The process of implementing an actual policy has three steps. The first is defining the policy, where you describe what the policy's conditions and effects are.
The second is assigning the policy, where you select the scope at which this policy will take effect.
As we mentioned, the scope can vary from a management group to a subscription, a resource group or an individual resource.
Once the policy is assigned, it is continuously evaluated against the properties of the resources that are within the scope, and compliance reports are generated.
Let's look at how the policy definitions are created.
Policy definitions are JSON files that have a defined schema.
Each definition contains the following elements.

The first element is the mode. There are two types of modes: Resource Manager modes and resource provider modes.
The Resource Manager mode can be All, for evaluating all resource groups and resource types,
or Indexed, for evaluating only resource types that support tags and location.
The resource provider modes are still in preview, and currently there are only three of them:
Microsoft.ContainerService.Data, Microsoft.Kubernetes.Data, and Microsoft.KeyVault.Data for managing Key Vault certificates.

The next element is the parameters element.
The parameters element has a name, a type and metadata, as well as an optional default value and allowed values.
Parameters help you simplify policy management by reducing the number of policies you need to create, and let you reuse the same policy for different scenarios.
The parameters can be specified at the time of policy assignment.
The default value is used in case the parameter is not explicitly specified during assignment.
The allowed values restrict what values can be specified at the time of assignment.
Parameters are also used in the rule section, which we will discuss shortly.

Next, there are the display name and description for the policy.
Those are the user-friendly name and description that you will see in the Azure portal, for example, and they are useful for identifying and understanding the purpose of the policy in reports.
The display name is limited to 128 characters, while the description is limited to 512 characters.

Last is the policy rule,
which is the most important part of the policy.
It consists of an if block and a then block. The if block contains one or more conditions that determine when the policy is enforced,
and you can use logical operators in the if block. The then block determines what the effect is if the condition in the if block is fulfilled.
There is an extensive list of operators and conditions that you can use in the if block.
We will look more into the grammar details later in this course, when we develop a custom policy;
for now, it is enough to know that you have a lot of flexibility in the if block that allows you to create all kinds of conditions.
You can also use various effects in the then block. You can deny actions if the policy is violated, you can modify the resource properties with append and modify, or you can just audit the properties.
Once again, we will look at the details later in the course.
One important thing to remember is that policy has an explicit deny action. This is important to know when you design your policy structure and assign policies to a scope.
Let's see now what you can do once you have the policy definition.
As we mentioned before, the policy can be assigned to take effect within a specific scope: a management group, a subscription, a resource group or an individual resource.
Scope refers to all the management groups, subscriptions, resource groups and resources that the policy definition is assigned to.
Assignments are inherited by all child resources.
For example,
if the policy definition is assigned to a management group, all subscriptions, resource groups and resources that are within this management group will have the policy.
However, you can exclude a sub-scope from the policy assignment.
For example, if you want to deny the creation of a specific resource in a subscription but allow its creation in just a single resource group,
you can exclude that resource group from the policy.
One typical example is if you want to have a single VNet for a subscription and prevent developers from creating VNets in any resource group except the networking resource group:
you can exclude the networking resource group from the scope, and grant access only to specific users to create resources in that group.
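To tie the definition elements (mode, parameters with default and allowed values, display name, description, and the if/then policy rule) to the scope and exclusion behaviour described above, here is an added worked example in Python. It is not code from the course or from Azure Policy itself: the policy definition, the assignment (including the subscription id and the rg-networking exclusion), and the sample resources are all constructed for illustration, and the evaluator only implements a small toy subset of the real if-block grammar (allOf, anyOf, not, field/equals, field/in and the parameters() function).

```python
import json

# Constructed policy definition (not from the course): deny virtual networks created
# outside the allowed locations. It carries every element discussed in the lecture.
POLICY_DEFINITION_JSON = r"""
{
  "mode": "Indexed",
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "metadata": {"displayName": "Allowed locations",
                   "description": "Regions in which virtual networks may be created"},
      "defaultValue": ["westeurope"],
      "allowedValues": ["westeurope", "northeurope"]
    }
  },
  "displayName": "Deny virtual networks outside the allowed locations",
  "description": "Denies Microsoft.Network/virtualNetworks outside the allowed locations.",
  "policyRule": {
    "if": {
      "allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
        {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}}
      ]
    },
    "then": {"effect": "deny"}
  }
}
"""
DEFINITION = json.loads(POLICY_DEFINITION_JSON)

# Constructed assignment: subscription scope, with the networking resource group
# excluded via notScopes, as in the single-VNet scenario (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENT = {
    "scope": SUB,
    "notScopes": [f"{SUB}/resourceGroups/rg-networking"],
    "parameters": {"allowedLocations": ["westeurope"]},
}


def resolve_parameters(definition, overrides):
    """Apply assignment-time values over defaults and enforce allowedValues."""
    resolved = {}
    for name, spec in definition.get("parameters", {}).items():
        value = overrides.get(name, spec.get("defaultValue"))
        if value is None:
            raise ValueError(f"parameter '{name}' has no value and no default")
        allowed = spec.get("allowedValues")
        if allowed is not None:
            candidates = value if isinstance(value, list) else [value]
            rejected = [v for v in candidates if v not in allowed]
            if rejected:
                raise ValueError(f"parameter '{name}': {rejected} not in allowedValues")
        resolved[name] = value
    return resolved


def resolve_value(value, params):
    """Expand the [parameters('name')] template function; anything else passes through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def evaluate_condition(condition, resource, params):
    """Toy evaluator for a subset of the if-block grammar."""
    if "allOf" in condition:
        return all(evaluate_condition(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate_condition(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate_condition(condition["not"], resource, params)
    actual = resource.get(condition["field"])
    if "equals" in condition:
        return actual == resolve_value(condition["equals"], params)
    if "in" in condition:
        return actual in resolve_value(condition["in"], params)
    raise ValueError(f"unsupported condition: {condition}")


def _under(resource_id, scope):
    """True if resource_id is the scope itself or lies beneath it (segment-aware)."""
    rid, sc = resource_id.lower(), scope.lower().rstrip("/")
    return rid == sc or rid.startswith(sc + "/")


def in_scope(resource_id, assignment):
    """Inside the assigned scope and not under any excluded sub-scope (notScopes)."""
    if not _under(resource_id, assignment["scope"]):
        return False
    return not any(_under(resource_id, ns) for ns in assignment.get("notScopes", []))


def evaluate(definition, assignment, resource):
    """Return the effect the rule would apply to the resource, or why none applies."""
    if not in_scope(resource["id"], assignment):
        return "notInScope"
    params = resolve_parameters(definition, assignment.get("parameters", {}))
    rule = definition["policyRule"]
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource, params) else "compliant"


def sample(rg, rtype, name, location):
    """Build a constructed, simplified resource record."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}",
            "type": rtype, "location": location}


VNET_IN_APP_RG = sample("rg-app", "Microsoft.Network/virtualNetworks", "vnet1", "eastus")
VNET_IN_NETWORKING_RG = sample("rg-networking", "Microsoft.Network/virtualNetworks", "hub", "eastus")
VNET_ALLOWED_LOCATION = sample("rg-app", "Microsoft.Network/virtualNetworks", "vnet2", "westeurope")
STORAGE_IN_APP_RG = sample("rg-app", "Microsoft.Storage/storageAccounts", "st1", "eastus")

if __name__ == "__main__":
    for r in (VNET_IN_APP_RG, VNET_IN_NETWORKING_RG, VNET_ALLOWED_LOCATION, STORAGE_IN_APP_RG):
        print(r["id"].rsplit("/", 1)[-1], "->", evaluate(DEFINITION, ASSIGNMENT, r))
```

Running it shows the four outcomes the lecture describes: the VNet in rg-app in an unlisted region is denied, the same VNet in the excluded rg-networking group is not evaluated at all, a VNet in an allowed region is compliant, and a storage account never matches the type condition. Dropping notScopes from the assignment makes the networking VNet subject to deny as well, which is the design point about inheritance and explicit deny.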
In the next video, we will look at how you can combine policies and apply them together as initiatives.