Each policy definition has a SCAN script for the life cycle stage to assess the compliance state of a deployment. vCloud Application Director calls the policy scan action script prior to performing operations, except the teardown process, on the deployment or when a user explicitly initiates a policy scan on the deployment.

The scan action script includes a model of deployment as defined in vCloud Application Director REST API specification. The scan action script also receives additional components used in blueprint for the deployment.

You must create policy instances in specific deployment environments to enable policies. If a policy violation occurs during deployment, it is flagged and you can view the violation details in the compliance view summary page.


Java Script is the only supported language for authoring policy definition scripts.

Policy properties defined in a policy definition are supplied to the script as individual variables. The script can access them by declaring a variable with same name as the property name.

Script Input Variable


var min_cpu_count

Corresponds to min_cpu_count property and the value for the script is set to consume.


Includes the details of the deployment assessed for policy compliance.

For regular properties, var eventPayload must be added to access the eventPayload object.

The policy script might regard the eventPayload variable as a java object with the following properties:

deploymentProfile of type DeploymentProfile as defined in V2 API

Represents the deployment profile capturing latest details of deployment. In the case of updates, this includes all of the changes that are part of update profile.

blueprint of type Blueprint as defined in V2 API

Represents the actual blueprint object that's referenced from deploymentProfile.

logicalTemplates of type ListLogicalTemplate where LogicalTemplate is as defined in V2 API

Represents the list of logical templates referenced from various nodes inside the application blueprint.

serviceVersions of type ListServiceVersion where ServiceVersion is as defined in V2 API

Represents the list of service versions references from various nodes inside the application blueprint.

Policy scripts are expected to output the following properties to communicate the result of the compliance assessment. Scripts must declare them as variables.

Script Output Variable



Type of string that is mandatory. If script fails to set it then the compliance result is assumed as an Error.

The valid values for the variable are:


Indicates that a deployment is compliant against the policy being assessed.


Indicates that a deployment violates the policy being assessed.


Indicates failure to produce an assessment result.


Type of string.

This optional value provides a high-level summary of the reason behind policy violation. Value can be any string with less than 2048 characters.

The scripts can create log messages with the standard println function available in Java Script. The log is captured by vCloud Application Director, which is useful to diagnose errors in policy scripts or provide details for a policy assessment result.

Verify that your user account has the ROLE_CATALOG_ADMIN catalog administrator role assigned to it.

Verify that at least one policy is created in the catalog. See Add a Policy to the Catalog.


On the vCloud Application Director title bar, click the drop-down menu and select Catalog > Policies.


Open a policy to add a policy definition script.


In the Script column, click the hyperlink to open the Edit Script dialog box.

You can refer to the existing predefined policy definitions and create a script in the dialog box.


Click OK and save your changes when you are finished.

Specifying a policy definition has no impact on deployments unless you create a policy instance in a deployment environment to enable that policy definition on all of the deployments under the deployment environment. See Create a Policy Instance.