Add or Manage Policy
Master Policy management in Nodinite v7 with this comprehensive guide. Learn how to create, edit, delete, and restore Policies that group Claims and assign them to Roles for OIDC/OAuth 2.0 authorization.
✅ Name and describe your Policy for clear intent
✅ Select Claims using three-tab interface (New, All, Selected)
✅ Assign Policy to one or more Roles - vital for activation
✅ Create new Claims directly while building Policies
Note
Policies are only available when Nodinite is configured for OIDC/OAuth 2.0 authentication mode.
New to Policies? Read What is a Policy? first to understand the authorization model.
Accessing Policy Management
Navigate to Administration → Access Management → Policies in the Nodinite Web Client.

Location of the Policies menu item in the Administration sidebar.
Policies List View
The Policies management page displays all Policies with:
- Status - Available or Deleted indicator
- Name - The Policy name (clickable link)
- Description - Policy purpose
- Created/Changed - Timestamps
- Actions - Edit, Delete, Restore options
Adding a New Policy
Step 1: Click "Add Policy"
Click the "Add Policy" button in the top-right corner.

Example of the Add Policy button.
Step 2: Enter General Information
Fill in the Policy details:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Unique name for the Policy (can be changed later) |
| Description | Recommended | Clear description of the Policy's intent and purpose |
Example of the Policy General Information form.
Tip
Use descriptive names like "Finance Admin Policy" or "Europe Read-Only Access". The Description should explain what access this Policy grants and why it exists.
At the bottom of the page you will find buttons to Save and Delete the Policy.

Buttons to Save and Delete the Policy.
Step 3: Select Claims
[!DANGER] CRITICAL: Adding Claims to Existing Policies Can Lock You Out!
Before adding any Claim to an existing Policy:
- Verify the Claim exists in your Identity Provider (IDP) - The exact key and value must match what your IDP provides to users
- Understand AND logic - ALL Claims in a Policy must match. Adding one more Claim makes the Policy harder to satisfy
- Risk of lockout - If you add a Claim that doesn't exist in your IDP, NO users (including you as admin) will match the Policy
- Test with non-admin first - Never test Policy changes with your admin account first
- Token caching delays recovery - Even if you fix the IDP, tokens cache for 1+ hours. Lockout persists!
Example of dangerous operation:
Existing Policy "Administrators" contains:
- Group=Admin
You add (thinking it helps):
- Department=IT
Result: Now users need BOTH Group=Admin AND Department=IT
If your IDP doesn't provide Department claim, ALL admin access is blocked! ❌
You try to fix it:
- Update IDP to send Department=IT claim
- Logout and login again - Still locked out! ❌ (Tokens cached in Nodinite for 1+ hours)
- Clear browser cache - still locked out! ❌ (Server-side cache)
- Need database access to remove the bad Claim from Policy
Why token caching makes this worse:
- Nodinite caches authentication tokens from your IDP (typically 1 hour lifetime)
- Cached tokens contain the OLD claims (before your IDP fix)
- Logging out doesn't help - session token is cached
- Clearing browser cache doesn't help - server-side cache
- You must wait for token expiration OR fix via database
Safe alternatives:
- Create a NEW Policy instead of modifying existing ones
- Test with a test role first, not production admin roles
- Document what Claims your IDP actually provides
- Have a backup admin account before making changes
- Understand token caching means changes aren't instant
- Have database access ready for emergency rollback
The Policy detail page includes a Claims card with three tabs for managing Claims:
New Tab
Create new Claims directly within this Policy:

Example of the New/Edit Tab.
- Key (Required) - The claim key
- Value (Required) - The claim value
- Description (Optional) - Claim description
Save Options:
- "Add and Use" - Creates the Claim AND adds it to this Policy (recommended)
- "Add" - Creates the Claim only (doesn't add to Policy)
Tip
Use the "+ New" tab when you need to create Claims specifically for this Policy. This is the quickest way to build a new Policy from scratch.
All Tab
Browse and select from all existing Claims in the system:

Example of the All Tab.
- View all Claims in the system
- Use checkboxes to select Claims to add to this Policy
- Search and filter Claims
- Toggle "Include Deleted" to show deleted Claims
- Edit button opens Claim in New/Edit tab for modification
Actions:
- Check boxes to add Claims to the Policy
- Master checkbox selects/deselects all visible Claims
- Click edit icon to modify an existing Claim
Selected Tab
View and manage Claims currently assigned to this Policy:

Example of the Selected Tab.
- Shows only Claims included in this Policy
- Uncheck boxes to remove Claims from the Policy
- Warning badges appear for deleted Claims
- Search within selected Claims
- Displays count of selected Claims
Actions:
- Uncheck boxes to remove Claims from Policy
- Master checkbox (red) removes all Claims
- Shows total count: "X Claims selected"
[!DANGER] REMOVING Claims from Active Policies:
Removing Claims makes the Policy EASIER to satisfy (fewer conditions), but may grant access to unintended users.
Example:
Policy "Finance Admins" currently requires:
- Department=Finance (AND)
- AccessLevel=Admin (AND)
If you remove "Department=Finance":
- Now ANY user with AccessLevel=Admin gets access (including IT, HR, etc.)
Best practice: Create a NEW Policy instead of removing Claims from existing ones.
Warning
Avoid Conflicting Claims: Do not add multiple Claims with the same key but different values to a single Policy. This creates an impossible-to-satisfy condition that will block all users.
Example:
❌ Invalid: Country=Sweden AND Country=Norway in same Policy
✅ Valid: Create separate Policies for each country
See Understanding Claim Logic for details.
Step 4: Assign to Roles
The Policy detail page includes a Roles card showing which Roles have this Policy assigned.

Example of the Roles Card.
Select Roles:
- View all available Roles in the system
- Use checkboxes to assign this Policy to one or more Roles
- Toggle "Include deleted" to show deleted Roles
- The Administrators role is built-in and cannot be deleted
Actions:
- Check boxes to assign the Policy to those Roles
- Uncheck boxes to remove the Policy from those Roles
- Master checkbox selects/deselects all visible Roles
Important
A Policy without Role assignments is useless. Users receive permissions through their Role assignments. If a Policy is not assigned to any Role, no users will be affected by it.
Tip
You can assign the same Policy to multiple Roles. This is common for cross-functional permissions like "Production Environment Access" that applies to multiple departments.
Step 5: Save the Policy
Click the "Save" button in the top-right corner to save the Policy with its Claims and Role assignments.
Click the "Save" button to create the new Policy.
Example of Invalid Configuration:
❌ Policy contains:
- Country=Sweden (AND)
- Country=Norway (AND)
Result: No user can satisfy this (can't be in two countries)
Correct approach: Create separate Policies and assign both to the same Role for OR logic. See Understanding Claim Logic for details.
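The AND logic inside a Policy, the OR logic between Policies on a Role, and the lockout risk from Step 3 can be checked as a dry run before saving an edit. This is an added example, not Nodinite code or its API: it assumes a Policy is a list of (key, value) Claims and a token carries one value per claim key, and the user names and sample tokens are constructed.

```python
# Added illustration, not Nodinite code: a dry run of a Policy edit.
# Assumption: a token carries one value per claim key (dict key -> value).

def conflicting_keys(policy):
    """Keys listed with more than one value; under AND logic nobody can match."""
    seen = {}
    for key, value in policy:
        seen.setdefault(key, set()).add(value)
    return sorted(k for k, vals in seen.items() if len(vals) > 1)

def policy_matches(policy, token):
    """AND logic: every Claim in the Policy must be present in the token."""
    return all(token.get(key) == value for key, value in policy)

def role_matches(policies, token):
    """OR logic: any one Policy assigned to the Role is enough."""
    return any(policy_matches(p, token) for p in policies)

def review_change(current, proposed, sample_tokens):
    """Report who matches before and after the edit, using sample IDP tokens."""
    before = {u for u, t in sample_tokens.items() if policy_matches(current, t)}
    after = {u for u, t in sample_tokens.items() if policy_matches(proposed, t)}
    return {
        "conflicts": conflicting_keys(proposed),
        "lost_access": sorted(before - after),
        "gained_access": sorted(after - before),
        "lockout": bool(before) and not after,
    }

# Constructed sample tokens (hypothetical users), as decoded from the IDP.
SAMPLE_TOKENS = {
    "alice": {"Group": "Admin", "AccessLevel": "Admin", "Department": "Finance"},
    "bob": {"Group": "Admin", "AccessLevel": "Admin"},
    "carol": {"AccessLevel": "Admin", "Department": "IT"},
}

if __name__ == "__main__":
    admins = [("Group", "Admin")]
    # Adding a Claim: the Policy gets harder to satisfy.
    print(review_change(admins, admins + [("Department", "IT")], SAMPLE_TOKENS))
    finance = [("Department", "Finance"), ("AccessLevel", "Admin")]
    # Removing a Claim: the Policy gets easier to satisfy.
    print(review_change(finance, [("AccessLevel", "Admin")], SAMPLE_TOKENS))
```

A non-empty `lost_access` with `lockout` set means the edit would leave nobody matching the Policy; a non-empty `gained_access` lists the users who would newly match after a Claim is removed.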
Editing an Existing Policy
Step 1: Navigate to Policy
From the Policies list:
- Click the Policy name link, OR
- Click "Actions" → "Edit"
Step 2: Modify Fields
Update the Policy:
- Change Name or Description
- Add/remove Claims using the three tabs (New, All, Selected)
- Assign/unassign Roles using checkboxes
- Review warning badges for any deleted Claims or Roles
Step 3: Save Changes
Click "Save" to apply all changes to the Policy.
Deleting a Policy
You can delete a Policy using two methods:
Method 1: Delete from Overview Page
From the Policies Overview list:
- Click "Actions" dropdown on the Policy row
- Select "Delete" from the menu
- Confirm deletion in the modal dialog
Method 2: Delete from Policy Detail Page
- Navigate to the Policy by clicking the Policy name link or "Actions" → "Edit"
- At the bottom of the Policy detail page, click the "Delete" button

Click the "Delete" button at the bottom of the Policy detail page.
Confirm Deletion
Both deletion methods will show a confirmation modal:

Confirm deletion of the Policy.
Review the information:
- Policy Name and Description being deleted
- Warning about impact on Roles
Click "Delete" to confirm, or "Cancel" to abort.
If the operation is successful you will see a success notification.

Success notification after deleting a Policy.
Important Notes About Deletion
Important
Deleted Policies and Roles:
Tip
Best Practice: Review the "Used In" information in the confirmation modal to understand which Roles will be affected.
Verify Deletion
- Policy is removed from the main list
- Success notification appears
- To see deleted Policies, enable the "Include Deleted" filter
Restoring a Deleted Policy
Step 1: Enable "Include Deleted" Filter
From the Policies list page, check the "Include Deleted" checkbox at the top.

Enable "Include Deleted" to show deleted Policies.
Step 2: Locate the Deleted Policy
Deleted Policies appear with:
- Red "Deleted" status badge
- Grayed-out or strike-through text
- Full historical information preserved

Deleted Policies are marked with a "Deleted" badge.
Step 3: Open Actions Menu
Click the "Action" dropdown button on the deleted Policy row.

Open the Actions dropdown menu for the deleted Policy.
Step 4: Select Restore
Select "Restore" from the menu.

Select "Restore" to recover the deleted Policy.
Step 5: Confirm Restoration
A confirmation modal appears:

Confirm restoration of the Policy.
If the operation is successful, you will see a success notification.

Success notification after restoring a Policy.
Review the information and click "Restore" to confirm.
Step 6: Verify Restoration
- Policy returns to active status
- "Deleted" badge removed
- Policy is available for assignment to Roles again
- Note: Policy is NOT automatically reassigned to Roles - administrator must manually reassign if needed
Note
Policy-Role Reassignment: After restoring a Policy, you'll need to contact your system administrator to reassign it to Roles if needed. The restoration does not automatically restore previous Role assignments.
Best Practices and Common Scenarios
For comprehensive guidance on Policy best practices, including:
- Naming conventions - Clear, descriptive names
- Claim selection rules - One value per key, avoiding conflicts
- AND/OR logic - Understanding how Claims combine within and between Policies
- Logical grouping - Department, regional, and functional Policies
- Reusability - Designing Policies for multiple Roles
- Common scenarios - Department-based access, multi-permission, tiered access, environment separation
See the comprehensive guide: What is a Policy?
Tip
Looking for more examples? See Common Scenarios for comprehensive implementation guides including department-based policies, regional authorization, and multi-tenant setups.
Note
Having issues? Check the Troubleshooting Guide for solutions to common Policy management problems.
Next Step
What is a Role?
What is a Claim?
Policies Overview
Related Topics
What is a Policy?
Policies Overview
Claims
Add or manage Claim
Access Management
Guides:
Common Scenarios - Implementation examples
Troubleshooting Guide - Solutions to common issues
