Policy management consists of creating, deleting, and modifying policy objects within a SiteMinder policy store. Through the Policy Management API, you can perform most of the data manipulations that you can perform through the native Policy Server User Interface. For example, you can write a client application that allows administrators to perform tasks such as:

Creating a policy domain
Creating an Agent object
Creating an Agent configuration object
Creating a host configuration object
Registering a trusted host
Creating a SiteMinder user directory object
Creating an authentication scheme object
Creating an administrator
Creating a realm
Adding a realm to a policy domain
Creating a rule
Creating a response
Creating a policy
Adding a user or group to a policy
Adding a rule to a policy
Setting responses for rules in a policy
Migrating an entire policy store or an individual policy domain remotely

Policy Management Setup

To run applications built with the Policy Management API:

Use the Policy Server Management Console to configure the Policy Server so that it points to the policy store you want to access.
Run your Policy Management application on the same machine as the Policy Server or on a machine that has network access to the Policy Server.

Note: If an application built with the Policy Management API runs on the same machine as the Policy Server, the application must run as the same user who installed the Policy Server (for example, smuser on UNIX platforms).

Required JAR File

The JAR file smjavasdk2.jar is required for building and running Policy Management applications. The JAR file is stored in the following locations:

Windows platforms:
<install_path>\sdk\java
UNIX platforms:
<install_path>/sdk/java

Policy Store Objects

Interface SmPolicyApi is implemented by the class SmPolicyApiImpl. Use this class as the starting point for the Policy Management API. Each policy store object is associated with a class in the Policy Management API. You create and manage policy store objects through the methods in an object’s class.

Policy store objects can be classified according to scope:

Domain objects are visible only within the domain. They cannot be shared between domains.
Global objects are visible across all domains.
Global objects are sometimes called system objects.

Global objects include:

Administrators
Agent types
Agents and agent groups
Agent Configuration objects
Host Configuration objects
Trusted Hosts
Authentication schemes
Authentication/authorization maps
Certificate maps
Domains
ODBC query schemes
Password policies
Registration schemes
User directories

Domain objects include:

Policies
Realms
Responses and response groups
Response attributes
Rules and rule groups
User policies

When you are working in the Policy Server user interface, you will see most of the above objects listed in the System and Domain tabs of the SiteMinder Administration window.

Note: Descriptions in the Javadoc reference specify whether an object has global scope or domain scope.

Write a Policy Management Application

To write a Policy Management application

Establish a Connection to the Policy Server
Obtain a Session Object
Pass in the Session Object
Make Policy Management API Requests
Terminate the Administrator Session

The SiteMinder SDK contains a sample of how to use the classes and methods in the Java Policy Management API.

Establish a Connection to the Policy Server

To establish a connection to the Policy Server, use the SmApiConnection class of the Utilities package. This class holds the Agent API handle through which Java API requests are sent.

There are two types of connection handles in this class:

A default connection handle. A default connection handle:
- Represents a single instance of an Agent API object.
- Is static across the process.
- Allows connections to the Agent API object from both Policy Management and DMS clients.
You can establish multiple connections to the Policy Server through the single Agent API object instance.
A user-defined connection handle. You can create multiple user-defined connection objects; each one can support multiple connections to the Policy Server.

Obtain a Session Object

A session object is obtained when a user or administrator successfully logs in. In this case, an administrator login is required, since only administrators can perform policy management.

To log in a SiteMinder administrator and establish an administrator session, call the login() method in the SmApiSession class of the Utilities package.

Once login is successful, the session object will hold a valid administrator session specification.

Pass in the Session Object

After obtaining a valid session, create a Policy Management API object by passing the session to the constructor of the SmPolicyApiImpl class—for example:

SmPolicyApi policyApi = new SmPolicyApiImpl (apiSession);

In the example, policyApi is the new Policy Management API object and apiSession is the session obtained when the administrator successfully logged in.

Make Policy Management API Requests

After you obtain a session object and create a Policy Management API object, you are ready to make Policy Management requests. Most of the methods in the Policy Management API are categorized according to the SiteMinder object that a given method acts upon—for example, agents, policies, and rules.

There is also a Utilities category for methods that perform services, such as cache and encryption key management. Use these categories to help you find a particular Policy Management API method to use in your custom policy management applications.

Note: The methods in the policyapi package can only be called from a Siteminder administrator session.

Terminate the Administrator Session

When you are finished making Policy Management API requests, log out the administrator by calling the logout() method in the SmApiSession class of the Utilities package.

Important! After you have called the logout() method, the connection handle becomes invalid. Do not reference it again.

Administrator Methods

Unless otherwise specified, the following methods are in the class SmPolicyApiImpl. The following methods act on administrator objects. You create an administrator object by instantiating SmAdmin.

Method	Description
addAdmin()	Adds an administrator object to the policy store.
addAdminToDomain()	Associates an administrator with a domain.
deleteAdmin()	Deletes an administrator.
getAdmin()	Gets the contents of an administrator.
getAdminUserDirs()	Gets a list of user directories that an administrator can manage.
modifyAdmin()	Modifies an administrator.
removeAdminFromDomain()	Disassociates an administrator from a domain.

Agent Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on agent objects. You create an agent object by instantiating SmAgent.

