---
title: Creating a policy to permit or deny the creation of resources
description: This policy allows the creation of one resource type but not another. In particular, the policy focuses on the create action and then allows the creation of Device resources but denies the creation of User resources.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_policy_administration_guide:paz_create_policy_permit_deny
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_policy_administration_guide/paz_create_policy_permit_deny.html
revdate: May 22, 2024
section_ids:
  steps: Steps
---

# Creating a policy to permit or deny the creation of resources

This policy allows the creation of one resource type but not another. In particular, the policy focuses on the create action and then allows the creation of Device resources but denies the creation of User resources.

## Steps

1. In the Policy Editor, go to **Policies** in the left pane and then click **Policies** along the top.

2. From the **+** menu, select **Add Policy**.

3. For the name, replace **Untitled** with `User can only create Device resources`.

4. Click the **+** next to **Applies to**.

5. Click **Add definitions and targets, or drag from Components** and add the **create** action.

6. Set **Combining Algorithm** to **Unless one decision is deny, the decision will be permit**.

7. Add a rule to allow the creation of Device resources.

   1. Click **+ Add Rule**.

   2. For the name, replace **Untitled** with `Permit the creation of Device resources`.

   3. Click **+ Comparison**.

   4. In the first field, click the **A** to toggle to an **R**, and from that field's drop-down list, select **Service**.

   5. In the second field, select **Equals**.

   6. In the third field, select the **SCIM2.Devices** service.

   7. Click **Save changes**.

      You should have a screen similar to the following one for the policy and this rule.

      ![Screen capture of the Policies tab with the User can only create Device resources policy showing, configured as specified](_images/jxo1687903704287.png)

8. Add a rule to deny the creation of User resources.

   1. Click **+ Add Rule**.

   2. For the name, replace **Untitled** with `Deny the creation of User resources`.

   3. Set **Effect** to **Deny**.

   4. Click **+ Comparison**.

   5. In the first field, click the **A** to toggle to an **R**, and from that field's drop-down list, select **Service**.

   6. In the second field, select **Equals**.

   7. In the third field, select the **SCIM2.Users** service.

   8. Add statements to provide a custom message.

      1. Within the rule, click **Show Statements**.

      2. Click the **+** next to **Statements**.

      3. Click **+ Add Statement → Denied Reason**.

      4. For the name, specify `denied-reason`.

      5. Set **Applies To** to **Deny**.

      6. In the **Payload** field:

         * Remove

           `Example:`

         * Change

           `Human-readable error message`

           to

           `System has restricted the ability to create User resources`

   9. Click **Save changes**.

      You should have a screen similar to the following one for the second rule.

      ![Screen capture of the Deny the creation of User resources rule and its statement, configured as specified](_images/onu1687904009376.png)

9. Send test requests to the SCIM service and verify data using the Policy Editor's Decision Visualiser.
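
The following added example (not PingAuthorize code and not part of the original guide) models the policy built in the steps above, so you know which decision to expect for each test request. The request field names `action` and `service` and the service name `Example.Other` are assumptions made for the model.

```python
# Simplified model of the "User can only create Device resources" policy.
# Added example: this is not the PingAuthorize decision engine.
from dataclasses import dataclass
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # PERMIT or DENY
    service: str                         # condition: Service Equals <service>
    denied_reason: Optional[str] = None  # statement payload, applies to Deny

    def evaluate(self, request):
        # A rule whose comparison does not match contributes no decision.
        if request.get("service") != self.service:
            return NOT_APPLICABLE, None
        reason = self.denied_reason if self.effect == DENY else None
        return self.effect, reason


RULES = [
    Rule("Permit the creation of Device resources", PERMIT, "SCIM2.Devices"),
    Rule("Deny the creation of User resources", DENY, "SCIM2.Users",
         "System has restricted the ability to create User resources"),
]


def decide(request, rules=RULES):
    """Return (decision, denied_reason) for one request."""
    # "Applies to": the policy targets the create action only.
    if request.get("action") != "create":
        return NOT_APPLICABLE, None
    # Combining algorithm: unless one decision is deny, the decision is permit.
    for decision, reason in (rule.evaluate(request) for rule in rules):
        if decision == DENY:
            return DENY, reason
    return PERMIT, None


if __name__ == "__main__":
    # Constructed sample requests, one per case worth testing.
    samples = [
        {"action": "create", "service": "SCIM2.Devices"},
        {"action": "create", "service": "SCIM2.Users"},
        {"action": "create", "service": "Example.Other"},  # hypothetical service
        {"action": "modify", "service": "SCIM2.Users"},    # not a create action
    ]
    for req in samples:
        print(req, "->", decide(req))
```

In this model, a create request for a service that neither rule names is permitted, because the combining algorithm only requires that no rule returns deny. Include such a request among your test requests and confirm the result in the Decision Visualiser.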
