Use Custom policies when you need a non-standard policy classification for specialized workflows, integrations, or custom evaluators.
Step-by-step: Create a Custom policy (via Advanced JSON)
1. Navigate to Endpoint Privilege Manager → Policies
2. Click Create Policy
   This will spawn the Create Policy modal form.
3. Define Policy Attributes
   Choose an aptly descriptive name for your new policy.
   Choose any existing policy type available in the UI for your new policy (this is just a starting template, since Update Settings is set in JSON).
   Choose a status for your new policy. We recommend monitor mode when initially setting up a policy.
   Add one or more Controls by clicking on the "Add Control" button and then selecting the controls that you would like to see applied to your new policy.
   Choose a User Group, a Machine Collection, and an Application Collection.
4. Configure Policy Targeting
   Configure any targeting you want in the UI (collections/users/machines/apps/platforms). Who or what does your policy apply to?
5. Open the Policy’s Advanced Mode (JSON view)
   To open the Policy's Advanced Mode, click on the "Advanced Mode" link in the bottom left corner of the Policy Form.
6. Redefine Policy Type in JSON
   Set PolicyType to "Custom".
7. Add Your Custom Fields
   Add any custom fields your internal integration/evaluator expects (this is implementation-specific).
8. Save the Policy
Important Note
“Custom” is intentionally schema-less at the documentation level unless you publish:
the required JSON schema/keys,
what component consumes it,
and how customers verify enforcement.
Example JSON Snippets
Example 1: Custom policy (baseline allow)
Use this when you want a Custom policy that simply “matches” based on the same built-in checks, but does not require MFA/Justification/Approval.
{
  "PolicyName": "Custom - Baseline Allow",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "A custom policy matched and allowed this action.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    },
    {
      "RuleName": "DateCheck",
      "ErrorMessage": "Current date is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDate()"
    },
    {
      "RuleName": "TimeCheck",
      "ErrorMessage": "Current time is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckTime()"
    },
    {
      "RuleName": "DayCheck",
      "ErrorMessage": "Today is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDay()"
    },
    {
      "RuleName": "CertificateCheck",
      "ErrorMessage": "Certificate hash is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckCertificate()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {}
}
Example 2: Custom policy that requires MFA + Justification + Approval
This mirrors Actions.OnSuccess.Controls, but with multiple controls.
{
  "PolicyName": "Custom - Require MFA + Justification + Approval",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "MFA",
        "JUSTIFY",
        "APPROVAL"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "This custom policy requires MFA, justification, and approval before continuing.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 75,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    },
    {
      "RuleName": "DateCheck",
      "ErrorMessage": "Current date is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDate()"
    },
    {
      "RuleName": "TimeCheck",
      "ErrorMessage": "Current time is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckTime()"
    },
    {
      "RuleName": "DayCheck",
      "ErrorMessage": "Today is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDay()"
    },
    {
      "RuleName": "CertificateCheck",
      "ErrorMessage": "Certificate hash is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckCertificate()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {}
}
Example 3: Custom policy with a custom payload (for a plugin/integration)
This uses the same shape as our templated policies, but puts a structured payload into Extension. Your plugin/integration can read this.
{
  "PolicyName": "Custom - Integration Payload",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "Custom policy payload published for integration consumption.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 30,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "Schema": "com.company.integration.v1",
    "Mode": "monitor",
    "Endpoint": "https://integration.example/api/decision",
    "TimeoutSeconds": 10
  }
}
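The Important Note asks that the required keys be published before a Custom policy is relied on. As an added example (not the product's own code or schema), this pre-save linter checks a policy against such a contract. It assumes the Extension contract is the four keys from Example 3, that controls are limited to the names shown on this page, and a 30-second timeout ceiling; the function names and sample PolicyId are hypothetical.

```python
import json
from urllib.parse import urlparse

# Control names that appear in this page's examples; the product may accept others.
CONTROLS_ON_PAGE = ("ALLOW", "MFA", "JUSTIFY", "APPROVAL")
# Assumed contract published by the team that owns the Extension consumer.
EXT_SCHEMA = "com.company.integration.v1"
EXT_KEYS = {"Schema", "Mode", "Endpoint", "TimeoutSeconds"}
MAX_TIMEOUT = 30  # assumed ceiling, not a product limit

def lint_extension(ext):
    """Check an Extension payload against the assumed published contract."""
    out = [f"Extension.{k} is missing" for k in sorted(EXT_KEYS - ext.keys())]
    out += [f"Extension.{k} is not a published key" for k in sorted(ext.keys() - EXT_KEYS)]
    if "Schema" in ext and ext["Schema"] != EXT_SCHEMA:
        out.append("Extension.Schema is not the expected version")
    url = urlparse(str(ext.get("Endpoint", "")))
    if "Endpoint" in ext and (url.scheme != "https" or not url.hostname):
        out.append("Extension.Endpoint must be an https URL")
    t = ext.get("TimeoutSeconds")
    if "TimeoutSeconds" in ext and (type(t) is not int or not 1 <= t <= MAX_TIMEOUT):
        out.append(f"Extension.TimeoutSeconds must be an integer from 1 to {MAX_TIMEOUT}")
    return out

def lint_custom_policy(text):
    """Return findings for one policy document copied from Advanced Mode."""
    policy, out = json.loads(text), []
    if policy.get("PolicyType") != "Custom":
        out.append("PolicyType is not Custom")
    if policy.get("PolicyId") in (None, "", "REPLACE_WITH_ID"):
        out.append("PolicyId is still a placeholder")
    controls = policy.get("Actions", {}).get("OnSuccess", {}).get("Controls", [])
    out += [f"control {c!r} is not one shown on this page"
            for c in controls if c not in CONTROLS_ON_PAGE]
    out += [f"rule {r.get('RuleName')!r} has no Expression"
            for r in policy.get("Rules", []) if not r.get("Expression")]
    ext = policy.get("Extension")
    return out + lint_extension(ext) if isinstance(ext, dict) and ext else out

# Constructed samples: Example 3's shape with a made-up PolicyId, then a broken copy.
SAMPLE = {"PolicyType": "Custom", "PolicyId": "sample-0001",
          "Actions": {"OnSuccess": {"Controls": ["ALLOW"]}},
          "Rules": [{"RuleName": "UserCheck", "Expression": "CheckUser()"}],
          "Extension": {"Schema": EXT_SCHEMA, "Mode": "monitor", "TimeoutSeconds": 10,
                        "Endpoint": "https://integration.example/api/decision"}}
GOOD = json.dumps(SAMPLE)
BAD = json.dumps({**SAMPLE, "PolicyId": "REPLACE_WITH_ID", "Extension": {
    **SAMPLE["Extension"], "Endpoint": "http://integration.example/api/decision",
    "TimeoutSeconds": "10", "Debug": True}})
```

An empty Extension, as in Examples 1 and 2, is skipped, so the same linter can run over every Custom policy before it is saved.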