---
title: Policies in the UI
description: You manage authorization policies through the AM native admin console. You can only create a policy as part of a policy set.
component: pingoneaic
page_id: pingoneaic:am-authorization:policies-ui
canonical_url: https://docs.pingidentity.com/pingoneaic/am-authorization/policies-ui.html
keywords: ["Authorization", "Policy", "Configuration"]
page_aliases: ["authorization-guide:policies-ui.adoc"]
section_ids:
  policy-names: Policy type names
  resources: Resources
  policy-actions: Policy actions
  conditions: Conditions
  subjects: Subjects
  environments: Environments
  response-attributes: Response attributes
  example: Example
---

# Policies in the UI

You manage authorization policies through the AM native admin console. You can only create a policy as part of a [policy set](policy-sets-ui.html).

To configure a policy, go to Native Consoles > Access Management > Realms > *Realm Name* > Authorization > Policy Sets and select the name of the policy set in which to configure the policy.

| To...           | Action |
| --------------- | ------ |
| Create a policy | Click Add a Policy. When creating a policy, specify a [name](#policy-names), a [resource type](configuring-resource-types.html), and at least one [resource](#resources). Click Create. |
| Modify a policy | Click the policy name or the pencil icon ([icon: pencil-alt, set=fa]). |
| Delete a policy | Click the delete icon ([icon: times, set=fa]), or click the policy name and then click ([icon: times, set=fa]) Delete. |

## Policy type names

Don't use any of the following characters in policy, policy set, or resource type names:

* Double quotes (`"`)

* Plus sign (`+`)

* Comma (`,`)

* Less than (`<`)

* Equals (`=`)

* Greater than (`>`)

* Backslash (`\`)

* Forward slash (`/`)

* Semicolon (`;`)

* Null (`\u0000`)

## Resources

To define resources that the policy applies to:

1. Click the Resources pencil icon ([icon: pencil-alt, set=fa]) or the Resources tab.

2. Select a resource type from the Resource Type list.

   The resource type determines which resource patterns are available. The `OAuth2 Scope` resource type contains the same resource patterns as the `URL` resource type, as well as the `*` pattern.

   Use the resource patterns that are most relevant for the scopes in your environment.

   Learn more about resource types in [Resource types](configuring-resource-types.html).

3. Select a resource pattern from the Resources drop-down list.

4. Replace the asterisks with values for matching resources, and click Add.

   Learn more about resource patterns in [Resource type patterns](resource-types-ui.html#policy-patterns-wildcards).

5. Optionally, click Add Resource to add more resource patterns, or click ([icon: times, set=fa]) to delete a resource pattern.

6. Save your changes.

## Policy actions

To define policy actions that allow or deny access to a resource:

1. Click the Actions pencil icon ([icon: pencil-alt, set=fa]) or the Actions tab.

2. Click Add an Action to select an action from the drop-down list.

3. Select whether to allow or deny the action on the resources.

4. Optionally, add further actions, or click ([icon: times, set=fa]) to delete actions.

5. Save your changes.

## Conditions

To define subject and environment conditions:

* Combine logical operators with blocks of configured parameters to create a rule set. The policy uses this rule set to filter requests for resources.

* Use drag and drop to nest logical operators at multiple levels to create complex rule sets.

  ![Nested subject conditions](_images/policy-subjects.png)

* A gray horizontal bar indicates a valid point to drop a block.

  ![Drop blocks into drop points, which are shown as a gray horizontal band.](_images/policy-editor-valid-drop-points.png)

### Subjects

To define the subject conditions that the policy applies to:

1. Click Add a Subject Condition, choose the [type](#subject-types) from the drop-down menu, and provide any required subject values.

2. When complete, click the check icon ([icon: check, set=fa]) and drag the block into a valid drop point in the rule set.

3. To add a logical operator, click Add a Logical Operator, choose between `All Of`, `Not`, and `Any Of` from the drop-down list, and drag the block into a valid drop point in the rule set.

4. To edit a condition, click the edit icon ([icon: pencil-alt, set=fa]), or click ([icon: times, set=fa]) to delete.

5. Continue combining logical operators and subject conditions and click Save Changes when you've finished.

| Subject condition types  | Description |
| ------------------------ | ----------- |
| Authenticated Users      | Any user who has successfully authenticated with Advanced Identity Cloud. |
| Users & Groups           | Search for and select one or more users or groups. These are the identities and groups managed under Realms > *Realm Name* > Identities and its Groups tab. |
| OpenID Connect/Jwt Claim | Validate a claim within a JSON Web Token (JWT). Type the name of the claim to validate in the Claim Name field, for example, `sub`, and the required value in the Claim Value field, then click the check icon ([icon: check, set=fa]). Repeat the step to add further claims. The claims are part of the JWT payload, alongside the JWT header and signature; the JWT is presented as a bearer token in the request's Authorization header. This condition type supports only string equality comparisons, and the comparison is case-sensitive. |
| Never Match              | Never match any subject, which disables the policy. `Never Match` is the default if you don't set a subject condition, so you must set a subject condition for the policy to apply. To match regardless of the subject, configure a `Never Match` subject condition inside a logical `Not` block. |

### Environments

To define the environment conditions the policy applies to:

1. Click Add an Environment Condition, select an environment condition type from the Type list, and provide any required values.

   The fields differ, according to the type you've selected. Learn more in [Environment condition types](#environment-types).

   |   |                                                                              |
   | - | ---------------------------------------------------------------------------- |
   |   | `Script` is the only environment condition available for OAuth 2.0 policies. |

2. When complete, click the check icon ([icon: check, set=fa]) and drag the block into a valid drop point in the rule set.

3. To add a logical operator, click Add a Logical Operator, choose between `All Of`, `Not`, and `Any Of` from the drop-down list, and drag the block into a valid drop point in the rule set.

4. To edit a condition, click the edit icon ([icon: pencil-alt, set=fa]), or click ([icon: times, set=fa]) to delete.

5. Continue combining logical operators and environment conditions and click Save Changes when you've finished.

**Environment condition types**

| Environment condition type | Description | Additional fields |
| -------------------------- | ----------- | ----------------- |
| Active Session Time | Applies while the authenticated session has been active for no longer than the configured period. | `Max Session Time`: Set the period the session can be active, in seconds.<br>`Terminate Session`: Set to `True` if the session must end when it reaches the `Max Session Time`. If set to `True`, the end user must reauthenticate. |
| Authentication Level (greater than or equal to) | Applies when the authentication level of the session is greater than or equal to the configured level. | `Authentication level`: Set the minimum acceptable authentication level. |
| Authentication Level (less than or equal to) | Applies when the authentication level of the session is less than or equal to the configured level. | `Authentication level`: Set the maximum acceptable authentication level. |
| Authentication by Module Instance | This condition doesn't apply to Advanced Identity Cloud. | |
| Authentication by Service | Applies when the end user authenticated through the specified journey. | `Authenticate To Service`: Set the journey through which the end user must authenticate. |
| Authentication to a Realm | Applies when the end user authenticated to the specified realm. A session can belong to only one realm; session upgrade between realms isn't allowed. | `Authenticate to a realm`: Set the realm to which the end user must authenticate. |
| Current Session Properties | The policy evaluates property values set in the authenticated session. | `Ignore Value Case`: Set to `True` to make the comparison case-insensitive.<br>`Properties`: Set the properties you want to evaluate using the format `property:value`. For example, use `clientType:genericHTML` to test whether the value of the `clientType` property is equal to `genericHTML`. |
| IDM User | Lets you query an IDM resource to form the basis of the policy evaluation. | `Identity Resource`: The identity resource to query, for example, `managed/alpha_user`.<br>`Query Field`: The unique IDM attribute that identifies the user, for example, `userName`.<br>`Decision Field`: The IDM attribute whose value is evaluated, for example, `roles/*/name` or `/manager/userName`.<br>`Comparator`: Select the comparator used to build the query, for example, `Equal to`.<br>`Value`: Enter the value the `Decision Field` attribute must have for the condition to evaluate to true, for example, `administrator`. |
| IPv4 Address/DNS Name | The policy evaluates the IP version 4 address from which the request originated. The IP address is taken from the `requestIp` value of the policy decision request. If `requestIp` isn't provided, Advanced Identity Cloud uses the IP address stored in the SSO token. | `Start IP`, `End IP`: Specify a range of addresses to test against. In each field, enter four sets of up to three digits, separated by periods (`.`). If you set only one of the `Start IP` or `End IP` fields, it's used as a single IP address to match.<br>`DNS Name`: Optionally, specify a domain against which requests are filtered. |
| IPv6 Address/DNS Name | The policy evaluates the IP version 6 address from which the request originated. The IP address is taken from the `requestIp` value of the policy decision request. If `requestIp` isn't provided, Advanced Identity Cloud uses the IP address stored in the SSO token. | `Start IP`, `End IP`: Specify a range of addresses to test against. In each field, enter eight sets of four hexadecimal characters, separated by colons (`:`). If you set only one of the `Start IP` or `End IP` fields, it's used as a single IP address to match.<br>`DNS Name`: Optionally, specify a domain against which requests are filtered. Use an asterisk (`*`) in the DNS name to match multiple subdomains. For example, `*.example.com` applies to requests from `www.example.com`, `secure.example.com`, or any other subdomain of `example.com`. |
| Identity Membership | The policy evaluates the end user's UUID. | `AM Identity Name`: The policy applies if the end user's UUID is a member of at least one of the AMIdentity objects specified here. For example, use this type to filter requests on the identity of a Web Service Client (WSC).<br>Java agents and web agents don't support the Identity Membership environment condition. Use the Users & Groups subject condition instead. |
| OAuth2 Scope | The policy evaluates whether an authorization request includes all the specified OAuth 2.0 scopes. | `Scopes`: Enter the OAuth 2.0 scopes using the syntax described in RFC 6749, [Access Token Scope](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3). Separate multiple scope strings with spaces, for example, `openid profile`. Scope strings match regardless of the order in which they occur, so `openid profile` is equivalent to `profile openid`. The condition is also met when the request carries additional scopes beyond those in the specified list. For example, if the condition specifies `openid profile`, then `openid profile email` also matches. |
| Resource/Environment/IP Address | The policy evaluates a complex condition, such as whether the end user is making a request from a specific host and has also authenticated in a particular way. | `Resource/Environment/IP Address`: Enter a condition in the form of an `IF … THEN` statement. The `IF` clause can specify either `IP`, to match the end user's IP address, or `dnsName`, to match their DNS name. If the `IF` clause is true, the `THEN` clause must also be true for the condition to be fulfilled. If it isn't, Advanced Identity Cloud returns the relevant advice in the policy evaluation response. The `THEN` clause accepts the following parameters:<br>`service`: The authentication journey used to authenticate the end user.<br>`authlevel`: The minimum required authentication level.<br>`role`: The role of the authenticated end user.<br>`user`: The name of the authenticated end user.<br>`redirectURL`: The URL the end user was redirected from.<br>`realm`: The realm to which the end user authenticated.<br>The IP address can be IPv4, IPv6, or a hybrid of the two. Example: `IF IP=[127.0.0.1] THEN role=admins`. |
| Script | The policy evaluates the outcome of a JavaScript. | `Script Name`: Select the script the policy evaluates. Learn more about scripting policy conditions in [Scripted policy conditions](scripted-policy-condition.html). `Script` is the only environment condition available for OAuth 2.0 policies; use a script to capture the `ClientId` environment attribute. |
| Time (day, date, time, and timezone) | The policy evaluates a time condition. | `Start Time` and `End Time`, `Start Day` and `End Day`, `Start Date` and `End Date`: Set values in start:end pairs.<br>`Time Zone`: Select a time zone from the list.<br>![Day, date and time conditions in policies must consist of a start and an end value.](_images/policy-environment-time.png) |
| Transaction | The policy evaluates successful completion of a [transactional authorization](transactional-authorization.html). Transactional authorization requires the end user to authenticate for each access to the resource. | `Authentication Strategy`: Select one of `Authenticate to Realm` (the full path of a realm in which the end user must successfully authenticate to access the protected resource, for example, `/alpha`), `Authenticate to Tree` (the authentication journey the end user must successfully traverse to access the protected resource), or `Auth Level` (the minimum [authentication level](../am-authentication/auth-nodes-and-journeys.html#authentication-levels-trees) the end user must achieve to access the protected resource). `Authenticate to Chain` and `Authenticate to Module` are *not applicable to Advanced Identity Cloud*.<br>`Strategy Specifier`: Enter the realm, tree, or level. If you specify an Auth Level, ensure there are methods available to end users to reach that level. If none are found, the policy returns a `400 Bad Request` error when the end user attempts to complete the transaction. |

|   |                                                                       |
| - | --------------------------------------------------------------------- |
|   | The LDAP Filter Condition isn't supported in Advanced Identity Cloud. |
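The rule sets built under Conditions are easiest to reason about with a small model of how the blocks combine. The following is an added example written for this page, not Advanced Identity Cloud's policy engine or any Ping Identity code. It walks a policy tree shaped like the AM policy REST representation (`All Of` as `AND`, `Any Of` as `OR`, `Not` as `NOT`; the leaf `type` names such as `AuthenticatedUsers`, `JwtClaim`, `NONE`, `AuthLevel`, `IPv4` and `OAuth2Scope` are the author's assumption, since the UI hides them) and applies the matching rules stated in the tables above: case-sensitive string equality for JWT claims, `Never Match` as the default subject and `Not` around it to match everyone, the single-address fallback when only one of `Start IP`/`End IP` is set, order-independent superset matching for `OAuth2 Scope`, and `Ignore Value Case` for session properties. The resource matcher is a simplification, the all-must-match rule for session properties is an assumption, and the sample policy and request contexts are constructed data.

```python
"""Toy model of policy rule-set evaluation (added example, not AM code).

Tree shape follows the AM policy REST representation as assumed here:
logical blocks carry `subjects`/`conditions` (AND, OR) or `subject`/`condition`
(NOT); leaf `type` names are the author's assumption. Only condition types
described on this page are modelled.
"""
import ipaddress
import re


def resource_matches(pattern: str, resource: str) -> bool:
    """Simplified URL pattern match: `*` matches any run of characters up to a `?`.
    Assumption: AM's full wildcard rules live on the resource-types page."""
    regex = "".join(r"[^?]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, resource) is not None


def eval_subject(node: dict, subject: dict) -> bool:
    """Subject conditions combined with All Of / Any Of / Not."""
    t = node["type"]
    if t == "AND":
        return all(eval_subject(n, subject) for n in node["subjects"])
    if t == "OR":
        return any(eval_subject(n, subject) for n in node["subjects"])
    if t == "NOT":
        return not eval_subject(node["subject"], subject)
    if t == "AuthenticatedUsers":
        return bool(subject.get("authenticated"))
    if t == "JwtClaim":
        # String equality only, case-sensitive; a missing claim never matches.
        return subject.get("claims", {}).get(node["claimName"]) == node["claimValue"]
    if t == "NONE":  # Never Match: the default when no subject condition is set
        return False
    raise ValueError(f"unsupported subject type {t!r}")


def eval_env(node: dict, env: dict) -> bool:
    """Environment conditions combined with All Of / Any Of / Not."""
    t = node["type"]
    if t == "AND":
        return all(eval_env(n, env) for n in node["conditions"])
    if t == "OR":
        return any(eval_env(n, env) for n in node["conditions"])
    if t == "NOT":
        return not eval_env(node["condition"], env)
    if t == "AuthLevel":  # Authentication Level (greater than or equal to)
        return env["authLevel"] >= node["authLevel"]
    if t == "LEAuthLevel":  # Authentication Level (less than or equal to)
        return env["authLevel"] <= node["authLevel"]
    if t == "AuthenticateToRealm":
        return env["realm"] == node["authenticateToRealm"]
    if t == "SessionProperty":
        # Assumption: every configured property:value pair must be present.
        fold = (lambda s: s.lower()) if node.get("ignoreValueCase") else (lambda s: s)
        props = env.get("sessionProperties", {})
        return all(
            name in props and fold(props[name]) in {fold(v) for v in values}
            for name, values in node["properties"].items()
        )
    if t == "IPv4":
        # Start IP / End IP form a range; if only one is set it is a single address.
        start = node.get("startIp") or node.get("endIp")
        end = node.get("endIp") or node.get("startIp")
        ip = ipaddress.IPv4Address(env["requestIp"])
        return ipaddress.IPv4Address(start) <= ip <= ipaddress.IPv4Address(end)
    if t == "OAuth2Scope":
        # Order-independent; extra scopes in the request still match.
        return set(node["requiredScopes"]) <= set(env.get("scopes", []))
    raise ValueError(f"unsupported environment type {t!r}")


def decide(policy: dict, resource: str, subject: dict, env: dict) -> dict:
    """Return the policy's action decisions when the resource, the subject rule
    set and the environment rule set all match; otherwise an empty dict."""
    if not any(resource_matches(p, resource) for p in policy["resources"]):
        return {}
    if not eval_subject(policy["subject"], subject):
        return {}
    if not eval_env(policy["condition"], env):
        return {}
    return dict(policy["actionValues"])


# Constructed sample policy: authenticated users whose JWT `sub` is "alice",
# at authentication level 2 or higher in /alpha, coming either from the
# 192.0.2.0/24 range or with the `openid profile` scopes granted.
SAMPLE_POLICY = {
    "name": "example-policy",
    "resources": ["https://www.example.com:*/*"],
    "actionValues": {"GET": True, "POST": False},
    "subject": {"type": "AND", "subjects": [
        {"type": "AuthenticatedUsers"},
        {"type": "JwtClaim", "claimName": "sub", "claimValue": "alice"},
    ]},
    "condition": {"type": "AND", "conditions": [
        {"type": "AuthLevel", "authLevel": 2},
        {"type": "AuthenticateToRealm", "authenticateToRealm": "/alpha"},
        {"type": "OR", "conditions": [
            {"type": "IPv4", "startIp": "192.0.2.1", "endIp": "192.0.2.254"},
            {"type": "OAuth2Scope", "requiredScopes": ["openid", "profile"]},
        ]},
    ]},
}

# Constructed request contexts.
ALICE = {"authenticated": True, "claims": {"sub": "alice"}}
OFFICE = {"authLevel": 2, "realm": "/alpha", "requestIp": "192.0.2.15", "scopes": []}

if __name__ == "__main__":
    print(decide(SAMPLE_POLICY, "https://www.example.com:443/app/index.html", ALICE, OFFICE))
```

Swapping `"sub": "alice"` for `"sub": "Alice"` in the request context produces no decision, which is the case-sensitivity caveat from the subjects table; replacing the policy's `subject` with `{"type": "NOT", "subject": {"type": "NONE"}}` makes the subject rule set match every request, which is the `Not` around `Never Match` trick.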

## Response attributes

Response attributes are returned alongside the policy decision. Subject attributes are user attributes read from the identity repository at policy decision time; static attributes are fixed key-value pairs you define in the policy.

Response attributes are not available for the `OAuth2 Scope` resource type.

The web or Java agent protecting the resource adds the response attributes to the request headers, so the agent or the protected application itself can use them to customize the application.

To define response attributes in the policy:

1. Click the Response Attributes edit icon ([icon: pencil-alt, set=fa]) or the Response Attributes tab.

2. To add subject attributes, select them from the Subject attributes drop-down list.

   To remove an entry, select the value and press `Delete` (Windows/GNU/Linux) or `Backspace` (Mac OS X).

3. To add a static attribute, specify the key-value pair for each static attribute. Enter the Property Name and its corresponding Property Value in the fields, and click Add (`+`).

   To edit a static attribute, click the edit icon ([icon: pencil-alt, set=fa]), or click ([icon: times, set=fa]) to delete.

4. Continue adding subject and static attributes, and when finished, click Save Changes.

## Example

This example policy requires authenticated end users to have a session no longer than 30 minutes to access resources at `https://www.example.com:*/*`.

![Example policy](_images/policy-example.png)

|   |   |
| - | - |
|   | Before testing your OAuth 2.0 policies, ensure your OAuth 2.0 provider is configured to interact with Advanced Identity Cloud's authorization service:<br>1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Services > OAuth2 Provider.<br>2. Ensure that Use Policy Engine for Scope decisions is enabled.<br>For more information about testing OAuth 2.0 policies, refer to [Dynamic OAuth 2.0 authorization](oauth2-authorization.html). |
