--- title: "Creating Policies" slug: "creating-policies" updated: 2025-11-16T16:54:14Z published: 2025-11-16T16:54:14Z --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.plainid.io/llms.txt > Use this file to discover all available pages before exploring further. # Creating Policies The Policy Wizard is an easy, visual way to create Policies in the Platform. Before creating a new Policy, you must have created at least one [Asset Type](/docs/managing-asset-types#creating-an-asset-type) with at least one [Application](/docs/managing-applications) connected to it. Some objects (like Dynamic Groups and Conditions), can be created while creating a new Policy. During the Policy creation process, you need to specify whether this new Policy is used for Dynamic Authorization Services or for [SaaS Policy Management](/v1/docs/saas-policy-management). Once a Policy has been created, it is listed in the Policy Catalog and can be viewed as code, visually in the Policy Map, exported, edited, and/or deleted. ## How to Create Policies In the Authorization Workspace, you can choose to create a Policy by selecting one of the options after clicking the Plus Button ![image.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image%28278%29.png) - **From Wizard** to start creating a Policy using the Policy Wizard. Refer to our guide in the [Policy Wizard](/v1/docs/policy-wizard) for more information. - **From Code** to import or insert a file containing the Policy Code. For more information, refer to [Policies in Rego](/v1/docs/creating-policies#policies-in-rego). - **From Native** to paste Policy Code in the vendor language. For more information, refer to [Native Policies](/v1/docs/creating-policies#importing-native-policies). ![image.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image%28345%29.png) ### Policy Wizard **To create a Policy with the Policy Wizard:** 1. Choose an Authorization Workspace from the Environment side-panel. 2. In the Policies tab, click the **+** icon. 3. Select **From Policy Wizard**. The New Policy Wizard is displayed. 4. In the **Fill in Policy Details** screen, enter a **Name** for the Policy (required). 5. In the **Generate Policy ID** section, select whether you want to input a **Custom ID** or an **Auto Generated ID** (one that the Platform creates). The Policy ID must be unique per Environment. It is used as the leading ID in the CRUD API for Policy Management (for more information, see [Policy Management APIs](/apidocs/policy-management-apis)). - If you selected **Custom ID**, the Policy ID field appears as an editable field. Enter the new Policy ID in the field. The maximum number of characters for this field is 128. - If you selected **Auto Generated ID**, a GUID is automatically set as the Policy ID. Once the Policy is saved, the Policy ID can no longer be changed. 1. Enter a **Description** for the new Policy (Optional). 2. - Select the **Access Type**. Options are **Allow** or **Restrict**. - **Allow** grants access rights to the Identity, if all other aspects of the Policy settings match. - **Restrict** denies access based on the Policy settings. 3. Select whether you're using the Policy for the **Dynamic Authorization Service** or **[SaaS Applications](/apidocs/saas-management-vendors)**. 4. Select the Application/s to connect to this Policy. 5. Click **Continue** to advance to the **Who Step**. **Who Step** The Wizard advances to the **WHO** step, in which you select the Dynamic Groups which will be given access (or denied access) for this Policy. 1. In the **Select Dynamic Groups for this Policy** screen Select one or more Dynamic Groups to which you have Admin Permissions or Create a new Dynamic Group by clicking **New Dynamic Group**. For more information, see [Creating a Dynamic Group in the Policy Wizard](/v1/docs/policy-wizard#creating-a-new-dynamic-group-in-the-policy-wizard). 1. Click **Continue**. **What Step** The Wizard advances to the **WHAT** step where you can select which **Assets Types** you wish to associate with this Policy. **To add Assets to the Policy**: 1. Select an **Asset Type** from the drop-down. The list of Asset Types depends on which Application you chose to connect to the Policy. 2. Click on **Select Rulesets**. A side panel opens where you are required to select at least one Ruleset to use in relation to the selected Asset Type and Action/s. You can also **create** a Ruleset from this panel. - After selecting your Ruleset/s, click Manage Rulesets to open the Ruleset side panel if required. - Select the **Assets** to use in this Policy - To add *another* Action-Ruleset/Asset combination to the Policy, click **Add Combination**. Note: This button is disabled if no Actions or only one Action is associated with the Asset Type. - To remove a combination, click on **Remove Combination** 1. Click Save. If you wish to add **another Asset Type**, click **Add Asset Type** and go over the points in Step 1. 2. Click **Continue**. **When Step** The wizard advances to the **WHEN** Step where you can select which **Conditions** you wish to associate with this Policy. **To create a condition**: 1. Select the checkbox next to existing Conditions or click the **+ New Condition**. A side panel opens. - Fill in the Connection details section according to the relevant Condition. 2. Click Save. - Ensure that the relevant Condition is selected in the list of Conditions. *Conditions can also be predefined in the Assets and Conditions section of the Authorization Workspace.