Skip to content

/AWS1/CL_BDOPOLICY

Represents a complete policy resource within the AgentCore Policy system. Policies are ARN-able resources that contain Cedar policy statements and associated metadata for controlling agent behavior and access decisions. Each policy belongs to a policy engine and defines fine-grained authorization rules that are evaluated in real-time as agents interact with tools through Gateway. Policies use the Cedar policy language to specify who (principals based on OAuth claims like username, role, or scope) can perform what actions (tool calls) on which resources (Gateways), with optional conditions for attribute-based access control. Multiple policies can apply to a single request, with Cedar's forbid-wins semantics ensuring that security restrictions are never accidentally overridden.

CONSTRUCTOR

IMPORTING

Required arguments:

iv_policyid TYPE /AWS1/BDORESOURCEID /AWS1/BDORESOURCEID

The unique identifier for the policy. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy operations.

iv_name TYPE /AWS1/BDOPOLICYNAME /AWS1/BDOPOLICYNAME

The customer-assigned immutable name for the policy. This human-readable identifier must be unique within the account and cannot exceed 48 characters.

iv_policyengineid TYPE /AWS1/BDORESOURCEID /AWS1/BDORESOURCEID

The identifier of the policy engine that manages this policy. This establishes the policy engine context for policy evaluation and management.

io_definition TYPE REF TO /AWS1/CL_BDOPOLICYDEFINITION /AWS1/CL_BDOPOLICYDEFINITION

The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

iv_createdat TYPE /AWS1/BDODATETIMESTAMP /AWS1/BDODATETIMESTAMP

The timestamp when the policy was originally created. This is automatically set by the service and used for auditing and lifecycle management.

iv_updatedat TYPE /AWS1/BDODATETIMESTAMP /AWS1/BDODATETIMESTAMP

The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration or metadata.

iv_policyarn TYPE /AWS1/BDOPOLICYARN /AWS1/BDOPOLICYARN

The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

iv_status TYPE /AWS1/BDOPOLICYSTATUS /AWS1/BDOPOLICYSTATUS

The current status of the policy.

it_statusreasons TYPE /AWS1/CL_BDOPLYSTATUSREASONS_W=>TT_POLICYSTATUSREASONS TT_POLICYSTATUSREASONS

Additional information about the policy status. This provides details about any failures or the current state of the policy lifecycle.

Optional arguments:

iv_description TYPE /AWS1/BDODESCRIPTION /AWS1/BDODESCRIPTION

A human-readable description of the policy's purpose and functionality. Limited to 4,096 characters, this helps administrators understand and manage the policy.

Queryable Attributes

policyId

The unique identifier for the policy. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy operations.

Accessible with the following methods

Method Description
GET_POLICYID() Getter for POLICYID, with configurable default
ASK_POLICYID() Getter for POLICYID w/ exceptions if field has no value
HAS_POLICYID() Determine if POLICYID has a value

name

The customer-assigned immutable name for the policy. This human-readable identifier must be unique within the account and cannot exceed 48 characters.

Accessible with the following methods

Method Description
GET_NAME() Getter for NAME, with configurable default
ASK_NAME() Getter for NAME w/ exceptions if field has no value
HAS_NAME() Determine if NAME has a value

policyEngineId

The identifier of the policy engine that manages this policy. This establishes the policy engine context for policy evaluation and management.

Accessible with the following methods

Method Description
GET_POLICYENGINEID() Getter for POLICYENGINEID, with configurable default
ASK_POLICYENGINEID() Getter for POLICYENGINEID w/ exceptions if field has no valu
HAS_POLICYENGINEID() Determine if POLICYENGINEID has a value

definition

The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

Accessible with the following methods

Method Description
GET_DEFINITION() Getter for DEFINITION

description

A human-readable description of the policy's purpose and functionality. Limited to 4,096 characters, this helps administrators understand and manage the policy.

Accessible with the following methods

Method Description
GET_DESCRIPTION() Getter for DESCRIPTION, with configurable default
ASK_DESCRIPTION() Getter for DESCRIPTION w/ exceptions if field has no value
HAS_DESCRIPTION() Determine if DESCRIPTION has a value

createdAt

The timestamp when the policy was originally created. This is automatically set by the service and used for auditing and lifecycle management.

Accessible with the following methods

Method Description
GET_CREATEDAT() Getter for CREATEDAT, with configurable default
ASK_CREATEDAT() Getter for CREATEDAT w/ exceptions if field has no value
HAS_CREATEDAT() Determine if CREATEDAT has a value

updatedAt

The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration or metadata.

Accessible with the following methods

Method Description
GET_UPDATEDAT() Getter for UPDATEDAT, with configurable default
ASK_UPDATEDAT() Getter for UPDATEDAT w/ exceptions if field has no value
HAS_UPDATEDAT() Determine if UPDATEDAT has a value

policyArn

The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

Accessible with the following methods

Method Description
GET_POLICYARN() Getter for POLICYARN, with configurable default
ASK_POLICYARN() Getter for POLICYARN w/ exceptions if field has no value
HAS_POLICYARN() Determine if POLICYARN has a value

status

The current status of the policy.

Accessible with the following methods

Method Description
GET_STATUS() Getter for STATUS, with configurable default
ASK_STATUS() Getter for STATUS w/ exceptions if field has no value
HAS_STATUS() Determine if STATUS has a value

statusReasons

Additional information about the policy status. This provides details about any failures or the current state of the policy lifecycle.

Accessible with the following methods

Method Description
GET_STATUSREASONS() Getter for STATUSREASONS, with configurable default
ASK_STATUSREASONS() Getter for STATUSREASONS w/ exceptions if field has no value
HAS_STATUSREASONS() Determine if STATUSREASONS has a value

Public Local Types In This Class

Internal table types, representing arrays and maps of this class, are defined as local types:

TT_POLICIES

TYPES TT_POLICIES TYPE STANDARD TABLE OF REF TO /AWS1/CL_BDOPOLICY WITH DEFAULT KEY
.