# Policies

# Preamble

The EE server supports policies, that can be used to specify certain restrictions on a user or group level. These can be used to overwrite certain compliance settings so that individual users or groups have less restrictions. We assume that your webclient is running on https://example.com, the portal is reachable with https://example.com/portal/

TIP

This feature is only available in the Enterprise Edition.

# Create Policy

In the portal go to Policies
Click on the plus to create a new policy
Enter a title for your policy and click "Create Policy"
Adjust Priority

Once created, the system should directly open the new policy so you can fine-tune the settings. Adjust the priority as necessary. Settings specified in policies with higher priorities will override those with lower priorities.
Configure settings

Under the Settings tab, chose the parameters that you'd like to overwrite and configure the value accordingly.
Configure users

You can now apply this policy to users and/or groups. To apply this policy to users, choose the Users tab, use the search function to find the user, and then check the checkbox in the Mapped column.
Configure groups

To apply this policy to groups, choose the Groups tab, use the search function to find the group, and then check the checkbox in the Mapped column.

WARNING

Users in general are allowed to leave groups. As such policies should eather only grant permissions, so that a user cannot bypass restrictions by leaving a group. An alternative approach would be to configure "Forced Membership" on the group, which will prevent that a user can leave the group.
(Optional) Configure Forced Membership

Go to Users -> Groups and click the pencil button next to the group to edit the group. Afterwards check Forced Membership and click on Save. That way a user cannot leave the group nor deny the request to join the group. Policies for these groups are also applied before a user accepts the group membership.

← OIDC - Zitadel SCIM →