Access control policies endpoint
NOTE
If a user token is being passed, then the user of the token must have an “org admin” role for the requested org.
Access control policies are statements that bring attributes together to establish permissible and impermissible actions. These policies can either be local or global, and can override other policies. The /policies endpoint in the attribute-based access control API allows you to programmatically manage policies, including information on the rules that govern them as well as their respective subject conditions.
IMPORTANT
This endpoint is not to be confused with the
/policies endpoint in the Policy Service API, which is used to manage data usage policies.Getting started
The API endpoint used in this guide is part of the attribute-based access control API. Before continuing, please review the getting started guide for links to related documentation, a guide to reading the sample API calls in this document, and important information regarding required headers that are needed to successfully make calls to any Experience Platform API.
Retrieve a list of policies list
Make a GET request to the /policies endpoint to list all existing policies in your organization.
API format
GET /policies
Request
The following request retrieves a list of existing policies.
curl -X GET \
https://platform.adobe.io/data/foundation/access-control/administration/policies \
-H 'Authorization: Bearer {ACCESS_TOKEN}' \
-H 'x-api-key: {API_KEY}' \
-H 'x-gw-ims-org-id: {IMS_ORG}' \
Response
A successful response returns a list of existing policies.
{
{
"id": "7019068e-a3a0-48ce-b56b-008109470592",
"imsOrgId": "{IMS_ORG}",
"createdBy": "{CREATED_BY}",
"createdAt": 1652892767559,
"modifiedBy": "{MODIFIED_BY}",
"modifiedAt": 1652895736367,
"name": "schema-field",
"description": "schema-field",
"status": "inactive",
"subjectCondition": null,
"rules": [
{
"effect": "Deny",
"resource": "/orgs/{IMS_ORG}/sandboxes/xql/schemas/*/schema-fields/*",
"condition": "{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}",
"actions": [
"com.adobe.action.read",
"com.adobe.action.write",
"com.adobe.action.view"
]
},
{
"effect": "Permit",
"resource": "/orgs/{IMS_ORG}/sandboxes/*/schemas/*/schema-fields/*",
"condition": "{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}",
"actions": [
"com.adobe.action.delete"
]
},
{
"effect": "Deny",
"resource": "/orgs/{IMS_ORG}/sandboxes/delete-sandbox-adfengine-test-8/segments/*",
"condition": "{\"!\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"custom/\",{\"var\":\"resource.labels\"}]}]}",
"actions": [
"com.adobe.action.write"
]
}
],
"_etag": "\"0300593f-0000-0200-0000-62852ff80000\""
},
{
"id": "13138ef6-c007-495d-837f-0a248867e219",
"imsOrgId": "{IMS_ORG}",
"createdBy": "{CREATED_BY}",
"createdAt": 1652859368555,
"modifiedBy": "{MODIFIED_BY}",
"modifiedAt": 1652890780206,
"name": "Documentation-Copy",
"description": "xyz",
"status": "active",
"subjectCondition": null,
"rules": [
{
"effect": "Permit",
"resource": "orgs/{IMS_ORG}/sandboxes/ro-sand/schemas/*/schema-fields/*",
"condition": "{\"!\":[{\"or\":[{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"!\":[{\"and\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}]}]}]}]}",
"actions": [
"com.adobe.action.read"
]
},
{
"effect": "Deny",
"resource": "orgs/{IMS_ORG}/sandboxes/*/segments/*",
"condition": "{\"!\":[{\"or\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"custom/\",{\"var\":\"resource.labels\"}]}]}]}",
"actions": [
"com.adobe.action.read"
]
}
],
"_etag": "\"0300d43c-0000-0200-0000-62851c9c0000\""
},
}
Property
Description
idThe ID that corresponds with a policy. This identifier is auto-generated and can be used to lookup, update, and delete a policy.
imsOrgIdThe organization where the queried policy is accessible.
createdByThe ID of the user who created the policy.
createdAtThe time when the policy was created. The
createdAt property is displayed in unix epoch timestamp.modifiedByThe ID of the user who last updated the policy.
modifiedAtThe time when the policy was last updated. The
modifiedAt property is displayed in unix epoch timestamp.nameThe name of the policy.
