource owner as the value of the iplanetDirectoryPro header.

To create or update a policy, send an HTTP PUT request to the endpoint, adding the description of the policy as a JSON object in the body. For example:

{
    "policyId": "UMA_resource_ID_12345678",
    "permissions":
    [
        {
            "subject": "requesting_party_identity",
            "scopes": [
                "view",
                "comment",
                "download"
            ]
        }
    ],
  "type": "AND",
  "conditions": [
      {
          "type": "Expiration",
          "expirationDate": "1638263100"
      }
  ],


}
  • policyID is an UMA resource ID. To obtain it, query the /uma/resource_set endpoint.

  • The entire permissions object is mandatory.

  • subject is the username or identity associated with the requesting party.

    In other words, the person, device, or client that the policy grants permission to.

  • The scopes object is an array of permissions or scopes that are granted to the subject.

    These scopes must match the scopes supported by the resource that the policy protects.

  • The first type field is optional, and lets you add multiple conditions, separated by AND and OR functions.

  • The second type field specifies the condition type. Possible values are Expiration, to set an expiration date on an UMA authorization, or clientId, to restrict the list of clients that can obtain an RPT.

For examples of using this endpoint, see UMA policies.