Resource-Level Policies

Unless otherwise configured, policies are by default applied to the entire API. However, you can implement an additional level of policy granularity, one in which access is controlled based on a criteria. Policies with this granularity are called resource-level policies.

At the resource level of granularity, policies are applied to only those requests that match the criteria. All policies, except the Cross-Origin Resource Sharing (CORS) policy, are resource-level.

In Mule 4, resource-level policies support HTTP-based APIs in addition to RAML APIs. You can apply multiple conditions to filter your resources and HTTP methods using the URI template regex to any number of methods in your API.

Usage Scenarios for Implementing Resource-Level Policies

You can use resource-level policies in many ways. Here are just a few:

  • Apply policies to specific resources.

  • Secure a subset of an API.

  • Set different limits on resources.

If you have a RAML or OAS specification attached to your API, you can use the Preview Resource Matching option to determine which resources are affected by your filters:

API Console displays resources and methods

A resource-level policy supports regular Java expressions. For example, you can use a wildcard to apply a policy to multiple resources. When you apply the policy to the API, specify the resources to which it applies:

rlp conditions

Guidelines for Implementing Resource-Level Policies

When implementing resource-level policies:

  • Do not use a placeholder, such as {userid}, in the regular expression.

    Using a placeholder in an expression fails because the placeholder does not match the actual node. In the example placeholder {userid}, the node looks something like this:


    671962fc-f076-4b19-bc38-45ba3a4e4095 is the user ID.

    1234 is the ID of a permission.

To apply a policy to resource /api/users/{userid} that represents a single user and all resource nodes, use the following expression:

The userid represents a single user and all resource nodes: /api/users/.*

To apply a policy to only the permissions resources /api/users/{userId/permissions} and /api/users/{userid}/permissions/{permissionId}, use the following expression:


Was this article helpful? Thanks for your feedback!
View on GitHub