description(Optional) A property that can be added to provide further information on a particular policy.
statusThe current status of a policy. This property defines whether a policy is currently
active or inactive.subjectConditionThe conditions applied to a subject. A subject is a user with certain attributes requesting access to a resource to perform an action. In this case,
subjectCondition are query-like conditions applied to the subject attributes.rulesThe set of rules that define a policy. Rules define which attribute combinations are authorized in order for the subject to successfully perform an action to the resource.
rules.effectThe effect that results after considering values for
action, condition and resource. Possible values include: permit, deny, or indeterminate.rules.resourceThe asset or object that a subject can or can’t access. Resources can be files, applications, servers, or even APIs.
rules.conditionThe conditions applied to a resource. For example, if a resource is a schema, then a schema can have certain labels applied to it that contribute to whether an action against that schema is permissible or impermissible.
rules.actionThe action that a subject is permitted to do against a queried resource. Possible values include:
read, create, edit, and delete.Look up policy details by ID lookup
Make a GET request to the /policies endpoint while providing a policy ID in the request path to retrieve information about that individual policy.
API format
GET /policies/{POLICY_ID}
Parameter
Description
The ID of the policy you want to retrieve.
Request
The following request retrieves information about an individual policy.
curl -X GET \
https://platform.adobe.io/data/foundation/access-control/administration/policies/13138ef6-c007-495d-837f-0a248867e219 \
-H 'Authorization: Bearer {ACCESS_TOKEN}' \
-H 'x-api-key: {API_KEY}' \
-H 'x-gw-ims-org-id: {IMS_ORG}' \
Response
A successful request returns information on the queried policy ID.
{
"policies": [
{
"id": "7019068e-a3a0-48ce-b56b-008109470592",
"imsOrgId": "5555467B5D8013E50A494220@AdobeOrg",
"createdBy": "example@AdobeID",
"createdAt": 1652892767559,
"modifiedBy": "example@AdobeID",
"modifiedAt": 1652895736367,
"name": "schema-field",
"description": "schema-field",
"status": "inactive",
"subjectCondition": null,
"rules": [
{
"effect": "Deny",
"resource": "/orgs/5555467B5D8013E50A494220@AdobeOrg/sandboxes/xql/schemas/*/schema-fields/*",
"condition": "{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}",
"actions": [
"com.adobe.action.read",
"com.adobe.action.write",
"com.adobe.action.view"
]
},
{
"effect": "Permit",
"resource": "/orgs/5555467B5D8013E50A494220@AdobeOrg/sandboxes/*/schemas/*/schema-fields/*",
"condition": "{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}",
"actions": [
"com.adobe.action.delete"
]
},
{
"effect": "Deny",
"resource": "/orgs/5555467B5D8013E50A494220@AdobeOrg/sandboxes/delete-sandbox-adfengine-test-8/segments/*",
"condition": "{\"!\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"custom/\",{\"var\":\"resource.labels\"}]}]}",
"actions": [
"com.adobe.action.write"
]
}
],
"etag": "\"0300593f-0000-0200-0000-62852ff80000\""
}
]
}
Property
Description
idThe ID that corresponds with a policy. This identifier is auto-generated and can be used to lookup, update, and delete a policy.
imsOrgIdThe organization where the queried policy is accessible.
createdByThe ID of the user who created the policy.
createdAtThe time when the policy was created. The
createdAt property is displayed in unix epoch timestamp.modifiedByThe ID of the user who last updated the policy.
modifiedAtThe time when the policy was last updated. The
modifiedAt property is displayed in unix epoch timestamp.nameThe name of the policy.
description(Optional) A property that can be added to provide further information on a particular policy.
statusThe current status of a policy. This property defines whether a policy is currently
active or inactive.subjectConditionThe conditions applied to a subject. A subject is a user with certain attributes requesting access to a resource to perform an action. In this case,
subjectCondition are query-like conditions applied to the subject attributes.rulesThe set of rules that define a policy. Rules define which attribute combinations are authorized in order for the subject to successfully perform an action to the resource.
rules.effectThe effect that results after considering values for
action, condition and resource. Possible values include: permit, deny, or indeterminate.rules.resourceThe asset or object that a subject can or can’t access. Resources can be files, applications, servers, or even APIs.
rules.conditionThe conditions applied to a resource. For example, if a resource is a schema, then a schema can have certain labels applied to it that contribute to whether an action against that schema is permissible or impermissible.
rules.actionThe action that a subject is permitted to do against a queried resource. Possible values include:
read, create, edit, and delete.Create a policy create
To create a new policy, make a POST request to the /policies endpoint.
