[Yandex Cloud documentation](../../../index.md) > [Yandex Identity Hub](../../index.md) > [Step-by-step guides](../index.md) > Authentication > Managing authentication policies > Editing an authentication policy

# Editing an authentication policy

{% note info %}

This feature is at the [Preview](../../../overview/concepts/launch-stages.md) stage.

{% endnote %}

In Yandex Identity Hub, [authentication policies](../../concepts/authentication-policy.md) are used for granular management of [user](*user_accounts) and [user group](*user_groups) access to Yandex Identity Hub [applications](*applications) by denying or allowing authentication based on the policy criteria.

[*user_groups]: You can group Yandex Identity Hub users to simplify access management in Yandex Cloud. For more information, see [User groups](../../concepts/groups.md).

[*applications]: Yandex Identity Hub SAML and OIDC applications allow Yandex Cloud users to authenticate in services of third-party service providers. For more information, see [Applications in Yandex Identity Hub](../../concepts/applications.md).

[*user_accounts]: Yandex Cloud uses Yandex accounts as well as federated and local user accounts. For more information, see [Accounts in Yandex Cloud](../../../iam/concepts/users/accounts.md).

[*organization]: An organization is the highest resource in the Yandex Cloud resource model hierarchy that consolidates the resources of all other services. It is also used for user management as well as authentication and authorization management. For more information, see [Organization](../../concepts/organization.md).

Authentication policies can be managed by users with the `organization-manager.admin` [role](*org_manager_admin) or higher.

[*org_manager_admin]: The `organization-manager.admin` role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and users' access permissions to the organization and its resources. To learn more, see [Access management in Yandex Identity Hub](../../security/index.md#organization-manager-admin).

To edit an authentication policy:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shield](../../../_assets/console-icons/shield.svg) **Security settings** and go to the **Authentication policies** tab.
  1. In the row with the authentication policy, click ![ellipsis](../../../_assets/console-icons/ellipsis.svg) and select ![pencil](../../../_assets/console-icons/pencil.svg) **Edit**.
  1. Optionally, change the policy [name](*policy_name) in the **Name** field.
  1. Optionally, change the policy description in the **Description** field.
  1. Optionally, set [labels](*labels) for the policy in the **Labels** field.
  1. Optionally, toggle **Policy active** to deactivate or activate the policy.
  1. Optionally, configure **Conditions** policies:

      {% note info %}
      
      The conditions specified in the policy are applied with the `AND` logic when checking whether the user can authenticate.
      
      {% endnote %}

      1. Under **Users and groups**, specify users or groups your policy will apply to:
         
         1. In the **Include** field, select:
         
             * `All users`: Your newly created authentication policy will apply to all users of the [organization](*organization).
             * `Selected`: Your policy will apply to selected users and/or user groups.
         
                 Click **Add** to select users or user groups the policy will apply to. If required, use the search bar.
         1. Optionally, in the **Exclude** field, click **Add** to select users or user groups the policy will not apply to.
         
             {% note info %}
         
             You cannot specify the same users or user groups simultaneously in both inclusion and exclusion lists.
         
             {% endnote %}
      1. Under **Apps**, specify the [applications](*applications) for which authentication will be managed by the policy you are creating:
         
         1. In the **Include** field, select:
         
             * `All apps`: To ensure the policy applies to authentication by users connecting from any applications of the organization.
             * `Selected`: To apply the policy only to authentication in selected applications.
         
                 In the field that appears, select the applications you need. If required, use the search bar and enter the application name or ID.
         1. Optionally, under **Exclude**, select the applications for which the policy will not be applied to authentication.
         
             {% note info %}
         
             You cannot specify identical applications simultaneously in both inclusion and exclusion lists.
         
             {% endnote %}
      1. Under **Networks and IP addresses**, specify the IP addresses for the policy to allow or deny user authentication from:
         
         1. In the **Include** field, select:
         
             * `Any networks`: For the policy to apply to user authentication events from any IP address.
             * `Selected`: For the policy to apply to user authentication events from IP addresses in specified ranges.
         
                 In the field that appears, enter one or more IPv4 or IPv6 address ranges in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation.
         1. Optionally, in the **Exclude** field, specify the IP address ranges to exclude from the policy.
         
             {% note info %}
         
             You cannot specify the same IP address ranges in both inclusion and exclusion lists at the same time.
         
             {% endnote %}
      1. Under **Result**, select an action to apply to the authentication event that matches the policy criteria.
         
         Currently, you can only use authentication policies to deny authentication.
      1. Click **Save**.

{% endlist %}

#### Useful links {#see-also}

* [Applications in Yandex Identity Hub](../../concepts/applications.md)
* [Authentication policies in Yandex Identity Hub](../../concepts/authentication-policy.md)
* [Creating an authentication policy](create.md)
* [Activating/deactivating an authentication policy](activate-deactivate.md)
* [Deleting an authentication policy](delete.md)

[*policy_name]: The naming requirements are as follows:
* It must be between 3 and 63 characters in length.
* It can only contain lowercase Latin letters, numbers, and hyphens.
* It must start with a letter and cannot end with a hyphen.

[*labels]: Labels are `key:value` pairs you can use to logically group your resources. For more information, see [Service resource labels](../../../resource-manager/concepts/labels.md).