Access Policies
Access policies define automated approval rules for access review campaigns. When configured properly, policies significantly reduce manual effort during access reviews by automatically approving access that meets predefined criteria.
Overview
Policies work alongside Campaign Rules to automate review decisions. Each policy contains conditions and actions that are evaluated against accounts during a campaign. When an account matches a policy's criteria, the policy can automatically approve, reject, or flag the access for review.
How Policies and Rules Work Together
Policies and rules are evaluated together during campaigns to make automated decisions:
- Reject takes priority - If any policy or rule matches a reject condition, the account is rejected
- Approve if matched - If a policy or rule matches an approve condition (and no reject matched), the account is approved
- Manual review otherwise - If no conditions match, the account is set to pending for manual review
Key Benefits
- Reduce reviewer workload - Automatically approve routine access that meets compliance criteria
- Ensure consistency - Apply the same approval logic across all campaigns
- Enforce standards - Build policies that encode your organization's access governance requirements
- Accelerate reviews - Complete campaigns faster by automating obvious decisions
Policy Types
Hydden.Control supports four policy types, each designed for different access governance scenarios:
| Type | Description | Use Case |
|---|---|---|
| Role-Based Access | Auto-approve access based on user roles within the organization | Approve access when users have appropriate roles for their job function |
| Owner Account Approval | Auto-approve all accounts owned by users with specific roles | Trust managers or team leads to own accounts appropriately |
| Application Access | Auto-approve access to specific applications based on role assignments | Grant standard application access to users in certain roles |
| Group Membership | Auto-approve group memberships based on role assignments | Automatically approve expected group memberships |
Role-Based Access
Use role-based access policies when access decisions should be based on a user's role in the organization. For example, automatically approve access to finance applications for users with the "Finance Analyst" role.
Owner Account Approval
Use owner account approval policies to trust certain role holders with their account ownership decisions. For example, automatically approve all accounts owned by users with the "Manager" role, since managers are trusted to appropriately manage their team's access.
Application Access
Use application access policies to grant standard application access based on roles. For example, automatically approve access to the company intranet for all employees, or grant CRM access to sales team members.
Group Membership
Use group membership policies to automatically approve expected group memberships. For example, automatically approve membership in the "Engineering" group for users with the "Developer" role.
Policy Statuses
Policies can be in one of three statuses:
| Status | Description |
|---|---|
| Active | Policy is enforcing rules and will be evaluated during campaigns |
| Inactive | Policy exists but is not being evaluated (paused) |
| Draft | Policy is under development and not yet enforcing rules |
Managing Policy Status
Use the Inactive status to temporarily pause a policy without deleting it. This is useful when troubleshooting or when a policy needs temporary adjustments.
Creating a Policy
Creating or editing a policy follows a four-step wizard that guides you through the configuration process.
Step 1: Basic Information
Start by providing foundational information about your policy.
- Navigate to Policies and click + Create Policy (or use From Template to start with a predefined template).
- Enter a Policy Name that clearly describes the policy's purpose (e.g., "Auto-Approve Manager Accounts").
- Optionally add a Description to explain when and why this policy applies.
- Select a Policy Type from the dropdown:
  - Role-Based Access
  - Owner Account Approval
  - Application Access
  - Group Membership
- Click Next.
Step 2: Settings
Select the settings for the policy.
- Choose a Status:
  - Active - Policy will be evaluated immediately
  - Inactive - Policy is saved but not evaluated
  - Draft - Policy is in development
- Set the Priority level (1-100). Higher priority policies are evaluated first.
- Toggle Auto-Approve Enabled if this policy should automatically approve matching access without requiring rule evaluation.
Priority Matters
Policies with higher priority numbers are evaluated first. If a high-priority policy approves an account, lower-priority policies may not be evaluated. Plan your priority hierarchy carefully.
Step 3: Associated Resources
Select the resources this policy applies to. The available resources depend on your policy type.
- Associated Roles - Select roles from your configured roles. The policy will apply to accounts associated with these roles.
- Target Applications - Select applications from your connected data sources. The policy will evaluate access to these applications.
- Target Groups - Select groups for which this policy manages membership access.
Use the search field to quickly find resources. Click on a resource to select or deselect it. Selected resources appear with a checkmark.
Resource Selection
For Role-Based Access policies, focus on selecting the appropriate roles. For Application Access policies, select both the roles and the target applications.
Step 4: Review & Save
Review your policy configuration before saving.
- Review all configured settings:
  - Basic information (name, type, status, priority)
  - Associated resources (roles, applications, groups)
  - Rules and conditions
- Click Edit on any section to make changes.
- Click Save Policy to create or update the policy.
Active Policy Changes
Changes to active policies take effect immediately and may impact ongoing campaigns. Consider setting the policy to Inactive while making significant changes.
Policy Evaluation
Understanding how policies are evaluated helps you design effective automation rules.
Evaluation Flow
- Status Check - Only Active policies are evaluated. Inactive and Draft policies are skipped.
- Resource Matching - The policy checks if the account's associated resources (roles, applications, groups, owners) match the policy's configured resources.
- Auto-Approve Check - If the policy has Auto-Approve Enabled and the resources match, the account is immediately approved.
- Rule Evaluation - If campaign rules are configured and the policy is applied to a campaign, each rule's conditions are evaluated against the account's attributes.
- Action Execution - If conditions match, the specified action (approve, reject, or flag) is applied.
- Default Behavior - If no rules match and auto-approve is disabled, the account continues to the next policy or remains pending.
Priority Order
Policies are evaluated in priority order (highest number first). This allows you to:
- Create high-priority rejection policies that block access regardless of other policies
- Layer approval policies where more specific policies take precedence
- Set catch-all policies with lower priority as fallbacks
Example Evaluation Scenario
Consider these policies in order of evaluation:
- Priority 90: Reject if account is terminated (Reject action)
- Priority 80: Auto-approve if owner is a manager (Auto-approve enabled)
- Priority 50: Approve if role is "Standard Employee" for internal applications
- Priority 10: Flag for review if no other policy matched
An account owned by a manager would be approved by the second policy (Priority 80), never reaching the Priority 50 or Priority 10 policies.
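The scenario above, modelled as an added example (not Hydden.Control's own code): active policies are sorted by priority and the first match decides. The attribute names (`account_status`, `owner_role`, `role`, `app_scope`), policy names and sample accounts are constructed assumptions, and each policy's resource and rule matching is reduced to a single predicate.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Policy:
    name: str
    priority: int                    # 1-100; higher numbers are evaluated first
    action: str                      # "approve", "reject" or "flag"
    matches: Callable[[dict], bool]  # simplified resource/condition match
    status: str = "active"           # "active", "inactive" or "draft"

def evaluate(account, policies):
    """Return (decision, deciding policy name) for one account."""
    active = [p for p in policies if p.status == "active"]  # status check
    for p in sorted(active, key=lambda p: p.priority, reverse=True):
        if p.matches(account):
            return p.action, p.name   # first matching policy decides
    return "pending", None            # nothing matched: manual review

def scenario(reject_status="active"):
    """The four policies from the example scenario, by priority."""
    return [
        Policy("reject-terminated", 90, "reject",
               lambda a: a["account_status"] == "terminated", reject_status),
        Policy("manager-owned", 80, "approve",
               lambda a: a["owner_role"] == "Manager"),
        Policy("standard-employee", 50, "approve",
               lambda a: a["role"] == "Standard Employee"
               and a["app_scope"] == "internal"),
        Policy("catch-all", 10, "flag", lambda a: True),
    ]

# Constructed sample accounts; the attribute names are assumptions.
def acct(status, owner_role, role, scope):
    return {"account_status": status, "owner_role": owner_role,
            "role": role, "app_scope": scope}

ACCOUNTS = {
    "mgr-active": acct("active", "Manager", "Director", "internal"),
    "mgr-terminated": acct("terminated", "Manager", "Director", "internal"),
    "employee": acct("active", "Engineer", "Standard Employee", "internal"),
    "contractor": acct("active", "Vendor", "Contractor", "external"),
}

def decisions(policies):
    return {name: evaluate(a, policies) for name, a in ACCOUNTS.items()}

if __name__ == "__main__":
    print("all active:   ", decisions(scenario()))
    print("reject paused:", decisions(scenario("inactive")))
```

With the reject policy set to Inactive, the terminated manager-owned account falls through to the Priority 80 auto-approve, so check which approval policies sit beneath a reject policy before pausing it.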
Auto-Approve Feature
The Auto-Approve Enabled toggle provides a simplified approval mechanism.
How Auto-Approve Works
When enabled:
- If the account's resources match the policy's configured resources → Immediate Approval
- No rule evaluation is required
- Fastest path to approval
When disabled:
- Rules must be configured and evaluated
- More granular control over approval decisions
- Better for complex conditional logic
When to Use Auto-Approve
Use Auto-Approve when:
- You trust certain role holders completely (e.g., all manager-owned accounts)
- Standard application access should be automatic for certain roles
- You want simple, resource-based approval without conditions
Use Rules instead when:
- Approval depends on specific attribute values
- You need to combine multiple conditions
- Different actions should apply based on different criteria
Campaign Integration
Policies are applied to campaigns to automate review decisions.
Applying Policies to Campaigns
- When creating a campaign, select the policies to apply in the Automation & Rules step.
- Each policy can have a threshold percentage (0-100) - the percentage of conditions that must match for the policy to apply. For example:
  - 100% threshold: All conditions must match (strict enforcement)
  - 75% threshold: At least 75% of conditions must match (flexible enforcement)
  - 0% threshold: At least one condition must match (lenient enforcement)
- Enable or disable individual policies per campaign.
- Policies can be updated for a campaign at any time, with changes taking effect immediately.
Threshold Configuration
The threshold percentage is configured per campaign-policy association, not in the policy itself. This allows the same policy to be applied with different strictness levels across multiple campaigns.
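A sketch of the threshold check described above, as an added example rather than Hydden.Control's implementation. It assumes every condition counts equally toward the percentage; the four conditions, the approved-application list and the sample accounts are constructed.

```python
# Constructed condition set; names and the approved-app list are assumptions.
APPROVED_APPS = {"intranet", "crm"}
CONDITIONS = {
    "role_is_employee": lambda a: a["role"] == "Employee",
    "application_approved": lambda a: a["application"] in APPROVED_APPS,
    "account_active": lambda a: a["account_status"] == "active",
    "owner_active": lambda a: a["owner_status"] == "active",
}

def failed_conditions(conditions, account):
    """Names of the conditions the account does not satisfy."""
    return [name for name, cond in conditions.items() if not cond(account)]

def policy_applies(conditions, account, threshold_pct):
    """True when the share of matching conditions meets the threshold."""
    if not 0 <= threshold_pct <= 100:
        raise ValueError("threshold must be between 0 and 100")
    total = len(conditions)
    hits = total - len(failed_conditions(conditions, account))
    if hits == 0:
        return False          # even a 0% threshold needs one matching condition
    # Integer comparison avoids float rounding at exact boundaries such as 75%.
    return hits * 100 >= threshold_pct * total

# Constructed accounts: one fails only the approved-application condition,
# the other matches nothing.
UNAPPROVED_APP = {"role": "Employee", "application": "file-share",
                  "account_status": "active", "owner_status": "active"}
NO_MATCH = {"role": "Contractor", "application": "file-share",
            "account_status": "disabled", "owner_status": "inactive"}

def by_threshold(account, thresholds=(100, 75, 0)):
    """Outcome of the same policy under each campaign threshold."""
    return {t: policy_applies(CONDITIONS, account, t) for t in thresholds}

if __name__ == "__main__":
    print(failed_conditions(CONDITIONS, UNAPPROVED_APP), by_threshold(UNAPPROVED_APP))
    print(failed_conditions(CONDITIONS, NO_MATCH), by_threshold(NO_MATCH))
```

At 75% the policy still applies to the account that fails the approved-application condition, because three of four conditions match. Listing the failed conditions per account shows which check a threshold below 100% is tolerating in a given campaign.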
Policy Behavior in Campaigns
During campaign execution:
- Selected policies are evaluated for each account in the campaign
- Policies are evaluated in priority order
- The first matching policy determines the decision
- Accounts that don't match any policy remain pending for manual review
Viewing Campaign Policies
To see which policies are applied to a campaign:
- Open the campaign details
- Navigate to the Policies & Rules tab
- View applied policies, their rules, and conditions
Managing Policies
The Policies page provides tools for managing your policy library.
Policies Dashboard
The Policies page displays:
- Statistics - Active count, Inactive count, Auto-Approval enabled count, Total count
- Search - Find policies by name or description
- Filters - Filter by type and/or status
- Sort Options - Sort by priority, name, status, or last updated
- View Modes - Toggle between grid view (cards) and table view
Policy Cards
In grid view, each policy displays:
- Policy name and description
- Policy type badge
- Status indicator (active/inactive/draft)
- Priority level
- Auto-approve indicator
- Action menu (View, Edit, Deactivate, Delete)
Quick Actions
| Action | Description |
|---|---|
| + Create Policy | Start the policy creation wizard |
| From Template | Create a policy from a predefined template |
| Generate from Role | Auto-generate a policy based on role analysis |
| Toggle Status | Quickly activate or deactivate a policy |
Generate from Role
Hydden.Control can automatically generate policies based on role analysis:
- Click Generate from Role on the Policies page.
- Select a role to analyze.
- The system performs a comprehensive role analysis:
  - Total owners and accounts: Count of users with the role and their accounts
  - Group memberships: Groups commonly associated with role members, including membership percentage
  - Application access: Applications commonly accessed by role members, including access percentage
  - Access patterns: Statistical analysis of typical access for the role
- A policy is generated with rules to approve access matching these patterns:
  - Group membership policies for groups where >75% of role members belong
  - Application access policies for applications where >75% of role members have access
- Review and adjust the generated policy as needed.
Generated Policies
Auto-generated policies use a default priority of 50 and are created with Active status. The system stores detailed role analysis data including account counts, membership percentages, and access percentages. Always review generated policies to ensure they meet your requirements.
Role Analysis Details
Role analysis provides deep insights into access patterns:
| Analysis Component | Description |
|---|---|
| Group Relationships | Shows which groups role members typically belong to, with member/non-member counts and membership percentage |
| Application Relationships | Shows which applications role members typically access, with access/no-access counts and access percentage |
| Statistical Thresholds | Uses percentage thresholds to identify "typical" vs "unusual" access patterns |
| Job Tracking | Role analysis runs as a background job, allowing monitoring of progress and results |
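The generation step described above, sketched as an added example (not Hydden.Control's code) so a reviewer can reproduce which groups and applications clear the >75% cutoff before trusting a generated policy. The member data, group and application names, and the output field names are constructed assumptions; the priority of 50 and Active status are the documented defaults.

```python
from collections import Counter

def analyze(members, key):
    """Per-resource counts and percentage across the role's members.

    members maps user -> {"groups": set, "apps": set} (constructed shape).
    """
    total = len(members)
    counts = Counter(r for m in members.values() for r in m[key])
    return {r: {"members": n, "non_members": total - n,
                "pct": 100.0 * n / total}
            for r, n in counts.items()}

def generate_policy(role, members, cutoff=75.0):
    """Keep only resources held by strictly more than `cutoff` percent."""
    def typical(key):
        return sorted(r for r, s in analyze(members, key).items()
                      if s["pct"] > cutoff)
    return {
        "name": f"Generated: {role}",       # hypothetical field names
        "priority": 50,                      # documented default
        "status": "Active",                  # documented default
        "role": role,
        "approve_groups": typical("groups"),
        "approve_apps": typical("apps"),
    }

# Constructed sample: five users holding the "Developer" role.
DEVELOPERS = {
    "ana":   {"groups": {"Engineering", "prod-admins"}, "apps": {"git", "ci"}},
    "ben":   {"groups": {"Engineering", "prod-admins"}, "apps": {"git", "ci"}},
    "chen":  {"groups": {"Engineering", "prod-admins"}, "apps": {"git"}},
    "dara":  {"groups": {"Engineering", "prod-admins"}, "apps": {"git", "ci"}},
    "emeka": {"groups": {"Engineering"}, "apps": {"git", "billing"}},
}

if __name__ == "__main__":
    for group, stats in sorted(analyze(DEVELOPERS, "groups").items()):
        print(group, stats)
    print(generate_policy("Developer", DEVELOPERS))
```

In this sample the constructed `prod-admins` group clears the cutoff at 80% simply because most developers already hold it, which is the kind of entry to check when reviewing a generated policy.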
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| / | Focus the search field |
| Escape | Close open panels or dialogs |
Default System Policies
Hydden.Control includes a default system policy:
Default Owner Account Approval
- Type: Owner Account Approval
- Priority: 100 (highest)
- Auto-Approve: Enabled
- Condition: Owner status is "active"
- Behavior: Automatically approves accounts owned by active users
This policy ensures that accounts with active, trusted owners receive automatic approval. You can disable or modify this policy if your organization requires different behavior.
Best Practices
Policy Design
- Start with high-priority rejections - Create policies that reject obvious violations first
- Layer approvals by specificity - More specific policies should have higher priority
- Use auto-approve sparingly - Reserve for truly trusted scenarios
- Document your policies - Use clear names and descriptions
- Test before activating - Use Draft status to test policy logic
Policy Management
- Review regularly - Audit policies periodically to ensure they remain appropriate
- Version control - Keep track of policy changes and their reasons
- Monitor effectiveness - Review campaign results to see how policies perform
- Clean up unused policies - Delete or archive policies that are no longer needed
Common Patterns
Terminate Access Pattern
Type: Role-Based Access
Priority: 100
Condition: account_status equals "terminated"
Action: Reject
Manager Trust Pattern
Type: Owner Account Approval
Priority: 80
Auto-Approve: Enabled
Resources: Manager role
Standard Employee Access Pattern
Type: Application Access
Priority: 50
Conditions: role equals "Employee" AND application in [approved_apps]
Action: Approve
Related Topics
- Campaigns - Creating and managing access review campaigns
- Campaign Rules - Creating automation rules for campaigns
- Role Configuration - Configuring roles for policy assignment
- Platform Users - Managing users who own accounts
