GUI-Based Policy Authoring
Goal
Build policy conditions using the visual Expression Builder in the Admin Console, without writing code. After completing this guide, you can compose attribute-based conditions for ABAC and RADAC policies using drag-and-drop, configure risk evaluation parameters, and switch between visual and expression modes.
Audience
Developers and platform engineers who prefer building policy conditions visually rather than writing FQL expressions directly.
Prerequisites
- Access to a running Admin Console instance
- Policy management permissions (create or update scope on the Policies resource)
- Configured policy vocabulary — the Expression Builder uses vocabulary data to populate attribute dropdowns
Before You Start
The visual authoring mode is the default for two policy types:
| Policy Type | Visual Mode |
|---|---|
| ABAC | Expression Builder — compose conditions from attribute comparisons with drag-and-drop |
| RADAC | Risk controls — configure risk score range and danger factors with visual sliders and selectors |
Both types support switching to the FQL code editor via the Expression Mode (Advanced) toggle. See Policy DSL Tooling for the code editor workflow.
For the full policy creation reference including all six policy types, see Policy Management.
Worked Example
In this guide, you build an ABAC policy that grants access when the user's department is engineering AND their access level is greater than or equal to 3, OR when the user's role is admin.
The target expression: ( user.department == 'engineering' && user.level >= 3 ) || user.role == 'admin'.
Steps
1. Start an ABAC policy
Navigate to Authorization Policies and click Add Policy > ABAC. Enter a Name (for example, Engineering Senior Access) and a Description. Leave the Expression Mode (Advanced) toggle off to use the visual Expression Builder.
The Expression Builder requires a configured policy vocabulary. If a warning message appears stating that no vocabulary data is available, configure attribute definitions first under Attribute Management.
2. Add the first attribute condition
Click Add Attribute in the Expression Builder toolbar. A popover form appears with four fields:
| Field | Selection for This Example |
|---|---|
| Attribute Type | Select the category (for example, user) |
| Attribute | Select the specific field (for example, department) |
| Operator | Select == |
| Value | Enter engineering |
Click Save to add the condition. The expression area displays: user.department == 'engineering'.
3. Add logical operators and more conditions
Click AND in the toolbar to insert a logical AND operator. Then click Add Attribute again to add the second condition:
| Field | Selection |
|---|---|
| Attribute Type | user |
| Attribute | level |
| Operator | >= |
| Value | 3 |
The expression now reads: user.department == 'engineering' && user.level >= 3.
Click OR to insert a logical OR operator, then add the third condition:
| Field | Selection |
|---|---|
| Attribute Type | user |
| Attribute | role |
| Operator | == |
| Value | admin |
The full expression: user.department == 'engineering' && user.level >= 3 || user.role == 'admin'.
4. Control evaluation order with parentheses
To ensure AND conditions evaluate before OR, use parentheses. Click ( before the first condition and ) after the second condition to group them.
Result: ( user.department == 'engineering' && user.level >= 3 ) || user.role == 'admin'.
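An added example, not part of the product or of this guide's own tooling: a small Python evaluator for the FQL subset used here (an assumed grammar) that reports the decision for constructed test subjects, so the effect of the grouping in this step can be checked before saving. It also refuses `&&` and `||` mixed at one level without parentheses. The names `decide`, `matrix` and `SUBJECTS` are hypothetical.

```python
import re

# Assumed token shapes: only the FQL subset that appears in this guide.
TOKEN = re.compile(r"\s*(&&|\|\||[()]|([\w.]+)\s*(==|>=)\s*(?:'([^']*)'|(\d+)))\s*")
SUBJECTS = {  # constructed test subjects, not real vocabulary data
    "senior engineer": {"user.department": "engineering", "user.level": 4, "user.role": "developer"},
    "junior engineer": {"user.department": "engineering", "user.level": 1, "user.role": "developer"},
    "finance admin": {"user.department": "finance", "user.level": 1, "user.role": "admin"},
}

def decide(expr, attrs):
    """Evaluate expr for one subject; a missing attribute never matches."""
    toks = list(TOKEN.finditer(expr))
    if "".join(m.group(0) for m in toks) != expr:
        raise ValueError("unrecognised text in expression")
    peek = lambda: toks[0].group(1) if toks else None
    def operand():
        if peek() in (None, "&&", "||", ")"):
            raise ValueError("expected a condition or '('")
        m = toks.pop(0)
        if m.group(1) == "(":
            val = group()
            if peek() != ")":
                raise ValueError("missing ')'")
            toks.pop(0)
            return val
        want = m.group(4) if m.group(4) is not None else int(m.group(5))
        have = attrs.get(m.group(2))
        if m.group(3) == "==":
            return have == want
        return isinstance(have, int) and isinstance(want, int) and have >= want

    def group():
        val, seen = operand(), None
        while peek() in ("&&", "||"):
            op = toks.pop(0).group(1)
            if seen not in (None, op):  # extra lint, not one of the builder's checks
                raise ValueError("&& and || mixed at one level: add parentheses")
            seen = op
            rhs = operand()  # parse the right side fully before combining
            val = (val and rhs) if op == "&&" else (val or rhs)
        return val
    result = group()
    if toks:
        raise ValueError("unexpected item after expression")
    return result

def matrix(expr):
    return {who: decide(expr, attrs) for who, attrs in SUBJECTS.items()}
```

Calling `matrix()` on the grouped expression above grants the senior engineer and the finance admin and denies the junior engineer; moving the parentheses to `user.department == 'engineering' && ( user.level >= 3 || user.role == 'admin' )` denies the finance admin as well.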
5. Reorder and edit items
Reorder: Drag any expression item (attribute, operator, or parenthesis) to a new position. The Expression Builder updates the expression string as you rearrange items.
Edit: Click an attribute item to reopen the popover form with its current values. Modify the fields and click Save to update the item in place.
Remove: Click the remove button on any item to delete it from the expression.
6. Review validation feedback
The Expression Builder validates the expression in real time and checks for:
- Unbalanced parentheses
- Consecutive operators (for example, && || without a condition between them)
- Expressions that start or end with an operator
Validation errors appear as inline indicators with a tooltip describing the issue. Fix errors before saving the policy.
7. Build RADAC conditions visually
For RADAC policies, the visual mode offers risk-specific controls instead of the Expression Builder.
Navigate to Add Policy > RADAC. With Expression Mode (Advanced) off, the form shows:
| Control | Description |
|---|---|
| Risk Score | A range slider from 0 to 10 — drag the handles to set the minimum and maximum acceptable risk score |
| Danger Factors | Multi-select dropdown for risk signals to evaluate |
Available danger factor options:
| Factor | Description |
|---|---|
| IP_BLACKLISTED | Request from a blacklisted IP address |
| VPN_USAGE | Request routed through a VPN |
| SUSPICIOUS_LOCATION | Request from an unusual geographic location |
Set the risk score range and select the danger factors relevant to your use case. The visual controls generate the corresponding expression automatically.
8. Switch between visual and expression modes
Enable the Expression Mode (Advanced) toggle to switch to the FQL code editor. The editor displays the expression generated by the visual builder, and you can refine it further with the FQL syntax.
Switching from visual to expression mode preserves the current expression. Switching back to visual mode re-parses the expression into builder items. Complex expressions that the builder cannot parse may not round-trip perfectly — verify the expression after switching.
9. Save the policy
Click Create to save the policy. Optionally, enable Also save as template before creating to save the policy as a reusable template.
Validation Scenario
Scenario
You build an ABAC policy with two conditions connected by AND using the Expression Builder and verify the expression is valid and saved.
Expected Result
- The Expression Builder shows no validation errors
- The expression area displays the composed expression correctly
- The policy appears in the policy list with type ABAC
How to Verify
- UI evidence: Navigate to Authorization Policies, find the policy, click its name. Verify the Expression Builder shows the conditions you configured. Toggle to expression mode and verify the FQL expression text
- Logs: Check the browser network tab for a successful create response
- Audit evidence: Review the audit log for the policy creation event
Troubleshooting
- "No vocabulary data" warning — The policy vocabulary has not been configured. Set up attribute definitions under Attribute Management before using the Expression Builder.
- Attribute Type dropdown is empty — No vocabulary categories are configured. Add vocabulary items with their categories to populate the dropdown.
- Validation error: "Unbalanced parentheses" — Ensure every ( has a matching ). Remove extra parentheses or add the missing ones.
- Validation error: "Consecutive operators" — Insert an attribute condition between two operators. The expression cannot have && || without a condition in between.
- Expression does not survive mode switch — Some complex FQL expressions written in expression mode may not fully parse back into visual builder items. If this happens, continue editing in expression mode.
Next Steps
To write expressions directly in the code editor instead of using the visual builder, see Policy DSL Tooling.
Related Docs
Policy Management
Complete policy CRUD operations including all six policy types.
Policy DSL Tooling
FQL code editor with auto-completion, validation, and formatting.
Attribute Management
Configure the policy vocabulary for Expression Builder and FQL editor.
Policy Authoring with DSL
FQL expression syntax, patterns, and writing strategies.