# Configure a signing policy

This page walks you through building a Signing Policy in the web UI. Changes are drafted and then submitted in a single atomic operation.

## Open the policy editor

1. In the sidebar, click **Signing Policy**.
2. The page shows the current active rule list. Rules are numbered top to bottom.
3. Click **Edit Rules** to enter draft mode.

## Add a rule

1. While in draft mode, click **Add Rule**.
2. The **Add Rule** modal opens. Configure the conditions:
   * **User groups:** select which groups this rule applies to. Leave empty to match any signing identity.
   * **Key security groups:** select which key groups this rule covers. Leave empty to match any key.
   * **Allow raw signing:** check this if the rule should apply to raw signing requests.
3. Choose the **Action** for matching requests:
   * **Approve:** allow the signing request.
   * **Deny:** block it.
   * **External Rule Server (ERS):** forward to your rule server. Enter the ERS URL, the JWT algorithm (ES256 or RS256), and the rule server's public key (PEM).
4. Click **Add** to insert the rule into the draft.

![Add Policy Rule dialog with an initiator group and key group under IF and the action under THEN](/img/guide/signing-policy/add-rule-form.png)
*Adding a signing rule: choose the initiator group and the key (security) group it covers, add optional conditions, then pick the action. The staging UI offers Approve and Deny.*

## Order rules

Drag rules up or down in the draft list to set their priority. The topmost rule is evaluated first. The permanent "deny all" baseline stays pinned at the bottom and cannot be moved.

## Review and submit

1. When the draft looks correct, click **Submit**.
2. A summary modal shows a diff of the changes: added rules, removed rules, and changed rules.
3. Confirm the diff. Your browser prompts you for a passkey assertion to authenticate the submission.
4. Authenticate with Face ID, Touch ID, or your security key. The new policy activates immediately.

## Discard a draft

To abandon all changes in the current draft, click **Discard** in edit mode and confirm. The active policy is unchanged.

## Worked example: allow trading machines, block everything else

The goal: machines in the **Trading Bots** group can sign with any key; all other requests are denied.

| Position | Conditions | Action |
|---|---|---|
| 1 | User group: Trading Bots | Approve |
| 2 (baseline) | (none) | Deny all |

Steps:

1. Click **Edit Rules**, then **Add Rule**.
2. Under **User groups**, select **Trading Bots**.
3. Leave key security groups empty.
4. Set the action to **Approve**.
5. Click **Add**. The rule appears above the baseline.
6. Click **Submit**, review the diff, and confirm with your passkey.

Any signing request from a machine in Trading Bots now matches rule 1 and is approved. All other requests fall through to the baseline deny.

:::tip
Add a second rule with action **Deny** and no conditions above your approve rules to force an explicit block. This makes the policy intention easier to read during audits.
:::
