Stay organized with collectionsSave and categorize content based on your preferences.
Policies are implemented on a web page. When a container runs on the page, policies are applied to Tag Manager's custom template definitions to control how certain features and functionality can be used. Policies are implemented with thegtag('policy', ...)API.
Thegtag('policy', ...)API requires definitions for dataLayer andgtag(). Ensure thatdataLayerandgtag()are defined in your code beforegtag('policy', ...)is called later in the script:
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
The<permissionId>argument is any one of the supported permissions types, e.g.inject_script. The policy will be called whenever a container wants to check if that permission is allowed.
The third argument—<function>—is a function that implements the indicated policy with this signature:
function(containerId, permissionId, data) {...}
containerIdis the Tag Manager container ID, e.g.'GTM-1234'.
permissionIdis a string that specifies the type of policy to be checked.
datais an object that contains any relevant information for the indicated permission type, e.g.'url'for a'send_pixel'permission.
A policy function rejects a permission request when it returnsfalseor throws an exception. Any exceptions with a type ofstringorErrorwill appear in theErrorssection of the debug pane whenpreview modeis enabled. When multiple policy checks are registered, each check is called, and each check has the ability to reject a policy request.
This example creates a policy that checks the'inject_script'permission:
This example uses the'all'keyword to check multiple policy scenarios:
gtag('policy','all',function(containerId,permissionId,data){//Onlysetpolicyfor1specificcontainer.//Thisenablesothercontainersloadedonthepageto//operatewithoutrestrictionsonpermissions.if(container!='GTM-4321')returntrue;//Sincethepolicyis'all',adjustpermissionsconditionally.switch(permissionId){case'send_pixel':returntrue;case'write_globals':returndata.key&&data.key=='_gaq';case'inject_script':leturl=data.url||'';if(url.indexOf('https://example.com')!=0)throw'Only example.com scripts are permitted';default://ITstaffdecidesthatallunknownpermissions//arerejected.returnfalse;}});
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-10-09 UTC."],[[["\u003cp\u003eUse the \u003ccode\u003egtag('policy', ...)\u003c/code\u003e API to control how Tag Manager's custom templates use features like injecting scripts or sending pixels within your web page.\u003c/p\u003e\n"],["\u003cp\u003ePolicies are applied by defining functions that evaluate permission requests for specific Tag Manager containers and functionalities, allowing or rejecting them based on your defined criteria.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egtag('policy', ...)\u003c/code\u003e API accepts a permission ID like \u003ccode\u003einject_script\u003c/code\u003e or \u003ccode\u003esend_pixel\u003c/code\u003e to define rules for that specific action, or \u003ccode\u003eall\u003c/code\u003e to handle various permissions within a single function.\u003c/p\u003e\n"],["\u003cp\u003ePolicy functions determine whether to allow or reject a permission request by returning \u003ccode\u003etrue\u003c/code\u003e for allowance, \u003ccode\u003efalse\u003c/code\u003e for rejection, or throwing an exception to provide a descriptive error in the debug console.\u003c/p\u003e\n"],["\u003cp\u003eYou can implement policies to manage permissions on a granular level, allowing specific scripts to be injected, pixels to be sent to certain URLs, or controlling access to global variables, ensuring enhanced security and control over your website's behavior.\u003c/p\u003e\n"]]],["Policies on a webpage control Tag Manager's custom template definitions using the `gtag('policy', ...)` API. This API requires `dataLayer` and `gtag()` to be defined beforehand. Policies are set using `gtag('policy', \u003cpermissionId\u003e, \u003cfunction\u003e)`, where `\u003cpermissionId\u003e` specifies the permission type, such as `'inject_script'`. The `\u003cfunction\u003e` argument checks permissions, returning `false` or throwing an exception to reject them. Using `'all'` as `\u003cpermissionId\u003e` allows interaction with all policy checks. The policy function uses parameters `containerId`, `permissionId`, and `data` to evaluate requests.\n"],null,["# Custom template policies\n\nPolicies are implemented on a web page. When a container runs on the page, policies are applied to Tag Manager's custom template definitions to control how certain features and functionality can be used. Policies are implemented with the `gtag('policy', ...)` API.\n\nThe `gtag('policy', ...)` API requires definitions for dataLayer and `gtag()`. Ensure that `dataLayer` and `gtag()` are defined in your code before `gtag('policy', ...)` is called later in the script: \n\n window.dataLayer = window.dataLayer || [];\n function gtag(){dataLayer.push(arguments);}\n\nUse the `gtag('policy', ...)` API on a web page to set policies for [custom template permissions](/tag-platform/tag-manager/templates/permissions): \n\n gtag('policy', \u003cpermissionId\u003e, \u003cfunction\u003e)\n\nThe `\u003cpermissionId\u003e` argument is any one of the supported permissions types, e.g. [`inject_script`](/tag-platform/tag-manager/templates/permissions#inject_script). The policy will be called whenever a container wants to check if that permission is allowed. \n\n gtag('policy', 'inject_script', function(containerId, permissionId, data) {\n // Specific inject_script check goes here.\n });\n\nSpecify `'all'` to interact with all policy checks. \n\n gtag('policy', 'all', function(containerId, permissionId, data) {\n // System-wide check goes here.\n });\n\nThe third argument---`\u003cfunction\u003e`---is a function that implements the indicated policy with this signature: \n\n function(containerId, permissionId, data) {...}\n\n- **`containerId`** is the Tag Manager container ID, e.g. `'GTM-1234'`.\n- **`permissionId`** is a string that specifies the type of policy to be checked.\n- **`data`** is an object that contains any relevant information for the indicated permission type, e.g. `'url'` for a `'send_pixel'` permission.\n\nA policy function rejects a permission request when it returns `false` or throws an exception. Any exceptions with a type of `string` or `Error` will appear in the **Errors** section of the debug pane when [preview mode](https://support.google.com/tagmanager/answer/6107056) is enabled. When multiple policy checks are registered, each check is called, and each check has the ability to reject a policy request.\n\nThis example creates a policy that checks the `'inject_script'` permission: \n\n gtag('policy', 'inject_script', function(containerId, permissionId, data) {\n\n // reference the url of the script to be injected\n let url = data.url || '';\n\n // if the url of the injected script exactly matches, allow it.\n // otherwise throw an error\n if (url === 'https://scripts.example.com/analytics.js') {\n return true;\n } else {\n throw 'Only permitted to inject https://scripts.example.com/analytics.js';\n }\n });\n\nThis example uses the `'all'` keyword to check multiple policy scenarios: \n\n gtag('policy', 'all', function(containerId, permissionId, data) {\n\n // Only set policy for 1 specific container.\n // This enables other containers loaded on the page to\n // operate without restrictions on permissions.\n if (container != 'GTM-4321') return true;\n\n // Since the policy is 'all', adjust permissions conditionally.\n switch (permissionId) {\n\n case 'send_pixel':\n return true;\n\n case 'write_globals':\n return data.key && data.key == '_gaq';\n\n case 'inject_script':\n let url = data.url || '';\n if (url.indexOf('https://example.com') != 0)\n throw 'Only example.com scripts are permitted';\n\n default:\n // IT staff decides that all unknown permissions\n // are rejected.\n return false;\n }\n });"]]
