With an API gateway integration, you can define custom policies that target inbound requests and outbound responses for API services and operations.
If custom policies are not enabled for your API service, enable them by clicking Enable Custom Policies on the API service’s Overview tab.
Custom policies control access to APIs in complex authorization scenarios. When you enable custom policies for an API service, PingOne Authorize generates a policy tree for the API service. The tree structure is system-owned and reflects the API service and its operations. You can’t modify the policy sets and policies in the tree, but you can add your own custom policies to Custom policy sets in the tree.
The tree structure is organized as follows.
Top-level policy sets include:
- API Service <Name>: This is the top-level policy set for the API service. It serves as a container for everything nested underneath it.
- API Service and Operations: This policy set ensures that combining algorithms work correctly for AAM rules and policies.
The next level contains the request and response policies and policy sets for each API service.
These include:
- Inbound Request: This policy set is a container for rules and custom policies that target inbound requests for the API service.
  - Basic Rules: This policy is reserved for rules generated by the system that target inbound requests for the API service. The rules are based on the API Service configuration.
  - Custom: This policy set is where you add your own custom policies that target inbound requests for the API service.
- Outbound Response: This policy set is a container for rules and custom policies that target outbound responses from the API service. Its children have the same structure as the Inbound Request policy set.
Each operation under the API service shares a similar structure.
Operation policies and policy sets include:
- Operation <Name>: This is the top-level policy set for the operation. It serves as a container for everything nested underneath it.
- Inbound Request: This policy set is a container for rules and custom policies that target inbound requests for the specific operation.
  - Basic Rules: This policy stores group and scope-based rules that target inbound requests for the operation. The policy is generated automatically by the system when you add basic rules to an operation.
  - Custom: This policy set is where you add your own custom policies that target inbound requests for the operation.
- Outbound Response: This policy set is a container for rules and custom policies that target outbound responses from the specific operation. It has nested children for Basic Rules and Custom policies.
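The following is an added example, not PingOne Authorize code: a small in-memory model of the generated tree that builds the service and operation nodes described above and enforces the one rule that matters for operators, that only the Custom policy sets accept user-added policies while everything else is system-owned. It assumes the service-level Inbound Request and Outbound Response sets and the Operation subtrees all sit under "API Service and Operations"; the exact nesting in the product UI may differ.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Node:
    name: str
    kind: str                                   # "policy_set" or "policy"
    system_owned: bool = True                   # only Custom sets are user-owned
    children: Dict[str, "Node"] = field(default_factory=dict)
    custom_policies: List[str] = field(default_factory=list)

def _direction_sets() -> Dict[str, Node]:  # Inbound Request / Outbound Response pair
    sets = {}
    for direction in ("Inbound Request", "Outbound Response"):
        container = Node(direction, "policy_set")
        container.children["Basic Rules"] = Node("Basic Rules", "policy")  # system-generated
        container.children["Custom"] = Node("Custom", "policy_set", system_owned=False)
        sets[direction] = container
    return sets

def build_policy_tree(service: str, operations: List[str]) -> Node:
    """Generate the system-owned tree for one API service and its operations."""
    root = Node(f"API Service {service}", "policy_set")
    combined = Node("API Service and Operations", "policy_set")
    root.children[combined.name] = combined
    combined.children.update(_direction_sets())  # service-level request/response sets
    for op in operations:  # assumption: operation subtrees sit beside those sets
        op_node = Node(f"Operation {op}", "policy_set")
        op_node.children.update(_direction_sets())
        combined.children[op_node.name] = op_node
    return root

def resolve(root: Node, path: List[str]) -> Node:
    node = root
    for name in path:
        node = node.children[name]
    return node

def can_add_custom_policy(root: Node, path: List[str]) -> bool:
    target = resolve(root, path)
    return target.kind == "policy_set" and not target.system_owned

def add_custom_policy(root: Node, path: List[str], policy: str) -> Node:
    if not can_add_custom_policy(root, path):  # Basic Rules and containers are read-only
        raise PermissionError("/".join(path) + " is system-owned; use a Custom policy set")
    target = resolve(root, path)
    target.custom_policies.append(policy)
    return target
```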
For hands-on experience with writing a custom policy for an API operation, see Tutorial 3: Fine-grained API authorization.