# Policy management

export const GCell = ({children, className}) => <div className={`grid-table-cell ${className || ""}`} role="cell">
    {children}
  </div>;

export const GTH = ({children, className}) => <div className={`grid-table-th ${className || ""}`} role="columnheader">
    {children}
  </div>;

export const GRow = ({children}) => <div className="grid-table-row" role="row">{children}</div>;

export const GBody = ({children}) => <div className="grid-table-body" role="rowgroup">{children}</div>;

export const GHead = ({children}) => <div className="grid-table-head" role="rowgroup">{children}</div>;

export const GTable = ({children, className, cols}) => <div className={`grid-table not-prose overflow-hidden rounded-2xl ${className || ""}`} style={{
  "--grid-table-cols": cols
}} role="table">
    {children}
  </div>;

<Warning>
  Policy filters are only available to customers on Business or Custom plans.
</Warning>

A policy filter is an additional security measure you can apply to a <Tooltip tip="A location (URL or file path) in a repository where conda looks for packages.">channel</Tooltip> to restrict the available <Tooltip tip="Software files and information about the software, such as its name, version, and description, bundled into a file that can be installed and managed by a package manager.">packages</Tooltip> that can be sourced from it. Once configured, policy filters automatically ensure that only packages that meet your organization's security requirements are available from a given channel, eliminating the need for administrators to manually review or re-approve packages when new <Tooltip tip="A public identifier for a known security flaw in software, used to track and assess vulnerabilities.">CVEs</Tooltip> are reported.

<Accordion title="Policy filter parameters">
  <AccordionGroup>
    <Accordion title="License Family">
      Excludes packages with the specified license family.

      <GTable cols="25% 75%">
        <GHead>
          <GRow>
            <GTH>Comparators</GTH>
            <GTH>Options</GTH>
          </GRow>
        </GHead>

        <GBody>
          <GRow>
            <GCell>`is`<br />`is not`</GCell>
            <GCell>`AGPL`, `APACHE`, `BSD`, `CC`, `GPL`, `GPL2`, `GPL3`, `LGPL`, `MIT`, `MOZILLA`, `None`, `OTHER`, `PSF`, `Public-Domain`</GCell>
          </GRow>
        </GBody>
      </GTable>
    </Accordion>

    <Accordion title="CVE Score">
      Excludes packages with the specified [CVE score](/anaconda-platform/cloud/admin/cve).

      <GTable cols="40% 60%">
        <GHead>
          <GRow>
            <GTH>Comparators</GTH>
            <GTH>Options</GTH>
          </GRow>
        </GHead>

        <GBody>
          <GRow>
            <GCell>`Greater than`<br />`Greater than or equal to`</GCell>
            <GCell>`1`-`10`</GCell>
          </GRow>
        </GBody>
      </GTable>
    </Accordion>

    <Accordion title="CVE Status">
      Excludes packages that are associated with a CVE that has the specified status.

      <GTable cols="25% 75%">
        <GHead>
          <GRow>
            <GTH>Comparators</GTH>
            <GTH>Options</GTH>
          </GRow>
        </GHead>

        <GBody>
          <GRow>
            <GCell>`is`<br />`is not`</GCell>
            <GCell>`Active`, `Reported`, `Mitigated`, `Cleared`, `Disputed`</GCell>
          </GRow>
        </GBody>
      </GTable>

      <Note>Keep in mind that packages can be associated with multiple CVEs.</Note>
    </Accordion>

    <Accordion title="Package Age">
      Excludes packages with the specified package age.

      <Note>
        The package age is calculated based on the date the package was last updated.
      </Note>

      <GTable cols="40% 60%">
        <GHead>
          <GRow>
            <GTH>Comparators</GTH>
            <GTH>Options</GTH>
          </GRow>
        </GHead>

        <GBody>
          <GRow>
            <GCell>`Greater than`<br />`Greater than or equal to`</GCell>
            <GCell>**Value:** Enter a number<br />**Unit:** `days`, `months`, or `years`</GCell>
          </GRow>
        </GBody>
      </GTable>
    </Accordion>

    <Accordion title="Platform">
      Excludes packages with the specified platform.

      <GTable cols="25% 75%">
        <GHead>
          <GRow>
            <GTH>Comparators</GTH>
            <GTH>Options</GTH>
          </GRow>
        </GHead>

        <GBody>
          <GRow>
            <GCell>`is`<br />`is not`</GCell>
            <GCell>`linux-32`, `linux-64`, `linux-armv6l`, `linux-armv7l`, `linux-ppc64`, `linux-ppc64le`, `linux-s390x`, `noarch`, `osx-64`, `win-32`, `win-64`, `zos-z`</GCell>
          </GRow>
        </GBody>
      </GTable>
    </Accordion>

    <Accordion title="Conda Spec">
      Excludes packages with the specified [conda spec](https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#package-match-specifications).
    </Accordion>
  </AccordionGroup>
</Accordion>

## Creating a policy filter

1. From the <Icon icon="network-wired" iconType="regular" /> **Channels** page, click **Create** <Icon icon="plus" iconType="regular" /> under **POLICIES**.

2. Provide a unique name for your policy. Anaconda recommends naming it something descriptive.

3. In the **Exclude package if** section, click <Icon icon="filter" iconType="solid" /> **Add filter**.

4. In the **FILTER GROUP** section that appears, set filter parameters for packages you want to *exclude*.

5. Click <Icon icon="filter" iconType="solid" /> **Add Filter to Group** to include additional parameters for this filter group, or click <Icon icon="filter" iconType="solid" /> **Add filter** to add a separate filter for this policy.

   <Note>
     Filters can be applied using either `and` or `or` logic. Click the operator to toggle between the two options.

     <Frame>
       <img src="https://mintcdn.com/anaconda-29683c67/6tejmKOgBEue4gFz/images/ap_policy_filter_and_or_operators.png?fit=max&auto=format&n=6tejmKOgBEue4gFz&q=85&s=2dc9d85653155be49d610671f8041bee" alt="Policy filter and or operators" width="1922" height="1082" data-path="images/ap_policy_filter_and_or_operators.png" />
     </Frame>

     This operator can greatly impact which packages are excluded.

     * Using the `and` operator means that all filter parameters must be met by a package for it to be excluded.
     * Using the `or` operator means that at least one filter parameter must be met by a package for it to be excluded.

     For example, setting a filter to exclude packages with a CVE score greater than 7 `and` a Platform of linux-64 excludes linux-64 packages that have a CVE score greater than 7.

     However, a filter that excludes packages with a CVE score greater than 7 `or` a Platform of linux-64 excludes:

     * All packages that have a CVE score greater than 7
     * All linux-64 packages
   </Note>

6. Repeat this process to apply further package filtering preferences.

7. If necessary, in the **Override exclusions and include a package if** section, click <Icon icon="filter" iconType="solid" /> **Add filter**.

   <Note>
     In some cases, the exclusion parameters of a policy filter might inadvertently remove packages (or dependencies) that are critical for production projects. The *override* filter allows administrators to add these specific packages back to the channel.

     You can apply overrides using [conda spec](https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#package-match-specifications) and CVE Status.
   </Note>

   <Warning>
     Be cautious when using overrides based on CVE Status! Packages contain multiple files, and each file can be associated with different CVEs. For example, let's say you've set up a policy that excludes packages with a CVE Score of 8 or higher, or that have an Active CVE Status.

     Now, suppose that there is a package that contains a file that's associated with an active CVE that has a score of 9.0, while another file in the same package is associated with a different CVE that has been cleared.

     If you override the policy to allow packages with a cleared CVE status to be pulled back into the channel, *all* files for that package are added back to the channel, even though one of the files is associated with an active CVE and the score exceeds the CVE score threshold you set for the policy. Because most packages contain files that are associated with CVEs that have been cleared, this can result in files that are not compliant with your security policy being added back to the channel.
   </Warning>

   <Accordion title="Example policy filter">
     Let's say you want to exclude packages that have a CVE score greater than 8, unless the package file is associated with a CVE that has a **Cleared** status. Your policy filter would look like this:

     <Frame>
       <img src="https://mintcdn.com/anaconda-29683c67/6tejmKOgBEue4gFz/images/ap_policy_filter_example.png?fit=max&auto=format&n=6tejmKOgBEue4gFz&q=85&s=98814aa9b80334c1734492b994774264" alt="Example policy filter" width="1922" height="1082" data-path="images/ap_policy_filter_example.png" />
     </Frame>
   </Accordion>
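
The `and`/`or` behavior from step 5 and the CVE Status override pitfall from step 7 can be reproduced with a small Python model. This is an added example, not Anaconda's code or API: `Package`, `group`, `available`, and the sample channel are hypothetical, and a CVE condition is assumed to match when any CVE associated with the package meets it.

```python
from dataclasses import dataclass, field

@dataclass
class Package:
    name: str
    platform: str
    cves: list = field(default_factory=list)  # (score, status) for every file

# Assumption of this model: a CVE condition matches when ANY CVE associated
# with the package meets it, since one package can carry several CVEs.
def cve_score_over(n, or_equal=False):
    return lambda p: any(s > n or (or_equal and s == n) for s, _ in p.cves)

def cve_status_is(status):
    return lambda p: any(s == status for _, s in p.cves)

def platform_is(name):
    return lambda p: p.platform == name

def group(op, *conds):
    """Filter group: 'and' needs every condition, 'or' needs at least one."""
    combine = all if op == "and" else any
    return lambda p: combine(c(p) for c in conds)

def available(packages, exclude, override=None):
    """Names left in the channel; an override match re-includes the package."""
    return [p.name for p in packages
            if not exclude(p) or (override is not None and override(p))]

# Constructed sample channel (hypothetical package names and CVE data).
CHANNEL = [
    Package("alpha", "linux-64", [(9.0, "Active"), (5.0, "Cleared")]),
    Package("beta", "linux-64"),
    Package("gamma", "win-64", [(7.5, "Mitigated")]),
    Package("delta", "osx-64", [(3.1, "Cleared")]),
]

def demo():
    and_kept = available(CHANNEL, group("and", cve_score_over(7), platform_is("linux-64")))
    or_kept = available(CHANNEL, group("or", cve_score_over(7), platform_is("linux-64")))
    # Policy from the warning: CVE score of 8 or higher, or an Active CVE status.
    strict = group("or", cve_score_over(8, or_equal=True), cve_status_is("Active"))
    plain = available(CHANNEL, strict)
    overridden = available(CHANNEL, strict, override=cve_status_is("Cleared"))
    return and_kept, or_kept, plain, overridden

if __name__ == "__main__":
    for label, names in zip(("and", "or", "no override", "override"), demo()):
        print(f"{label:12} -> {names}")
```

In the last result, `alpha` returns to the channel despite its Active 9.0 CVE, because one of its CVEs is Cleared. This is the case the warning describes.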

## Applying a policy filter

Applying a policy filter to a channel restricts which packages can be sourced from it.

1. From the <Icon icon="network-wired" iconType="regular" /> **Channels** page, click **Apply** <Icon icon="plus" iconType="regular" /> beside a channel's name.
2. Select a policy to apply to the channel.
3. Click **Apply** to confirm.

Once the policy is applied, the status beneath the policy transitions through the following phases:

* In Queue
* In Progress
* Completed
* Scheduled

The **Scheduled** status indicates the channel is set to auto-update. This means the filter will be reapplied to the channel every four hours and will update the channel's contents accordingly.

<Note>
  Remove the policy filter by clicking <Icon icon="xmark" iconType="regular" /> **Remove Policy** beside the policy name in the channel list.
</Note>

Package files that have been removed from a channel due to a policy filter display the specific reasons they were excluded.

<Frame>
  <img src="https://mintcdn.com/anaconda-29683c67/38V1XTpdo_dUNFXe/images/ap_channel_artifacts_removed.png?fit=max&auto=format&n=38V1XTpdo_dUNFXe&q=85&s=af3db351fdd23ec5b614a9666dfdb39f" alt="Channel artifacts removed" width="1922" height="1082" data-path="images/ap_channel_artifacts_removed.png" />
</Frame>

<Note>
  Removed files are not grouped, and some packages have multiple pages of files. For packages with many files, it is best to use the search box to narrow results.
</Note>

## Editing a policy filter

<Warning>
  Policies that are currently in use cannot be edited.
</Warning>

1. Select the policy name from the **POLICIES** list.
2. Change the parameters of the filter as if you were creating a policy.
3. Click **Save**.

<Note>
  A <Icon icon="triangle-exclamation" iconType="solid" /> warning displayed beside your filter indicates that it has been deprecated. Deprecated filters still work, but Anaconda recommends you update your policies to no longer use these filters.
</Note>

## Viewing the policy report

Once you have applied a policy filter to a channel, view the **Policy Report** to see a breakdown of the number of package files across various platforms that have been removed, and how many remain.

From the <Icon icon="filter" iconType="solid" /> **Channels** page, click the **POLICY RESULTS** for any channel to open the **Policy Report**.

<Frame>
  <img src="https://mintcdn.com/anaconda-29683c67/38V1XTpdo_dUNFXe/images/ap_artifacts_removed.png?fit=max&auto=format&n=38V1XTpdo_dUNFXe&q=85&s=c1ebd329c80ac4bcab817fba6f631405" alt="Policy report dialog" width="1922" height="1082" data-path="images/ap_artifacts_removed.png" />
</Frame>

<Note>
  From here, you can download the policy report or the [policy report delta](#policy-deltas) in `.csv` format.
</Note>

## Policy deltas

Sometimes, due to newly reported CVEs or an updated CVE score or status, the contents of your channel will change when the filter performs its scheduled run. A package may become available that was not available previously, or you could find that a package you've been using is removed from your channel!

From the channel details page, click **View Policy Deltas** to view a list of deltas. Deltas are the recorded changes to your channel's contents. Policy delta history begins from the first change that occurs after you start tracking the channel. Once the policy is removed from the channel (if you need to edit it, for example), the policy delta history is lost. A new policy delta history is established once the policy is reapplied to the channel.

Use the **Start** and **End** date filters to narrow your timeline to locate a specific delta, if necessary. Click the count under either **FILES ADDED** or **FILES REMOVED** to see a list of package files from a specific run.

<Frame>
  <img src="https://mintcdn.com/anaconda-29683c67/6tejmKOgBEue4gFz/images/ap_policy_deltas_view.gif?s=d90424434e1decd0b6f6f6c2957359fe" alt="Policy deltas UI navigation" width="1276" height="718" data-path="images/ap_policy_deltas_view.gif" />
</Frame>

<Tip>
  Click the arrow <Icon icon="arrow-left" iconType="regular" /> at the top of the file list to return to your channel policy deltas.
</Tip>
