Follow the steps below to create a policy defining access permissions to any Control Plane resource for any principal (user, service account, group, and identity).


Create using the UI Console

  1. Create a new policy by either:
    • Clicking Policies in the left menu and then clicking New, or
    • Clicking the Create dropdown in the upper right corner and selecting Policy
  2. Select Resource Type:
    • Enter a policy name and optional description
    • Select a target resource type
      • Choose one of the resource types that you’d like to control access to
      • You have the option to select specific resources or target all the resources in your org by turning on the Target All switch
      • If you are targeting all the resources, click Next and skip to step 4.
      • Click Next
  3. Select Specific Resources:
    • Choose one or both of the following methods to select resources:
      • Directly assigned:
        • A list of available resources will be shown and can be selected
      • Dynamically assigned:
        • Using the tag query form, configure the match by rule.
    • Click Next
  4. Add a Binding:
    • At least one binding is required. Click Add Binding.
    • Select one or more permissions. These permissions are specific to the selected resource type.
    • Browse through the principal tabs and select at least one principal. Click Add.
    • If required, add additional bindings. Note: The bindings must have a unique set of permissions. Click Create.
    • The policy has been created and is now active

Create using the CLI

Refer to the policy create and policy add-binding commands for details and examples on how to create a policy and binding using the CLI.


Control Plane policies allow for fine-grained authorization to the resources within your org. By granting principals only the permissions they need to do their job, policies limit the information they can view and the actions they can perform. Most applications and services running on the platform are mission-critical, and authorized principals should only have the access they require.
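
The binding rules from the steps above (at least one binding, at least one permission and one principal per binding, a unique permission set per binding) and the least-privilege point can be checked before a policy is created. The following is an added example, not Control Plane code: the dictionary field names, the permission names `view` and `manage`, the principal strings, and both sample policies are assumptions constructed for illustration.

```python
# Added example. Field names and permission names are assumptions made for
# illustration; they are not taken from Control Plane's policy schema.
BROAD_PERMISSIONS = {"manage"}  # assumed name of a permission too broad to grant org-wide


def lint_policy(policy):
    """Return a list of findings for one policy dict; an empty list means clean."""
    findings = []
    target_all = bool(policy.get("target_all"))
    if not (target_all or policy.get("resources") or policy.get("tag_query")):
        findings.append("no target: pick resources, a tag query, or Target All")

    bindings = policy.get("bindings", [])
    if not bindings:
        findings.append("no bindings: at least one binding is required")

    seen = {}  # permission set -> index of the first binding that used it
    for i, binding in enumerate(bindings):
        perms = frozenset(binding.get("permissions", []))
        if not perms:
            findings.append(f"binding {i}: no permissions selected")
        elif perms in seen:
            findings.append(f"binding {i}: same permission set as binding {seen[perms]}")
        else:
            seen[perms] = i
        if not binding.get("principals"):
            findings.append(f"binding {i}: no principal selected")
        # Least privilege: a broad permission over every resource of the type.
        broad = sorted(perms & BROAD_PERMISSIONS)
        if target_all and broad:
            findings.append(f"binding {i}: {broad} granted on all resources")
    return findings


# Constructed sample policies.
GOOD = {"name": "prod-viewers", "tag_query": "env=prod",
        "bindings": [{"permissions": ["view"], "principals": ["user:alice@example.com"]}]}
BAD = {"name": "ops-everything", "target_all": True,
       "bindings": [{"permissions": ["view", "manage"], "principals": ["group:ops"]},
                    {"permissions": ["manage", "view"], "principals": []}]}

if __name__ == "__main__":
    for p in (GOOD, BAD):
        print(p["name"], lint_policy(p) or "ok")
```

Permission sets are compared as sets, so two bindings that list the same permissions in a different order are reported as duplicates.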