API policies are rules that you can create to enforce API security and control access to APIs.
You can use API Center to define and assign the following types of policies:
• Security. A security policy defines authentication methods that can be used to access an operation.
• CORS. A Cross-Origin Resource Sharing (CORS) policy to ensure that your APIs can be securely accessed by client applications from different domains.
• Operational. Operational policies include rate limit policies and response caching policies for an operation. A rate limit policy defines the number of times API consumers can invoke an operation during a designated time frame. A response caching policy defines how long API Center stores API responses for an operation in the cache.
• Privacy. A privacy policy defines which Personally Identifiable Information (PII) is sensitive data that API Center protects for an API or operation.
• IP filtering. An IP filtering policy defines access rules for a managed API.
For example, you can assign a basic authentication policy and a rate limit policy of three calls per minute to a specific operation in order to control API consumer access to the operation.
You can assign IP filtering, security, and privacy policies at the API level. You can assign security, operational, and privacy policies at the API operation level. Operation policies take precedence over API policies.
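The assignment levels, the precedence rule, and the three-calls-per-minute rate limit above, modelled as an added Python example (this is illustration code, not API Center's own implementation): the policy type names, the "orders-api" sample, the consumer key and the sliding-window limiter are assumptions made for the example.

```python
from collections import deque

# Policy types allowed at each level, taken from the page: IP filtering, security
# and privacy at API level; security, operational and privacy at operation level.
API_LEVEL_TYPES = {"ip_filtering", "security", "privacy"}
OPERATION_LEVEL_TYPES = {"security", "operational", "privacy"}

def assign(store, level, key, ptype, policy):
    """Record an assignment, rejecting policy types not allowed at that level."""
    allowed = API_LEVEL_TYPES if level == "api" else OPERATION_LEVEL_TYPES
    if ptype not in allowed:
        raise ValueError(f"{ptype} policies can't be assigned at {level} level")
    store.setdefault(key, {})[ptype] = policy

def effective_policies(api_store, op_store, api, op):
    """Merge both levels; an operation policy overrides the same type at API level."""
    merged = dict(api_store.get(api, {}))
    merged.update(op_store.get((api, op), {}))
    return merged

class RateLimiter:
    """Sliding-window counter: at most `calls` invocations per `window` seconds per key."""
    def __init__(self):
        self._hits = {}

    def allow(self, key, calls, window, now):
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= calls:
            return False
        q.append(now)
        return True

def build_sample_stores():
    """Constructed sample: basic auth on the API, OAuth2 plus 3 calls/minute on one operation."""
    api_store, op_store = {}, {}
    assign(api_store, "api", "orders-api", "security", "basic-auth")
    assign(op_store, "operation", ("orders-api", "createOrder"), "security", "oauth2")
    assign(op_store, "operation", ("orders-api", "createOrder"), "operational", {"rate_limit": (3, 60)})
    return api_store, op_store

def check_request(limiter, api_store, op_store, api, op, consumer, now):
    """Decide one call: which authentication applies and whether the rate limit allows it."""
    pol = effective_policies(api_store, op_store, api, op)
    limit = pol.get("operational", {}).get("rate_limit")
    if limit and not limiter.allow((consumer, api, op), limit[0], limit[1], now):
        return pol.get("security"), "rate_limited"
    return pol.get("security"), "allowed"
```

Calls to createOrder resolve to the operation's OAuth2 policy and are cut off at the fourth call within a minute, while other operations on the same API fall back to the API-level basic authentication policy.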
To create, edit, enable, delete, and disable policies, you must be assigned an API Policy Manager or Administrator role. To assign security, operational, and privacy policies and view policy details, you must be assigned the Deployer or Designer role. To assign an IP filtering policy, you must be assigned the Deployer role.
You can't create a policy in a disabled state. You can disable a policy that is assigned to an API. You can't delete a policy that is assigned to an API.