Policy Wizard
    • 20 Nov 2024

    The Policy Wizard is an easy, visual way to create Policies in the Platform. Before creating a new Policy, you must have created at least one Asset Type with at least one Application connected to it. Some objects (like Dynamic Groups and Conditions) can be created while creating a new Policy.

    During the Policy creation process, you will need to specify whether this new Policy will be used for Dynamic Authorization Services or for SaaS Policy Management. Once a Policy has been created, it is listed in the Policy Catalog and can be viewed as code, visually in the Policy Map, exported, edited, and/or deleted.

    To create a Policy with the Policy Wizard:

    1. From the Authorization Workspace, click New Policy. The New Policy wizard is displayed.

    2. In the Fill in Policy Details screen, enter a Name for the Policy (required).

    3. In the Generate Policy ID section, select whether you want to apply a Custom ID (one that you create yourself) or an Auto Generated ID (one that the Platform creates automatically). The Policy ID must be unique per Environment. It is used as the leading ID in the CRUD API for Policy Management (for more information, see Policy Management APIs).

      • If you selected Custom ID, the Policy ID field appears as an editable field. Enter the new Policy ID in the field. The maximum number of characters for this field is 128.
      • If you selected Auto Generated ID, a GUID is automatically set as the Policy ID.

    Note:
    Once the Policy is saved, the Policy ID can no longer be changed.

    4. Enter a Description for the new Policy (Optional).

    5. Select the Access Type. Options are Allow or Restrict.

      • Allow grants access rights to the Identity, if all other aspects of the Policy settings match.
      • Restrict denies access based on the Policy settings.
    6. In the Use Policy for field, select either Dynamic Authorization Service or SaaS Applications (SaaS Policy Management) to manage third-party vendor Applications. Once you make a selection, the available Applications for that selection are displayed.

    7. Click Continue. The Wizard advances to the WHO step, in which you select the Dynamic Groups which will be given access (or denied access) for this Policy. In the Select Dynamic Groups for this Policy screen, you can:

    8. Click Continue. The wizard advances to the WHAT screen where you can select which Asset Types you wish to associate with this Policy. Note that you can only configure one Asset Type at a time for the new Policy. Once you select an Asset Type, the Actions, Rulesets and Applications available for that Asset Type are displayed. Only Asset Types associated to the Application(s) you chose in the previous screen will be displayed. Select one Asset Type. Additional Asset Types can be added immediately after the first one has been configured.

      • If one or more Actions have been defined for this Asset Type, you can select which Actions you want to be associated with this Policy.
      • In the Rulesets field, select one or more Rulesets. You must assign at least one. You can also click New Ruleset to define a new Ruleset. Click Done after assigning one or more Rulesets to this new Policy. The Rulesets side panel closes.
    9. Click Continue.

    10. Save. You can now:

      • Click Edit to change any of the objects you selected. The fields become editable.
      • Click the trash can icon to delete the Policy.
      • Click Add Asset Type to add another Asset Type to the Policy, again defining Actions and Rulesets.
    11. If Conditions have been created, you can now select which Conditions can be associated to this Policy. Click Done.

    The Policy is created and the Policy Map for the new Policy opens. Here you can:

    • Activate or deactivate the Policy
    • View the Policy code for the new Policy
    • Export the Policy as code
    • Delete the Policy
    • Click on the displayed items in the Map to see the Details side panel (Dynamic Groups, Conditions, Asset Types)
    Note:

    By default, all new Policies have a Policy State of Active. This means that they are considered when calculating the authorization decision. For more information, see Managing Policies.

    Creating a New Dynamic Group in the Policy Wizard

    While creating a new Policy, you may discover that you need to create a new Dynamic Group to help define the Policy. You do not need to exit the Wizard to accomplish this.

    After entering the new Policy Name, Description and Access Type, you click Continue. At this point, as detailed above, you are expected to select the relevant Dynamic Group. If you don't see the Dynamic Group, you have the option of creating a new Dynamic Group from within the Wizard.

    To create a new Dynamic Group in the Policy Wizard:

    1. Click New Dynamic Group. The New Dynamic Group side panel opens.
    2. In the Workspace Name field, select the Workspace in which you want the Dynamic Group created.
    3. In the Fill in the Dynamic Group Details section, enter the Name and the Description (optional).
    4. In the Define Dynamic Group Rules section, define a set of Rules based on existing Identity Attributes by selecting an Attribute, selecting an Operator, and providing a Value. As needed, use the And and/or OR options to add additional Rules.
    5. Click Save. The Dynamic Group is created in the specified Identity Workspace and added to the list of available Dynamic Groups to be used in the Policy.
    6. Click Continue and begin selecting Assets for the new Policy, as detailed above.


    Incomplete Policies

    If you have not completed all of the required elements of the Policy, you will get a message asking if you wish to complete the Policy now or complete it later. If you choose to complete it later, a red dot will appear next to the Policy listing in the Policy Catalog and the Policy will not be active.

    Once you complete the required configurations, the red dot is removed and the Policy will be applied appropriately.
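
    The requirements the Wizard enforces can also be checked offline, for example when reviewing Policy drafts before they are created. The sketch below is an added example, not Platform code: the dict layout, field names and function names are hypothetical, and treating a Policy with no Asset Type as incomplete is an assumption.

```python
import uuid

MAX_POLICY_ID_LEN = 128               # limit stated for a Custom ID
ACCESS_TYPES = {"Allow", "Restrict"}  # the two Access Type options


def new_policy_id(custom_id=None):
    """Return the Custom ID if one is given, otherwise a generated GUID."""
    return custom_id if custom_id is not None else str(uuid.uuid4())


def find_gaps(policy, ids_in_environment):
    """List the Wizard requirements that a draft does not meet.

    `policy` uses a hypothetical layout, not the Platform's export format.
    `ids_in_environment` holds the Policy IDs already used in the Environment;
    exact string comparison is an assumption.
    """
    gaps = []
    if not policy.get("name", "").strip():
        gaps.append("Name is required")
    pid = policy.get("policy_id", "")
    if not pid:
        gaps.append("Policy ID is missing")
    elif len(pid) > MAX_POLICY_ID_LEN:
        gaps.append("Policy ID exceeds 128 characters")
    elif pid in ids_in_environment:
        gaps.append("Policy ID is not unique in this Environment")
    if policy.get("access_type") not in ACCESS_TYPES:
        gaps.append("Access Type must be Allow or Restrict")
    asset_types = policy.get("asset_types", [])
    if not asset_types:
        gaps.append("No Asset Type configured")  # assumption, see lead-in
    for asset_type in asset_types:
        if not asset_type.get("rulesets"):
            gaps.append(f"Asset Type {asset_type.get('name')!r} has no Ruleset")
    return gaps


def effective_state(policy, ids_in_environment):
    """Complete Policies default to Active; incomplete ones are not active."""
    return "Not active" if find_gaps(policy, ids_in_environment) else "Active"


# Constructed sample data.
EXISTING_IDS = {"hr-records-read"}
COMPLETE = {"name": "Finance read", "policy_id": new_policy_id(),
            "access_type": "Allow",
            "asset_types": [{"name": "Ledger", "rulesets": ["Own region"]}]}
INCOMPLETE = {"name": "HR read", "policy_id": "hr-records-read",
              "access_type": "Restrict",
              "asset_types": [{"name": "Records", "rulesets": []}]}
```

    Because the Policy ID cannot be changed after saving, running a check like this against a Custom ID before the first save avoids having to delete and recreate the Policy.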

