An access control policy is a set of conditions that, after they have been evaluated, determine access decisions.
The conditions are a combination of attributes, obligations, authentication policies, and a risk profile.
When all of the attributes, obligations, and authentication policies are available and the risk profile you want to use is set active, use the policy editor to select the conditions for your policy.