Managing Global Policies

Edit online
Important: API Gateway's Standard Edition License does not support the functionality of Global Policies. You can create and manage global policies only using the Advanced Edition License.

Global policies are a set of policies that are associated globally to all APIs or the selected set of APIs. Global policies are supported for SOAP and REST APIs but not supported for GraphQL API.

By associating policies globally to all APIs or the selected set of APIs, the administrator can ensure that a set of policies is applied to the selected APIs by default. The administrator can, for example, define a global policy that attaches a WS-Security (WSS) authentication to all SOAP API endpoints within a specific IP range. In this case, any client request from the specific IP range automatically inherits the security configuration defined in the global policy for SOAP APIs.

Global Policy Matrix

This table lists the stage-specific policies that can be configured as global policy for different types of APIs at the global level.
Note: The Policy configuration page displays only the policies that are common to one or more API types selected in the global policy filter.
Stages Policies
Transport
  • Enable HTTP/HTTPS - This policy can be enforced for all types of API. But the SOAP versions 1.1 and 1.2 are applicable only for SOAP-based APIs. The SOAP 1.1 and SOAP 1.2 sub types are not available in UI when the REST and ODATA APIs are selected.
    Note: Software AG recommends to create a separate policy for each API type.
  • Set Media Type - This policy is applicable only for a REST request and the policy name is not listed in Policy configuration page when the SOAP and ODATA APIs are selected.
  • Enable JMS/AMQP - This policy is applicable only for SOAP APIs and the policy name is not listed in Policy configuration page when the REST and ODATA APIs are selected.
Identity & Access
  • Authorize User, Identify & Authorize - These policies can be enforced to any API Type.
  • Inbound Auth - Message - This policy is applicable only for SOAP-based APIs and the policy name is not listed in Policy configuration page when the REST and ODATA APIs are selected.
Request Processing
  • Invoke webMethods IS, Validate API Specification, Data Masking - These policies can be enforced to any API Type.
  • Request Transformation - This policy is applicable only for SOAP and REST APIs. and not for ODATA services. When all three API types are selected, Request Transformation policy cannot be applied at the global level.
Routing
  • Custom HTTP Header, Outbound Auth - Transport, Outbound Auth - Message. The Routing stage policies can be applied at a global level for all types of API.
Traffic Monitoring
  • Log Invocation, Monitor Performance, Monitor SLA, Traffic Optimization, and Service Result Cache. The Traffic Monitoring stage policies can be applied at a global level for all types of API.
Response Processing
  • Invoke webMethods IS, Validate API Specification, Data Masking - These policies can be enforced to any API Type.
  • Response Transformation - This policy can be enforced only for SOAP and REST APIs and the policy name is not listed in Policy configuration page when ODATA API type is selected.
  • CORS - This policy can be enforced only for REST and ODATA APIs and the policy name is not listed in Policy configuration page when SOAP-based API is selected.
Error handling

Conditional Error Processing and Data Masking. The Error handling stage policies can be applied at a global level for all types of API.