Creating policies
Policies define the conditions under which access to a Safe is allowed, denied, or requires additional approval. This guide walks you through creating a new policy.
Prerequisites
- Role: Org Admin or Policy Manager
- At least one Safe to assign the policy to
Create a policy
- Go to Policies in the VaultPAM console sidebar.
- Click New policy.
- Enter a name and optional description for the policy.
- In the Conditions section, add one or more conditions. Each condition narrows when the policy applies; a policy with no conditions applies to every request against the assigned Safe(s). See the condition types table below.
- Under Action, select the outcome when conditions are met: Allow, Deny, or Require approval.
- Click Assign to Safe and select the Safe(s) this policy applies to.
- Review the policy summary and click Activate.
Success state: The policy appears in the Policies list with status Active. The assigned Safe(s) show the policy name under Settings > Policies.
Policy condition types
| Condition type | Description | Example |
|---|---|---|
| Time window | Restrict access to specific hours or days | Allow Mon-Fri 08:00-18:00 only |
| Source IP | Restrict access to requests from specified IP ranges | Allow only from corporate VPN (10.0.0.0/8) |
| MFA required | Require MFA verification before access is granted | Require MFA even if not globally enforced |
| Resource type | Apply the policy only to specific resource types | Apply only to RDP resources |
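The table describes the four condition types but not how a policy engine combines them, so the following is an added example (my own reference evaluator, not VaultPAM's engine and not an API the page describes) that shows the combination rules a practitioner would want to pin down before trusting a policy. Its assumptions are labelled in the code: every condition on a policy must hold for it to match (AND), Deny outranks Require approval which outranks Allow when several policies match, an unmet MFA condition returns a separate `mfa_required` outcome, and a request that matches no policy is denied (fail closed). The policy names, Safe names, IP addresses and fixed `+01:00` zone are constructed for the demonstration.

```python
"""Reference policy evaluator (added example; not VaultPAM code).
Assumed semantics: all conditions on a policy must hold; Deny > Require
approval > Allow across matching policies; no match => deny (fail closed)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address, ip_network

ALLOW, DENY, REQUIRE_APPROVAL = "allow", "deny", "require_approval"
MFA_REQUIRED = "mfa_required"          # outcome when an MFA condition is unmet
SEVERITY = {ALLOW: 0, REQUIRE_APPROVAL: 1, DENY: 2}


@dataclass
class AccessRequest:
    user: str
    safe: str
    resource_type: str     # e.g. "RDP", "SSH"
    source_ip: str         # the peer address, not an X-Forwarded-For value
    mfa_verified: bool
    at: datetime           # timezone-aware


@dataclass
class Policy:
    name: str
    safes: frozenset
    action: str
    # Time window: weekdays (0=Mon..6=Sun) plus a [start, end) clock range,
    # evaluated in the policy's own zone (assumption: the page does not say
    # which zone the console uses; in production use zoneinfo so DST is right).
    days: frozenset | None = None
    start: time | None = None
    end: time | None = None
    tz: tzinfo = timezone.utc
    source_cidrs: tuple = ()               # empty tuple: no Source IP condition
    mfa_required: bool = False
    resource_types: frozenset | None = None


def policy_matches(p: Policy, req: AccessRequest) -> bool:
    """A policy matches only when every condition it carries is satisfied."""
    if req.safe not in p.safes:
        return False
    if p.days is not None or p.start is not None:
        local = req.at.astimezone(p.tz)   # compare in the policy's zone
        if p.days is not None and local.weekday() not in p.days:
            return False
        if p.start is not None and not (p.start <= local.time() < p.end):
            return False
    if p.source_cidrs:
        ip = ip_address(req.source_ip)
        if not any(ip in ip_network(c) for c in p.source_cidrs):
            return False
    if p.resource_types is not None and req.resource_type not in p.resource_types:
        return False
    return True


def evaluate(policies: list[Policy], req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, names of the policies that matched)."""
    matched = [p for p in policies if policy_matches(p, req)]
    if not matched:
        return DENY, []                    # assumed fail-closed default
    names = [p.name for p in matched]
    if any(p.mfa_required for p in matched) and not req.mfa_verified:
        return MFA_REQUIRED, names
    return max((p.action for p in matched), key=SEVERITY.__getitem__), names


# Constructed policies mirroring the table's examples (hypothetical names).
POLICY_TZ = timezone(timedelta(hours=1))   # constructed fixed offset
EXAMPLE_POLICIES = [
    Policy("office-hours-vpn", frozenset({"prod-db"}), ALLOW,
           days=frozenset(range(5)), start=time(8, 0), end=time(18, 0),
           tz=POLICY_TZ, source_cidrs=("10.0.0.0/8",)),
    Policy("rdp-approval", frozenset({"prod-db"}), REQUIRE_APPROVAL,
           mfa_required=True, resource_types=frozenset({"RDP"})),
]


def run_examples() -> dict[str, str]:
    """Decisions for a set of constructed requests (used by the checks below)."""
    wed = datetime(2024, 6, 12, 10, 0, tzinfo=timezone.utc)   # 11:00 local
    late = datetime(2024, 6, 12, 17, 30, tzinfo=timezone.utc)  # 18:30 local
    sat = datetime(2024, 6, 15, 10, 0, tzinfo=timezone.utc)
    reqs = {
        "ssh-vpn-weekday": AccessRequest("t", "prod-db", "SSH", "10.1.2.3", True, wed),
        "rdp-vpn-no-mfa": AccessRequest("t", "prod-db", "RDP", "10.1.2.3", False, wed),
        "rdp-vpn-mfa": AccessRequest("t", "prod-db", "RDP", "10.1.2.3", True, wed),
        "ssh-internet": AccessRequest("t", "prod-db", "SSH", "203.0.113.5", True, wed),
        "ssh-vpn-weekend": AccessRequest("t", "prod-db", "SSH", "10.1.2.3", True, sat),
        "ssh-vpn-after-hours": AccessRequest("t", "prod-db", "SSH", "10.1.2.3", True, late),
    }
    return {k: evaluate(EXAMPLE_POLICIES, r)[0] for k, r in reqs.items()}


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name:22} -> {decision}")
```

The `ssh-vpn-after-hours` case is the one worth noticing: 17:30 UTC is inside an 08:00-18:00 window read naively, but 18:30 in the policy's zone is not, which is why the time zone a product evaluates windows in must be confirmed rather than assumed.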
Test your policy
After activating a policy:
- Log in as a dedicated test user who is a member of the assigned Safe.
- Attempt to access a resource covered by the policy twice: once under conditions that should match (for example, inside the time window and from an allowed IP range) and once under conditions that should not.
- Verify the expected behaviour in each case (access granted, denied, or approval requested). For a Source IP condition, confirm that the address recorded for the request is the client's real address; traffic that reaches VaultPAM through a proxy or load balancer may arrive from the proxy's address instead. For a Time window condition, confirm which time zone the window is evaluated in before relying on it.
- Check the audit log for a policy evaluation event for each attempt, including the one that should have been denied.
If the policy does not behave as expected, go to Policies > select the policy > Edit to review the conditions and action.