Policy Properties

A policy's properties are displayed when you create a new policy. You can also view and edit the properties later.
 
Service policies do not have properties visible on the interface. These policies are automatically created when a service is published and only one service policy may exist for a published service. For more information, see Working with Service Policies.
 
To access the properties for a policy:
  1. Do either of the following:
    • Select [Tasks] > Create Policy from the Main Menu.
    • Right-click a policy in the Services and Policies list and then select Policy Properties.
  2. Configure the properties as follows:
    Setting
    Description
    Name
    Enter a name for the policy. This name should readily identify the purpose of the policy (i.e., global, included, or internal). This name is displayed in the Services and Policies list and the policy assertions palette.
    Policy GUID
    This is the Globally Unique Identifier for the policy. It is assigned by the system and cannot be changed.
    Policy ID
    This is the entity ID for the policy. It is assigned by the system and cannot be changed.
    Policy Type
    From the drop-down list, select the type of policy being created:
    • Global Policy Fragment
    • Included Policy Fragment
    • Internal Use Policy
    • Policy-Backed Identity Provider Policy Fragment
    • Policy-Backed Service Operation Policy Fragment
    Each policy type is identified by an icon in the Services and Policies list.
    For a description of each type, see Create a Policy or Policy Fragment.
    Only users with the role of 'Administrator' can create a policy.
    The Internal Use Policy option is available only when an internal service has been published.
    For a shortcut method for creating an Included Policy Fragment, see Policy Fragment Shortcut.
    Policy Tag
    This tag further specifies the purpose of the policy based on the selected Policy Type:
    • For Global Policy Fragment:
      The tag indicates when the global policy fragment should be executed:
      • message-received:
        Global policy runs on receipt of a message before service resolution
      • pre-security:
        Global policy runs before (request) security undecoration
      • pre-service:
        Global policy runs before the service policy
      • post-service:
        Global policy runs after the service policy
      • post-security:
        Global policy runs after (response) security decoration
      • message-completed:
        Global policy runs when processing for a message completes (even on policy failure/exception, service not resolved, etc.)
    • For Included Policy Fragment:
      Policy tags are not used for this policy type.
    • For Internal Use Policy:
      The tag specifies which type of internal service can use the policy:
      • wsdm-notification:
        The policy is eligible to be selected as a notification policy from the Subscribe to WSDM Resource Assertion.
      • audit-message-filter:
        The policy is an Audit Message Filter (AMF) policy. For more information on this type of policy, see Working with Internal Use Policies.
      • audit-viewer:
        The policy is an Audit Viewer (AV) policy. For more information on this type of policy, see "Working with Internal Use Policies".
    • For Policy-Backed Identity Provider Policy Fragment:
      This tag specifies the intended use for the policy-backed identity provider fragment. There is one predefined tag for this policy type ("password-auth").
    • For Policy-Backed Service Operation Policy Fragment:
      The tag specifies the intended use for the policy-backed service operation fragment. There is currently one tag for this policy type:
      • com.l7tech.objectmodel.polback.BackgroundTask:
        The policy fragment can be used in scheduled tasks.
    The policy tags will be evaluated in the order shown above. For more information about global policies, see Working with Global Policy Fragments.
    The policy tag is displayed next to the policy name in the Services & Policies list on the Policy Manager interface.
    Intended for SOAP services
    Indicates whether the policy can be used in SOAP-only policies or in both SOAP and non-SOAP policies:
    • If the policy will contain assertions that require SOAP, select the Intended for SOAP services check box. The policy validator will issue a warning if anyone attempts to use the policy in a non-SOAP policy. Selecting this check box does not enforce the presence of SOAP-only assertions in the policy (in other words, the validator will not alert you if you have not added a SOAP-only assertion to the policy). For more information, see "Assertions that Require SOAP" under Working with Non-XML Messages.
      For SOAP-only assertions, an error occurs only when a non-SOAP request is received.
    • If the policy is intended for use in both SOAP and non-SOAP policies, clear this check box. The policy validator will issue a warning if you attempt to add a SOAP-only assertion to the policy.
      The Intended for SOAP services check box only controls the validator warnings. It does not affect how the policy functions at policy runtime. Normal policy logic still applies.
    Security Zone (for "Included Policy Fragment" only)
    Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone".
    For more information about security zones, see Understanding Security Zones.
    This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
    A policy may allow entities that are not members of its security zone to be added and edited, but validation will prevent unpermitted entities from being saved. For example, it is possible to paste policy XML for assertions that are not part of a policy's security zone. While authoring, you are not prevented from editing these assertions. However, these unpermitted assertions will be detected during policy validation when you attempt to save the policy.
  3. Click [OK].