---
title: /json/users/{user}/uma/policies
description: AM-specific endpoint used to create, delete, read, update, and query UMA policies.
component: pingam
version: 8.1
page_id: pingam:uma:endpoint-policies
canonical_url: https://docs.pingidentity.com/pingam/8.1/uma/endpoint-policies.html
keywords: ["User-Managed Access (UMA)", "Endpoints", "Policies"]
page_aliases: ["uma-guide:endpoint-policies.adoc"]
---

# /json/users/{user}/uma/policies

AM-specific endpoint used to create, delete, read, update, and query UMA policies.

> **Supported HTTP methods**
>
> | Action | HTTP method |
> | ------ | ----------- |
> | Create | PUT         |
> | Read   | GET         |
> | Update | PUT         |
> | Delete | DELETE      |
> | Query  | GET         |

> Use the AM API Explorer for detailed information about this endpoint, and to test it against your deployed AM instance. In the AM admin UI, click the Help icon, and go to API Explorer > users > *user* > uma > policies.

You must compose the path to the token endpoint addressing the specific realm where the token will be issued. For example, `https://am.example.com:8443/am/json/realms/root/realms/alpha/users/user/uma/policies`.

The policies endpoint does not support any parameters. To authenticate to the endpoint, send the SSO token of the resource owner as the value of the `iPlanetDirectoryPro` header.

To create or update a policy, send an HTTP PUT request to the endpoint, adding the description of the policy as a JSON object in the body. For example:

```json
{
    "policyId": "UMA_resource_ID_12345678",
    "permissions": [
        {
            "subject": "requesting_party_identity",
            "scopes": [
                "view",
                "comment",
                "download"
            ]
        }
    ],
    "type": "AND",
    "conditions": [
        {
            "type": "Expiration",
            "expirationDate": "1638263100"
        }
    ]
}
```

* `policyId` is an UMA resource ID. To obtain it, query the [/uma/resource\_set](endpoint-resource_set.html) endpoint.

* The entire `permissions` object is mandatory.

* `subject` is the username or identity associated with the requesting party.

  In other words, the person, device, or client that the policy grants permission to.

* The `scopes` object is an array of permissions or scopes that are granted to the `subject`.

  These scopes must match the scopes supported by the resource that the policy protects.

* The first `type` field is optional, and lets you add multiple conditions, separated by `AND` and `OR` functions.

* The second `type` field specifies the condition type. Possible values are `Expiration`, to set an expiration date on an UMA authorization, or `clientId`, to restrict the list of clients that can obtain an RPT (requesting party token).
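
The following is an added example, not part of the AM documentation or product code: a pre-flight check that composes the realm-qualified path and rejects a policy body that grants scopes the resource does not support or carries an expired `Expiration` condition, before the PUT is sent. The function names, the `resource_scopes` input, the `Content-Type` header, and the reading of `expirationDate` as epoch seconds are assumptions of this example.

```python
import json
import time
from urllib.parse import quote

CONDITION_TYPES = {"Expiration", "clientId"}  # condition types listed on this page


def policies_url(base, realms, user):
    """Compose the realm-qualified endpoint path, e.g. realms=["root", "alpha"]."""
    realm_path = "".join(f"/realms/{quote(r, safe='')}" for r in realms)
    return f"{base.rstrip('/')}/json{realm_path}/users/{quote(user, safe='')}/uma/policies"


def lint_policy(policy, resource_scopes, now=None):
    """Return a list of problems; an empty list means the body passed every check."""
    now = int(time.time()) if now is None else now
    problems = []
    if not policy.get("policyId"):
        problems.append("policyId (the UMA resource ID) is missing")
    permissions = policy.get("permissions")
    if not permissions:
        problems.append("permissions is mandatory")
    for perm in permissions or []:
        if not perm.get("subject"):
            problems.append("permission without a subject")
        extra = set(perm.get("scopes", [])) - set(resource_scopes)
        if extra:
            problems.append(f"scopes not supported by the resource: {sorted(extra)}")
    if "type" in policy and policy["type"] not in ("AND", "OR"):
        problems.append("top-level type must be AND or OR")
    for cond in policy.get("conditions", []):
        if cond.get("type") not in CONDITION_TYPES:
            problems.append(f"unknown condition type: {cond.get('type')!r}")
        elif cond["type"] == "Expiration":
            # Assumption: expirationDate is epoch seconds, as the sample value suggests.
            expiry = str(cond.get("expirationDate", ""))
            if not expiry.isdigit() or int(expiry) <= now:
                problems.append("Expiration condition is missing, malformed or already past")
    return problems


def build_put(base, realms, user, sso_token, policy, resource_scopes, now=None):
    """Describe the PUT request as a dict; refuse to build it if the lint fails."""
    problems = lint_policy(policy, resource_scopes, now)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"iPlanetDirectoryPro": sso_token, "Content-Type": "application/json"}
    return {"method": "PUT", "url": policies_url(base, realms, user),
            "headers": headers, "body": json.dumps(policy)}
```

Run against the sample body above with the current time, `lint_policy` reports the `Expiration` condition as already past, because `1638263100` falls in November 2021.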

For examples of using this endpoint, see [UMA policies](uma-policies.html).
