diff --git a/resources/deployment.toml b/resources/deployment.toml
new file mode 100644
index 000000000..ca7e1a47c
--- /dev/null
+++ b/resources/deployment.toml
@@ -0,0 +1,169 @@
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_policy_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_policy_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_policy_mgt_delete"]
+
+# Entitlement Subscriber API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_subscriber_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_subscriber_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_subscriber_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_subscriber_mgt_delete"]
+
+# Entitlement Policy Publish API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/publish(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_publish"]
+
+# Entitlement Global Policy Combining Algorithm API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_gpa_get"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_gpa_set"]
+
+[[api_resources]]
+name = "Entitlement Policies API"
+identifier = "/api/identity/entitlement/v1/entitlements/policies"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Policy"
+name = "internal_entitlement_policy_mgt_create"
+description = "Create new Policy"
+
+[[api_resources.scopes]]
+displayName = "Update Policy"
+name = "internal_entitlement_policy_mgt_update"
+description = "Update Policy"
+
+[[api_resources.scopes]]
+displayName = "View Policy"
+name = "internal_entitlement_policy_mgt_view"
+description = "View Policy"
+
+[[api_resources.scopes]]
+displayName = "Delete Policy"
+name = "internal_entitlement_policy_mgt_delete"
+description = "Delete Policy"
+
+[[api_resources]]
+name = "Entitlement Subscriber API"
+identifier = "/api/identity/entitlement/v1/entitlements/subscribers"
+requiresAuthorization = true
+description = "API representation of the Entitlement Subscriber Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Subscriber"
+name = "internal_entitlement_subscriber_mgt_create"
+description = "Create new Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Update Subscriber"
+name = "internal_entitlement_subscriber_mgt_update"
+description = "Update Subscriber"
+
+[[api_resources.scopes]]
+displayName = "View Subscriber"
+name = "internal_entitlement_subscriber_mgt_view"
+description = "View Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Delete Subscriber"
+name = "internal_entitlement_subscriber_mgt_delete"
+description = "Delete Subscriber"
+
+[[api_resources]]
+name = "Entitlement Global Policy Combining Algorithm API"
+identifier = "/api/identity/entitlement/v1/entitlements/combining-algorithm"
+requiresAuthorization = true
+description = "API representation of the Entitlement Global Policy Combining Algorithm API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Set Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_set"
+description = "Set Global Policy Combining Algorithm"
+
+[[api_resources.scopes]]
+displayName = "Get Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_get"
+description = "Get Global Policy Combining Algorithm"
+
+[[api_resources]]
+name = "Entitlement Policy Publish API"
+identifier = "/api/identity/entitlement/v1/entitlements/publish"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Publish API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Publish Policy"
+name = "internal_entitlement_policy_publish"
+description = "Publish new Policy"
+
+[[api_resources]]
+name = "Entitlement Policy Mgt API"
+identifier = "/api/identity/entitlement/v1/decision"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Mgt API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Policy Mgt"
+name = "internal_manage_pep"
+description = "Policy Mgt"
+
+[console.policyAdministration]
+enabled = "true"
+
+[console.ui]
+isXacmlConnectorEnabled = "true"
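Review bot: The `[[api_resources]]` entry for `/api/identity/entitlement/v1/decision` (L159–L169) declares `requiresAuthorization = true` with scope `internal_manage_pep`, but unlike the four other resources in this file it has no matching `[[resource.access_control]]` entry binding that scope to its context, so nothing in this file enforces the scope on the decision endpoint — confirm it is covered by an access-control entry elsewhere, or add one as sketched below. That same entry's `name` and `description` ("Entitlement Policy Mgt API") read as a copy of the policies resource at L77–L80 rather than describing the decision API, and the combining-algorithm scope display names at L138/L143 carry an "API" suffix that no other scope has. The first access-control group (L7–L29) lacks the section comment the later groups have; `# Entitlement Policy API` above L7 would match them. `secure`, `console.policyAdministration.enabled` and `isXacmlConnectorEnabled` are given as the string `"true"` while `requiresAuthorization` is a native boolean; if the config mapper accepts native booleans for those keys, using one representation throughout avoids two spellings of the same flag in one file.
```toml
# … unchanged: existing resource.access_control entries …

# Entitlement Decision API
[[resource.access_control]]
context = "(.*)/api/identity/entitlement/v1/decision(.*)"
secure = "true"
http_method = "POST"  # TODO(review): confirm the methods the decision endpoint exposes
scopes = ["internal_manage_pep"]
```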
diff --git a/resources/policies/authn_group_based_policy_template.xml b/resources/policies/authn_group_based_policy_template.xml
new file mode 100644
index 000000000..cb31697e3
--- /dev/null
+++ b/resources/policies/authn_group_based_policy_template.xml
@@ -0,0 +1,33 @@
+
+ This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the groups of the user (defined by GROUP_1 and GROUP_2). Users who are in at least one of the given groups, will be allowed and any others will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+ GROUP_1
+
+
+
+ GROUP_2
+
+
+
+
+
+
+
diff --git a/resources/policies/authn_role_based_policy_template.xml b/resources/policies/authn_role_based_policy_template.xml
new file mode 100644
index 000000000..484351938
--- /dev/null
+++ b/resources/policies/authn_role_based_policy_template.xml
@@ -0,0 +1,33 @@
+
+ This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+ Internal/ROLE_1
+
+
+
+ Internal/ROLE_2
+
+
+
+
+
+
+
diff --git a/resources/policies/authn_scope_based_policy_template.xml b/resources/policies/authn_scope_based_policy_template.xml
new file mode 100644
index 000000000..ea5e8347d
--- /dev/null
+++ b/resources/policies/authn_scope_based_policy_template.xml
@@ -0,0 +1,32 @@
+
+ This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the oauth scope(s) (SCOPE1, SCOPE2). Users who are granted with the given scopes will be allowed and any other user will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+ SCOPE1
+
+
+
+ SCOPE2
+
+
+
+
+
+
+
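Review bot: The description at L259 says users "who are granted with the given scopes" are allowed, which can be read as requiring both SCOPE1 and SCOPE2, whereas the sibling template authn_time_and_scope_based_policy_template.xml (L344) states "SCOPE1 or SCOPE2"; the two templates appear to share the same rule shape, so the wording should say which it is. If one scope suffices, `Users who are granted at least one of the given scopes will be allowed and any other user will be denied.` removes the ambiguity.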
diff --git a/resources/policies/authn_time_and_role_based_policy_template.xml b/resources/policies/authn_time_and_role_based_policy_template.xml
new file mode 100644
index 000000000..523acd668
--- /dev/null
+++ b/resources/policies/authn_time_and_role_based_policy_template.xml
@@ -0,0 +1,42 @@
+
+ This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the Roles of the user (defined by ROLE_1 and ROLE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users who have at least one of the given roles will be able to login within the given time. Any other requests will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+ Internal/ROLE_1
+
+
+
+ Internal/ROLE_2
+
+
+
+
+
+
+
+
diff --git a/resources/policies/authn_time_and_scope_based_policy_template.xml b/resources/policies/authn_time_and_scope_based_policy_template.xml
new file mode 100644
index 000000000..c3c7c4b62
--- /dev/null
+++ b/resources/policies/authn_time_and_scope_based_policy_template.xml
@@ -0,0 +1,41 @@
+
+ This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the oauth scope(s) (SCOPE1 or SCOPE2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users who are logging in between the given time and who grant the given scopes will be allowed to login and any other user will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+ SCOPE1
+
+
+
+ SCOPE2
+
+
+
+
+
+
+
+
diff --git a/resources/policies/authn_time_and_user_claim_based_policy_template.xml b/resources/policies/authn_time_and_user_claim_based_policy_template.xml
new file mode 100644
index 000000000..cb94b3744
--- /dev/null
+++ b/resources/policies/authn_time_and_user_claim_based_policy_template.xml
@@ -0,0 +1,43 @@
+
+ This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users with the given claim values and who are logged in within the given time range will be allowed and any other users will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+
+
+ CLAIM_VALUE_1
+
+
+
+
+
+ CLAIM_VALUE_2
+
+
+
+
+
+
diff --git a/resources/policies/authn_time_and_user_store_based_policy_template.xml b/resources/policies/authn_time_and_user_store_based_policy_template.xml
new file mode 100644
index 000000000..52acf39ec
--- /dev/null
+++ b/resources/policies/authn_time_and_user_store_based_policy_template.xml
@@ -0,0 +1,45 @@
+
+ This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the user store (USERSTORE_1 or USERSTORE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users who are in the given userstores and who are logged in within the given time range will be allowed and any other users will be denied.
+
+
+
+
+ authenticate
+
+
+
+ SP_NAME
+
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+
+
+
+ USERSTORE_1
+
+
+
+
+
+ USERSTORE_2
+
+
+
+
+
+
+
\ No newline at end of file
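Review bot: The file is added without a trailing newline (the `\ No newline at end of file` marker after L483); the same applies to authn_user_store_based_policy_template.xml, provisioning_role_based_policy_template.xml, provisioning_time_based_policy_template.xml and provisioning_user_claim_based_policy_template.xml, while the remaining templates end with one. In this template and in authn_user_store_based_policy_template.xml the `authenticate` match (L445) precedes `SP_NAME` (L449), the reverse of every other authn template; if both sit in the same Target, as seems likely, evaluation is unaffected, but a single order across the set makes the templates easier to diff against each other.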
diff --git a/resources/policies/authn_time_based_policy_template.xml b/resources/policies/authn_time_based_policy_template.xml
new file mode 100644
index 000000000..6277dc3a8
--- /dev/null
+++ b/resources/policies/authn_time_based_policy_template.xml
@@ -0,0 +1,29 @@
+
+ This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the login time. Any authentication attempt outside the specified time range(09:00:00 to 17:00:00) will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+
+
diff --git a/resources/policies/authn_user_claim_based_policy_template.xml b/resources/policies/authn_user_claim_based_policy_template.xml
new file mode 100644
index 000000000..255a4e75d
--- /dev/null
+++ b/resources/policies/authn_user_claim_based_policy_template.xml
@@ -0,0 +1,36 @@
+
+ This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2). Users with the given claim values will be allowed and any other users will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ authenticate
+
+
+
+
+
+
+
+
+
+
+
+
+ CLAIM_VALUE_1
+
+
+
+
+
+ CLAIM_VALUE_2
+
+
+
+
+
+
diff --git a/resources/policies/authn_user_store_based_policy_template.xml b/resources/policies/authn_user_store_based_policy_template.xml
new file mode 100644
index 000000000..fc3a8392b
--- /dev/null
+++ b/resources/policies/authn_user_store_based_policy_template.xml
@@ -0,0 +1,36 @@
+
+ This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the user store (USERSTORE_1 or USERSTORE_2). Users who are in the given userstores will be allowed and any other users will be denied.
+
+
+
+
+ authenticate
+
+
+
+ SP_NAME
+
+
+
+
+
+
+
+
+
+
+
+
+ USERSTORE_1
+
+
+
+
+
+ USERSTORE_2
+
+
+
+
+
+
\ No newline at end of file
diff --git a/resources/policies/eval_permission_tree_policy.xml b/resources/policies/eval_permission_tree_policy.xml
new file mode 100644
index 000000000..270aa4137
--- /dev/null
+++ b/resources/policies/eval_permission_tree_policy.xml
@@ -0,0 +1,26 @@
+
+ This policy provides the ability to authorize users based on permission tree.
+
+
+
+
+ ui.execute
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/resources/policies/provisioning_role_based_policy_template.xml b/resources/policies/provisioning_role_based_policy_template.xml
new file mode 100644
index 000000000..f7a83f2eb
--- /dev/null
+++ b/resources/policies/provisioning_role_based_policy_template.xml
@@ -0,0 +1,70 @@
+
+ This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the roles of the user (ROLE_1, ROLE_2). Provisioning attempts to the users with given role(s) will be allowed and all others will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ IDP_NAME
+
+
+
+ provisioning
+
+
+
+
+
+
+
+
+
+
+ POST
+
+
+
+
+
+
+
+
+ ROLE_1
+
+
+
+ ROLE_2
+
+
+
+
+
+
+
+
+
+
+ PUT
+
+
+
+
+
+
+
+
+ Internal/ROLE_1
+
+
+
+ Internal/ROLE_2
+
+
+
+
+
+
+
\ No newline at end of file
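Review bot: The POST rule compares the user's roles against the bare values `ROLE_1`/`ROLE_2` (L677, L681) while the PUT rule in the same file uses the domain-qualified `Internal/ROLE_1`/`Internal/ROLE_2` (L701, L705); provisioning_time_and_role_based_policy_template.xml has the same split (L762/L766 vs L796/L800). If role values are compared as exact strings, the two rules will match different role sets for the same user, and a template user replacing the placeholders would not expect that; the authn role template (L240, L244) uses the qualified form throughout, so aligning the POST rule on `Internal/ROLE_1` and `Internal/ROLE_2` is the likely fix. The description at L644 should then also say whether the role is expected with its domain prefix.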
diff --git a/resources/policies/provisioning_time_and_role_based_policy_template.xml b/resources/policies/provisioning_time_and_role_based_policy_template.xml
new file mode 100644
index 000000000..4cdd60b1d
--- /dev/null
+++ b/resources/policies/provisioning_time_and_role_based_policy_template.xml
@@ -0,0 +1,89 @@
+
+ This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the roles of the user (ROLE_1, ROLE_2) and time of the day (eg. between 09:00:00 to 17:00:00). Provisioning attempts to the users with given role(s) between the given time will be allowed and all others will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ IDP_NAME
+
+
+
+ provisioning
+
+
+
+
+
+
+
+
+
+
+ POST
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+ ROLE_1
+
+
+
+ ROLE_2
+
+
+
+
+
+
+
+
+
+
+
+
+ PUT
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+ Internal/ROLE_1
+
+
+
+ Internal/ROLE_2
+
+
+
+
+
+
+
+
diff --git a/resources/policies/provisioning_time_and_user_claim_based_policy_template.xml b/resources/policies/provisioning_time_and_user_claim_based_policy_template.xml
new file mode 100644
index 000000000..0a5c6a52e
--- /dev/null
+++ b/resources/policies/provisioning_time_and_user_claim_based_policy_template.xml
@@ -0,0 +1,96 @@
+
+ This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2) and time of the day (eg. between 09:00:00 to 17:00:00). Provisioning attempts to the users with the given claim values between the given time will be allowed and all others will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ IDP_NAME
+
+
+
+ provisioning
+
+
+
+
+
+
+
+
+
+
+ POST
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+
+
+
+ CLAIM_VALUE_1
+
+
+
+
+
+ CLAIM_VALUE_2
+
+
+
+
+
+
+
+
+
+
+ PUT
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+
+
+
+ CLAIM_VALUE_1
+
+
+
+
+
+ CLAIM_VALUE_2
+
+
+
+
+
+
+
diff --git a/resources/policies/provisioning_time_based_policy_template.xml b/resources/policies/provisioning_time_based_policy_template.xml
new file mode 100644
index 000000000..18845fdfb
--- /dev/null
+++ b/resources/policies/provisioning_time_based_policy_template.xml
@@ -0,0 +1,33 @@
+
+ This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the requested time. Any provisioning attempt outside the specified time range(09:00:00 to 17:00:00) will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ IDP_NAME
+
+
+
+ provisioning
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 17:00:00
+
+
+
+
+
\ No newline at end of file
diff --git a/resources/policies/provisioning_user_claim_based_policy_template.xml b/resources/policies/provisioning_user_claim_based_policy_template.xml
new file mode 100644
index 000000000..1e92df072
--- /dev/null
+++ b/resources/policies/provisioning_user_claim_based_policy_template.xml
@@ -0,0 +1,78 @@
+
+ This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2). Users with the given claim values will be allowed and any other users will be denied.
+
+
+
+
+ SP_NAME
+
+
+
+ IDP_NAME
+
+
+
+ provisioning
+
+
+
+
+
+
+
+
+
+
+ POST
+
+
+
+
+
+
+
+
+
+
+
+ CLAIM_VALUE_1
+
+
+
+
+
+ CLAIM_VALUE_2
+
+
+
+
+
+
+
+
+
+ PUT
+
+
+
+
+
+
+
+
+
+
+
+ CLAIM_VALUE_1
+
+
+
+
+
+ CLAIM_VALUE_2
+
+
+
+
+
+
\ No newline at end of file
diff --git a/resources/policies/scope_based_token_issuance_policy_template.xml b/resources/policies/scope_based_token_issuance_policy_template.xml
new file mode 100755
index 000000000..2fd08daa3
--- /dev/null
+++ b/resources/policies/scope_based_token_issuance_policy_template.xml
@@ -0,0 +1,41 @@
+
+ This policy template provides ability to validate OAuth2 access token to a given service provider(defined by SP_NAME) in the issuance flow based on the scope (defined by SCOPE_1). It allows validation of token on time of the day (eg. between 09:00:00 to 18:00:00).
+
+
+
+
+ playground2
+
+
+
+ scope_validation
+
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 22:00:00
+
+
+
+ SCOPE_1
+
+
+
+ SCOPE_2
+
+
+
+
+
+
+
+
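Review bot: The template body does not match its own description (L1043): the service-provider value at L1048 is the concrete name `playground2` rather than the `SP_NAME` placeholder the description refers to, the time window at L1065–L1066 ends at `22:00:00` while the description says 18:00:00, and a second scope `SCOPE_2` (L1074) appears that the description does not mention. A template shipped with a real SP name would, presumably, apply to any service provider that happens to use that name if it is instantiated unedited; the same placeholder problem is in scope_based_token_validation_policy_template.xml, where L1095 holds `test_server` instead of `SP_NAME`. Both files are also added with mode 100755 (L1037, L1084) where every other policy XML in the commit uses 100644; the executable bit on XML data is unnecessary. Replace `playground2` with `SP_NAME` (and `test_server` likewise), and either align the window with the description or update the text to `between 09:00:00 to 22:00:00`.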
diff --git a/resources/policies/scope_based_token_validation_policy_template.xml b/resources/policies/scope_based_token_validation_policy_template.xml
new file mode 100755
index 000000000..90b37ab4f
--- /dev/null
+++ b/resources/policies/scope_based_token_validation_policy_template.xml
@@ -0,0 +1,38 @@
+
+ This policy template provides ability to validate OAuth2 access token to a given service provider(defined by SP_NAME) in the validation flow based on the scope (defined by SCOPE_1). It allows validation of token on time of the day (eg. between 09:00:00 to 18:00:00).
+
+
+
+
+ test_server
+
+
+
+ token_validation
+
+
+
+ SCOPE_1
+
+
+
+
+
+
+
+
+
+
+
+
+ 09:00:00
+ 18:00:00
+
+
+
+
+
+
+
+
+