Using the Operational Aggregate Policy
Learn how to group Operational Policies together into an Operational Aggregate Policy.
For information about using policies in the context of the Community Manager developer portal, see Business Policies.
Table of Contents
- Introduction
- Creating an Aggregate Policy
- Configuring an Aggregate Policy
- Activating a policy
- Attaching a policy
Introduction
An Aggregate Policy is a collection of policies that are gathered together to form a policy group. Policies included in an Aggregate policy are defined to achieve a specific purpose relative to governing Policy Manager objects (Organizations, Services, and so on). You can specify that messages must meet all the policies defined (Policy Enforcement Requirement of AND), or must meet at least one of them (Policy Enforcement Requirement of OR).
Some examples of scenarios where you might want to define an Aggregate Policy:
- Basic Authentication: requires the HTTP Security policy and an Authentication policy.
- Client Certificate: requires the HTTP Security policy and an Authentication policy.
- A use case such as Using Binary Security Token with WS-Security Policy, where you're using an Authentication policy and a WS-Security Transport Binding policy.
- Any scenario where you're using a WS-Security policy: requires an Authentication policy as well as the WS-Security policy.
- You could use this policy, with OR configured when attached at the API level, in a scenario where there are different consumers that want to consume an API in different ways. The Operational Aggregate Policy could fail when assigned at the operation level using the HTTP Basic Authentication policy or the HTTP Client Certificate, returning an HTTP "401 Unauthorized access" error. For example, some consumers might want to use OAuth and some might want to use Basic Auth. You could configure an Aggregate Policy so that an API could support both. To do this, include both policies in the aggregate and set the Policy Enforcement Requirement to OR. See, To configure policy enforcement requirements below.
Creating an Aggregate Policy
The first step in creating a policy is to define the basic policy information.
To add an operational policy
- Go to Workbench > Browse > Organization, and select Policies > Operational Policies. The Policies Summary is displayed.
- Click Add Policy.
- Choose the policy type and click Next.
- Specify a name (required) and description (optional) and click Finish. At the Completion Summary, click Close. The Add Policy Wizard creates a draft policy instance that you can then configure on the Policy Details page.
For more information, see Add Policy.
Configuring an Aggregate Policy
An Aggregate Policy is a containment policy that allows you to create a logical grouping of Policy Manager policies. Essentially, you first create the aggregate policy, and then you add and configure each policy that you want to include in the aggregate policy.
Notes
- Each policy must be configured as a separate entity.
- Policies can be directly added to an Aggregate policy, and exist inside the logical grouping.
- You can reference policies that have already been defined, from within the Aggregate policy. In this scenario, the policies still display in their original location within Policy Manager but also display as part of the Aggregate policy.
- An Aggregate policy can include both newly defined and existing (referenced) policies.
- If you change a policy that's referenced by one or more Aggregate policies, the change applies to all instances of the policy—the original instance and every occurrence within an Aggregate policy.
- You can attach the Aggregate Policy to objects such as services in the same way that you'd attach any other policy.
There are two steps:
- Configure policy enforcement requirements: this allows you to configure policy alternates depending on circumstances. You can configure AND or OR. See To configure policy enforcement requirements below.
- Add policies, either by defining new policies or referencing existing policies. Refer to these procedures:
To configure policy enforcement requirements
- Go to Workbench > Browse > Organization and select the Policies > Operational Policies folder. The Policies Summary is displayed.
- Find the policy on the list and click to go to the Details page for the policy.
- In the first panel, in the Options section, click Modify.
The Choose Policy Enforcement Requirement page is displayed. An example is shown below.
- In the Options field, specify your preference:
- AND: The message must meet the requirements of all policies or it will fail. This is the default behavior. All the policies configured in the aggregate must be satisfied.
- OR: If the message meets the requirements of any one of the policies configured in the aggregate, it is successful.
- Click Apply.
To define new policies in an Aggregate policy
- Go to Workbench > Browse > Organization and select the Policies > Operational Policies folder. The Policies Summary is displayed.
- Find the policy on the list and click to go to the Details page for the policy.
- In the second panel, in the Policies section, click Add to add the first new policy.
- In the Select Policy Creation Option page, choose the policy type that you're adding and then click Next.
- Specify the policy name and then click Finish, then click Close.
- At the Details page for the policy you just added, click Modify. Configure the policy details as you normally would. The configuration options are different for each policy. For a full list of policies, with links to policy documentation details, see About Policies.
- In the left pane, click the Aggregate Policy. In the center pane, click Add to add a second policy. Repeat steps 4 through 7 as needed to add all the policies you need in your Aggregate policy.
To reference existing policies in an Aggregate policy
- Go to Workbench > Browse > Organization and select the Policies > Operational Policies folder. The Policies Summary is displayed.
- Find the policy on the list and click to go to the Details page for the policy.
- In the second panel, in the Policy References section, click Modify to reference the first existing policy.
- In the Organization Tree that opens, check the boxes for one or more existing policies, and then click Apply. The policies are added to the Aggregate Policy.
Activating a policy
When you create and configure a policy, the policy is in Draft state. When the policy configuration is complete, activate the policy: click Activate Policy and then confirm. See Activate a Policy.
A policy in Draft state is not available for general use. Once you activate the policy, it is in Active state and is available for use.
Attaching a policy
To use the Aggregate Policy, go to the Policies folder in the respective organization and attach the policy to a web service, binding, or binding operation.