---
title: Creating a policy to restrict the ability to delete based on resource type
description: For a given resource type, restrict the ability to delete.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_policy_administration_guide:paz_create_policy_restrict
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_policy_administration_guide/paz_create_policy_restrict.html
revdate: December 9, 2025
section_ids:
  steps: Steps
---

# Creating a policy to restrict the ability to delete based on resource type

For a given resource type, restrict the ability to delete. In particular, the policy focuses on the delete action and then denies the action when the resource type is Devices.

## Steps

1. In the Policy Editor, go to **Policies** in the left pane and then click **Policies** along the top.

2. From the **[icon: plus, set=fa]**menu, select **Add Policy**.

3. For the name, replace **Untitled** with `User cannot delete a Device resource`.

4. Click the **[icon: plus, set=fa]**icon next to **Applies to**.

5. Click **Add definitions and targets, or drag from Components** and add the **delete** action.

6. Set **Combining Algorithm** to **Unless one decision is deny, the decision will be permit**.

   You should have a screen similar to the following one for the policy so far.

   ![Screen capture of the Policies tab showing the User cannot delete a Device resource policy, configured as specified](_images/paz-policy-solution-cannot-delete-device.png)

7. Add a rule to deny the deletion of Device resources.

   1. Click **[icon: plus, set=fa]Add Rule.**

   2. For the name, replace **Untitled** with `If the SCIM resource type is Device, then deny`.

   3. Set **Effect** to **Deny**.

   4. Click **[icon: plus, set=fa]Comparison**.

   5. In the **Select an Attribute** list, select the `SCIM2.resource.meta.resourceType` attribute.

   6. In the second field, select **Equals**.

   7. In the third field, specify `Devices` as the constant.

   8. Add a statement to provide a custom message.

      1. Within the rule, click **Show Statements**.

      2. Click the **[icon: plus, set=fa]**icon next to **Statements**.

      3. Click **[icon: plus, set=fa]Add Statement > Denied Reason**.

      4. For the name, specify `denied-reason`.

      5. Set **Applies To** to **Deny**.

      6. In the **Payload** field:

         * Remove

           `Example:`

         * Change

           `Human-readable error message`

           to

           `System has restricted the ability to delete Device resources`

   9. Click **Save changes**.

      Your rule should be similar to the following one.

      ![Screen capture of the rule to deny the deletion of Device resources, configured as specified](_images/wxe1610644588293.png)

8. Send test requests to the SCIM service, and verify data using the Policy Editor's Decision Visualiser.