API format
POST /policies
Request
The following request creates a new policy named: acme-integration-policy.
curl -X POST \
https://platform.adobe.io/data/foundation/access-control/administration/policies \
-H 'Authorization: Bearer {ACCESS_TOKEN}' \
-H 'x-api-key: {API_KEY}' \
-H 'x-gw-ims-org-id: {IMS_ORG}'
-d'{
"name": "acme-integration-policy",
"description": "Policy for ACME",
"imsOrgId": "{IMS_ORG}",
"rules": [
{
"effect": "Permit",
"resource": "/orgs/{IMS_ORG}/sandboxes/*",
"condition": "{\"or\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"!\":[{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}]}]}",
"actions": [
"com.adobe.action.read"
]
}
]
}'
Parameter
Description
nameThe name of the policy.
description(Optional) A property that can be added to provide further information on a particular policy.
imsOrgIdThe organization that contains the policy.
rulesThe set of rules that define a policy. Rules define which attribute combinations are authorized in order for the subject to successfully perform an action to the resource.
rules.effectThe effect that results after considering values for
action, condition and resource. Possible values include: permit, deny, or indeterminate.rules.resourceThe asset or object that a subject can or can’t access. Resources can be files, applications, servers, or even APIs.
rules.conditionThe conditions applied to a resource. For example, if a resource is a schema, then a schema can have certain labels applied to it that contribute to whether an action against that schema is permissible or impermissible.
rules.actionThe action that a subject is permitted to do against a queried resource. Possible values include:
read, create, edit, and delete.Response
A successful request returns the newly created policy, including its unique policy ID and associated rules.
{
"id": "c3863937-5d40-448d-a7be-416e538f955e",
"imsOrgId": "{IMS_ORG}",
"createdBy": "{CREATED_BY}",
"createdAt": 1652988384458,
"modifiedBy": "{MODIFIED_BY}",
"modifiedAt": 1652988384458,
"name": "acme-integration-policy",
"description": "Policy for ACME",
"status": "active",
"subjectCondition": null,
"rules": [
{
"effect": "Permit",
"resource": "/orgs/{IMS_ORG}/sandboxes/*",
"condition": "{\"or\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"!\":[{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}]}]}",
"actions": [
"com.adobe.action.read"
]
}
],
"_etag": null
}
Property
Description
idThe ID that corresponds with a policy. This identifier is auto-generated and can be used to lookup, update, and delete a policy.
nameThe name of a policy.
rulesThe set of rules that define a policy. Rules define which attribute combinations are authorized in order for the subject to successfully perform an action to the resource.
rules.effectThe effect that results after considering values for
action, condition and resource. Possible values include: permit, deny, or indeterminate.rules.resourceThe asset or object that a subject can or can’t access. Resources can be files, applications, servers, or even APIs.
rules.conditionThe conditions applied to a resource. For example, if a resource is a schema, then a schema can have certain labels applied to it that contribute to whether an action against that schema is permissible or impermissible.
rules.actionThe action that a subject is permitted to do against a queried resource. Possible values include:
read, create, edit, and delete.Update a policy by policy ID put
To update the rules of an individual policy, make a PUT request to the /policies endpoint while providing the ID of the policy that you want to update in the request path.
API format
PUT /policies/{POLICY_ID}
Parameter
Description
The ID of the policy you want to update.
