In this lesson, the following topics are discussed:
- What are policies?
- Policy types.
- Apply prebuilt policies using the Policy Designer.
- Use predefined policies.
What are Policies?
SAP API Management provides capabilities to define the behavior of an API by using policies. A policy is a program that executes a specific function at runtime. They provide the flexibility to add common functionalities on an API without having to code them individually each time.
Policies provide features to secure APIs, control the API traffic, and transform message formats. You can also customize the behavior of an API by adding scripts and attaching them to policies.
You can apply a policy on the request or response stream. You can also specify if it is applicable on the proxy endpoint or target endpoint. For information on the types of policies supported by API Management, see Policy Types.
You can use the following types of policies:
- Predefined Policy Templates at SAP Business Accelerator Hub.
- Prebuild policies within the Policy Editor.
The following is the list of prebuilt policies supported by API Management:
- Access Control
- Access Entity
- Assign Message
- Basic Authentication
- Extract variables
- Invalidate Cache
- JSON to XML
- Key Value Map Operations
- Lookup Cache
- Message Logging Policy
- OAuth v2.0
- OAuth v2.0 GET
- OAuth v2.0 SET
- Populate Cache
- Python Script
- Raise Fault
- Reset Quota
- Service Callout
- Spike Arrest
- SAML Assertion Policy
- SOAP Message Validation Policy
- Verify API Key
- XML to JSON
- XSL Transform
- XML Threat Protection
- Regular Expression Protection
- JSON Threat Protection
- Response Cache
- Statistics Collector Policy
Read more here: Policy Types
Apply prebuilt policies using the Policy Designer
In order to use one of the available policies, it is first necessary to consider where the policy should work. The policy editor offers the following options in the request and response.
Policies can also be used for all calls (PostClientFlows, resources), then you do not select a PostClientFlow. In the following example, there are two PostClientFlows CatalogCollection and ServiceCollection. The policies are used for all PostClientFlows because none has been specially selected.
Security - policies
SAP BTP, API Management offers many out of the box API Security polices based on the Open Web Application Security Project (OWASP) API security best practices that can be customized for your enterprise requirements.
There is a blog series that will be showcasing the security policies from SAP BTP, API Management to secure and protect the enterprise APIs as shown in the following figure, SAP Cloud Platform API Management.
You will find the blog series here: SAP Cloud Platform API Management – API Security Best Practices Blog Series
Logging and monitoring policies
The Message Logging policy lets you send syslog messages to third-party log management services, such as Splunk, SumoLogic, Loggly, or similar log management services.
A blog with the Message Logging Policy and Splunk can found here: Splunk – Part 1 : SAP APIM Logging & Monitoring | SAP Blogs
A blog with the Message Logging Policy and Loggly can found here: Part 7 – API Security Best Practices – Log all API interactions | SAP Blogs
Use predefined policies
There are predefined sets of policies for specific applications. These can be found in the SAP Business Accelerator Hub.
Navigate to https://api.sap.com/ to Explore → APIs.
Under the Policy Template tab, SAP Business Accelerator Hub, you will find 20 policy templates for immediate use.
Import a Policy Template from SAP Business Accelerator Hub
Search and find the
Performance_Traceability policy template at SAP Business Accelerator Hub. Choose the Performance_Traceability tile. You will find the content at the Flow Type.
The following is an example with these two items:
- Flow Type: ProxyEndPoint PreFlow
To download the complete policies, choose the Download button in the upper right corner and save the *.zip file locally to your computer.
Switch to the Develop view and choose the Policy Templates tab.
Then import the previously locally stored policy template through the Import button.
At the end, the Performance_Traceability template is now imported into the SAP Business Accelerator Hub.
To place the policy template, navigate to the API in which you want to use the policy and navigate to the Policy Editor. Choose Edit so that the Policy Template button becomes active.
Now choose the Apply button to import the policy template.
Now, select the previously imported policy template and choose Apply.
The policy template has been imported and inserted into the corresponding flow.
After the update, save and redeploy, the policy template is active.
SAP API Management provides capabilities to define the behavior of an API by using policies. These capabilities can be used in both the request and the response. There are policies for the transformation of the payload as well as calls to external, for example to log in using OAuth 2.0 and much more. In particular, the security policies are very useful. SAP offers federal of policies, policy templates, for certain use cases. These can be easily imported.