Managing POPs


Policy Orchestration Points (POPs) define the connection between the Authorization Platform Tenant and the SaaS Application.

To manage Policy Orchestration Points, you can:

  • Create a POP
  • Edit a POP
  • Change the mode
  • Delete a POP

Creating a POP

To create a Policy Orchestration Point:

  1. In the Orchestration Workspace, click Add Policy Orchestration Point. The Select Vendor side panel opens.
  2. Select the third-party vendor. A form opens, enabling you to configure the new POP.
  3. In the General section, enter:
    • Display Name (required)
    • Description (optional)
  4. In the Associated Workspaces, select the targeted Authorization or Identity Workspace.
  5. In the Connection Settings section, enter the relevant values for each parameter. For connection details, refer to the SaaS Authorization Management article and to the third-party vendor you use.
  6. Click Test Connection to verify that the new POP can connect to the third-party vendor app and that the user has the appropriate permissions. For more information about the permissions, refer to the third-party vendor documentation in SaaS Authorization Management.
    • If the Connection Test fails, an error appears below the Test Connection button indicating what needs to be fixed.
  7. When the Test Connection is successful, click Create. The new POP is added to the list of currently defined POPs and an initial discovery takes place.

POP IDs

The POP ID is automatically generated and can be utilized in Orchestration APIs.


Editing a POP

To edit a POP:

  1. Click the three vertical dots on the POP you wish to edit, and select Settings. The POP side panel opens with the current configuration in Edit mode. All of the fields except the POP ID and the Authentication Method can be changed.
  2. After you make any changes, click the Test Connection button to verify that the POP is still configured properly and can connect to the third-party vendor.
  3. When the Test Connection is successful, click Save.

Changing the POP Mode

In the Orchestration Workspace, you can switch between two modes:

  • Learn Mode: PlainID observes the vendor’s Policies without enforcing changes. Use this mode to see how Policies are defined by the vendor.
  • Manage Mode: PlainID takes control of Policies. You can make changes, and differences from the vendor are tracked for visibility and reconciliation.

You can switch between these modes at any time, depending on your governance needs.


Switching from Learn to Manage Mode

Switching to Manage Mode lets you govern Policies in PlainID. From this point, any changes made in PlainID are tracked and shown as differences from the vendor. No Policies are changed during the switch — only tracking is activated.


Switching from Manage to Learn Mode

Switching back to Learn Mode resets any undeployed changes made in PlainID and re-syncs with the vendor’s latest Policies. A confirmation popup ensures you’re aware before making the switch.

For details on how Policy differences are shown and resolved in Manage Mode, see Orchestration Side Panels.


Deleting a POP

When you delete a Policy Orchestration Point, all associated objects generated by the POP are also permanently deleted from the Platform. This includes the following:

  • POP
  • Scope
  • Application
  • Policies discovered or created within the POP
  • Building Blocks, including Dynamic Groups, Actions, Rulesets, and Conditions
  • Asset Types (including Attributes)
  • Identity Sources
  • Identity Attributes

Third Party Applications/Vendors

Deleting a POP and associated objects in the Platform does not delete objects or Policies in the third-party application from which they were discovered.

To delete a POP:

  1. In the Orchestration Workspace, locate the POP you wish to delete in the list of Policy Orchestration Points.
  2. Click on the three vertical dots on the POP to access the drop-down menu.
  3. Click Delete POP. A warning message appears, asking you to confirm that you want to delete the POP.
  4. Click Delete to confirm. The POP is deleted, as well as all associated objects and Policies within the POP.