Request
curl -X PUT \
https://platform.adobe.io/data/foundation/access-control/administration/policies/8cf487d7-3642-4243-a8ea-213d72f694b9 \
-H 'Authorization: Bearer {ACCESS_TOKEN}' \
-H 'x-api-key: {API_KEY}' \
-H 'x-gw-ims-org-id: {IMS_ORG}'
-d'{
"id": "8cf487d7-3642-4243-a8ea-213d72f694b9",
"imsOrgId": "{IMS_ORG}",
"name": "test-2",
"rules": [
{
"effect": "Deny",
"resource": "/orgs/{IMS_ORG}/sandboxes/*",
"condition": "{\"or\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"!\":[{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}]}]}",
"actions": [
"com.adobe.action.read"
]
}
]
}'
Response
A successful response returns the updated policy.
{
"id": "8cf487d7-3642-4243-a8ea-213d72f694b9",
"imsOrgId": "{IMS_ORG}",
"createdBy": "{CREATED_BY}",
"createdAt": 1652988866647,
"modifiedBy": "{MODIFIED_BY}",
"modifiedAt": 1652989297287,
"name": "test-2",
"description": null,
"status": "active",
"subjectCondition": null,
"rules": [
{
"effect": "Deny",
"resource": "/orgs/{IMS_ORG}/sandboxes/*",
"condition": "{\"or\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"!\":[{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}]}]}",
"actions": [
"com.adobe.action.read"
]
}
],
"_etag": null
}
Update policy properties patch
To update the properties of an individual policy, make a PATCH request to the /policies endpoint while providing the ID of the policy that you want to update in the request path.
API format
PATCH /policies/{POLICY_ID}
Parameter
Description
The ID of the policy you want to update.
Request
The following request replaces the value of /description in policy ID c3863937-5d40-448d-a7be-416e538f955e.
curl -X PATCH \
https://platform.adobe.io/data/foundation/access-control/administration/policies/c3863937-5d40-448d-a7be-416e538f955e \
-H 'Authorization: Bearer {ACCESS_TOKEN}' \
-H 'x-api-key: {API_KEY}' \
-H 'x-gw-ims-org-id: {IMS_ORG}'
-d'{
"operations": [
{
"op": "replace",
"path": "/description",
"value": "Pre-set policy to be applied for ACME"
}
]
}'
Operations
Description
opThe operation call used to define the action needed to update the role. Operations include:
add, replace, and remove.pathThe path of the parameter to be updated.
valueThe new value you want to update your parameter with.
Response
A successful response returns the queried policy ID with updated description.
{
"id": "c3863937-5d40-448d-a7be-416e538f955e",
"imsOrgId": "{IMS_ORG}",
"createdBy": "acp_accessControlService",
"createdAt": 1652988384458,
"modifiedBy": "acp_accessControlService",
"modifiedAt": 1652988384458,
"name": "acme-integration-policy",
"description": "Pre-set policy to be applied for ACME",
"status": "active",
"subjectCondition": null,
"rules": [
{
"effect": "Permit",
"resource": "/orgs/{IMS_ORG}/sandboxes/*",
"condition": "{\"or\":[{\"adobe.match_any_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]},{\"!\":[{\"adobe.match_all_labels_by_prefix\":[{\"var\":\"subject.roles.labels\"},\"core/\",{\"var\":\"resource.labels\"}]}]}]}",
"actions": [
"com.adobe.action.read"
]
}
],
"_etag": null
}
Delete a policy delete
To delete a policy, make a DELETE request to the /policies endpoint while providing the ID of the policy you want to delete.
API format
DELETE /policies/{POLICY_ID}
Parameter
Description
The ID of the policy you want to delete.
Request
The following request deletes the policy with the ID of c3863937-5d40-448d-a7be-416e538f955e.
curl -X DELETE \
https://platform.adobe.io/data/foundation/access-control/administration/policies/c3863937-5d40-448d-a7be-416e538f955e \
-H 'Authorization: Bearer {ACCESS_TOKEN}' \
-H 'x-api-key: {API_KEY}' \
-H 'x-gw-ims-org-id: {IMS_ORG}' \
Response
A successful response returns HTTP status 204 (No Content) and a blank body.
You can confirm the deletion by attempting a lookup (GET) request to the policy. You will receive an HTTP status 404 (Not Found) because the policy has been removed from the administration.
recommendation-more-help
631fcab2-5cb1-46ef-ba66-fe098ac723e0