---
title: Self-governance use cases
description: You can use self-governance to control access to Policy Editor entities and operations in a wide variety of ways.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_policy_administration_guide:paz_self_gov_use_cases
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_policy_administration_guide/paz_self_gov_use_cases.html
revdate: February 19, 2025
section_ids:
  use-case-preventing-a-user-from-viewing-a-branch: "Use case: Preventing a user from viewing a branch"
  about-this-task: About this task
  steps: Steps
  result: Result
  use-case-preventing-users-from-updating-a-policy-set: "Use case: Preventing users from updating a policy set"
  about-this-task-2: About this task
  steps-2: Steps
  result-2: Result
  use-case-preventing-users-from-deleting-policies: "Use case: Preventing users from deleting policies"
  about-this-task-3: About this task
  steps-3: Steps
  result-3: Result
---

# Self-governance use cases

You can use self-governance to control access to Policy Editor entities and operations in a wide variety of ways.

Controls that you can configure using self-governance include:

* Protecting a policy set from deletion

* Ensuring a policy can never be updated

* Preventing policies from being added or created in a policy set

* Blocking a user's ability to delete attributes

* Restricting a user's ability to read policies or policy sets

* Allowing attributes to be elevated to secret status while forbidding secret attributes from moving to non-secret status

The following use cases demonstrate how to build and deploy some common self-governance policies.

To view a visual flow of your self-governance policy decisions, see [Visualizing a policy decision response](paz_visualize_pol_resp.html).

## Use case: Preventing a user from viewing a branch

### About this task

The following are the general steps needed to prevent a user from viewing a branch:

### Steps

1. Create a policy named `Prevent a user from viewing a branch` in the **System Policy Set** of the **Admin Point Governance** branch.

2. Add a rule and name it `Deny if branch is Admin Point Governance and user is Steve Smith`.

3. Add a condition that returns true when **Branch.Name** equals `Admin Point Governance`.

4. Add a condition that returns true when **user.name** equals `Steve Smith`.

5. Select **Components** and drag the **Core.Branch** service to the **Applies to** section of the rule.

6. Drag the **Read** action to the **Applies to** section of the rule.

7. Save the policy.

8. Commit the changes to the **Admin Point Governance** branch in **Branch Manager > Version Control**.

### Result

This self-governance policy returns a `Deny` response if a user named Steve Smith tries to view the **Admin Point Governance** branch.

## Use case: Preventing users from updating a policy set

### About this task

The following are the general steps needed to prevent users from updating a policy set:

### Steps

1. Create a policy named `Prevent users from updating a policy set` in the **System Policy Set** of the **Admin Point Governance** branch.

2. Add a rule that returns a `Deny` if **Object.Existing.Name** equals `examplePolicySet`.

3. Select **Components** and drag the **Core.PolicySet** service to the **Applies to** section of the rule.

4. Drag the **Modify.Update** action to the **Applies to** section of the rule.

5. Save the policy.

6. Commit the changes to the **Admin Point Governance** branch in **Branch Manager > Version Control**.

### Result

This self-governance policy returns a `Deny` response when a user tries to modify a policy set with the name **examplePolicySet**.

## Use case: Preventing users from deleting policies

### About this task

The following are the general steps needed to prevent users from deleting policies:

### Steps

1. Create a policy named `Prevent users from deleting policies` in the **System Policy Set** of the **Admin Point Governance** branch.

2. Add a rule that always returns a `Deny` response.

3. Select **Components** and drag the **Core.Policy** service to the **Applies to** section of the rule.

4. Drag the **Modify.Delete** action to the **Applies to** section of the rule.

5. Save the policy.

6. Commit the changes to the **Admin Point Governance** branch in **Branch Manager > Version Control**.

### Result

This self-governance policy returns a `Deny` response when a user tries to delete a policy within the system.
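The three policies above can be checked with a decision matrix that pairs each denied request with near misses that must not be denied. The following Python model is an added example, not PingAuthorize code or its API: it treats a rule as **Applies to** targets (service and action) plus conditions. Assumptions: the request shape, exact string matching, the `NotApplicable` outcome when no rule matches, and the constructed values `Jane Doe`, `Feature Branch` and `otherPolicySet`.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """A Deny rule: 'Applies to' targets plus conditions that must all hold."""
    service: str
    action: str
    conditions: dict = field(default_factory=dict)  # attribute -> required value

    def denies(self, service, action, attrs):
        # Targets scope the rule; conditions are evaluated only on a target match.
        if (service, action) != (self.service, self.action):
            return False
        return all(attrs.get(k) == v for k, v in self.conditions.items())

# The three rules from the use cases on this page.
RULES = [
    Rule("Core.Branch", "Read", {"Branch.Name": "Admin Point Governance",
                                 "user.name": "Steve Smith"}),
    Rule("Core.PolicySet", "Modify.Update", {"Object.Existing.Name": "examplePolicySet"}),
    Rule("Core.Policy", "Modify.Delete"),  # no conditions: always Deny
]

def decide(service, action, attrs):
    """'Deny' if any rule matches; 'NotApplicable' otherwise (assumed outcome)."""
    hit = any(r.denies(service, action, attrs) for r in RULES)
    return "Deny" if hit else "NotApplicable"

# Constructed requests: each denied case is followed by its near misses.
CASES = [
    ("Core.Branch", "Read", {"Branch.Name": "Admin Point Governance", "user.name": "Steve Smith"}),
    ("Core.Branch", "Read", {"Branch.Name": "Admin Point Governance", "user.name": "Jane Doe"}),
    ("Core.Branch", "Read", {"Branch.Name": "Feature Branch", "user.name": "Steve Smith"}),
    ("Core.PolicySet", "Modify.Update", {"Object.Existing.Name": "examplePolicySet"}),
    ("Core.PolicySet", "Read", {"Object.Existing.Name": "examplePolicySet"}),
    ("Core.PolicySet", "Modify.Update", {"Object.Existing.Name": "otherPolicySet"}),
    ("Core.Policy", "Modify.Delete", {"user.name": "Jane Doe"}),
]

def run_matrix():
    return [decide(*case) for case in CASES]

if __name__ == "__main__":
    for case, result in zip(CASES, run_matrix()):
        print(f"{result:<14}{case}")
```

Because the third rule has no conditions, the matrix shows it denying deletion for any user, while the first two rules deny only the exact user, branch, or policy set they name.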
