API Gateway 10.11 | Using API Gateway | Policies | Managing Scope-level Policies
 
Managing Scope-level Policies
 
Creating a Scope-level Policy
Viewing List of Scope-level Policies and Policy Details
Modifying Scope-level Policy Details
Deleting a Scope-level Policy
You can define policies at the API-level or scope-level for an API. API-level policies are processed for all incoming requests to the API. Scope-level policies are processed only for incoming requests that apply to a specific scope in the API. If the same policy is defined at both levels, the policy defined at the scope-level overrides the one specified at the API-level. In contrast, the API-level policies do not affect the scope-level policies. However, if policies are applied to the API at the global-level (through a global policy), those policies override every other policy configured at the API-level.
The scope-level policies for an API provide granular enforcement of policies at the resource-level, method-level, or both for a REST API, or at the operation-level for a SOAP API.
Note:
Scope-level policies are not supported for OData APIs.
An API can have zero or more scope-level policies. When you define the scope-level policies for an API, keep the following points in mind:
* For a policy (for example, Identify & Authorize) that can appear only once in an API, if the same policy is already applied through the API details page, API Gateway prompts you with a warning message that the scope-level policy takes precedence over the API-level policy, and is enforced on the API at run-time.
* For a policy (for example, Monitor SLA) that can appear multiple times in an API, if the same policy is already applied to the API through a global policy, API Gateway prompts you with a warning message that the global policy takes precedence over the scope-level policy, and is enforced on the API at run-time.
* If a resource, method, or operation has the same policy (for example, Require HTTP / HTTPS) applied through different scopes, API Gateway prompts you with an error message and sets the focus to the conflicting policies. You must remove the required policy from the individual scope(s) to resolve the conflicts.
API Gateway supports scope-level policies only for the following stages:
* Identify and Access: All policies in this stage are supported.
* Request Processing: Only Data Masking policy in this stage is supported.
* Traffic Monitoring: All policies in this stage are supported.
* Response Processing: Only Data Masking policy in this stage is supported.
* Error Handling: Only Data Masking policy in this stage is supported.
For information on the usage scenarios of policies configured for the scopes of an API, see Example: Usage Scenarios of API Scopes.
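The precedence, conflict, and supported-stage rules described above can be checked against a policy plan before it is configured in the gateway. The following Python lint is an added example, not API Gateway code: the dict layout, the `lint` function, and the sample scopes are assumptions constructed for illustration, and it treats any policy present in both a global policy and a scope as overridden by the global policy (the page states this for policies that can appear multiple times, such as Monitor SLA).

```python
from collections import defaultdict

# Stages usable at scope level: None = every policy in the stage, else the allowed names.
SCOPE_STAGES = {
    "Identify and Access": None,
    "Traffic Monitoring": None,
    "Request Processing": {"Data Masking"},
    "Response Processing": {"Data Masking"},
    "Error Handling": {"Data Masking"},
}

SAMPLE = {  # constructed input; this layout is an assumption, not a gateway export format
    "api_policies": [("Identify and Access", "Identify & Authorize")],
    "global_policies": [("Traffic Monitoring", "Monitor SLA")],
    "scopes": [
        {"name": "read", "targets": ["GET /orders"],
         "policies": [("Identify and Access", "Identify & Authorize"),
                      ("Traffic Monitoring", "Monitor SLA")]},
        {"name": "write", "targets": ["GET /orders", "POST /orders"],
         "policies": [("Identify and Access", "Identify & Authorize"),
                      ("Request Processing", "Request Transformation")]},
    ],
}

def lint(api):
    """Return sorted (severity, message) findings for a constructed API description."""
    findings = []
    api_level = {p for _, p in api["api_policies"]}
    global_level = {p for _, p in api["global_policies"]}
    seen = defaultdict(set)  # (resource/method target, policy) -> scopes applying it
    for scope in api["scopes"]:
        for stage, policy in scope["policies"]:
            allowed = SCOPE_STAGES.get(stage, set())  # unknown stage: nothing allowed
            if allowed is not None and policy not in allowed:
                findings.append(("ERROR", f"{scope['name']}: {policy} ({stage}) is not supported at scope level"))
                continue
            if policy in global_level:  # global policy wins over the scope-level one
                findings.append(("WARN", f"{scope['name']}: global policy overrides {policy}"))
            elif policy in api_level:   # scope-level policy wins over the API-level one
                findings.append(("WARN", f"{scope['name']}: {policy} overrides the API-level policy"))
            for target in scope["targets"]:
                seen[(target, policy)].add(scope["name"])
    for (target, policy), scopes in seen.items():
        if len(scopes) > 1:  # same policy reaches one target through different scopes
            findings.append(("ERROR", f"{target}: {policy} applied through scopes {sorted(scopes)}"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, message in lint(SAMPLE):
        print(severity, message)
```

The warnings matter for review: they mark the requests where the authentication or monitoring policy actually enforced at run-time differs from the one a reader of the API details page would expect.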