Creating Policies


The Policy Wizard is an easy, visual way to create Policies in the Platform. Before creating a new Policy, you must have created at least one Asset Type with at least one Application connected to it. Some objects (like Dynamic Groups and Conditions), can be created while creating a new Policy.

During the Policy creation process, you need to specify whether this new Policy is used for Dynamic Authorization Services or for SaaS Policy Management. Once a Policy has been created, it is listed in the Policy Catalog and can be viewed as code, visually in the Policy Map, exported, edited, and/or deleted.

How to Create Policies

In the Authorization Workspace, you can create a Policy by clicking the Plus (+) button and selecting one of the following options:

  • From Wizard to start creating a Policy using the Policy Wizard. Refer to the Policy Wizard section below for more information.
  • From Code to import or insert a file containing the Policy Code. For more information, refer to Policies in Rego.

Policy Wizard

To create a Policy with the Policy Wizard:

  1. Choose an Authorization Workspace from the Environment side-panel.
  2. In the Policies tab, click the + icon.
  3. Select From Policy Wizard. The New Policy Wizard is displayed.
  4. In the Fill in Policy Details screen, enter a Name for the Policy (required).
  5. In the Generate Policy ID section, select whether you want to input a Custom ID or an Auto Generated ID (one that the Platform creates). The Policy ID must be unique per Environment. It is used as the leading ID in the CRUD API for Policy Management (for more information, see Policy Management APIs).
    • If you selected Custom ID, the Policy ID field appears as an editable field. Enter the new Policy ID in the field. The maximum number of characters for this field is 128.
    • If you selected Auto Generated ID, a GUID is automatically set as the Policy ID.

Once the Policy is saved, the Policy ID can no longer be changed.

  6. Enter a Description for the new Policy (optional).
  7. Select the Access Type. Options are Allow or Restrict.
    • Allow grants access rights to the Identity, if all other aspects of the Policy settings match.
    • Restrict denies access based on the Policy settings.
  8. Select whether you're using the Policy for the Dynamic Authorization Service or SaaS Applications.
  9. Select the Application/s to connect to this Policy.
  10. Click Continue to advance to the Who Step.

Who Step
The Wizard advances to the WHO step, in which you select the Dynamic Groups which will be given access (or denied access) for this Policy.

  1. In the Select Dynamic Groups for this Policy screen, select one or more Dynamic Groups to which you have Admin Permissions, or create a new Dynamic Group by clicking New Dynamic Group. For more information, see Creating a New Dynamic Group in the Policy Wizard.
  2. Click Continue.

What Step
The Wizard advances to the WHAT step, where you select which Asset Types you wish to associate with this Policy.
To add Assets to the Policy:

  1. Select an Asset Type from the drop-down. The list of Asset Types depends on which Application you chose to connect to the Policy.
  2. Click Select Rulesets. A side panel opens where you must select at least one Ruleset to use with the selected Asset Type and Action/s. You can also create a Ruleset from this panel.
    • After selecting your Ruleset/s, click Manage Rulesets to open the Ruleset side panel if required.
    • Select the Assets to use in this Policy.
    • To add another Action-Ruleset/Asset combination to the Policy, click Add Combination. Note: This button is disabled if no Actions or only one Action is associated with the Asset Type.
    • To remove a combination, click Remove Combination.
  3. Click Save. To add another Asset Type, click Add Asset Type and repeat from Step 1.
  4. Click Continue.

When Step
The Wizard advances to the WHEN step, where you select which Conditions you wish to associate with this Policy.
To create a condition:

  1. Select the checkbox next to existing Conditions, or click + New Condition. A side panel opens.
    • Fill in the Connection details section according to the relevant Condition.
  2. Click Save.
    • Ensure that the relevant Condition is selected in the list of Conditions. Conditions can also be predefined in the Assets and Conditions section of the Authorization Workspace.
  3. Click Done. The Policy is created and the Policy Map for the new Policy opens.

To manage existing Policies (edit, delete, or add Asset Types), see Managing Policies.

Note:

By default, all new Policies have a Policy State of Active. This means that they are considered when calculating the authorization decision. For more information, see Managing Policies.

Creating a New Dynamic Group in the Policy Wizard

While creating a new Policy, you may discover that you need to create a new Dynamic Group to help define the Policy. You do not need to exit the Wizard to accomplish this.

After entering the new Policy Name, Description and Access Type and clicking Continue, select the relevant Dynamic Group. If you don't see the Dynamic Group you need, you can create a new Dynamic Group from within the Wizard.

To create a new Dynamic Group in the Policy Wizard:

  1. Click New Dynamic Group. The New Dynamic Group side panel opens.
  2. In the Workspace Name field, select the Workspace in which you want the Dynamic Group created.
  3. In the Fill in the Dynamic Group Details section, enter the Name and the Description (optional).
  4. In the Define Dynamic Group Rules section, define a set of Rules based on existing Identity Attributes by selecting an Attribute, selecting an Operator, and providing a Value. As needed, use the AND and/or OR options to add additional Rules.
  5. Click Save. The Dynamic Group is created in the specified Identity Workspace and added to the list of available Dynamic Groups to be used in the Policy.
  6. Click Continue and begin selecting Assets for the new Policy, as detailed above.
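As an added example (not Platform code), the following Python toy models how the Dynamic Group Rules from step 4 (Attribute, Operator, Value, combined with AND/OR) feed the Allow/Restrict Access Type and Active Policy State described earlier; the operator set, the Restrict-wins ordering and the skipping of Inactive Policies are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Operators a Dynamic Group rule can use (assumed set; the page names none).
OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
}
@dataclass
class Rule:
    attribute: str  # Identity Attribute name
    operator: str   # key in OPERATORS
    value: object   # value the attribute is compared against

@dataclass
class DynamicGroup:
    name: str
    rules: List[Rule]
    combine: str = "AND"  # "AND": every rule must hold; "OR": any rule suffices

    def contains(self, identity: Dict[str, object]) -> bool:
        # A rule on an attribute the identity does not carry never matches.
        results = [
            r.attribute in identity
            and OPERATORS[r.operator](identity[r.attribute], r.value)
            for r in self.rules
        ]
        return all(results) if self.combine == "AND" else any(results)

@dataclass
class Policy:
    access_type: str            # "Allow" or "Restrict"
    groups: List[DynamicGroup]  # WHO step
    asset_types: List[str]      # WHAT step
    state: str = "Active"       # new Policies default to Active

def decide(policies: List[Policy], identity: Dict[str, object], asset_type: str) -> bool:
    """Grant only via Active Policies whose Asset Type and a Dynamic Group match;
    a matching Restrict denies regardless of Allows (assumed ordering)."""
    allowed = False
    for p in policies:
        if p.state != "Active" or asset_type not in p.asset_types:
            continue
        if not any(g.contains(identity) for g in p.groups):
            continue
        if p.access_type == "Restrict":
            return False
        allowed = True
    return allowed
```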

Policies in Structured Rego

Policies in structured Rego can be imported and copied into the Platform to promote Policies between Environments. This can be done in the Authorization Workspace or using the Import/Export Policy APIs. Only valid Policies can be successfully imported.

Note: A Policy that is Inactive in the source Environment will, by default, be Active when imported into a new Environment. Updating an existing Policy via import does not affect its current Policy State. To deactivate the Policy in the target Environment, see Managing Policies.

Prerequisites for Importing Policies

The following objects are required in the target Environment for successful import and proper Authorization calculation:

  • Identity Templates with relevant Identity Attributes defined in the Identity Workspace Settings.
  • Asset Templates with associated Asset Attributes and Actions defined in the Asset Type Settings.

Required for Policies to be considered in access decisions:

  • Asset Types used in the Policy must be connected to an Application defined in the Authorization Workspace.
  • The relevant Application must be connected to a Scope defined in the Environment settings.

Without these connections, Policies can be imported successfully but will not factor into access decisions. Connections can be defined before or after import.

Creating a New Policy In Rego

To import Policy code in Rego:

  1. Select the relevant Authorization Workspace.
  2. Ensure the Policies section is open.
  3. Click the Plus (+) button.
  4. Click From Code to open the Create Policy from Code screen.
  5. Import a .rego file by one of the following methods:
    • Pasting the Rego code in the input field.
    • Dragging and dropping the file into the input field.
    • Clicking Import File at the bottom of the page to upload a file.
  6. Optionally, click Download Sample File for a reference Policy to guide you.
  7. After importing, review and edit any errors highlighted in the wizard.
  8. Click Validate to check the code.
  9. Click Create Policy to finalize the new Policy.