Create a service policy
A service policy defines which identities can access which services across the network. This guide walks you through creating one.
Service policies also enforce security conditions, known as posture checks. A posture check is a condition that is continually evaluated to ensure the client's posture still meets the requirements specified in the check, adding another layer of security to the network connection.
Steps
- From the console, select your network from the dropdown in the left-hand menu.
- Click Policies from the same menu.
- Click the plus icon (+) to open the Create New Service Policy form.
- Fill in the required fields:
  - Service Policy Name: Enter a unique name for the policy (e.g., hr-access-policy).
- Configure the policy rules:
  - Select Service Attributes: Enter the attributes or direct references that define the services this policy applies to (e.g., #finance-app).
  - Select Identity Attributes: Enter the attributes or direct references that define the identity groups authorized to use the service (e.g., #employees-finance).
  - Select Posture Check Attributes (Optional): Enter the attributes or direct references of any required posture checks (e.g., #mac-check). The client identity must pass all of these checks to gain access, and the checks are continually re-evaluated.
- Configure the policy type:
  - Type: Select the type of authorization this policy provides:
    - Dial: Allows the identities to initiate a connection to the service. This is used for client access.
    - Bind: Specifies the host identity (or router identity) where the service data is to be sent across the overlay. The receiving identity then determines how to handle the data, such as offloading it to the underlay network or processing it directly (as in application-embedded zero trust).
  - Semantic: Select the logical operator for matching multiple rules:
    - AnyOf: Matches if the attributes meet any of the defined rule sets.
    - AllOf: Matches only if the attributes meet all of the defined rule sets.
- (Optional) Toggle Show more options to ON to configure custom tags:
  - Custom tags: Use the Name and Value fields to attach non-functional metadata to the policy for tracking or inventory purposes.
- Click Save.
After clicking Save, the console displays the created policy along with all of its associated service attributes, identity attributes, and posture checks.
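To make the matching rules above concrete, the following is an added illustrative model, not code from the console or the underlying network product, of how a policy's service, identity and posture-check roles select entities under the AnyOf and AllOf semantics, and of the rule that every selected posture check must currently pass. It assumes that a '#attr' role matches any entity carrying that attribute and that an '@name' direct reference matches exactly the entity with that name; the identities, service, posture check and policy are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Entity:
    """An identity, service or posture check: a name plus its role attributes."""
    name: str
    attributes: set = field(default_factory=set)


@dataclass
class ServicePolicy:
    name: str
    type: str                    # "Dial" (client initiates) or "Bind" (host receives)
    service_roles: list          # e.g. ["#finance-app"]
    identity_roles: list         # e.g. ["#employees-finance"]
    posture_check_roles: list = field(default_factory=list)
    semantic: str = "AnyOf"      # "AnyOf" or "AllOf"


def role_matches(role: str, entity: Entity) -> bool:
    """'#attr' matches by attribute; '@name' is a direct reference matched by name (assumption)."""
    if role.startswith("#"):
        return role[1:] in entity.attributes
    if role.startswith("@"):
        return role[1:] == entity.name
    raise ValueError(f"role must start with '#' or '@': {role}")


def roles_match(roles: list, entity: Entity, semantic: str) -> bool:
    """Combine the per-role results with the policy semantic; an empty role list selects nothing."""
    hits = [role_matches(r, entity) for r in roles]
    if semantic == "AnyOf":
        return any(hits)
    if semantic == "AllOf":
        return bool(hits) and all(hits)
    raise ValueError(f"unknown semantic: {semantic}")


def authorizes(policy: ServicePolicy, identity: Entity, service: Entity,
               posture_checks: list, passing: set) -> bool:
    """True if identity may use service under policy. `passing` holds the names of the posture
    checks the client currently satisfies; every check the policy selects must be in it."""
    if not roles_match(policy.identity_roles, identity, policy.semantic):
        return False
    if not roles_match(policy.service_roles, service, policy.semantic):
        return False
    required = [pc for pc in posture_checks
                if roles_match(policy.posture_check_roles, pc, policy.semantic)]
    return all(pc.name in passing for pc in required)


# Constructed sample data mirroring the example values used in the steps.
FINANCE_APP = Entity("finance-app", {"finance-app"})
MAC_CHECK = Entity("mac-check", {"mac-check"})
ALICE = Entity("alice", {"employees-finance", "managed-mac"})
BOB = Entity("bob", {"employees-hr"})
POLICY = ServicePolicy("hr-access-policy", "Dial", ["#finance-app"],
                       ["#employees-finance", "@bob"], ["#mac-check"])
```

Because the posture-check result is re-evaluated continually, an identity that was authorized a moment ago loses access as soon as `passing` no longer contains every selected check.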