PingAM 7.5.1

Policy sets

AM uses a policy to determine whether to grant a principal access to a resource.

Policies belong to policy sets. Policy sets define a template for policies that apply to one or more resource types. A policy set groups policies with similar characteristics that protect websites, web applications, or other resources. It eliminates the need to configure the same basic settings repeatedly for each policy.

AM includes the following default policy sets:

  • The Default Policy Set, iPlanetAMWebAgentService, for web and Java agents. You can create new policy sets for agents and configure them in the agent profile.

  • The Default OAuth2 Scopes Policy Set, oauth2Scopes, for the OAuth 2.0 service.

Application types are templates for policy sets. The AM admin UI does not show application types. When you define a policy or policy set over REST, the application type appears in the JSON resource. You only configure application types using the REST API. The default application types suffice for most use cases.

When creating and editing policy sets, consider the following points:

  • You can specify the realm and policy set in an AM web or Java agent profile.

    AM directs requests from the agent to the specified realm and policy set, providing compatibility with older web and Java agents.

    For details, refer to the agent documentation:

  • AM only honors OAuth2 Scope resource type policies. Configure policies for your OAuth 2.0 service in a custom policy set with OAuth2 Scope resource type policies, or use the existing Default OAuth2 Scopes Policy Set.

  • AM creates a policy set with policies for UMA 2.0 resources and identities. A resource owner using UMA 2.0 relies on the policies to share their registered resources.

    These policies appear in the AM admin UI as read-only. Even the administrative users like amAdmin cannot edit them. Policy administrators can view and delete the policies.