[Yandex Cloud documentation](../../index.md) > [Yandex Identity Hub](../index.md) > Concepts > Authentication policies

# Authentication policies in Yandex Identity Hub

{% note info %}

This feature is at the [Preview](../../overview/concepts/launch-stages.md) stage.

{% endnote %}

In Yandex Identity Hub, _authentication policies_ are used for granular management of [user](*user_accounts) and [user group](*user_groups) access to Yandex Identity Hub [applications](*applications) by [denying or allowing](#action) authentication based on conditions specified in the [policy scope](#conditions).

Currently, you can manage authentication policies via the [Cloud Center UI](https://center.yandex.cloud/organization). To [create](../operations/authentication-policies/create.md), [update](../operations/authentication-policies/update.md), [activate](../operations/authentication-policies/activate-deactivate.md#activate), [deactivate](../operations/authentication-policies/activate-deactivate.md#deactivate), or [delete](../operations/authentication-policies/delete.md) authentication policies, users need the `organization-manager.admin` [role](*org_manager_admin) or higher.

## Policy scope {#conditions}

Authentication policies apply to user authentication events based on the following conditions:

* [Users and user groups](#users-and-groups).
* [Applications](#applications).
* [Networks and IP addresses](#ip-addresses).

{% note info %}

The conditions specified in the policy are applied with the `AND` logic when checking whether the user can authenticate.

{% endnote %}

### Users and user groups {#users-and-groups}

You can apply an authentication policy to all users within your [Yandex Identity Hub](*organization) or restrict it to specific users or user groups.

You can also explicitly exclude certain users or user groups from a policy. Note that you cannot add the same users or user groups to both inclusion and exclusion lists at the same time.

### Applications {#applications}

You can apply an authentication policy to all applications created in your Yandex Identity Hub or restrict it to specific applications.

You can also exclude certain applications from a policy.

### Networks and IP addresses {#ip-addresses}

You can apply an authentication policy to either all possible IP addresses or specific IPv4 and IPv6 ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation.

You can also exclude certain address ranges from a policy. Note that you cannot add the same IP address ranges to both inclusion and exclusion lists at the same time.

## Policy outcomes {#action}

Currently, you can use authentication policies to deny user authentication if the authentication event meets the policy [conditions](#conditions).

## Policy statuses {#status}

An authentication policy may be either `Active` or `Inactive`. An inactive policy does not apply to user authentication events.

#### Useful links {#see-also}

* [Creating an authentication policy](../operations/authentication-policies/create.md)
* [Activating/deactivating an authentication policy](../operations/authentication-policies/activate-deactivate.md)
* [Editing an authentication policy](../operations/authentication-policies/update.md)
* [Deleting an authentication policy](../operations/authentication-policies/delete.md)
* [Applications in Yandex Identity Hub](applications.md)

[*organization]: An organization is the highest resource in the Yandex Cloud resource model hierarchy that consolidates the resources of all other services. It is also used for user management as well as authentication and authorization management. For more information, see [Organization](organization.md).

[*user_groups]: You can group Yandex Identity Hub users to simplify access management in Yandex Cloud. For more information, see [User groups](groups.md).

[*applications]: Yandex Identity Hub SAML and OIDC applications allow Yandex Cloud users to authenticate in services of third-party service providers. For more information, see [Applications in Yandex Identity Hub](applications.md).

[*user_accounts]: Yandex Cloud uses Yandex accounts as well as federated and local user accounts. For more information, see [Accounts in Yandex Cloud](../../iam/concepts/users/accounts.md).

[*org_manager_admin]: The `organization-manager.admin` role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and users' access permissions to the organization and its resources. To learn more, see [Access management in Yandex Identity Hub](../security/index.md#organization-manager-admin).