# Manually managing access with policies or roles

{% hint style="info" %}
In this setup, **application access and authorization roles are fully governed by you (the provider)**. The provider creates and manages **access policies** and/or **roles**, and is solely responsible for assigning them to customer organizations or to specific users within those organizations.
{% endhint %}

### **Policy assignment model**

* **Manual assignment by provider**:\
  Providers define the access **policies** (which determine what applications or features can be accessed) and **roles** (which define the user's level of access or responsibility). These are manually assigned to:
  * Entire customer organizations, or
  * Individual users within customer organizations.
* **No customer control**:\
  Once a policy or role is assigned, customer organizations - including their administrators - **cannot edit, reassign, or remove them**. This guarantees complete control by the provider over both who gets access and what level of access they receive.
* **Granular targeting**:\
  Providers can tailor access with precision by combining roles and policies, applying them based on internal rules, eligibility, or operational need - without requiring customer intervention.
* **No legal terms or pricing**:\
  These assignments do not depend on pricing tiers or formal contracts. The access model can be used for free, internal, experimental, or restricted-use cases where access is selectively granted.

### **Key Characteristics**

| Feature                     | Description                                                                                |
| --------------------------- | ------------------------------------------------------------------------------------------ |
| **Control**                 | Provider-managed only (for both policies and roles)                                        |
| **Creation & assignment**   | Defined and assigned solely by the provider                                                |
| **Assignment acope**        | Organization-level or user-level                                                           |
| **Customer visibility**     | Customers can view assigned policies/roles, but **cannot modify them**                     |
| **No legal binding needed** | Access and role assignment do **not** require pricing or legal agreements                  |
| **Use case fit**            | Ideal for scenarios requiring strict provider control over access and authorization levels |

### **Example Scenarios**

* A workflow automation platform grants backend access roles to enterprise IT teams in selected companies - without needing any customer-side configuration.
* A beta feature is made available to specific users via a manually assigned role and access policy, managed entirely by the provider.
* A regulated healthcare integration assigns read-only roles and application access based on internal compliance vetting, not customer input.

<details>

<summary>How to set this up</summary>

The following steps apply the same for roles or policies.

1. Refer to [creating Policies](/for-providers/ciam/set-up-access-controls.md#policies) to configure a policy that grants access to (parts of) your application(s).
2. Navigate to the Accounts.
3. Select the account you want to give access to (in case the customer account is not available, see [Customer Accounts](/for-providers/customer-accounts.md)).
4. Determine if you want the entire organization to have access, or only specific users
   1. Entire organization:
      1. Go to Policies > Assigned Policies
      2. Click ‘Assign Policy’ > To organization
      3. Select the account and policy that gives the required access
      4. Confirm the choice and close the dialog by clicking Assign Policy.
      5. This can also be done by going to Accounts > Selecting the account > Expand the Policies section and clicking to 'Assign Policy'.
   2. Specific users:
      1. Go to Policies > Assigned Policies
      2. Click ‘Assign Policy’ > To users
      3. Select the user/s and policy that gives the required access
      4. Confirm the choice and close the dialog by clicking Assign Policy.
      5. This can also be done by going to Users > Selecting the user > Access > 'Assign Policy'
5. Your customer (or user of customer) can now login to your application.

An overview of all Policies assigned to customers (both accounts and users) can be found from the Policies or Role section, depending on the type of policy assigned. Policies can also be removed from these overviews, or from the Policies tab on the Account detail page, or Account - User detail page.

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.myveriam.com/for-providers/setup-guides/manually-managing-access-with-policies-or-roles.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.