---
title: Policies
description: The Policy resource endpoint with copy and move support is responsible for managing policies. It supports all the operations of the previous version of the Policy resource endpoint (create, read, update, delete, query, and the evaluate and evaluateTree actions) and adds two new actions, move and copy, for copying and moving policies between realms.
component: pingam
version: 8.1
page_id: pingam:entity-reference:sec-amster-entity-policies
canonical_url: https://docs.pingidentity.com/pingam/8.1/entity-reference/sec-amster-entity-policies.html
section_ids:
  sec-amster-entity-policies-realm-ops: Realm Operations
  sec-amster-entity-policies-realm-ops-copy: copy
  sec-amster-entity-policies-realm-ops-create: create
  sec-amster-entity-policies-realm-ops-delete: delete
  sec-amster-entity-policies-realm-ops-evaluate: evaluate
  sec-amster-entity-policies-realm-ops-evaluatetree: evaluateTree
  sec-amster-entity-policies-realm-ops-move: move
  sec-amster-entity-policies-realm-ops-query: query
  sec-amster-entity-policies-realm-ops-read: read
  sec-amster-entity-policies-realm-ops-update: update
---

# Policies

## Realm Operations

The Policy resource endpoint with copy and move support is responsible for managing policies. It supports all the operations of the previous version of the Policy resource endpoint (create, read, update, delete, query, and the evaluate and evaluateTree actions) and adds two new actions, move and copy, for copying and moving policies between realms.

Resource path:

```
/policies
```

Resource version: `2.1`

### copy

Copy a list of policies

**Usage**

```
am> action Policies --realm Realm --body body --actionName copy
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "$schema" : "http://json-schema.org/draft-04/schema#",
    "description" : "Policy copy action schema",
    "type" : "object",
    "title" : "Policy copy action schema",
    "properties" : {
      "from" : {
        "title" : "Copy/move from",
        "description" : "Policy copy/move origin parameters",
        "type" : "object",
        "properties" : {
          "application" : {
            "title" : "Application",
            "description" : "The policy set in which the input policies are located",
            "type" : "string"
          }
        },
        "required" : [ "application" ]
      },
      "to" : {
        "type" : "object",
        "title" : "Copy/Move To",
        "description" : "Policy copy/move destination parameters",
        "properties" : {
          "application" : {
            "title" : "Application",
            "description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
            "type" : "string"
          },
          "realm" : {
            "title" : "Realm",
            "description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.",
            "type" : "string"
          },
          "namePostfix" : {
            "title" : "Name postfix",
            "description" : "A value appended to output policy names in order to prevent name clashes",
            "type" : "string"
          }
        },
        "required" : [ "namePostfix" ]
      },
      "resourceTypeMapping" : {
        "title" : "Resource type mapping",
        "description" : "One or more resource types mappings, where the left side of the mapping specifies the UUID of a resource type used by the input policies and the right side of the mapping specifies the UUID of a resource type used by the output policies. The two resource types should have the same resource patterns",
        "type" : "object",
        "additionalProperties" : {
          "type" : "string"
        }
      }
    },
    "required" : [ "from", "to" ]
  }
  ```

### create

Create new policy

**Usage**

```
am> create Policies --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "$schema" : "http://json-schema.org/draft-04/schema#",
    "description" : "Json schema for the policy resource",
    "title" : "Policy Resource Schema",
    "type" : "object",
    "properties" : {
      "name" : {
        "title" : "Name",
        "description" : "String matching the name of the application",
        "type" : "string"
      },
      "active" : {
        "title" : "Active flag",
        "description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
        "type" : "boolean"
      },
      "description" : {
        "title" : "Description",
        "description" : "String describing the policy",
        "type" : "string"
      },
      "applicationName" : {
        "title" : "Application name",
        "description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
        "type" : "string"
      },
      "actionValues" : {
        "title" : "Action values",
        "description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
        "type" : "object",
        "additionalProperties" : {
          "type" : "boolean"
        }
      },
      "resources" : {
        "title" : "Resources",
        "description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
        "type" : "array",
        "items" : {
          "type" : "string"
        }
      },
      "subject" : {
        "title" : "Subject",
        "description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
        "type" : "object"
      },
      "condition" : {
        "title" : "Condition",
        "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
        "type" : "object",
        "properties" : {
          "type" : {
            "type" : "string"
          },
          "conditions" : {
            "type" : "array",
            "title" : "Condition",
            "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
            "items" : {
              "type" : "object"
            }
          }
        }
      },
      "resourceTypeUuid" : {
        "title" : "Resource Type UUID",
        "description" : "The UUIDs of the resource type associated with the policy",
        "type" : "string"
      },
      "resourceAttributes" : {
        "title" : "Resource Attributes",
        "description" : "List of attributes to return with decisions. These attributes are known as response attributes",
        "type" : "array",
        "items" : {
          "type" : "object"
        }
      },
      "lastModifiedBy" : {
        "title" : "Last Modified By",
        "description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
        "type" : "string"
      },
      "lastModifiedDate" : {
        "title" : "Last Modified date",
        "description" : "An integer containing the last modified date and time, in number of seconds",
        "type" : "string"
      },
      "createdBy" : {
        "title" : "Created By",
        "description" : "A string containing the universal identifier DN of the subject that created the policy",
        "type" : "string"
      },
      "creationDate" : {
        "title" : "Creation Date",
        "description" : "An integer containing the creation date and time, in number of seconds",
        "type" : "string"
      }
    }
  }
  ```

### delete

Delete policy

**Usage**

```
am> delete Policies --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### evaluate

Request policy decisions for specific resources

**Usage**

```
am> action Policies --realm Realm --body body --actionName evaluate
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "$schema" : "http://json-schema.org/draft-04/schema#",
    "description" : "Evaluate action schema",
    "title" : "Evaluate action schema",
    "type" : "object",
    "properties" : {
      "resources" : {
        "type" : "array",
        "title" : "Resources",
        "description" : "Specifies the list of resources for which to return decisions",
        "items" : {
          "type" : "string"
        }
      },
      "application" : {
        "title" : "Application",
        "description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
        "type" : "string"
      },
      "subject" : {
        "title" : "Subject",
        "description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
        "type" : "object",
        "properties" : {
          "ssoToken" : {
            "title" : "SSOToken",
            "description" : "The value is the SSO token ID string for the subject",
            "type" : "string"
          },
          "jwt" : {
            "title" : "JWT",
            "description" : "The value is a JWT string",
            "type" : "string"
          },
          "claims" : {
            "title" : "Claims",
            "description" : "The value is an object (map) of JWT claims to their values.",
            "type" : "object",
            "additionalProperties" : {
              "type" : "string"
            }
          }
        }
      },
      "environment" : {
        "title" : "Environment",
        "description" : "Holds a map of keys to lists of values",
        "type" : "object",
        "additionalProperties" : {
          "type" : "array",
          "items" : {
            "type" : "string"
          }
        }
      }
    },
    "required" : [ "resources", "application" ]
  }
  ```

### evaluateTree

Request policy decisions for a tree of resources

**Usage**

```
am> action Policies --realm Realm --body body --actionName evaluateTree
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "$schema" : "http://json-schema.org/draft-04/schema#",
    "description" : "Evaluate tree action schema",
    "title" : "Evaluate tree action schema",
    "type" : "object",
    "properties" : {
      "resource" : {
        "title" : "Resource",
        "description" : "Specifies the root resource for the decisions to return",
        "type" : "string"
      },
      "application" : {
        "title" : "Application",
        "description" : "Holds the name of the application, and defaults to \"iPlanetAMWebAgentService\" if not specified",
        "type" : "string"
      },
      "subject" : {
        "title" : "Subject",
        "description" : "Holds an object that represents the subject. You can specify one or more of the following keys. If you specify multiple keys, the subject can have multiple associated principals, and you can use subject conditions corresponding to any type in the request",
        "type" : "object",
        "properties" : {
          "ssoToken" : {
            "title" : "SSOToken",
            "description" : "The value is the SSO token ID string for the subject",
            "type" : "string"
          },
          "jwt" : {
            "title" : "JWT",
            "description" : "The value is a JWT string",
            "type" : "string"
          },
          "claims" : {
            "title" : "Claims",
            "description" : "The value is an object (map) of JWT claims to their values.",
            "type" : "object",
            "additionalProperties" : {
              "type" : "string"
            }
          }
        }
      },
      "environment" : {
        "title" : "Environment",
        "description" : "Holds a map of keys to lists of values",
        "type" : "object",
        "additionalProperties" : {
          "type" : "array",
          "items" : {
            "type" : "string"
          }
        }
      }
    },
    "required" : [ "resources", "application" ]
  }
  ```

### move

Move a list of policies

**Usage**

```
am> action Policies --realm Realm --body body --actionName move
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "$schema" : "http://json-schema.org/draft-04/schema#",
    "description" : "Policy copy action schema",
    "type" : "object",
    "title" : "Policy copy action schema",
    "properties" : {
      "from" : {
        "title" : "Copy/move from",
        "description" : "Policy copy/move origin parameters",
        "type" : "object",
        "properties" : {
          "application" : {
            "title" : "Application",
            "description" : "The policy set in which the input policies are located",
            "type" : "string"
          }
        },
        "required" : [ "application" ]
      },
      "to" : {
        "type" : "object",
        "title" : "Copy/Move To",
        "description" : "Policy copy/move destination parameters",
        "properties" : {
          "application" : {
            "title" : "Application",
            "description" : "The policy set in which to place the output policy. Required when copying or moving a policy to a different policy set.",
            "type" : "string"
          },
          "realm" : {
            "title" : "Realm",
            "description" : "The realm in which to place the output policy. If not specified, OpenAM copies or moves the policy within the realm identified in the URL. Required when copying or moving a policy to a different realm.",
            "type" : "string"
          },
          "namePostfix" : {
            "title" : "Name postfix",
            "description" : "A value appended to output policy names in order to prevent name clashes",
            "type" : "string"
          }
        },
        "required" : [ "namePostfix" ]
      },
      "resourceTypeMapping" : {
        "title" : "Resource type mapping",
        "description" : "One or more resource types mappings, where the left side of the mapping specifies the UUID of a resource type used by the input policies and the right side of the mapping specifies the UUID of a resource type used by the output policies. The two resource types should have the same resource patterns",
        "type" : "object",
        "additionalProperties" : {
          "type" : "string"
        }
      }
    },
    "required" : [ "from", "to" ]
  }
  ```
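
The following pre-flight check for a `copy` or `move` body is an added example, not part of the AM documentation or product code. It applies the required fields and types from the schema above, resolves the destination the way the `to.realm` description states, and checks that `resourceTypeMapping` pairs are UUIDs. The function names, sample realms, and UUIDs are constructed, and treating an omitted `to.application` as the source policy set is an assumption.

```python
import uuid

def _is_uuid(value):
    """True if value is a string that parses as a UUID."""
    try:
        uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return True

def review_copy_move(body, url_realm):
    """Check a copy/move body; url_realm is the realm given to --realm.
    Returns {"errors": [...], "dest": (realm, policy_set), "cross_realm": bool}.
    """
    errors = []
    body = body if isinstance(body, dict) else {}
    src, dst = body.get("from"), body.get("to")
    if not isinstance(src, dict) or not isinstance(src.get("application"), str):
        errors.append("from.application is required and must be a string")
        src = {}
    if not isinstance(dst, dict):
        errors.append("to is required and must be an object")
        dst = {}
    if not isinstance(dst.get("namePostfix"), str):
        errors.append("to.namePostfix is required and must be a string")
    for key in ("application", "realm"):
        if key in dst and not isinstance(dst[key], str):
            errors.append("to.%s must be a string" % key)

    # Schema text: an omitted to.realm keeps the policies in the URL realm.
    # Assumption: an omitted to.application keeps the source policy set.
    realm = dst.get("realm", url_realm)
    policy_set = dst.get("application", src.get("application"))
    same_place = realm == url_realm and policy_set == src.get("application")
    if same_place and dst.get("namePostfix") == "":
        errors.append("empty namePostfix leaves output names equal to input names")

    mapping = body.get("resourceTypeMapping", {})
    if not isinstance(mapping, dict):
        errors.append("resourceTypeMapping must be an object")
        mapping = {}
    for left, right in mapping.items():  # input UUID -> output UUID
        if not (_is_uuid(left) and _is_uuid(right)):
            errors.append("resourceTypeMapping %r -> %r is not UUID -> UUID" % (left, right))
    # Realm names are compared as exact strings.
    return {"errors": errors, "dest": (realm, policy_set), "cross_realm": realm != url_realm}

# Constructed sample bodies: realm names, policy set name and UUIDs are made up.
CROSS_REALM = {
    "from": {"application": "mypolicyset"},
    "to": {"realm": "/bravo", "namePostfix": "-copy"},
    "resourceTypeMapping": {"11111111-2222-4333-8444-555555555555":
                            "66666666-7777-4888-9999-aaaaaaaaaaaa"},
}
SAME_PLACE_CLASH = {
    "from": {"application": "mypolicyset"},
    "to": {"namePostfix": ""},
    "resourceTypeMapping": {"UrlResourceType": "66666666-7777-4888-9999-aaaaaaaaaaaa"},
}
```

A change-review pipeline can use `cross_realm` to route bodies that place policies in another realm to a second reviewer before the action is run.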

### query

Query the stored policies

**Usage**

```
am> query Policies --realm Realm --filter filter
```

**Parameters**

* *\--filter*

  A CREST formatted query filter, where "true" will query all. Fields that can be queried: \[\*]

### read

Read policy

**Usage**

```
am> read Policies --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### update

Update an existing policy

**Usage**

```
am> update Policies --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "$schema" : "http://json-schema.org/draft-04/schema#",
    "description" : "Json schema for the policy resource",
    "title" : "Policy Resource Schema",
    "type" : "object",
    "properties" : {
      "name" : {
        "title" : "Name",
        "description" : "String matching the name of the application",
        "type" : "string"
      },
      "active" : {
        "title" : "Active flag",
        "description" : "Boolean indicating whether OpenAM considers the policy active for evaluation purposes, defaults to false",
        "type" : "boolean"
      },
      "description" : {
        "title" : "Description",
        "description" : "String describing the policy",
        "type" : "string"
      },
      "applicationName" : {
        "title" : "Application name",
        "description" : "String containing the application name, such as \"iPlanetAMWebAgentService\", or \"mypolicyset\"",
        "type" : "string"
      },
      "actionValues" : {
        "title" : "Action values",
        "description" : "Set of string action names, each set to a boolean indicating whether the action is allowed. Chosen from the available actions provided by the associated Managing Resource Types resource type",
        "type" : "object",
        "additionalProperties" : {
          "type" : "boolean"
        }
      },
      "resources" : {
        "title" : "Resources",
        "description" : "List of the resource name pattern strings to which the policy applies. Must conform to the pattern templates provided by the associated Managing Resource Types resource type",
        "type" : "array",
        "items" : {
          "type" : "string"
        }
      },
      "subject" : {
        "title" : "Subject",
        "description" : "Specifies the subject conditions to which the policy applies, where subjects can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where subject implementations are pluggable",
        "type" : "object"
      },
      "condition" : {
        "title" : "Condition",
        "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
        "type" : "object",
        "properties" : {
          "type" : {
            "type" : "string"
          },
          "conditions" : {
            "type" : "array",
            "title" : "Condition",
            "description" : "Specifies environment conditions, where conditions can be combined by using the built-in types \"AND\", \"OR\", and \"NOT\", and where condition implementations are pluggable",
            "items" : {
              "type" : "object"
            }
          }
        }
      },
      "resourceTypeUuid" : {
        "title" : "Resource Type UUID",
        "description" : "The UUIDs of the resource type associated with the policy",
        "type" : "string"
      },
      "resourceAttributes" : {
        "title" : "Resource Attributes",
        "description" : "List of attributes to return with decisions. These attributes are known as response attributes",
        "type" : "array",
        "items" : {
          "type" : "object"
        }
      },
      "lastModifiedBy" : {
        "title" : "Last Modified By",
        "description" : "A string containing the universal identifier DN of the subject that most recently updated the policy",
        "type" : "string"
      },
      "lastModifiedDate" : {
        "title" : "Last Modified date",
        "description" : "An integer containing the last modified date and time, in number of seconds",
        "type" : "string"
      },
      "createdBy" : {
        "title" : "Created By",
        "description" : "A string containing the universal identifier DN of the subject that created the policy",
        "type" : "string"
      },
      "creationDate" : {
        "title" : "Creation Date",
        "description" : "An integer containing the creation date and time, in number of seconds",
        "type" : "string"
      }
    }
  }
  ```
