Using Policies

Objective

After completing this lesson, you will be able to Use policies.

Usage of Policies

In this lesson, the following topics are discussed:

  • What are policies?
  • Policy types.
  • Apply prebuilt policies using the Policy Designer.
  • Use predefined policies.

What are Policies?

SAP API Management provides capabilities to define the behavior of an API by using policies. A policy is a program that executes a specific function at runtime. They provide the flexibility to add common functionalities on an API without having to code them individually each time.

Policies provide features to secure APIs, control the API traffic, and transform message formats. You can also customize the behavior of an API by adding scripts and attaching them to policies.

You can apply a policy on the request or response stream. You can also specify if it is applicable on the proxy endpoint or target endpoint. For information on the types of policies supported by API Management, see Policy Types.

You can use the following types of policies:

  • Predefined Policy Templates at SAP Business Accelerator Hub.
  • Prebuild policies within the Policy Editor.

Policy types

The following is the list of prebuilt policies supported by API Management:

  • Access Control
  • Access Entity
  • Assign Message
  • Basic Authentication
  • Extract variables
  • Invalidate Cache
  • JavaScript
  • JSON to XML
  • Key Value Map Operations
  • Lookup Cache
  • Message Logging Policy
  • OAuth v2.0
  • OAuth v2.0 GET
  • OAuth v2.0 SET
  • Populate Cache
  • Python Script
  • Quota
  • Raise Fault
  • Reset Quota
  • Service Callout
  • Spike Arrest
  • SAML Assertion Policy
  • SOAP Message Validation Policy
  • Verify API Key
  • XML to JSON
  • XSL Transform
  • XML Threat Protection
  • Regular Expression Protection
  • JSON Threat Protection
  • Response Cache
  • Statistics Collector Policy

Read more here: Policy Types

Apply Prebuilt Policies Using the Policy Designer

In order to use one of the available policies, it is first necessary to consider where the policy should work. The policy editor offers the following options in the request and response.

Policies can also be used for all calls (PostClientFlows, resources), then you do not select a PostClientFlow. In the following example, there are two PostClientFlows CatalogCollection and ServiceCollection. The policies are used for all PostClientFlows because none has been specially selected.

Security - policies

SAP BTP, API Management offers many out of the box API Security polices based on the Open Web Application Security Project (OWASP) API security best practices that can be customized for your enterprise requirements.

There is a blog series that will be showcasing the security policies from SAP BTP, API Management to secure and protect the enterprise APIs as shown in the following figure, SAP Cloud Platform API Management.

You will find the blog series here: SAP Cloud Platform API Management – API Security Best Practices Blog Series

Logging and monitoring policies

The Message Logging policy lets you send syslog messages to third-party log management services, such as Splunk, SumoLogic, Loggly, or similar log management services.

A blog with the Message Logging Policy and Splunk can found here: Splunk – Part 1 : SAP APIM Logging & Monitoring | SAP Blogs

A blog with the Message Logging Policy and Loggly can found here: Part 7 – API Security Best Practices – Log all API interactions | SAP Blogs

Use Predefined Policies

There are predefined sets of policies for specific applications. These can be found in the SAP Business Accelerator Hub.

Navigate to https://api.sap.com/ to ExploreAPIs.

Under the Policy Template tab, SAP Business Accelerator Hub, you will find 20 policy templates for immediate use.

Import a Policy Template from SAP Business Accelerator Hub

Search and find the Performance_Traceability policy template at SAP Business Accelerator Hub. Choose the Performance_Traceability tile. You will find the content at the Flow Type.

The following is an example with these two items:

  • Flow Type: ProxyEndPoint PreFlow
  • Content: JavaScript file

To download the complete policies, choose the Download button in the upper right corner and save the *.zip file locally to your computer.

Switch to the Develop view and choose the Policy Templates tab.

Then import the previously locally stored policy template through the Import button.

At the end, the Performance_Traceability template is now imported into the SAP Business Accelerator Hub.

To place the policy template, navigate to the API in which you want to use the policy and navigate to the Policy Editor. Choose Edit so that the Policy Template button becomes active.

Now choose the Apply button to import the policy template.

Now, select the previously imported policy template and choose Apply.

The policy template has been imported and inserted into the corresponding flow.

After the update, save and redeploy, the policy template is active.

