Technology Blogs by SAP

Policy Management

Policies are applied to an API Proxy to customize its behavior. These are preprocessing steps which are run on the SAP API Management layer and not on backend services.

Policies can be broadly classified into the following four categories:

  • Traffic Management Policies
  • Mediation Policies
  • Security Policies
  • Custom Policies

Traffic Management Policies

The traffic management policies let us configure caching, control traffic quotas and spikes, and set concurrent rate limits. Examples of these types of policies are:

  • Cache Policies
  • Concurrent Rate Limit Policy
  • Quota Policy
  • Spike Arrest Policy

Mediation Policies

These policies let us perform message transformation, parsing and validation, and raise faults and alerts. Examples include the following policies:

  • XSL Transformation Policy
  • XML to JSON Policy
  • Fault Rule Policy
  • Key Value Map Operations Policy
  • JSON to XML Policy
  • Assign Message Policy
  • Access Entity Policy
  • Extract Variables Policy

Security Policies

These policies control the security-related aspects of API Proxies. Examples include:

  • Access Control Policy
  • Basic Authentication Policy
  • JSON Threat Protection Policy
  • OAuth Policy
  • Verify API Key Policy

Custom Policies

These policies let us provide custom policy functionality, with support for features such as service callout, message data collection, and calling behavior created in Java, JavaScript and Python. Examples include:

  • JavaScript Policy
  • Message Logging Policy
  • Statistics Collector Policy

How Do Policies Work?

When a policy is added to an API Proxy, it is attached to a specific flow, which defines when the policy is executed. Each request and response path in a proxy endpoint and target endpoint defines the following flows:

  • Pre Flow
    • Always executes before any other flows.
    • The policies defined in the pre flow are applied to every message that passes through an endpoint.
  • Conditional Flows
    • Execute only when a conditional statement defined for the Flow evaluates to true.
    • An endpoint can define any number of conditional Flows, but only the first conditional Flow whose condition evaluates to true executes. That means the policies attached to a conditional Flow execute only when that conditional Flow executes.
  • Post Flow
    • Always executes after all other Flows.
    • Like Pre Flow, the policies defined in the Post Flow are applied to every message.

Add first policy: Verify API Key Policy

Let’s add a policy to an API Proxy.

  • To start with, log in to SAP API Management’s API Portal.
  • Create an API Proxy from the API Portal (refer here for more details).
  • To add the Verify API Key Policy, follow the steps mentioned below:

Click on Launch Policy Designer

Click on PreFlow (in left panel) and then click on Verify API Key among the list of policies (on right side panel).

Enter the policy name and click Add.

The policy is then added. Add the following text in the script area:

<VerifyAPIKey async='true' continueOnError='false' enabled='true' xmlns=''>
    <APIKey ref='request.header.apikey'/>
</VerifyAPIKey>

Then update the policy by clicking Update.

  • The APIKey ref is the key which is used while consuming this API.
  • Since the key is read from a request header, it has to be passed as a request header when consuming the API.
  • Refer here for more details.

The API Proxy will then be updated with the newly added policy. Click Save.

The API Proxy will be updated successfully.
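
Why the Verify API Key Policy is attached to the PreFlow can be seen in a small model of the flow order described under "How Do Policies Work?". This is an added example, not code from SAP API Management or from the original post; the key value, paths, flow names and policy names are constructed, and fault handling is reduced to stopping at the first failing policy.

```javascript
// Simplified model of the flow order described above; not SAP API Management code.
// The key value, paths, flow names and policy names are constructed for illustration.
const KNOWN_KEYS = new Set(["constructed-app-key-123"]);
// Stand-in for VerifyAPIKey with <APIKey ref='request.header.apikey'/>:
// the key is read only from the "apikey" request header (header names lowercased here).
function verifyApiKey(request) {
  const key = request.headers["apikey"];
  if (!key || !KNOWN_KEYS.has(key)) throw new Error("invalid or missing API key");
}
// PreFlow, then the first conditional flow whose condition is true, then PostFlow.
// A policy that throws stops processing; real fault handling is not modelled.
function runRequestFlows(proxy, request) {
  const trace = [];
  const runPolicies = (flowName, policies) => {
    for (const policy of policies) {
      policy.run(request);
      trace.push(`${flowName}:${policy.name}`);
    }
  };
  try {
    runPolicies("PreFlow", proxy.preFlow);
    const matched = proxy.conditionalFlows.find((flow) => flow.condition(request));
    if (matched) runPolicies(matched.name, matched.policies);
    runPolicies("PostFlow", proxy.postFlow);
    return { allowed: true, trace };
  } catch (err) {
    return { allowed: false, trace, fault: err.message };
  }
}

const keyPolicy = { name: "verifyApiKey", run: verifyApiKey };
const noop = (name) => ({ name, run: () => {} });
const isProducts = (request) => request.path.startsWith("/Products");
// Key check in PreFlow: applied to every message.
const keyInPreFlow = {
  preFlow: [keyPolicy],
  conditionalFlows: [
    { name: "products", condition: isProducts, policies: [noop("quota")] },
    { name: "catchAll", condition: () => true, policies: [noop("spikeArrest")] },
  ],
  postFlow: [noop("messageLogging")],
};
// Key check only in a conditional flow: skipped whenever that flow does not run.
const keyInConditionalFlow = { ...keyInPreFlow, preFlow: [],
  conditionalFlows: [{ name: "products", condition: isProducts, policies: [keyPolicy] }] };
const withKey = { path: "/Products", headers: { apikey: "constructed-app-key-123" } };
const noKey = { path: "/Orders", headers: {} };
console.log(runRequestFlows(keyInPreFlow, noKey), runRequestFlows(keyInConditionalFlow, noKey));
```

In the model, the request without a key is rejected when the check sits in the PreFlow, but passes when the same check sits only in a conditional flow whose condition does not match the request.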

Create a Product having this API Proxy

Create a product, adding this newly created API (“CATALOGSERVICE”). Refer here for more details.

Publish this product

Consuming the API

To consume the API via the product, we now need to log in to the developer portal. Once logged in, we will find the newly published API Product there.

Then, an application has to be created using this Product. Refer here for more details.

Open the details of this product and subscribe it to a new application.

Enter application details like name and description, and click Save to create the application. Once created successfully, you will get an appkey and secret for that application.

Testing the API using Verify API Key Policy

  • To test the API, we will be using the SAP API Management’s Test Console. Refer here for more details.
  • Add the proper URL and Authentication (if any) in the Test Console.
  • Add the appkey (which was retrieved while creating application) as the Header and click Send to get the result.

This is how you can create an API proxy with Verify API Key Policy and consume the same.

Related Content

SAP API Management Online Guide
