# Custom

<figure><img src="/files/L5O6dX6A7R87qCYdSoU7" alt=""><figcaption></figcaption></figure>

Use **Custom** policies when you need a non-standard policy classification for specialized workflows, integrations, or custom evaluators.

### Step-by-step: Create a Custom policy (via Advanced JSON)

{% stepper %}
{% step %}
**Navigate to Endpoint Privilege Manager → Policies**

<figure><img src="/files/1zuqW2iuxE0cYlLMK4G6" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Click Create Policy**

This will spawn the Create Policy modal form.

<figure><img src="/files/saENuE4ERTA0qZavFS7f" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Define Policy Attributes**

Choose an aptly descriptive name for your new policy.

Choose **any existing policy type available in the UI** for your new policy (this is just a starting template since Update Settings is set in JSON).

Choose a status for your new policy. We recommend monitor mode when initially setting up a policy.

Add one or more Controls by clicking on the "Add Control" button and then selecting the controls that you would like to see applied to your new policy.

Choose a User Group, a Machine Collection, and an Application Collection.
{% endstep %}

{% step %}
**Configure Policy Targeting**

Configure any **targeting** you want in the UI (collections/users/machines/apps/platforms). Who or what does your policy apply to?
{% endstep %}

{% step %}
**Open the Policy’s Advanced Mode (JSON view)**

To open the Policy's Advanced Mode, click on the "Advanced Mode" link in the bottom left corner of the Policy Form.

<figure><img src="/files/cEuE5nTSh76oKvHbGB4q" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Redefine Policy Type in JSON**

Set `PolicyType` to **`"Custom"`**.
{% endstep %}

{% step %}
**Add Your Custom Fields**

Add any custom fields your internal integration/evaluator expects (this is implementation-specific).
{% endstep %}

{% step %}
**Save the Policy**
{% endstep %}
{% endstepper %}

### Important Note

“Custom” is intentionally schema-less at the documentation level unless you publish:

* the required JSON schema/keys,
* what component consumes it,
* and how customers verify enforcement.

## Example JSON Snippets

## Example 1: Custom policy (baseline allow)

Use this when you want a Custom policy that simply “matches” based on the same built-in checks, but does not require MFA/Justification/Approval.

```
{
  "PolicyName": "Custom - Baseline Allow",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "A custom policy matched and allowed this action.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    },
    {
      "RuleName": "DateCheck",
      "ErrorMessage": "Current date is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDate()"
    },
    {
      "RuleName": "TimeCheck",
      "ErrorMessage": "Current time is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckTime()"
    },
    {
      "RuleName": "DayCheck",
      "ErrorMessage": "Today is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDay()"
    },
    {
      "RuleName": "CertificateCheck",
      "ErrorMessage": "Certificate hash is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckCertificate()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {}
}
```

## Example 2: Custom policy that requires MFA + Justification + Approval

This mirrors `Actions.OnSuccess.Controls`, but with multiple controls.

```
{
  "PolicyName": "Custom - Require MFA + Justification + Approval",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "MFA",
        "JUSTIFY",
        "APPROVAL"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "This custom policy requires MFA, justification, and approval before continuing.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 75,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    },
    {
      "RuleName": "DateCheck",
      "ErrorMessage": "Current date is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDate()"
    },
    {
      "RuleName": "TimeCheck",
      "ErrorMessage": "Current time is not covered by this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckTime()"
    },
    {
      "RuleName": "DayCheck",
      "ErrorMessage": "Today is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckDay()"
    },
    {
      "RuleName": "CertificateCheck",
      "ErrorMessage": "Certificate hash is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckCertificate()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {}
}
```

## Example 3: Custom policy with a custom payload (for a plugin/integration)

This uses the same shape as our templated policies, but puts a structured payload into `Extension`. Your plugin/integration can read this.

```
{
  "PolicyName": "Custom - Integration Payload",
  "PolicyType": "Custom",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "Custom policy payload published for integration consumption.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 30,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "Schema": "com.company.integration.v1",
    "Mode": "monitor",
    "Endpoint": "https://integration.example/api/decision",
    "TimeoutSeconds": 10
  }
}
```
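Because a Custom policy has no published schema by default (see the Important Note), the component that consumes `Extension` should validate it before acting on it. The following is an added example, not Keeper's code: a consumer-side check for the Example 3 payload. The key names and sample values come from Example 3; the allow-listed host, the `enforce` mode and the 30-second cap are assumptions.

```python
import json
from urllib.parse import urlsplit

# Key names and sample values come from Example 3; the limits below are
# assumptions made for this example, not rules defined by the product.
EXPECTED_SCHEMA = "com.company.integration.v1"
ALLOWED_MODES = {"monitor", "enforce"}      # "enforce" is hypothetical
ALLOWED_HOSTS = {"integration.example"}     # exact-match allow-list
MAX_TIMEOUT_SECONDS = 30                    # hypothetical upper bound
KNOWN_KEYS = {"Schema", "Mode", "Endpoint", "TimeoutSeconds"}
# Constructed sample: a policy reduced to the fields this check reads.
SAMPLE = json.dumps({"PolicyType": "Custom", "Extension": {
    "Schema": EXPECTED_SCHEMA, "Mode": "monitor", "TimeoutSeconds": 10,
    "Endpoint": "https://integration.example/api/decision"}})


def validate_extension(policy_json):
    """Return a list of problems; an empty list means the payload is accepted."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    problems = []
    if policy.get("PolicyType") != "Custom":
        problems.append("PolicyType is not 'Custom'")
    ext = policy.get("Extension")
    if not isinstance(ext, dict) or not ext:
        return problems + ["Extension is missing or empty"]
    if ext.get("Schema") != EXPECTED_SCHEMA:
        problems.append("unsupported Schema")
    mode = ext.get("Mode")
    if not isinstance(mode, str) or mode not in ALLOWED_MODES:
        problems.append("unsupported Mode")
    try:
        # Compare the parsed hostname, never a substring of the raw URL.
        url = urlsplit(str(ext.get("Endpoint", "")))
        endpoint_ok = url.scheme == "https" and url.hostname in ALLOWED_HOSTS
    except ValueError:
        endpoint_ok = False
    if not endpoint_ok:
        problems.append("Endpoint must be https on an allow-listed host")
    timeout = ext.get("TimeoutSeconds")
    # bool is a subclass of int in Python, so require the exact type.
    if type(timeout) is not int or not 1 <= timeout <= MAX_TIMEOUT_SECONDS:
        problems.append("TimeoutSeconds out of range")
    unknown = sorted(set(ext) - KNOWN_KEYS)
    return problems + ([f"unexpected keys: {unknown}"] if unknown else [])
```

An integration would call `validate_extension()` on each policy it receives and ignore the payload unless the returned list is empty.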