Method	Description
addAgent()	Adds an agent object to the policy store.
deleteAgent()	Deletes an agent.
getAgent()	Gets the contents of an agent.
modifyAgent()	Modifies an agent.

Agent Configuration Object Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on agent configuration objects. You define an agent configuration object by instantiating SmAgentConfig.

Method	Description
addAgentConfig()	Adds an agent configuration object to the policy store.
deleteAgentConfig()	Deletes an agent configuration object.
getAgentConfig()	Gets the contents of an agent configuration object.
modifyAgentConfig()	Modifies an agent configuration object.

Authentication and Authorization Map Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on authentication and authorization directory mapping objects. You create an authentication and authorization directory mapping object by instantiating SmAuthAzMap.

Method	Description
addAuthAzMap()	Adds an authentication and authorization directory mapping object to the policy store.
deleteAuthAzMap()	Deletes an authentication and authorization directory mapping object.
getAuthAzMap()	Gets the contents of an authentication and authorization directory mapping object.
modifyAuthAzMap()	Modifies an authentication and authorization directory mapping object.

Authentication Scheme Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on authentication schemes. You create an authentication scheme by instantiating SmScheme.

Method	Description
addScheme()	Adds an authentication scheme to the policy store.
deleteScheme()	Deletes an authentication scheme.
getScheme()	Gets the contents of an authentication scheme.
modifyScheme()	Modifies an authentication scheme.

Certificate Map Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on certificate mapping objects. You create certificate mapping objects by instantiating SmCertMap.

Method	Description
addCertMap()	Adds a certificate mapping object to the policy store.
deleteCertMap()	Deletes a certificate mapping object.
getCertMap()	Gets the contents of a certificate mapping object.
modifyCertMap()	Modifies a certificate mapping object.

Domain Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on domain objects. You create domain objects by instantiating SmDomain.

Method	Description
addDomain()	Adds a domain object to the policy store.
deleteDomain()	Deletes a domain.
getDomain()	Gets the contents of a domain.
getDomainObject()	Gets a domain object for the specified object name or OID.
getDomainObjectNames()	Gets a list of domain objects within a domain.
isDomainObject()	Indicates whether an object is a domain object. In classes SmObjectImpl, SmDomainObjectImpl.
modifyDomain()	Modifies a domain.

General Object Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on multiple types of objects.

Method	Description
getGlobalObjectNames()	Gets a list of global objects.
getObject()	Gets a global object for the specified object name or OID.
getOid()	Retrieves an object identifier for an object. In class SmObjectImpl.
isWriteable()	Specifies whether an object is writeable. In classes SmAgentType, SmDomainObjectImpl, and SmObjectImpl.
renameObject()	Renames an object.

Group Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on group objects. Group objects are created with SmAgentGroup (for agent groups), SmResponseGroup (for response groups), or SmRuleGroup (for rule groups).

Method	Description
addGroup()	Adds an agent, response, or rule group to the policy store.
addToGroup()	Adds a group element of type rule, response, or agent to the specified group.
deleteGroup()	Deletes an existing group.
getGroup()	Gets the contents of an existing group.
getGroupMembers()	Get a list of groups of all types.
modifyGroup()	Modify a group.
removeFromGroup()	Removes a group element from a group.

Host Configuration Object Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on host configuration objects. You define a host configuration object by instantiating SmHostConfig.

Method	Description
addHostConfig()	Adds a host configuration object to the policy store.
deleteHostConfig()	Deletes a host configuration object.
getHostConfig()	Gets the contents of a host configuration object.
modifyHostConfig()	Modifies a host configuration object.

ODBC Query Scheme Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on ODBC Query schemes. You create ODBC Query schemes by instantiating SmODBCQuery.

Method	Description
addODBCQuery()	Adds an ODBC query object to the policy store.
deleteODBCQuery()	Deletes an ODBC query object.
getODBCQuery()	Gets the contents of an ODBC query object.
modifyODBCQuery()	Modifies an ODBC query object.

Password Policy Methods

Unless otherwise specified, the methods listed in this table are in the class SmPolicyApiImpl. The following methods act on password policy objects. You create password policy objects by instantiating SmPasswordPolicy.

Method	Description
addPasswordPolicy()	Adds a password policy object to the policy store.
deletePasswordPolicy()	Deletes a password policy.
getPasswordPolicy()	Gets the contents of a password policy.
isEnabled()	Specifies whether the password policy is enabled. In class SmPasswordPolicy.
isEntireDir()	Specifies whether the password policy applies to the entire directory. In class SmPasswordPolicy.
modifyPasswordPolicy()	Modifies a password policy.

Policy Methods

The following methods act on policy and policy link objects. A policy link is an association of a policy, a rule, and optionally, a response. Unless otherwise specified, these methods are in the class SmPolicyApiImpl.

Policy objects are created with SmPolicy. Policy link objects are created with SmPolicyLink.

Method	Description
addPolicy()	Adds a policy object to the policy store.
addPolicyLink()	Adds a policy link to a policy.
deletePolicy()	Deletes the policy associated with the specified domain.
deletePolicyLink()	Removes a policy link from a policy.
getPolicy()	Gets the contents of a policy.
getPolicyLinks()	Gets all of the policy links for the specified policy and domain.
modifyPolicy()	Modify the policy associated with the specified domain.
modifyPolicyLink()	Modifies the specified policy link.