Policies are built by business analysts who understand your application requirements and the regulations that you’re complying with. Your organization imposes many conditions and constraints on access control. Policies capture these constraints in rules that define the circumstances under which users can access certain resources.

Structuring policies

You can group policies using policy sets organized hierarchically in a tree structure. PingOne Authorize owns the Policies root policy set.

The Shield (Screen capture of the shield icon.) icon indicates that this policy set is system-owned and editing restrictions apply. You can’t move or delete the Policies policy set. This ensures that it is configured correctly and always available.

Screen capture showing the Policies root policy set, the shield icon , and a policy nested under root policy set.

You can nest your own policy sets and policies under the Policies policy set:

  • Add a root policy set to contain all other policy sets. This is useful when you publish the policy tree to a decision endpoint.
  • Branches can include policies and other policy sets as children. You can branch the policy tree up to 20 levels deep.
  • Policies are evaluated in order from top to bottom in the tree. This allows you to control the order of execution through the structure of the tree.
  • Place frequently used policies and policies for lightweight decisions near the top of the tree.

Each environment can have up to 2000 entities. This limit includes policies and rules, and also entities in the Trust Framework.

For more information, see Adding a policy or policy set.

Policy components

Use the following components in policies and rules to capture authorization logic:


Targets use comparisons to enable the decision service to determine which policies or rules are relevant to a particular request.


Statements instruct the policy decision service to perform additional processing in conjunction with an authorization decision. In addition to allowing or blocking access to a resource, using statements, the decision service can attach information to decision responses and filter and transform API payloads.

Combining algorithms

To evaluate the overall decision of a policy, the decision service applies a combining algorithm. The algorithm determines how rules are combined to produce an authorization decision.

Testing policies

You can test policies from end-to-end with visualization tools that show the complete decision flow. For more information, see Testing a policy.