Summary

SAP API Management provides capabilities to define the behavior of an API by using policies. These capabilities can be used in both the request and the response. There are policies for the transformation of the payload as well as calls to external, for example to log in using OAuth 2.0 and much more. In particular, the security policies are very useful. SAP offers federal of policies, policy templates, for certain use cases. These can be easily imported.

Add Policies for Basic Authentication Against the ES5 Demo System

Business Scenario

To utilize the interfaces in API management, authentication against the source interface is necessary, which is accomplished through a Policy implementation. The creation of connections and artifacts is indicated by yellow markings in the component diagram below.

Task Flow

In this exercise, you will perform the following tasks:

  1. Add the Message Policy.
  2. Add the Basic Authentication Policy.
  3. Test your Policies.
  4. Monitor your API calls.

Prerequisites

  • You have a working API Management.
  • You have a working API Provider.
  • You have a working API.

Outcome after this exercise

Calling the APIs from the ES5 using API Management API, demo systems now has an automatic basic authentication.

What do you learn within this exercise

You get familiar to the concept of using policies especially how to implement a basic authentication.

Exercise Options

To carry out this exercise, you can choose from the following options:

  1. Live Environment: Using the instructions provided below, you can perform the steps in your SAP BTP account.
  2. Platform Simulation: Follow the step-by-step instructions within the simulation.
  3. Side-by-side: Follow the step-by-step instructions within the simulation and perform the steps in your SAP BTP account simultaneously.

Note

We strongly recommend to perform the steps in the live environment.
ExerciseStart Exercise

Task 1: Add the Message Policy

Steps

  1. Add the Message Policy.

    1. Navigate to ConfigureAPIs.

    2. Open your API view by choosing the link, GWSAMPLE_BASIC_v1.

    3. Choose the Policies button.

    4. Choose the Edit button.

    5. You should be able to use the Policies on the right side.

    6. Choose the place for the policies. Choose the following: FlowsTargetEndpointPostFlow. The plus signs are now black and usable.

    7. Find the Assign Message policy.

    8. Choose the plus at Assign Message. Add/check the following data.

      Field NameValue
      Policy TypeAssign Message
      Policy NamesetCredentials
      Endpoint TypeTargetEndpoint
      Flow TypePostflow
      StreamIncoming Request

    9. Choose the Add button in the pop-up window.

    10. In the XML editor, enter the following code via copy-paste:

      Code Snippet
      Copy code
      Switch to dark mode
      123456789101112131415161718192021
      
<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
<!-- Sets a new value to the existing parameter -->
  <Set>
    <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{"name":"foo", "type":"@apiproxy.name#"}</Payload>
  </Set>
  <AssignVariable>

<Name>request.header.username</Name>
  <Value>ES5 User</Value>
  </AssignVariable>
  <AssignVariable>

<Name>request.header.password</Name>
  <Value>ES5 password</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" type="request">response</AssignTo>
</AssignMessage>

    11. Change the AssignTo entry type and value to request (No.2) , so it looks like this: <AssignTo createNew="false" type="request">request</AssignTo>.

    12. Enter your username and password in a plain text format.

      It is also possible to set both values as base64 encoded or read from a key store.

    13. Now you should have defined two variables, request.header.username and the request.header.password.

    14. Before we update and save this entry, we set a second policy that uses the variables for basic authentication.

Task 2: Add the Basic Authentication Policy

Steps

  1. Add the Basic Authentication Policy.

    1. On the right side, choose the Basic Authentication policy and choose the plus button.

    2. Check the following data and enter the Stream and Policy name:

      Field NameValue
      Policy TypeBasic Authentication
      Policy NamesetBasicAuthentication
      Endpoint TypeTargetEndpoint
      Flow TypePostflow
      StreamIncoming Request

    3. Choose the Add button within the pop-up window.

    4. Check the entries and choose the update button (on top right of the screen).

      You switch back to the detail view of your API.

    5. Choose the Save button.

      This step ensures, that your policies are usable.

  2. Deploy your API again.

    1. When you save your policy, you have to redeploy your API.

    2. Choose the Click to Deploy link in the message (No. 1) or you can also use three dotsDeploy from the top right menu (No. 2).

    3. Confirm the re-deployment of the API.

Task 3: Test Your Policies

Steps

  1. Test your API as Resources.

    1. Choose the Resources tab. (1), choose the first entry GET/BusinessPartnerSet (2), select the Try out button (3), and then choose the Execute button (4).

