creating-service-policies
New Service Policy via UI
- On the left side nav bar, click "Ziti Policies"
- On the top nav bar, click "Service Policies"
- In the top right corner of the screen click the "plus" image to add a new Service Policy
- Choose a name for the Service Policy, such as "My Service Policy"
- Select "Dial" or "Bind" in the Type dropdown
  - Dial policies allow identities to use or connect to the service
  - Bind policies allow identities to host or provide the service
- Enter the services you want to include in the policy
  - Specific services can be referenced by ID or name using `@`. For example, a service called `ssh` can be referenced using `@ssh`.
  - Services can be referenced by role attribute using `#`. For example, any service which has the `sales` role attribute will be included if `#sales` is included in the service roles list.
- Enter the identities you want to include in the policy
  - Specific identities can be referenced by ID or name using `@`. For example, an identity called `jsmith-desktop` can be referenced using `@jsmith-desktop`.
  - Identities can be referenced by role attribute using `#`. For example, any identity which has the `sales` role attribute will be included if `#sales` is included in the identities roles list.
- Specify the role semantic
  - If you select Has Any Role and specify multiple roles, all entities which include any of the roles will be included.
  - If you select Must Have All Roles and specify multiple roles, only entities which include all of the given roles will be included.
- Click save
To create a Service Policy using the CLI, issue the following commands:
- Ensure you are logged in with the CLI. The `ziti` CLI will help you get an API Session from the controller's management API. You will be prompted to trust any new server certificates. Your login token cache and trust store are managed by the CLI in your home directory.

  ```bash
  # implies https://localhost:1280
  ziti edge login -u admin -p admin
  # implies https://
  ziti edge login ctrl.ziti.example.com:8441 -u admin -p admin
  ```

- Create a service policy named `my-policy` which allows all identities to dial/connect to all services.

  ```bash
  ziti edge create service-policy my-policy Dial --identity-roles '#all' --service-roles '#all'
  ```
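
The `#all` policy above matches every identity and every service, so it is worth checking what a narrower role list would select before saving it. The following Python model is an added example, not code from the Ziti project or the original page: it applies the `@`, `#`, `#all` and role-semantic rules described above to constructed identities. The function name `resolve_roles`, the `AnyOf`/`AllOf` labels for the two semantics, and the rule that an explicit `@` reference is always included regardless of the semantic are assumptions of this model.

```python
# Added illustration: a local model of service-policy role matching.
# Entity names and role attributes below are constructed sample data.

def resolve_roles(roles, semantic, entities):
    """Return the sorted names of entities selected by a policy role list.

    roles    -- entries such as '@ssh', '#sales' or '#all'
    semantic -- 'AnyOf' (Has Any Role) or 'AllOf' (Must Have All Roles)
    entities -- dict mapping entity name -> set of role attributes
    """
    if semantic not in ("AnyOf", "AllOf"):
        raise ValueError(f"unknown semantic: {semantic!r}")
    names, attrs = set(), set()
    for role in roles:
        if role.startswith("@") and len(role) > 1:
            names.add(role[1:])
        elif role.startswith("#") and len(role) > 1:
            attrs.add(role[1:])
        else:
            raise ValueError(f"role must start with @ or #: {role!r}")
    unknown = names - set(entities)
    if unknown:
        # A typo in an '@' reference should fail loudly, not match nothing.
        raise ValueError(f"unknown entity reference: {sorted(unknown)}")
    if "all" in attrs:
        return sorted(entities)  # '#all' selects every entity
    selected = set(names)  # assumption: '@' references always apply
    for name, have in entities.items():
        hit = attrs & have if semantic == "AnyOf" else attrs <= have
        if attrs and hit:  # an empty attribute list selects nobody
            selected.add(name)
    return sorted(selected)

IDENTITIES = {  # constructed sample data
    "jsmith-desktop": {"sales"},
    "adoe-laptop": {"sales", "managers"},
    "build-server": {"ci"},
}

if __name__ == "__main__":
    for roles, sem in [(["#all"], "AnyOf"),
                       (["#sales", "#managers"], "AnyOf"),
                       (["#sales", "#managers"], "AllOf"),
                       (["@build-server", "#managers"], "AllOf")]:
        print(roles, sem, "->", resolve_roles(roles, sem, IDENTITIES))
```

Run against an export of your own identities or services, the same function shows how far a role list reaches under each semantic before the policy is created.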