# Custom Policy Type

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FfDcQl2k7UFEP3pixoexb%2Fimage.png?alt=media&#x26;token=0b521f97-4923-42d3-9a37-0c29af02eab1" alt=""><figcaption></figcaption></figure>

Use **Custom** policies when you need a non-standard policy classification for specialized workflows, integrations, or custom evaluators.

***

### Step-by-step: Create a Custom policy (via Advanced JSON)

{% stepper %}
{% step %}
**Navigate to Endpoint Privilege Manager → Policies**

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FeAwhl5L0fgUeev8L92tz%2Fimage.png?alt=media&#x26;token=decc336f-d10f-4069-8845-bfc660d881f2" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Click Create Policy**

This will spawn the Create Policy modal form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fjt36zB0v6IGHdOFM60o1%2Fimage.png?alt=media&#x26;token=61a352bb-a843-4479-a170-95f0fb1e077b" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Define Policy Attributes**

Choose an aptly descriptive name for your new policy.

Choose **any existing policy type available in the UI** for your new policy (this is just a starting template since Update Settings is set in JSON).

Choose a status for your new policy. We recommend monitor mode when initially setting up a policy.

Add one or more Controls by clicking on the "Add Control" button and then selecting the controls that you would like to see applied to your new policy.

Choose a User Group, a Machine Collection, and an Application Collection.
{% endstep %}

{% step %}
**Configure Policy Targeting**

Configure any **targeting** you want in the UI (collections/users/machines/apps/platforms). Who or what does your policy apply to?
{% endstep %}

{% step %}
**Open the Policy’s Advanced Mode (JSON view)**

To open the Policy's Advanced Mode, click on the "Advanced Mode" link in the bottom left corner of the Policy Form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FYV7LQzPCFNpJrzDZfHMe%2Fimage.png?alt=media&#x26;token=9d74ed34-d2e8-4fc8-bdc4-c2bf0faa877e" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Redefine Policy Type in JSON**

Set `PolicyType` to **`"Custom"`**.
{% endstep %}

{% step %}
**Add Your Custom Fields**

Add any custom fields your internal integration/evaluator expects (this is implementation-specific).
{% endstep %}

{% step %}
**Save the Policy**
{% endstep %}
{% endstepper %}

### Important Note

“Custom” is intentionally schema-less at the documentation level unless you publish:

* the required JSON schema/keys,
* what component consumes it,
* and how customers verify enforcement.

***

## Example JSON Snippets

## Example 1: Custom policy (baseline allow)

Use this when you want a Custom policy that simply “matches” based on the same built-in checks, but does not require MFA/Justification/Approval.

```
{
  "PolicyName": "Custom - Baseline Allow",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "A custom policy matched and allowed this action.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    },
    {
      "RuleName": "DateCheck",
      "ErrorMessage": "Current date is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDate()"
    },
    {
      "RuleName": "TimeCheck",
      "ErrorMessage": "Current time is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckTime()"
    },
    {
      "RuleName": "DayCheck",
      "ErrorMessage": "Today is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDay()"
    },
    {
      "RuleName": "CertificateCheck",
      "ErrorMessage": "Certificate hash is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckCertificate()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {}
}
```

***

## Example 2: Custom policy that requires MFA + Justification + Approval

This uses the same `Actions.OnSuccess.Controls` array as Example 1, but lists multiple controls.

```
{
  "PolicyName": "Custom - Require MFA + Justification + Approval",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "MFA",
        "JUSTIFY",
        "APPROVAL"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "This custom policy requires MFA, justification, and approval before continuing.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 75,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    },
    {
      "RuleName": "DateCheck",
      "ErrorMessage": "Current date is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDate()"
    },
    {
      "RuleName": "TimeCheck",
      "ErrorMessage": "Current time is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckTime()"
    },
    {
      "RuleName": "DayCheck",
      "ErrorMessage": "Today is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDay()"
    },
    {
      "RuleName": "CertificateCheck",
      "ErrorMessage": "Certificate hash is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckCertificate()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {}
}
```

***

## Example 3: Custom policy with a custom payload (for a plugin/integration)

This uses the same shape as our templated policies, but puts a structured payload into `Extension`. Your plugin or integration can read this payload.

```
{
  "PolicyName": "Custom - Integration Payload",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "Custom policy payload published for integration consumption.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 30,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "Schema": "com.company.integration.v1",
    "Mode": "monitor",
    "Endpoint": "https://integration.example/api/decision",
    "TimeoutSeconds": 10
  }
}
```
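Because Custom policies are schema-less, the component that consumes `Extension` has to enforce its own contract. The following is an added example, not product code: a consumer-side check for the Example 3 payload that fails closed on unknown keys and untrusted endpoints. The allowed modes, host allow-list, timeout bounds, and the `validate_custom_policy` name are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumed contract for Example 3's payload; modes, hosts, bounds are hypothetical.
EXPECTED_SCHEMA = "com.company.integration.v1"
ALLOWED_MODES = {"monitor", "enforce"}
ALLOWED_HOSTS = {"integration.example"}
KEYS = {"Schema", "Mode", "Endpoint", "TimeoutSeconds"}

def validate_custom_policy(raw):
    """Return a list of problems; an empty list means the payload is usable."""
    try:
        policy = json.loads(raw)
    except json.JSONDecodeError:
        policy = None
    ext = policy.get("Extension") if isinstance(policy, dict) else None
    if not isinstance(ext, dict):
        return ["policy is not valid JSON or has no Extension object"]
    errors = []
    if policy.get("PolicyType") != "Custom":
        errors.append("PolicyType is not Custom")
    # Reject both missing and unexpected keys so typos fail closed.
    for key in sorted(KEYS ^ set(ext)):
        errors.append(f"unexpected or missing key: {key}")
    if ext.get("Schema") != EXPECTED_SCHEMA:
        errors.append("unknown Schema")
    mode = ext.get("Mode")
    if not isinstance(mode, str) or mode not in ALLOWED_MODES:
        errors.append("Mode not allowed")
    try:
        url = urlsplit(str(ext.get("Endpoint", "")))
        ok = url.scheme == "https" and url.hostname in ALLOWED_HOSTS
    except ValueError:
        ok = False
    if not ok:
        errors.append("Endpoint must be https on an allow-listed host")
    t = ext.get("TimeoutSeconds")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(t, bool) or not isinstance(t, int) or not 1 <= t <= 30:
        errors.append("TimeoutSeconds out of range")
    return errors

# Constructed samples: Example 3's Extension object, and a tampered copy.
GOOD_EXT = {"Schema": EXPECTED_SCHEMA, "Mode": "monitor", "TimeoutSeconds": 10,
            "Endpoint": "https://integration.example/api/decision"}
BAD_EXT = {**GOOD_EXT, "Mode": "off", "TimeoutSeconds": 600, "Debug": True,
           "Endpoint": "http://integration.example/api/decision"}
GOOD = json.dumps({"PolicyType": "Custom", "Extension": GOOD_EXT})
BAD = json.dumps({"PolicyType": "Custom", "Extension": BAD_EXT})
```

Publishing a contract like this alongside the policy covers the first two items of the Important Note: the required keys and the component that consumes them.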