    2. Now, it should work as expected.

      If the API test doesn`t show some results, check the Authentication policy again.

    3. Check out the result.

  2. Test with the API Test Console.

    1. Open the API Test Console and choose your API. Find the /BusinessPartnerSet in the URL bar.

    2. Choose the Send button on the bottom right of the screen.

    3. Authentication is set to None.

    4. Everything works as expected.

Task 4: Monitor Your API Calls

Steps

  1. Analyze your API calls.

    1. Navigate to MonitorAPIs.

    2. Choose your API and check out the results.

      Note

      It might be possible that your monitor looks different.

Explore the API, Policies and More at SAP Business Accelerator Hub

Business Scenario

You want to check which APIs, policies, and other artifacts are listed in the SAP Business Accelerator Hub.

Task Flow

In this exercise, you will perform the following tasks:

  1. Log On to SAP Business Accelerator Hub.
  2. Explore the policies.
  3. Import the downloaded Policies to your HelloWorldAPI.
  4. Explore the APIs at SAP Business Accelerator Hub.

Prerequisites

Access to the internet.

Outcome After This Exercise

Familiarize yourself with the SAP Business Accelerator Hub and all the provided APIs, which are available for use.

What Do You Learn Within This Exercise

Familiarize yourself with the SAP Business Accelerator Hub and all the provided APIs, which are available for use.

Exercise Options

To carry out this exercise, you can choose from the following options:

  1. Live Environment: Using the instructions provided below, you can perform the steps in your SAP BTP account.
  2. Platform Simulation: Follow the step-by-step instructions within the simulation.
  3. Side-by-side: Follow the step-by-step instructions within the simulation and perform the steps in your SAP BTP account simultaneously.

Note

We strongly recommend to perform the steps in the live environment.
ExerciseStart Exercise

Task 1: Log on to SAP Business Accelerator Hub

Steps

  1. Log on to SAP Business Accelerator Hub.

    1. Open the link: https://api.sap.com

    2. Log in through the Login button to try out APIs.

    3. Navigate ExploreAPIs.

Task 2: Explore the Policies

Steps

  1. Explore the policies.

    1. Choose Policy Template link.

    2. Now you can check out all the available policies, you can use in your API Management.

    3. Find the Performance_Traceability policy and open it.

    4. Check out the documentation, if you need more information.

      If you need more detailed information about the Performance_Traceability policy, feel free to check out the documentation under https://api.sap.com/policytemplate/Performance_Traceability

    5. Review the configuration of the policies, especially the proxy_request_retriving_latency.

  2. Download the Performance_Tracebility policy.

    1. To use this template in your API, choose the Download button on the top right of your screen and save it to your local file system.

Task 3: Import the Downloaded Policies to Your HelloWorldAPI

Steps

  1. Import the policy to Policy Template.

    1. Navigate to your subaccountIntegration SuiteConfigureAPIs*. Choose the Policy Templates tab.

    2. Choose the Import button and browse to your downloaded policy template.

    3. Choose the OK button of the template you have imported.

  2. Apply the imported policy.

    1. Navigate to your API in which you want to use this template, for example, HelloWorldAPI.

    2. Open the API and choose the Policies button in the top right of the screen.

    3. Choose the Edit button. The Edit button name changes to Update. Now, follow this navigation path: Policy TemplateApply.

    4. Choose your imported template and choose Apply.

      Note

      There may be an error here and the Apply button does not work. In this case, you must delete the existing entries under Created Policies. Then import the policies again.

    5. The policies are imported and placed on the correct flow.

    6. Choose Update and Save and deploy it again (as we have done in the last exercise).

      Note

      The policies in the HelloWorld API cannot be tested because no API call is possible.

      Similarly, the policy template can be added to any API.

Task 4: Explore the APIs at SAP Business Accelerator Hub

Steps

  1. Explore the APIs.

    1. Navigate back to https://api.sap.comExploreAPIs.

    2. Choose ODATA V2.

    3. In the search bar, enter Purchase Order and choose Enter.

      You should see a tile with this name: Purchase Order.

    4. Choose the Purchase Order tile. You will find a lot of information there.

    5. Choose the Try Out button.

    6. On the left side, find Purchase OrderGET /APurchaseOrder and choose it. On top of the page, you will see the chosen context, /A_PurchaseOrder.

    7. Choose the Run button.

      You should get an http status code 200 and a filled Response Body and Response Header.

Log in to track your progress & complete quizzes