# Setup Security Policies ## Overview Security Policies implement Attribute-Based Access Control (ABAC) in Welkin. They define rules that determine which patient records, data types, and actions are accessible to users based on their attributes (role, region, care team assignment, etc.). This page covers the initial setup process. For detailed policy rule configuration, see [Security Policy Detail](/designer/security/security-policy-detail.md). For an overview of how policies work, see [Configuring Security Policies](/designer/security/configuring-security-policies.md). *** ## Before You Begin Before creating security policies: 1. Define your user roles in the Admin Portal 2. Define regions and territories if your organization uses geographic access control (see [Defining Regions and Territories](/designer/security/defining-regions-and-territories.md)) 3. Understand your organization's data access requirements – which users should see which patients *** ## Creating a Security Policy 1. In the Designer, navigate to **Security Policies**. 2. Click **+ Add Policy**. 3. Enter a **Name** for the policy (e.g., "Care Manager – Own Patients Only"). 4. Define the **access rules**: * Select the **entity** the policy applies to (Patient, CDT, Program, etc.) * Set the **conditions** that must be true for access to be granted * Set the **permitted actions** (View, Edit, Delete) 5. Save the policy. *** ## Attaching Policies to Roles 1. Go to **Roles** in the Designer or Admin Portal. 2. Edit the target role. 3. Under **Security Policies**, attach the appropriate policy. 4. Save and publish. *** ## Testing Policies After publishing, test the policy by logging in as a user with the affected role and verifying: * They can see the records they should have access to * They cannot see records outside their permitted scope *** ## Publishing Security policy changes require a draft and publish cycle before taking effect. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.welkinhealth.com/designer/security/setup-security-policies.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.