---
title: Creating a policy to control the set of actions for a specific resource
description: For a given resource, control the outcomes (deny or permit) of actions on the resource.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_policy_administration_guide:paz_create_policy_control_actions
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_policy_administration_guide/paz_create_policy_control_actions.html
revdate: December 9, 2025
section_ids:
  steps: Steps
---

# Creating a policy to control the set of actions for a specific resource

For a given resource, control the outcomes (deny or permit) of actions on the resource. In this example, the policy targets the Users resource, denying delete actions and permitting retrieve actions.

## Steps

1. In the Policy Editor, go to **Policies** in the left pane and then click **Policies** along the top.

2. From the **+** menu, select **Add Policy**.

3. For the name, replace **Untitled** with `Control actions for the User resource`.

4. Click the **+** next to **Applies to**.

5. Click **Add definitions and targets, or drag from Components** and add the **SCIM2.Users** service.

6. Set **Combining Algorithm** to **Unless one decision is deny, the decision will be permit**.

   You should have a screen similar to the following one for the policy so far.

   ![Screen capture of the Policies tab displaying the Control actions for the User resource policy, configured as specified](_images/paz-policy-solutions-control-users-resource.png)

7. Add a rule to deny the deletion of User resources.

   1. Click **+ Add Rule**.

   2. For the name, replace **Untitled** with `Action: delete`.

   3. Set **Effect** to **Deny**.

   4. Click **+ Comparison**.

   5. In the first field, click the **A** to toggle to an **R**, and in that field's list, select **Action**.

   6. In the second field, select **Equals**.

   7. In the third field, select the **delete** action.

   8. Add a statement to provide a custom message.

      1. Within the rule, click **Show Statements**.

      2. Click **+** next to **Statements**.

      3. Click **+ Add Statement > Denied Reason**.

      4. For the name, specify `denied-reason`.

      5. Set **Applies To** to **Deny**.

      6. In the **Payload** field:

         * Remove

           `Example:`

         * Change

           `Human-readable error message`

           to

           `System has restricted the ability to delete User resources`

   9. Click **Save changes**.

      Your rule should be similar to the following one.

      ![Screen capture of the rule to deny deletion of User resources with a custom denied reason, configured as specified](_images/nzd1687903208250.png)

8. Add a rule to permit the retrieval of User resources.

   1. Click **+ Add Rule**.

   2. For the name, replace **Untitled** with `Action: retrieve`.

   3. Set **Effect** to **Permit**.

   4. Click **+ Comparison**.

   5. In the first field, click the **A** to toggle to an **R**, and in that field's list, select **Action**.

   6. In the second field, select **Equals**.

   7. In the third field, select the **retrieve** action.

   8. Click **Save changes**.

      Your rule should be similar to the following one.

      ![Screen capture of the rule to permit retrieval of User resources, configured as specified](_images/lad1687903375368.png)

9. Send test requests to the SCIM service, and verify data using the Policy Editor's Decision Visualiser.
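
As an added illustration (not PingAuthorize code and not part of the original guide), the following Python model of the finished policy shows which decision and statements to expect for each test request in step 9. It assumes the combining algorithm behaves as its label states and that a rule whose comparison is false is not applicable; the request shape and the `create` action are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    effect: str                           # "Permit" or "Deny"
    action: str                           # rule applies when Action Equals this
    denied_reason: Optional[str] = None   # statement payload, Applies To = Deny

    def evaluate(self, request: dict) -> str:
        # Assumption: a rule whose comparison is false is not applicable.
        return self.effect if request["action"] == self.action else "NotApplicable"

# Names and payload text are the ones entered in the steps above.
POLICY = {
    "applies_to": "SCIM2.Users",
    "rules": [
        Rule("Action: delete", "Deny", "delete",
             "System has restricted the ability to delete User resources"),
        Rule("Action: retrieve", "Permit", "retrieve"),
    ],
}

def decide(policy: dict, request: dict):
    """Return (decision, statements, names of rules that matched)."""
    if request["service"] != policy["applies_to"]:
        return "NotApplicable", [], []
    results = [(r, r.evaluate(request)) for r in policy["rules"]]
    matched = [r.name for r, d in results if d != "NotApplicable"]
    denies = [r for r, d in results if d == "Deny"]
    # "Unless one decision is deny, the decision will be permit"
    if denies:
        statements = [{"name": "denied-reason", "payload": r.denied_reason}
                      for r in denies if r.denied_reason]
        return "Deny", statements, matched
    return "Permit", [], matched

if __name__ == "__main__":
    # Constructed sample requests; "create" stands in for any action with no rule.
    for action in ("delete", "retrieve", "create"):
        decision, statements, matched = decide(
            POLICY, {"service": "SCIM2.Users", "action": action})
        print(f"{action:9} -> {decision:6} matched={matched} statements={statements}")
```

In this model only `delete` is denied: `retrieve` and any action without a rule both come back as permit, because the combining algorithm permits unless some rule denies. When testing, check in the Decision Visualiser which rule actually matched rather than relying on the permit outcome alone.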
