A Policy is a collection of rules that apply to specific Services or endpoints. A Catalog Policy applies to all Services unless overridden at the Service or endpoint level. You can create one Catalog Policy. Each rule in the Catalog Policy has a checkbox that determines whether the Catalog rule overrides Service and endpont rules. With the Always use Catalog rule box:

• Unchecked: Service and endpoint Policies that contain the same rule override the Catalog Policy rule.
• Checked: The Catalog Policy rule overrides any Service or endpoint Policies that contain the same rule.

Policy rules take precedence in the following order: endpoint, Service, Catalog. Take the example of an IP restriction rule with different values at the Catalog, Service, and endpoint levels. Unless the Always use Catalog rule box is checked for that rule in the Catalog Policy, the endpoint rule applies. When you apply a Policy to a Service version or it's endpoints, the interface shows the rule that would take precedence in a blue box and any that would be overridden in a red box:

Create a Policy from the Policy Catalog. Click Catalog Policy to create a Policy that applies to all Services in the catalog. Click New Policy to add a new Policy that you can later associate with a Service or endpoint.

Add Policy rules to the Catalog or regular Policy:

The Policy Studio categorizes rules by their type and shows the general order in which they apply during the request and response. For example, authentication and authorization follow validation. There are some exceptions, such as request transformation, retries, and client throttling, that don't strictly execute in the order in which they appear.

The first five request rule categories apply to all requests. The outbound category only applies to requests to external endpoints as described in Request execution flow. The following provide an overview of the available rules by category and some common use cases:

• Inbound rules
• Outbound rules
• Response rules