In this lesson, we will cover the following topics:
- What are Policies?
- Policy types
- Apply prebuilt Policies using the Policy Designer
- Use predefined Policies
What are Policies?
SAP API Management provides capabilities to define the behavior of an API by using Policies. A Policy is a program that executes a specific function at runtime. They offer the flexibility to add common functionalities on an API without having to code them individually each time.
Policies provide features to secure APIs, control the API traffic, and transform message formats. You can also customize the behavior of an API by adding scripts and attaching them to policies.
You can apply a policy on the request or response stream. You can also specify if it is applicable on the proxy endpoint or the target endpoint. For information on the types of policies supported by API Management, see Policy Types.
You can use the following types of policies:
- Predefined policy templates at SAP Business Accelerator Hub.
- Prebuilt policies within the Policy Editor.
Policy types
The following is the list of prebuilt policies supported by API Management:
- Access Control
- Access Entity
- Assign Message
- Basic Authentication
- Extract variables
- Invalidate Cache
- JavaScript
- JSON to XML
- Key Value Map Operations
- Lookup Cache
- Message Logging Policy
- OAuth v2.0
- OAuth v2.0 GET
- OAuth v2.0 SET
- Populate Cache
- Python Script
- Quota
- Raise Fault
- Reset Quota
- Service Callout
- Spike Arrest
- SAML Assertion Policy
- SOAP Message Validation Policy
- Verify API Key
- XML to JSON
- XSL Transform
- XML Threat Protection
- Regular Expression Protection
- JSON Threat Protection
- Response Cache
- Statistics Collector Policy
Read more here: Policy Types
Apply Prebuilt Policies Using the Policy Designer
To use one of the available policies, it is necessary first to consider where the policy will work. The policy editor offers the following options in the request and response:
Policies can also be used for all calls (PostClientFlows, resources), so you do not select a PostClientFlow. In the following example, there are two PostClientFlows CatalogCollection and ServiceCollection. The policies are used for all PostClientFlows because none have been specially selected.
Security - Policies
SAP Business Technology Platform, API Management offers many out-of-the-box API security policies based on the Open Web Application Security Project (OWASP). API security best practices can be customized for your enterprise requirements.
There is a blog series that showcases the security policies from SAP Business Technology Platform, API Management to secure and protect the enterprise APIs, as shown in the following figure, SAP Cloud Platform API Management.
You will find the blog series here: SAP Cloud Platform API Management – API Security Best Practices Blog Series
Logging and Monitoring Policies
The Message Logging policy lets you send syslog messages to third-party log management services, such as Splunk, SumoLogic, Loggly, or similar log management services.
A blog with the Message Logging Policy and Splunk can be found here: Splunk – Part 1 : SAP APIM Logging & Monitoring | SAP Blogs
A blog with the Message Logging Policy and Loggly can be found here: Part 7 – API Security Best Practices – Log all API interactions | SAP Blogs
Use Predefined Policies
There are predefined sets of policies for specific applications. They can be found in the SAP Business Accelerator Hub.
Navigate to https://api.sap.com/ to Categories→and select the resource APIs.
Under the Policy Template tab SAP Business Accelerator Hub, you will find over 20 policy templates for immediate use.
Import a Policy Template from SAP Business Accelerator Hub
Search and find the Performance_Traceability policy template at SAP Business Accelerator Hub. Choose the Performance_Traceability tile. You will find the content at the Flow Type.
The following is an example with these two items:
- Flow Type: ProxyEndPoint PreFlow
- Content: JavaScript file
To download the complete policies, choose the Download button in the upper right corner and save the *.zip file locally to your computer.
Switch to the Develop view and choose the Policy Templates tab.
Then, import the previous locally stored policy template through the Import button.
In the end, the Performance_Traceability template is now imported into the SAP Business Accelerator Hub.
To place the policy template, navigate to the API in which you want to use the policy, and navigate to the Policy Editor. Choose Edit so that the Policy Template button becomes active.
Now, choose the Apply button to import the policy template. Then select the previously imported policy template and choose Apply.
The policy template has been imported and inserted into the corresponding flow.
After the update, save and redeploy, the policy template will be active.
Summary
SAP API Management provides capabilities to define the behavior of an API by using policies. These capabilities can be used in both the request and the response. There are policies for the transformation of the payload and calls to external, for example, to log in using OAuth 2.0 and much more. In particular, the security policies are useful. SAP offers federal policies and policy templates for certain use cases. They can be easily imported.
