When you create an Authorization policy, you need to configure one or more rules. Each rule consists of two parts: (1) one or more conditions the user must meet and (2) the action to perform when the user meets conditions or does not meet conditions. The action can be allow or deny access to the resource. This section describes how to use the following elements when creating a policy: