Policy Wizard
    • 05 Feb 2024

    Policies can be created once you have defined the required elements. If you begin to create a Policy but one or more objects have not been defined, the Policy may be created and added to the Policy Catalog with a red dot to indicate that the Policy was not completed. Once you create the missing objects, you can edit the Policy (see below) to make it active.

    In addition to editing Policies that were discovered during the SaaS Policy Management process, you can also create new Policies in the Wizard and then view them in the Policy Catalog.

    To create a Policy with the Policy Wizard:

    1. From the Authorization Workspace, click New Policy. The New Policy wizard is displayed.

    2. In the Fill in Policy Details screen, enter a Name for the Policy (required).

    3. In the Generate Policy ID section, select whether you want to apply a Custom ID (one that you create yourself) or an Auto Generated ID (one that the Platform creates automatically). The Policy ID must be unique per Environment. It is used as the leading ID in the CRUD API for Policy Management (for more information, see Policy Management APIs).

      • If you selected Custom ID, the Policy ID field appears as an editable field. Enter the new Policy ID in the field. The maximum number of characters for this field is 128.
      • If you selected Auto Generated ID, a GUID is automatically set as the Policy ID.

    Note:
    Once the Policy is saved, the Policy ID can no longer be changed.

    4. Enter a Description for the new Policy (optional).

    5. Select the Access Type. Options are Allow or Restrict.

      • Allow grants access rights to the Identity, if all other aspects of the Policy settings match.
      • Restrict denies access based on the Policy settings.

    6. If a Policy Orchestration Point (POP) has been configured, an option appears to define whether the Policy is used for a POP. If enabled, you can then select relevant Applications and enter the POP details. For more information on creating a new Policy used for POPs, see SaaS Policy Management. {Early Access Feature}

    7. If no POP has been configured, or if you toggle the option off so that the Policy is not integrated with a third-party application (for example, Power BI or Zscaler), click Continue. The Wizard advances to the WHO step, in which you select the Dynamic Groups which will be given access (or denied access) for this Policy.

    8. In the Select Dynamic Groups for this Policy screen, you can:

    9. Click Continue. The wizard advances to the WHAT screen, where you can select the Asset Types, Actions (if applicable), Rulesets and Applications for the Policy you are creating.

      • In the Asset Type field, select an existing Asset Type from the drop-down menu (required).
      • If one or more Actions have been defined for this Asset Type, you can select one or more Actions (required).
      • In the Rulesets field, select one or more Rulesets. You must assign at least one. You can also click New Ruleset to define a new Ruleset.
      • Applications that have been defined automatically for the Asset Type appear below Applications. You can click on the Application to see its Details side panel.

    10. Click Save. You can now:

      • Click Edit to change any of the objects you selected. The fields become editable.
      • Click the trash can icon to delete the Policy.
      • Click Done.

    The Policy is created and the Policy Map for the new Policy opens. Here you can:

    • Activate or deactivate the Policy
    • View the Policy code for the new Policy
    • Export the Policy as code
    • Delete the Policy
    • Click on the displayed items to see the Details side panel (Dynamic Groups or Asset Types)

    Note:
    By default, all new Policies have a Policy State of Active. This means that they are considered when calculating the authorization decision. For more information, see Managing Policies.

    Creating a New Dynamic Group in the Policy Wizard

    While creating a new Policy, you may discover that you need to create a new Dynamic Group to help define the Policy. You do not need to exit the Wizard to accomplish this.

    After entering the new Policy Name, Description and Access Type, you click Continue. At this point, as detailed above, you are expected to select the relevant Dynamic Group. If you don't see the Dynamic Group, you have the option of creating a new Dynamic Group from within the Wizard.

    To create a new Dynamic Group in the Policy Wizard:

    1. Click New Dynamic Group. The New Dynamic Group side panel opens.
    2. In the Workspace Name field, select the Workspace in which you want the Dynamic Group created.
    3. In the Fill in the Dynamic Group Details section, enter the Name and the Description (optional).
    4. In the Define Dynamic Group Rules section, define a set of Rules based on existing Identity Attributes by selecting an Attribute, selecting an Operator, and providing a Value. As needed, use the And and/or OR options to add additional Rules.
    5. Click Save. The Dynamic Group is created in the specified Identity Workspace and added to the list of available Dynamic Groups to be used in the Policy.
    6. Click Continue and begin selecting Assets for the new Policy, as detailed above.

    Incomplete Policies

    If you have not completed all of the required elements of the Policy, you will get a message asking if you wish to complete the Policy now or complete it later. If you choose to complete it later, a red dot will appear next to the Policy listing in the Policy Catalog and the Policy will not be active.

    Once you complete the required configurations, the red dot is removed and the Policy will be applied appropriately.
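
    The Policy ID cannot be changed after saving and an incomplete Policy is not enforced, so it helps to check a draft before it reaches the Wizard or the Policy Management API. The following pre-save check is an added example, not Platform code: the field names (name, access_type, asset_type, actions, rulesets), the function names and the sample data are hypothetical, and it assumes that an empty Custom ID is rejected, that uniqueness is an exact string match, and that Access Type is mandatory.

```python
import uuid

MAX_POLICY_ID_LEN = 128               # Custom ID limit stated on this page
ACCESS_TYPES = {"Allow", "Restrict"}  # the two Access Type options

def resolve_policy_id(custom_id, ids_in_environment):
    """Return the ID to save. None means 'Auto Generated ID' (a GUID)."""
    if custom_id is None:
        return str(uuid.uuid4())
    # Assumption: an empty Custom ID is rejected; the page only gives the maximum.
    if not 0 < len(custom_id) <= MAX_POLICY_ID_LEN:
        raise ValueError("Custom ID must be 1-128 characters")
    # Assumption: uniqueness is an exact string match within one Environment.
    if custom_id in ids_in_environment:
        raise ValueError("Policy ID already exists in this Environment")
    return custom_id

def missing_elements(draft, actions_by_asset_type):
    """Elements the Wizard asks for that the draft lacks (hypothetical field names)."""
    missing = []
    if not draft.get("name"):
        missing.append("name")
    if draft.get("access_type") not in ACCESS_TYPES:
        missing.append("access_type")
    asset_type = draft.get("asset_type")
    if not asset_type:
        missing.append("asset_type")
    # Actions are required only when the Asset Type has Actions defined.
    elif actions_by_asset_type.get(asset_type) and not draft.get("actions"):
        missing.append("actions")
    if not draft.get("rulesets"):
        missing.append("rulesets")
    return missing

def catalog_entry(draft, actions_by_asset_type):
    """Incomplete drafts get the red dot and stay inactive; complete ones are Active."""
    missing = missing_elements(draft, actions_by_asset_type)
    return {"red_dot": bool(missing), "active": not missing, "missing": missing}

# Constructed sample data (not exported from any real tenant).
ACTIONS = {"account": ["view", "transfer"], "report": []}
DRAFT = {"name": "Tellers can view accounts", "access_type": "Allow",
         "asset_type": "account", "actions": [], "rulesets": ["branch-hours"]}

if __name__ == "__main__":
    print(resolve_policy_id("tellers-view-accounts", {"legacy-policy"}))
    print(catalog_entry(DRAFT, ACTIONS))  # actions missing: red dot, inactive
```

    A draft that reports red_dot here would be saved as inactive, so an Allow or Restrict rule you expect to be enforced would not yet take part in the authorization decision.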

