## Creating policies

This guide walks you through creating a new policy in Agen for SaaS. Policies define conditional rules that are evaluated when AI agents invoke tools, allowing you to enforce deny, step-up, or approval actions based on request attributes.

### Create a new policy

1. Navigate to the **Policies** section in the control plane (accessible from the Guardrails area of the pipeline view, or from the left sidebar).
2. Click **Create policy**.
3. Fill in the policy form fields described below.
4. Click **Create policy** to save.

### Policy form fields

#### Name

A descriptive name for the policy. Use a naming convention that indicates the action and context (e.g., "Step-up: Create expense", "Deny: External IP access").

#### Description (optional)

A brief explanation of the policy's purpose. Maximum 160 characters.

Placeholder: "Enter policy description"

#### Policy tools

Assign the policy to specific tools. The policy only evaluates when one of the assigned tools is invoked.

- Click the dropdown and select one or more tools.
- Selected tools appear as chips with an X button to remove them (e.g., `Update_expense`).

Placeholder: "Select policy tools"

#### Policy attributes: definition and function

Define the conditional expression that determines when the policy action is triggered.

> Specify the policy attribute and value, and detail the manner in which the policy is applied

Each condition follows the format:

**IF** `[Attribute]` `[Operator]` `[Value]`

| Component | Description | Examples |
| --- | --- | --- |
| **Attribute** | The request attribute to evaluate. Free-text field. | `IP`, `amount`, `country`, `user_role` |
| **Operator** | The comparison operator. Dropdown selection. | `Contains`, `In`, `Equals`, `Greater than`, `Less than` |
| **Value** | The value(s) to compare against. Can be a single value or multiple values (shown as chips). | `192.168`, `United States`, `10000` |

To add multiple conditions, click **+ and**.
All conditions must be true (AND logic) for the policy to trigger. To remove a condition, click the minus icon next to it.

#### Policy action

Select the enforcement action when all conditions match:

| Action | Behavior | Additional configuration |
| --- | --- | --- |
| **Deny** | Block the tool call. | None. |
| **Step up** | Require additional authentication. | None. |
| **Request approval** | Pause the tool call and route to an approval flow. | A dropdown to select the approval flow (e.g., "Approve from admins"). |

Click **Create policy** to save, or **Cancel** to discard.

### Example: Step-up authentication for large expenses

**Scenario:** Require step-up authentication when creating an expense with an amount greater than 10,000.

1. Click **Create policy**.
2. Set **Name** to "Step-up: Create expense".
3. Select `Create_a_new_expense` in **Policy tools**.
4. In **Policy attributes**, set: IF `amount` `Greater than` `10000`.
5. Select **Step up** as the **Policy action**.
6. Click **Create policy**.

Result: When an AI agent calls `Create_a_new_expense` with an amount exceeding 10,000, the user is prompted for additional authentication before the tool call proceeds.

### Example: Require approval for updates from specific IPs

**Scenario:** Require manager approval when updating expenses from internal network IPs.

1. Click **Create policy**.
2. Set **Name** to "Approval: Internal IP updates".
3. Select `Update_expense` in **Policy tools**.
4. In **Policy attributes**, set: IF `IP` `Contains` `192.168`.
5. Select **Request approval** as the **Policy action**.
6. Select "Approve from admins" from the approval flow dropdown.
7. Click **Create policy**.

Result: When an AI agent calls `Update_expense` from an IP containing `192.168`, the request is paused and routed to the "Approve from admins" flow for human review.

### Managing existing policies

#### Activate or deactivate a policy

Use the toggle in the **Status** column of the policies list.
Active policies are evaluated during tool calls; inactive policies are preserved but not enforced.

#### Filter policies

Use the **Action** filter dropdown to show only policies with a specific action type (Deny, Step up, Request approval) or set to "All" to see everything.

#### Edit a policy

Click the three-dot menu on a policy row and select edit. You can modify the name, description, tools, conditions, and action.

#### Delete a policy

Click the three-dot menu and select delete to permanently remove the policy.

### Related topics

- [Conditional expressions](/agen-for-saas/policies/conditional-expressions)
- [Approval flows](/agen-for-saas/policies/approval-flows)
- [Policies overview](/agen-for-saas/policies/overview)
- [Access control](/agen-for-saas/access-control/overview)
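
The two example policies from this guide, modelled as an added Python sketch (not Agen's own code) so their conditions can be checked against sample values before a policy is activated. It goes one step beyond the page by comparing the `IP` `Contains` `192.168` condition with a CIDR membership test for `192.168.0.0/16`. Assumptions: the operator semantics, the helper names `evaluate` and `contains_vs_cidr`, the treatment of a missing attribute, and the constructed sample addresses.

```python
import ipaddress

# Assumed operator semantics (string and numeric comparison); the page names
# the operators but does not define how the product evaluates them.
OPERATORS = {
    "Contains": lambda actual, values: any(str(v) in str(actual) for v in values),
    "In": lambda actual, values: str(actual) in {str(v) for v in values},
    "Equals": lambda actual, values: str(actual) == str(values[0]),
    "Greater than": lambda actual, values: float(actual) > float(values[0]),
    "Less than": lambda actual, values: float(actual) < float(values[0]),
}

# The two example policies from this page, written as plain data.
STEP_UP = {"tools": {"Create_a_new_expense"}, "action": "Step up",
           "conditions": [("amount", "Greater than", ["10000"])]}
APPROVAL = {"tools": {"Update_expense"}, "action": "Request approval",
            "conditions": [("IP", "Contains", ["192.168"])]}

def evaluate(policy, tool, attrs):
    """Return the policy's action if the tool is assigned and ALL conditions hold."""
    if tool not in policy["tools"]:
        return None
    for attribute, operator, values in policy["conditions"]:
        # Assumption: a request that lacks the attribute does not satisfy the condition.
        if attribute not in attrs or not OPERATORS[operator](attrs[attribute], values):
            return None
    return policy["action"]

def contains_vs_cidr(policy, tool, ips, cidr="192.168.0.0/16"):
    """Return sample IPs where the substring rule and a CIDR membership test disagree."""
    network = ipaddress.ip_network(cidr)
    mismatched = []
    for ip in ips:
        by_policy = evaluate(policy, tool, {"IP": ip}) is not None
        by_cidr = ipaddress.ip_address(ip) in network
        if by_policy != by_cidr:
            mismatched.append(ip)
    return mismatched

# Constructed sample addresses, not taken from any real log.
SAMPLE_IPS = ["192.168.1.20", "10.192.168.7", "203.0.192.168", "10.0.0.5"]

if __name__ == "__main__":
    print(evaluate(STEP_UP, "Create_a_new_expense", {"amount": 10000}))
    print(evaluate(STEP_UP, "Create_a_new_expense", {"amount": 25000}))
    print(contains_vs_cidr(APPROVAL, "Update_expense", SAMPLE_IPS))
```

Under these assumptions an amount of exactly 10000 does not trigger the step-up, and the `Contains` condition also matches addresses that carry `192.168` in other octets, so a policy is worth testing against boundary values and representative addresses before its **Status** toggle is switched on.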