
MuleSoft Omni Gateway provides powerful governance tools including a number of inbound and outbound policies, asset groups and automated policy assignments. These form a strong foundation for organizations to build and adhere to governance standards.
But there’s a limitation. Traditional policies work at the API level: you configure one or more policy behaviors per endpoint. Sometimes real-world governance requires different policy behavior in different contexts for the same asset. Creating separate API endpoints or deploying custom code to handle conditional logic doesn’t scale.
Fine-grained governance in MuleSoft Omni Gateway
We’re solving this challenge by providing conditional policy assignments for fine-grained governance. Conditional policy assignment enables administrators to define multiple configurations of the same policy, each triggered by specific request characteristics, such as the HTTP method, request path, and attributes within the headers object of an incoming request. Let’s take a look at a few use cases below.
1. Context-aware request logging
A common governance requirement is auditing client requests, but what you log depends on the HTTP method. Using the Message Logging policy to log everything (query params + payload) generates massive audit logs and privacy risk. Creating separate endpoints or deploying custom code creates API sprawl and maintenance burden.
With conditional policy assignment you can configure conditions to examine the “request” presented to an API. For “GET” methods you can use #[attributes.headers] or #[attributes.queryParams] to validate the host or the query parameters that were actually submitted. Conversely, for a “POST” method, you can evaluate #[payload]. With conditional configurations you can apply the Message Logging policy intelligently based on the request context.
2. Tiered rate limiting by HTTP method
Your upstream API has different cost profiles for different operations. For example, a GET operation is less expensive in terms of cost and response time than a POST operation. With conditional configurations you can apply different rate limits to match these costs. This strategy protects your upstream API from write-heavy clients while maximizing throughput for read-heavy clients, all governed from one endpoint and one policy configuration.
3. Path-based security rules
Not all request paths are equally sensitive. Your ‘/api/public/*’ endpoints may not need the same encryption or authentication as ‘/api/internal/*’. In addition to conditional support for METHOD, you can use regular expressions on Request Path, Host and Headers to control when a specific configuration of a given policy should be assigned. This eliminates the need for separate endpoint declarations or custom flow logic.
How conditions work
Conditional Policy Assignment supports matching on:
- HTTP Method: GET, POST, PUT, PATCH, DELETE
- Request Path: A RegEx expression to match request path
- Host: A RegEx expression to match the request host
- Headers: A map of header names and values
You can combine multiple conditions using AND logic to express complex governance rules. For example: “If the request is a POST AND the path starts with /data/ AND the header X-Client-Tier equals premium, then apply the DataWeave Body Transformation Policy.” This flexibility means you can express almost any governance rule without creating separate API endpoints or custom code.
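The AND semantics described above can be checked against sample requests before a rule set is rolled out. The following is an added illustration, not MuleSoft code or Omni Gateway configuration syntax; the `Condition` class, the rule labels, first-match ordering, whole-string regex matching and the `default` fallback are all assumptions made for the model.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Condition:
    """One conditional configuration of a policy; unset fields match anything."""
    label: str
    methods: frozenset = frozenset()
    path: str = ""          # regex, matched against the whole request path
    host: str = ""          # regex, matched against the whole host
    headers: dict = field(default_factory=dict)

    def matches(self, method, path, host, headers):
        # HTTP header names are case-insensitive, so compare lowercased names.
        seen = {k.lower(): v for k, v in headers.items()}
        return (
            (not self.methods or method.upper() in self.methods)
            and (not self.path or re.fullmatch(self.path, path) is not None)
            and (not self.host or re.fullmatch(self.host, host) is not None)
            and all(seen.get(k.lower()) == v for k, v in self.headers.items())
        )

def select(rules, method, path, host="", headers=None, default="default"):
    """Assumed semantics: the first rule whose conditions ALL hold wins."""
    for rule in rules:
        if rule.matches(method, path, host, headers or {}):
            return rule.label
    return default

# Constructed rules: the article's AND example plus its two path prefixes.
RULES = [
    Condition("transform-premium-writes", frozenset({"POST"}), r"/data/.*",
              headers={"X-Client-Tier": "premium"}),
    Condition("strict-internal", path=r"/api/internal/.*"),
    Condition("relaxed-public", path=r"/api/public/.*"),
]

def audit(samples, rules=RULES):
    """Map each constructed sample request to the configuration it would get."""
    return [select(rules, *s) for s in samples]

if __name__ == "__main__":
    samples = [  # constructed requests: (method, path, host, headers)
        ("POST", "/data/orders", "api.example.test", {"x-client-tier": "premium"}),
        ("POST", "/data/orders", "api.example.test", {"X-Client-Tier": "basic"}),
        ("GET", "/api/internal/users", "api.example.test", {}),
        ("DELETE", "/admin/reset", "api.example.test", {}),
    ]
    print(audit(samples))
```

Samples that come back as `default` are requests no conditional configuration covers, which makes them the first place to look when reviewing a rule set for gaps.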
Demo
This demonstration will walk through configuring conditional policy assignments. We will illustrate how to set conditions based on the request’s method verb (GET vs. POST) and a specific header value, for both inbound and outbound traffic. This will also walk through the fine-grained control and dynamic policy execution capabilities.
A significant step forward
Conditional policy assignment represents a significant capability for API governance in Omni Gateway. Available today, it enables customers to enforce governance with the precision that modern APIs demand without creating API sprawl or sacrificing auditability. Architects and governance teams can now express governance rules that were previously impossible without custom code.



