General Design Principles

When you design a policy, remember the following principles:

  • Logged-in users are allowed access to a protected resource unless the policy denies access.

  • Priority determines the order in which rules are applied.

  • The Conditions section of a rule must evaluate to True for its Action section to be applied. If the Conditions section evaluates to False, the Action section is ignored and evaluation moves on to the next rule. If no further rule exists, the user is granted access to the resource.

  • Rules are only processed until a user matches the conditions in a rule and its action is applied. If a user matches the first rule in a policy, that action is applied, and the rest of the rules in the policy are ignored.

  • If two rules have the same priority, Deny rules are applied before Permit rules.

  • After you have designed your policy, created it, and assigned it to a resource, test it. Log in as the type of user who must be granted access, as the type of user who must not be granted access, and as a user who generates an error on condition evaluation.
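The following toy evaluator is an added example, not the product's own code, that implements the principles above: priority ordering (assumed here to mean a lower number is applied first), Deny before Permit at equal priority, first match wins, and the default Permit for logged-in users when no rule matches. The policy, users and rule names are constructed; since the page does not say what happens when a condition errors, the example reports that case as a distinct result rather than guessing, so a tester can see it.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

User = Dict[str, object]


@dataclass
class Rule:
    priority: int                      # assumption: lower number is applied first
    name: str
    condition: Callable[[User], bool]  # the rule's Conditions section
    action: str                        # the rule's Action section: "Permit" or "Deny"


def evaluate(rules: List[Rule], user: User) -> str:
    """Evaluate a policy for an already logged-in user.

    Returns "Permit" or "Deny", or "Error:<rule>:<exception>" when a
    condition raises. The page does not state what the product does on a
    condition error, so this example surfaces it instead of skipping the rule.
    """
    # Priority order; at equal priority Deny rules come before Permit rules.
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "Deny"))
    for rule in ordered:
        try:
            matched = rule.condition(user)
        except Exception as exc:
            return f"Error:{rule.name}:{type(exc).__name__}"
        if matched:
            return rule.action   # first matching rule wins; the rest are ignored
    return "Permit"              # no rule matched: logged-in users are allowed


# Constructed sample policy (not from the page).
POLICY = [
    Rule(10, "deny-contractors", lambda u: u["role"] == "contractor", "Deny"),
    Rule(10, "permit-finance", lambda u: "finance" in u["groups"], "Permit"),
    Rule(20, "permit-staff", lambda u: u["role"] == "staff", "Permit"),
]

# The same policy with a catch-all Deny at the lowest priority, which replaces
# the implicit "no rule matched -> Permit" outcome with an explicit decision.
POLICY_WITH_CATCHALL = POLICY + [Rule(99, "deny-everyone-else", lambda u: True, "Deny")]
```

A contractor who is also in the finance group is denied because the Deny rule is applied before the Permit rule of the same priority, and a user who matches no rule is permitted unless the catch-all Deny is present.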