* 3. Click **Done**. The Policy is created and the Policy Map for the new Policy opens. **To manage existing Policies (edit, delete, or add Asset Types), see** [**Managing Policies**](/v1/docs/managing-policies). **Note:** By default, all new Policies have a Policy State of Active. This means that they are considered when calculating the authorization decision. For more information, see [Managing Policies](/v1/docs/-managing-policies#activating-and-deactivating-a-policy). #### Creating a New Dynamic Group in the Policy Wizard While creating a new Policy, you may discover that you need to create a new Dynamic Group to help define the Policy. You do not need to exit the Wizard to accomplish this. After entering the new **Policy Name**, **Description** and **Access Type**, you click **Continue**, select the relevant Dynamic Group. If you don't see the Dynamic Group, you have the option of creating a new Dynamic Group from within the Wizard. **To create a new Dynamic Group in the Policy Wizard**: 1. Click **New Dynamic Group**. The New Dynamic Group side panel opens. 2. In the **Workspace Name** field, select the Workspace in which you want the Dynamic Group created. 3. In the **Fill in the Dynamic Group Details** section, enter the **Name** and the **Description** (optional). 4. In the **Define Dynamic Group Rules**, define a set of Rules based on existing Identity Attributes by selecting an **Attribute**, selecting an **Operator**, and providing a **Value**. As needed, use the **And** and/or **OR** options to add additional Rules. 5. Click **Save**. The Dynamic Group is created in the specified Identity Workspace and added to the list of available Dynamic Groups to be used in the Policy. 6. Click **Continue** and begin selecting Assets for the new Policy, as detailed above. ![Large GIF 1090x742.gif](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/Large%20GIF%20%281090x742%29%281%29.gif) ### Policies in Structured Rego Policies in structured **Rego** can be imported and copied into the Platform to promote Policies between Environments. This can be done in the **Authorization Workspace** or using the **Import/Export Policy APIs**. Only valid Policies can be successfully imported. > **Note:** A Policy that is **Inactive** in the source Environment will, by default, be **Active** when imported into a new Environment. Updating an existing Policy via import does not affect its current Policy State. To deactivate the Policy in the target Environment, see [Managing Policies](/v1/docs/deleting-policies). --- #### Prerequisites for Importing Policies The following objects are required in the target Environment for successful import and proper Authorization calculation: - Identity Templates with relevant Identity Attributes defined in the Identity Workspace Settings. - Asset Templates with associated Asset Attributes and Actions defined in the Asset Type Settings. **Required for Policies to be considered in access decisions:** - Asset Types used in the Policy must be connected to an Application defined in the Authorization Workspace. - The relevant Application must be connected to a Scope defined in the Environment settings. > Without these connections, Policies can be imported successfully but will not factor into access decisions. Connections can be defined before or after import. --- #### Creating a New Policy In Rego **To import Policy code in Rego:** 1. Select the relevant **Authorization Workspace**. 2. Ensure the **Policies** section is open. 3. Click on the **Plus button** ![image.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image%28278%29.png) 4. Click **From Code** to open the **Create Policy from Code** screen. 5. Import a `.rego` file by: - **Pasting the Rego code** in the input field. - **Dragging and dropping** the file into the input field. - **Clicking Import File** on the bottom of the page to upload a file. ***You can also import or drag and drop a JSON file containing Rego code**.* 6. Optionally, **Download Sample File** to guide you on Policy creation. 7. After importing, review and edit any errors highlighted in the wizard. 8. Click **Validate** to check the code. 9. Click **Create Policy** to finalize the new Policy. --- ### Native Policies Importing Native Policies allows you to create and manage Policies directly in a POP vendor’s native language instead of Rego. This is particularly useful for SaaS applications that support native Policy definitions, enabling you to bring existing logic into the Platform without translation. See [**Snowflake**](/v1/docs/sf-native-policy-support) or [**Databricks**](/v1/docs/databricks-native-policy-support) Native Policy Support articles for a guide on Policy, tag, table, and column function parameters. *PlainID strongly recommends implementing Policies with tags, table, and column mapping*. #### Creating a New Native Policy **To create a new Native Policy**: 1. In the **Authorization Workspace Policy screen**, click the **Plus (+)** button. 2. Select **From Native**. A new Native Policy screen opens. 3. Enter a **Label** for the Policy. 4. In the **Generate Policy ID** section, enter a POP ID. The Policy ID must be unique per Environment and is used as the primary identifier in the [Policy Management APIs](/apidocs/policy-management-apis). 5. Enter a **Description** for the Policy (optional). 6. Select the **Application** that supports native Policies. 7. Provide the **POP connection details**. For more information, see [SaaS Management Vendors](/apidocs/saas-management-vendors). 8. In the code screen, **paste** the Native Policy code in the input field. Refer to Snowflake and Databricks documentation for more information on vendor languages. > File upload and validation for Native Policies **is not available yet**. 1. Add tables, tags, and columns as needed per vendor language. More information on how to use them are available in the [**Snowflake**](/v1/docs/sf-native-policy-support) or [**Databricks**](/v1/docs/databricks-native-policy-support) Native Policy Support articles. - **Row Access Policies** – Define the Policy logic and specify the relevant tables. - **Masking Policies** – Define the Policy logic and specify the tags or columns to be masked. 1. Click Create to finalize the new Native Policy. Check out the video below for an explanantion of the value of Native Policies and a detailed guide on creating Native Policies. [Embedded content](https://www.youtube.com/embed/WRX6MhkZOsY) ---