The policy configuration file includes a pointer to the policy
script, and the configured policies for each component resource. The
following extract of the default policy configuration file shows how
the at-least-X-capitals policy is applied to user
passwords, with a default "numCaps" value of 1.
{
    "type" : "text/javascript",
    "file" : "bin/defaults/script/policy.js",
    "resources" : [
        {
            "resource" : "managed/user/*",
            "properties" : [
                ...
                {
                    "name" : "password",
                    "policies" : [
                        {
                            "policyId" : "required"
                        },
                        {
                            "policyId" : "not-empty"
                        },
                        {
                            "policyId" : "at-least-X-capitals",
                            "params" : {
                                "numCaps" : 1
                            }
                        },
                        ...
                    ]
                }
            ]
        }
    ]
}
The configuration file includes the following properties:

- "type" - specifies the type of policy service. Currently, only "text/javascript" is supported.
- "file" - provides the path to the policy script file, relative to the OpenIDM installation directory.
- "resources" - provides an array of resource objects, in JSON format, that are subject to the policy service. Resource objects are identified by the "resource" parameter, which indicates the URI and supports wildcard syntax. For example, "managed/user/*" indicates that the policy applies to all objects under /managed/user. Each resource object contains a "properties" array, and each entry in that array has the following properties:
  - "name" - the name of the property to which the policies are applied.
  - "policies" - an array of policy objects for that property. Each policy object has the following properties:
    - "policyId" - the ID of the policy that is applied to that property (the key is "policyId", as in the extract above).
    - "params" - any specific parameters that apply to that policy ID, such as "numCaps" for the at-least-X-capitals policy.
You can specify that a particular policy does not apply to users
with specific OpenIDM roles by setting the "exceptRoles"
parameter in the "params" of that policy ID. A user who holds any of the
listed roles is exempt from the policy. For example, the following extract from
policy.json specifies that the re-auth-required policy (reauthorization
required) does not apply to users with the roles
openidm-admin or openidm-reg.
...
{
    "policyId" : "re-auth-required",
    "params" : {
        "exceptRoles" : [
            "openidm-admin",
            "openidm-reg"
        ]
    }
}
...
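The following is an added example, not code from the OpenIDM project or its bin/defaults/script/policy.js, showing how a policy.json-style configuration such as the two extracts above can be evaluated: the "resource" wildcard is matched against the object's URI, each property's "policies" are applied in order with their "params", and a policy whose "exceptRoles" lists a role the user holds is skipped. The policy function signature (object, value, params, property name), the failure object shape, the "roles" property and the "reauthenticated" flag used by the stand-in re-auth-required policy are all assumptions made for this illustration; the policy configuration and sample users are constructed inline.

```javascript
// Added example: a stand-alone evaluator for a policy.json-style configuration.
// This is illustrative code, not OpenIDM's policy service or its policy.js; the
// policy function signature and failure format below are assumptions.

// Constructed configuration mirroring the extracts above (both password policies
// and the exceptRoles example are combined into one property definition).
const policyConfig = {
  type: "text/javascript",
  file: "bin/defaults/script/policy.js",
  resources: [
    {
      resource: "managed/user/*",
      properties: [
        {
          name: "password",
          policies: [
            { policyId: "required" },
            { policyId: "not-empty" },
            { policyId: "at-least-X-capitals", params: { numCaps: 1 } },
            { policyId: "re-auth-required",
              params: { exceptRoles: ["openidm-admin", "openidm-reg"] } },
          ],
        },
      ],
    },
  ],
};

// Hypothetical policy implementations keyed by policyId. Each receives the whole
// object, the property value, the configured params and the property name, and
// returns a list of failures (empty when the value is acceptable).
const policies = {
  "required": (obj, value) =>
    value === undefined ? [{ policyRequirement: "REQUIRED" }] : [],
  "not-empty": (obj, value) =>
    typeof value === "string" && value.length === 0
      ? [{ policyRequirement: "NOT_EMPTY" }] : [],
  "at-least-X-capitals": (obj, value, params) => {
    const text = value === undefined || value === null ? "" : String(value);
    const caps = (text.match(/[A-Z]/g) || []).length;
    return caps < params.numCaps
      ? [{ policyRequirement: "AT_LEAST_X_CAPITAL_LETTERS",
           params: { numCaps: params.numCaps } }]
      : [];
  },
  // Stand-in: the real policy would consult the request context for a recent
  // authentication; here the object carries an assumed "reauthenticated" flag.
  "re-auth-required": (obj) =>
    obj.reauthenticated ? [] : [{ policyRequirement: "REAUTH_REQUIRED" }],
};

// Turn a "resource" pattern such as "managed/user/*" into an anchored RegExp.
// Assumption: "*" matches any run of characters; all other text is literal.
function resourceMatches(pattern, resourceName) {
  const escaped = pattern
    .split("*")
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$").test(resourceName);
}

// Validate obj (addressed by resourceName) against every matching resource.
// A policy whose exceptRoles intersects the user's roles is skipped; the rest
// run in configured order. Returns the accumulated failures, tagged by property.
function validate(config, resourceName, obj) {
  const failures = [];
  const roles = Array.isArray(obj.roles) ? obj.roles : [];
  for (const resource of config.resources) {
    if (!resourceMatches(resource.resource, resourceName)) continue;
    for (const prop of resource.properties) {
      for (const policy of prop.policies) {
        const params = policy.params || {};
        const exceptRoles = params.exceptRoles || [];
        if (exceptRoles.some((r) => roles.includes(r))) continue;
        const fn = policies[policy.policyId];
        if (!fn) throw new Error("unknown policyId: " + policy.policyId);
        for (const f of fn(obj, obj[prop.name], params, prop.name)) {
          failures.push({ property: prop.name, ...f });
        }
      }
    }
  }
  return failures;
}

// Usage: an ordinary user setting a password with no capital letter.
console.log(validate(policyConfig, "managed/user/bjensen",
  { password: "password", roles: ["openidm-authorized"], reauthenticated: true }));
```

Note that the exemption is evaluated per policy, not per user: an openidm-admin user skips only re-auth-required and is still held to the at-least-X-capitals rule on the same property.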

