Policy Wizard
    • 24 Nov 2024
    • 5 Minutes to read
    • Dark
      Light
    • PDF

    Policy Wizard

    • Dark
      Light
    • PDF

    Article summary

    The Policy Wizard is an easy, visual way to create Policies in the Platform. Before creating a new Policy, you must have created at least one Asset Type with at least one Application connected to it. Some objects (like Dynamic Groups and Conditions), can be created while creating a new Policy.

    During the Policy creation process, you will need to specify whether this new Policy will be used for Dynamic Authorization Services or for SaaS Policy Management. Once a Policy has been created, it is listed in the Policy Catalog and can be viewed as code, visually in the Policy Map, exported, edited, and/or deleted.

    To create a Policy with the Policy Wizard:

    1. From the Authorization Workspace, click New Policy. The New Policy wizard is displayed.

    2. In the Fill in Policy Details screen, enter a Name for the Policy (required).

    3. In the Generate Policy ID section, select whether you want to apply a Custom ID (one that you create yourself) or an Auto Generated ID (one that the Platform creates) automatically. The Policy ID must be unique per Environment. It is used as the leading ID in the CRUD API for Policy Management (for more information, see Policy Management APIs).

      • If you selected Custom ID, the Policy ID field appears as an editable field. Enter the new Policy ID in the field. The maximum number of characters for this field is 128.
      • If you selected Auto Generated ID, a GUID is automatically set as the Policy ID.

    Note:
    Once the Policy is saved, the Policy ID can no longer be changed.

    • Enter a Description for the new Policy (Optional).
    • Select the Access Type. Options are Allow or Restrict.
      • Allow grants access rights to the Identity, if all other aspects of the Policy settings match.
      • Restrict denies access based on the Policy settings.
    • If the Use Policy for field, select either Dynamic Authorization Service or SaaS Applications SaaS Policy Management to manage third party vendor Applications. Once you make a selection, the available Applications for that selection are displayed.
    • Click Continue. The Wizard advances to the WHO step, in which you select the Dynamic Groups which will be given access (or denied access) for this Policy. * In the Select Dynamic Groups for this Policy screen, you can:
    • Click Continue. The wizard advances to the WHAT screen where you can select which Assets Types you wish to associate with this Policy. Note that you can only configure one Asset Type at a time for the new Policy. Once you select an Asset Type, the Actions, Rulesets and Applications available for that Asset Type are displayed. only Asset Types associated to the Application(s) you chose in the previous screen will be displayed. Select one Asset Type. Additional Asset Types can be added immediately after the first one has been configured.
      • If one or more Actions have been defined for this Asset Type, you can select which Actions you want to be associated with this Policy.
      • In the Rulesets field select one or more Rulesets. You must assign at least one. You can also click New Ruleset to define a new Ruleset. Click Done after assigning one or more Rulesets to this new Policy. The Rulesets side panel closes.
    1. Click Continue. The wizard advances to the WHEN screen where you can select which Conditions you wish to associate with this Policy. To create a condition:
      • Click the + New Condition. A side panel opens.
      • Fill in the Connection details section according to the relevant Condition.
      • Click Save.
      • Ensure that the relevant Condition is selected in the list of Conditions.
        Conditions can also be predefined in the Assets and Conditions section of the Authorization Workspace.
    2. Done. The Policy is created and the Policy Map for the new Policy opens. Here you can:
    • Activate or deactivate the Policy
    • View the Policy code for the new Policy
    • Export the Policy as code
    • Delete the Policy
    • Click on the displayed items in the Map to see the Details side panel (Dynamic Groups, Conditions, Asset Types)

    To manage existing Policies (edit, delete, or add Asset Types), see Managing Policies.

    Note:

    By default, all new Policies have a Policy State of Active. This means that they are considered when calculating the authorization decision. For more information, see Managing Policies.

    * Click Edit to change any of the objects you selected. The fields become editable
    * Click the trash can icon to delete the Policy.
    * Click Add Asset Type to add another Asset Type to the Policy, again defining Actions and Rulesets.

    Creating a New Dynamic Group in the Policy Wizard

    While creating a new Policy, you may discover that you need to create a new Dynamic Group to help define the Policy. You do not need to exit the Wizard to accomplish this.

    After entering the new Policy Name, Description and Access Type, you click Continue. At this point, as detailed above, you are expected to select the relevant Dynamic Group. If you don't see the Dynamic Group, you have the option of creating a new Dynamic Group from within the Wizard.

    To create a new Dynamic Group in the Policy Wizard:

    1. Click New Dynamic Group. The New Dynamic Group side panel opens.
    2. In the Workspace Name field, select the Workspace in which you want the Dynamic Group created.
    3. In the Fill in the Dynamic Group Details section, enter the Name and the Description (optional).
    4. In the Define Dynamic Group Rules, define a set of Rules based on existing Identity Attributes by selecting an Attribute, selecting an Operator, and providing a Value. As needed, use the And and/or OR options to add additional Rules.
    5. Click Save. The Dynamic Group is created in the specified Identity Workspace and added to the list of available Dynamic Groups to be used in the Policy.
    6. Click Continue and begin selecting Assets for the new Policy, as detailed above.

    DG creation from policy wizard.gif

    Incomplete Policies

    If you have not completed all of the required elements of the Policy, you will get a message asking if you wish to complete the Policy now or complete it later. If you choose to complete it later, a red dot will appear next to the Policy listing in the Policy Catalog and the Policy will not be active.

    Once you complete the required configurations, the red dot is removed and the Policy will be applied appropriately.


    Was this article helpful?