Using Policies

Objective

After completing this lesson, you will be able to use policies.

Usage of Policies

In this lesson, the following topics are discussed:

  • What are policies?
  • Policy types.
  • Apply pre-built policies using the Policy Designer.
  • Use predefined policies.

What Are Policies?

SAP API Management provides capabilities to define the behavior of an API by using Policies. A Policy is a program that executes a specific function at runtime. They provide the flexibility to add common functionalities on an API without having to code them individually each time.

Policies provide features to secure APIs, control the API traffic, and transform message formats. You can also customize the behavior of an API by adding scripts and attaching them to policies.

You can apply a policy on the request or response stream. You can also specify if it is applicable on the proxy endpoint or target endpoint. For information on the types of policies supported by API Management, see Policy Types.

You can use the following types of policies:

  • Predefined policy templates at SAP Business Accelerator Hub.
  • Pre-built policies within the Policy Editor.

Policy types

The following is the list of pre-built policies supported by API Management:

  • Access Control
  • Access Entity
  • Assign Message
  • Basic Authentication
  • Extract variables
  • Invalidate Cache
  • JavaScript
  • JSON to XML
  • Key Value Map Operations
  • Lookup Cache
  • Message Logging Policy
  • OAuth v2.0
  • OAuth v2.0 GET
  • OAuth v2.0 SET
  • Populate Cache
  • Python Script
  • Quota
  • Raise Fault
  • Reset Quota
  • Service Callout
  • Spike Arrest
  • SAML Assertion Policy
  • SOAP Message Validation Policy
  • Verify API Key
  • XML to JSON
  • XSL Transform
  • XML Threat Protection
  • Regular Expression Protection
  • JSON Threat Protection
  • Response Cache
  • Statistics Collector Policy

Read more here: Policy Types

Apply Pre-built Policies Using the Policy Designer

To use one of the available policies, it is first necessary to consider where the policy will work. The policy editor offers the following options in the request and response:

The graphic shows the flow process of policies and endpoints in a request and response.

Policies can also be applied to all calls (all PostClientFlows and resources). In that case, do not select a specific PostClientFlow. In the following example, there are two PostClientFlows, CatalogCollection and ServiceCollection. Because neither of them is selected, the policies apply to both.

The graphic shows two PostClientFlows - CatalogCollection and ServiceCollecction in the Flow menu.

Security - Policies

SAP BTP, API Management offers many out-of-the-box API security policies based on the Open Web Application Security Project (OWASP). API security best practices can be customized for your enterprise requirements.

There is a blog series that showcases the security policies from SAP BTP, API Management to secure and protect the enterprise APIs as shown in the following figure, SAP Cloud Platform API Management.

The graphic shows a blog series of security policies in the SAP Cloud Platform API Management. The link to the blog series is provided in the following text.

You will find the blog series here: SAP Cloud Platform API Management – API Security Best Practices Blog Series

Logging and Monitoring Policies

The Message Logging policy lets you send syslog messages to third-party log management services, such as Splunk, SumoLogic, Loggly, or similar log management services.

A blog with the Message Logging Policy and Splunk can be found here: Splunk – Part 1 : SAP APIM Logging & Monitoring | SAP Blogs

A blog with the Message Logging Policy and Loggly can be found here: Part 7 – API Security Best Practices – Log all API interactions | SAP Blogs
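As an added example (not code from the SAP page or from the linked blogs), the following Message Logging policy sends one syslog line per API call to an external collector. The collector host logs.example.com, the port, and the exact set of fields in the message are assumptions for illustration; the flow variables used (apiproxy.name, messageid, client.ip, request.verb, proxy.pathsuffix, response.status.code) are the standard API Management flow variables.

```xml
<!-- Added example, not from the SAP page: log one syslog line per call.
     Host/port are assumed values for a hypothetical collector. -->
<MessageLogging async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Syslog>
    <!-- Log identifiers, verb, path and status so a call can be correlated
         with the client and the proxy. Deliberately NOT logged: the
         Authorization header, API key values, query strings or the request
         body, so the log collector does not become a credential store. -->
    <Message>apim proxy={apiproxy.name} msgid={messageid} client={client.ip} verb={request.verb} path={proxy.pathsuffix} status={response.status.code}</Message>
    <Host>logs.example.com</Host>
    <Port>514</Port>
    <Protocol>TCP</Protocol>
    <!-- Prepend the syslog header (priority, timestamp, host) to the message -->
    <FormatMessage>true</FormatMessage>
  </Syslog>
</MessageLogging>
```

Attach the policy to the ProxyEndpoint PostClientFlow so it runs after the response has been returned to the client and does not add latency to the call. Plain TCP or UDP syslog is unencrypted on the wire, so send it only over a trusted network path; check the Message Logging policy reference for TLS options supported by your tenant before pointing it at an Internet-facing collector.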

Use Predefined Policies

There are predefined sets of policies for specific applications. They can be found in the SAP Business Accelerator Hub.

Navigate to https://api.sap.com/ and choose Explore → APIs.

Screenshot of the SAP API Business Hub. Choose Explore > APIs.

Under the Policy Template tab SAP Business Accelerator Hub, you will find 20 policy templates for immediate use.

Screenshot of the Policy Templates tab where you can choose from 20 policy templates.

Import a Policy Template from SAP Business Accelerator Hub

Search for the Performance_Traceability policy template at SAP Business Accelerator Hub and choose the Performance_Traceability tile. The template lists its contents by Flow Type.

The following is an example with these two items:

  • Flow Type: ProxyEndPoint PreFlow
  • Content: JavaScript file

Screenshot of the Performance_Traceability policy template. The Flow Type and Content items are highlighted in red.

To download the complete policies, choose the Download button in the upper right corner and save the *.zip file locally to your computer.

Choose Download.

Switch to the Develop view and choose the Policy Templates tab.

Choose the Policy Templates tab.

Then, import the previous locally stored policy template through the Import button.

The Performance_Traceability template is now imported into your API Management tenant and appears in the Policy Templates tab.

To place the policy template, navigate to the API in which you want to use the policy, and navigate to the Policy Editor. Choose Edit so that the Policy Template button becomes active.

Choose Edit so that the Policy Template button becomes active.

Now, choose the Policy Template button and then Apply. Select the previously imported policy template and choose Apply.

Choose Apply to import the policy template.
Select the imported policy template and choose Apply.

The policy template has been imported and inserted into the corresponding flow.

Screenshot shows the policy template has been imported and inserted into the corresponding flow.

After you update, save, and redeploy the API proxy, the policy template is active.

Summary

SAP API Management provides capabilities to define the behavior of an API by using policies. These capabilities can be used in both the request and the response. There are policies for transforming the payload, for calls to external services, for example, to log in using OAuth 2.0, and much more. The security policies are particularly useful. SAP offers sets of policies and policy templates for certain use cases, and they can be easily imported.

Add Policies for Basic Authentication Against the ES5 Demo System

Business Scenario

To use the interfaces in API Management, authentication against the source interface is necessary, which is accomplished through a policy implementation. The connections and artifacts to be created are marked in red in the following component diagram.

Component diagram: ES5 Proxy.

Task flow

In this exercise, you will perform the following tasks:

  1. Add the Message Policy.
  2. Add the Basic Authentication Policy.
  3. Test your policies.
  4. Monitor your API calls.

Task 1: Add the Message Policy

Steps

  1. Add the Message Policy.

    1. Navigate to Configure → APIs and choose the API Proxies tab.

      Screenshot of the SAP Integration Suite. Navigate to Configure > APIs and choose the API Proxies tab, then choose the link.
    2. Open your API view by choosing the link GWSAMPLE_BASIC_v1_date_subaccountnumber.

    3. Choose the Policies button.

      Policies
    4. Choose the Edit button.

      Choose Edit in the top right corner.
    5. You can see the grey plus symbols on the right side.

      The grayed plus symbols are on the right side.
    6. Choose Flows → TargetEndpoint → PostFlow. The plus signs are now black and usable.

      Choose the following: Flows → TargetEndpoint → PostFlow. The plus signs are now black and usable.
    7. Find the Assign Message Policy on the left side menu.

      Note

      To implement the policies in your API proxy, you must understand how the policies work.
      Choose Assign Message.
    8. Choose the plus sign next to the Assign Message policy symbol. A pop-up window opens.

    9. Enter the following values in the pop-up window:

      Field Name      Value
      Policy Type     Assign Message
      Policy Name     setCredentials
      Endpoint Type   TargetEndpoint
      Flow Type       PostFlow
      Stream          Incoming Request

      The Policy Name and Stream fields are highlighted.
    10. Choose the Add button in the pop-up window. The policy is placed in the flow and the XML editor opens.

      Set the conditions.
    11. In the XML editor, enter the following code via copy-paste:

      Note

      Be aware to substitute the Username and Password with yours.
      Code Snippet

      <!-- This policy can be used to create or modify the standard HTTP request and response messages -->
      <AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
        <!-- Sets a new value to the existing parameter -->
        <!-- Sample body from the default policy template; it is not needed for the
             credentials and can be deleted to leave the original request body untouched -->
        <Set>
          <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{"name":"foo", "type":"@apiproxy.name#"}</Payload>
        </Set>
        <!-- The two variables below are request headers on the outgoing request -->
        <AssignVariable>
          <Name>request.header.username</Name>
          <Value>Your username from your GWSAMPLE_BASIC backend system</Value>
        </AssignVariable>
        <AssignVariable>
          <Name>request.header.password</Name>
          <Value>Your password from your GWSAMPLE_BASIC backend system</Value>
        </AssignVariable>
        <!-- Fail the call if a referenced variable cannot be resolved -->
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
        <AssignTo createNew="false" type="request">request</AssignTo>
      </AssignMessage>

      Note

      You can also download the code snippets via Github for this learning journey:

      integration-suite-learning-journey/src/rev_20 at main · SAP-samples/integration-suite-learning-journey · GitHub

    12. For this exercise, enter your username and password in plain text. Outside an exercise, do not hard-code credentials in a policy: store them encrypted in a Key Value Map and read them at runtime with the Key Value Map Operations policy. Be aware that request.header.username and request.header.password are request headers, so unless they are removed after encoding, the backend receives the credentials in clear text in these headers in addition to the Authorization header.

      Set the username and password and choose Update.

      Now, you have defined two variables, request.header.username and the request.header.password.

    13. Before you update and save this entry, add a second policy that uses these variables for basic authentication.

Task 2: Add the Basic Authentication Policy

Steps

    In this step, the previously defined variables are Base64-encoded into the Authorization header of the HTTP request to the backend.

  1. Add the Basic Authentication Policy.

    1. On the right side, choose the Basic Authentication policy and choose the plus button.

      On the right side, choose the Basic Authentication policy and choose the plus button.
    2. Add/check the following data:

      Field Name      Value
      Policy Type     Basic Authentication
      Policy Name     setBasicAuthentication
      Endpoint Type   TargetEndpoint
      Flow Type       PostFlow
      Stream          Incoming Request
      Choose Add.
    3. Choose the Add button within the pop-up window.

      Choose Add.
    4. Check the entries and choose the Update button (top right of the screen).

      Choose Update.

      Switch back to the detail view of your API proxy and choose the Save button.

      Choose Save.

    5. After saving, a bar at the top of the API proxy details window prompts you to deploy the API proxy.

      Choose Click to Deploy.
    6. Choose the Click to Deploy link to confirm the deployment via the detail pop-up window.

      The deployment appears ready.
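Task 2 does not show the XML of the Basic Authentication policy, and Task 1 hard-codes the backend credentials in the proxy. The following is an added example (not code from the SAP page or from the learning-journey GitHub repository) that performs both tasks without a cleartext password in the proxy definition: a Key Value Map Operations policy reads the credentials from an encrypted Key Value Map, and the Basic Authentication policy encodes them into the Authorization header. The map name es5-credentials, its keys username and password, and the private.es5.* variable names are assumptions; the map must be created in your tenant before the proxy is deployed. The last policy shows how to strip the cleartext headers if you keep the Assign Message approach of Task 1.

```xml
<!-- Added example, not from the SAP page. Both policies go into
     TargetEndpoint -> PostFlow -> Incoming Request, in this order.
     Assumed: an encrypted Key Value Map "es5-credentials" with the
     keys "username" and "password" exists in the tenant. -->

<!-- Policy 1: getCredentials -->
<KeyValueMapOperations mapIdentifier="es5-credentials" async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <!-- Values read from an encrypted map must be assigned to variables
       prefixed "private."; they are masked in debug traces and, unlike
       request.header.* variables, are never sent to the backend. -->
  <Get assignTo="private.es5.username">
    <Key><Parameter>username</Parameter></Key>
  </Get>
  <Get assignTo="private.es5.password">
    <Key><Parameter>password</Parameter></Key>
  </Get>
  <Scope>environment</Scope>
</KeyValueMapOperations>

<!-- Policy 2: setBasicAuthentication -->
<BasicAuthentication async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Operation>Encode</Operation>
  <!-- Fail the call instead of sending "Basic Og==" (empty user:password)
       when a map lookup returned nothing -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <User ref="private.es5.username"/>
  <Password ref="private.es5.password"/>
  <!-- Only the encoded header leaves the proxy -->
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

<!-- Policy 3 (only if you keep the Assign Message policy of Task 1):
     removeClearTextHeaders, placed after setBasicAuthentication.
     The exercise stores the credentials in request.header.username and
     request.header.password, which are forwarded to the backend as-is. -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Remove>
    <Headers>
      <Header name="username"/>
      <Header name="password"/>
    </Headers>
  </Remove>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>
```

With the Key Value Map variant, rotating the backend password means updating one map entry instead of editing and redeploying every proxy that talks to the same system, and the password never appears in the proxy export or in the debug trace.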

Task 3: Test Your Policies

Steps

    After setting up the automatic authentication, you can test your configured policies via the resources. If authentication succeeds, you receive status code 200.

  1. Test your policies via resources.

    1. Choose the Resources tab. Choose the first entry GET /BusinessPartnerSet (any other resource, such as GET /ProductSet, works as well), select the Try out button, and then choose the Execute button.

      To try it out, choose Resources > ProductSet > GET/ProductSet > Try it out.
      Then, choose Execute.
    2. You receive an HTTP status Code with response 200 and the containing response body.

    3. Check out the result.

      Check the response code.

      Note

      If you don't get an HTTP status Code with response 200, check your username and password in the policy. Be sure that your backend system account is not blocked by too many failed logons.

Task 4: Monitor Your API Calls

Steps

    We use the API Monitor to examine the metrics of the API calls made so far. It is available as a separate app.

  1. Analyze your API calls.

    1. Navigate to Monitor → APIs.

      Choose Monitor > APIs.

      Note

      Your monitor can look different.

Explore the API, Policies, and More at SAP Business Accelerator Hub

Business Scenario

Exploring the SAP Business Accelerator Hub to identify available APIs, policies, and other artifacts enables you to expedite your integrations, extensions, and innovations.

Task flow

In this exercise, you will perform the following tasks:

  1. Log on to the SAP Business Accelerator Hub (https://api.sap.com).
  2. Explore the policies.
  3. Explore the APIs at the SAP Business Accelerator Hub.

Prerequisites

You have successfully completed the previous exercise.

Outcome after this exercise

Gain a comprehensive understanding of the SAP Business Accelerator Hub and its extensive collection of available APIs for your utilization.

What do you learn within this exercise

By exploring the SAP Business Accelerator Hub, you can discover and analyze API Management Policies, allowing you to determine their suitability for various purposes based on your needs and objectives.

Task 1: Log on to SAP Business Accelerator Hub

Steps

  1. Log on to the SAP Business Accelerator Hub.

    1. Open the link: https://api.sap.com

      Screenshot of the SAP Business Accelerator Hub.
    2. Log in through the Login button to try out the APIs.

    3. Navigate to Explore → APIs.

      To explore the SAP Business Accelerator Hub, choose Explore > APIs.

Task 2: Explore the Policies

Steps

  1. Explore the policies.

    1. Choose the Policy Template tab.

      Choose the Policy Template tab on the top right side.
    2. Now, you can check out all the available policies, which you can use in your SAP API Management.

      Screenshot of the available policy templates.
    3. Find the Performance_Traceability policy and open it.

      Open Performance Traceability.
    4. Check out the documentation for more information.

    5. Review the configuration of the policies, especially the proxy_request_retriving_latency.

Task 3: Explore the APIs at SAP Business Accelerator Hub

Steps

  1. Explore the APIs.

    1. Navigate back to https://api.sap.com → Explore → APIs.

    2. Choose ODATA V2.

    3. In the search bar, enter Purchase Order and choose Enter.

      You see a tile with the name Purchase Order.

      Choose ODATA V2, enter Purchase Order, and choose Enter.

    4. Choose the Purchase Order tile. You will find a lot of information there.

      Choose Try Out.

      Note

      The Purchase Order ODATA V2 is marked as deprecated, but don't worry it works, so try it out.
    5. Choose the Try Out button.

      Choose Run.
    6. On the left side, find Purchase Order → GET /A_PurchaseOrder and choose it. At the top of the page, you see the chosen context, /A_PurchaseOrder.

    7. Choose the Run button.

      You get an HTTP Status Code 200 and a filled Response Body and Response Header.
