Overview
Follow the steps below to create a policy defining access permissions to any Control Plane resource for any principal (user, service account, group, and identity).
Prerequisites
Create using the UI Console
1. Create a new policy by either:
   - Clicking Policies in the left menu and clicking New, or
   - Clicking the Create dropdown in the upper right corner and selecting Policy
2. Select Resource Type:
   - Enter a policy name and optional description
   - Select a target resource type
     - Choose one of the resource types that you’d like to control access to
     - You have the option to select specific resources or target all the resources in your org by turning on the Target All switch
     - If you are targeting all the resources, click Next and skip to step 4.
   - Click Next
3. Select Specific Resources:
   - Choose one or both of the following methods to select resources:
     - Directly assigned:
       - A list of available resources will be shown and can be selected
     - Dynamically assigned:
       - Using the tag query form, configure the match by rule.
   - Click Next
4. Add a Binding:
   - At least one binding is required. Click Add Binding.
   - Select one or more permissions. These permissions are specific to the selected resource type.
   - Browse through the principal tabs and select at least one principal. Click Add.
   - If required, add additional bindings. Note: The bindings must have a unique set of permissions. Click Create.
   - The policy has been created and is now active
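The rules stated in the steps above (a target scope, at least one binding, at least one permission and one principal per binding, unique permission sets across bindings) can be checked on a policy draft before it is entered in the console. This is an added example, not Control Plane code; the dictionary field names, permission names and principal strings are assumptions made for illustration.

```python
# Added example; field names are assumptions, not Control Plane's schema.
def lint_policy(policy):
    """Return (errors, warnings) for a policy draft, following the steps above."""
    errors, warnings = [], []
    if not policy.get("name"):
        errors.append("policy name is required")
    if not policy.get("target_kind"):
        errors.append("a target resource type is required")
    # Steps 2-3: either Target All, or direct selection and/or a tag query.
    if policy.get("target_all"):
        warnings.append("targets all resources of this type in the org; "
                        "confirm that scope is required")
    elif not (policy.get("resources") or policy.get("tag_query")):
        errors.append("select resources directly, by tag query, or Target All")

    # Step 4: at least one binding, each with permissions and principals.
    bindings = policy.get("bindings", [])
    if not bindings:
        errors.append("at least one binding is required")
    seen = {}  # permission set -> index of the first binding that used it
    for i, b in enumerate(bindings):
        perms = frozenset(b.get("permissions", []))
        if not perms:
            errors.append(f"binding {i}: select one or more permissions")
        if not b.get("principals"):
            errors.append(f"binding {i}: select at least one principal")
        # Permission sets must be unique across bindings, regardless of order.
        if perms and perms in seen:
            errors.append(f"binding {i}: same permission set as binding {seen[perms]}")
        else:
            seen.setdefault(perms, i)
    return errors, warnings

# Constructed sample draft (illustrative names, not real org data).
DRAFT = {
    "name": "ops-workload-access",
    "target_kind": "workload",
    "target_all": True,
    "bindings": [
        {"permissions": ["view", "edit"], "principals": ["group:ops"]},
        {"permissions": ["edit", "view"], "principals": ["user:alice@example.com"]},
        {"permissions": ["view"], "principals": []},
    ],
}

if __name__ == "__main__":
    errs, warns = lint_policy(DRAFT)
    for msg in errs + warns:
        print(msg)
```

The Target All warning is a review prompt added in this example, not a rule from the console: it flags the widest scope so a reviewer confirms it matches what the principals need.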
Create using the CLI
Refer to the policy create and policy add-binding commands for details and examples on how to create a policy and binding using the CLI.
Summary
Control Plane policies allow for fine-grained authorization to the resources within your org. By granting principals only the permissions they need to get their job done, policies limit the information they can view and the actions they can perform. Most applications and services running on the platform are mission-critical, so authorized principals should have only the access they require.