Policies best practices

Best practices for creating policies within Platform Hub

Policies administration

Establish a naming standard

Use a [ Prefix ] - [ Policy Name ] naming pattern so that everyone can understand a policy’s purpose at a glance. The [ Prefix ] should reflect when the policy runs.

For example:

  • Deployments - [ Policy Name ] for policies that run during deployments only.
  • Runbook Runs - [ Policy Name ] for policies that run during runbook runs only.
  • Deployments and Runbook Runs - [ Policy Name ] for policies that run during both deployments and runbook runs.

Turn on SIEM audit log streaming

All policy evaluations are written to the audit log. Ensure audit log streaming is enabled so that those evaluations are forwarded to Splunk, SumoLogic, or an OpenTelemetry collector. Your SIEM can then provide alerting and visualizations on policy outcomes that you customize to your requirements.

Creating and Updating Policies

Start restrictive, then make generic

Consider a policy that blocks the execution of deployments and runbook runs. By default that policy applies to all deployments and runbook runs in every project.

When creating a new policy, be as restrictive as possible by limiting it to:

  • A specific hook - such as a deployment or a runbook run (not both)
  • A specific project

That limits the policy’s “blast radius.” Once you are confident the policy is working as intended, extend it to cover more projects or tenants. When acceptable, switch the policy to target project groups or spaces.
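The following scope, written in Rego, shows the restrictive starting point described above: one hook (deployments only) and one project, with the project list as the single place to widen later. It is an added example, not code from the Octopus documentation. The rule name evaluate and the input fields input.Deployment and input.Project.Name are assumptions about the policy input shape; check them against your policy input reference before use.

```rego
package octopus

import rego.v1

# Added example (not from the Octopus docs): the scope for a policy named
# "Deployments - Require smoke tests", kept deliberately narrow.
# Assumptions, to be checked against your policy input reference:
#   - the scope rule is named `evaluate`
#   - `input.Deployment` is present (non-null) only when a deployment,
#     rather than a runbook run, is being evaluated
#   - `input.Project.Name` holds the project name

# Projects the policy currently applies to. Start with one; add more as
# confidence grows, then move to a project group or space instead of a list.
projects_in_scope := {"Web Frontend"}

default evaluate := false

# In scope only for deployments (not runbook runs) of the listed projects.
evaluate if {
    input.Deployment != null
    input.Project.Name in projects_in_scope
}
```

Keeping the allowed projects in a set rather than inline comparisons means widening the rollout is a one-line change that is easy to review in the policy’s history.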

Provide a verbose failure reason

A policy violation, for example a blocked deployment or runbook run, will be the first experience most users have with policies in Octopus Deploy. Provide a verbose failure reason that tells the user what was checked, why it failed, and what they can do to fix it themselves.

[Screenshot: an example of a verbose policy violation error message that helps users self-service]

Check for both the existence of steps and if they’ve been skipped

Policies can be written to check for the existence of specific steps within a deployment or runbook process. It’s important to remember that in many cases those deployment and runbook processes have existed for years. Octopus Deploy can mark a step as required so that it cannot be skipped, but it is unlikely that every required step in all of your deployment and runbook processes has been configured that way.

It is not enough for a policy to simply check for the existence of a specific step. The policy must also ensure the user has not elected to skip the required step (for whatever reason) when scheduling the deployment or runbook run.

[Screenshot: an example of a step that can be skipped before scheduling a deployment or runbook run]

The resulting policy therefore has two conditions: the required step exists in the process, and the step has not been skipped for this run.

[Screenshot: an example of a policy that checks both that the step exists and that it isn't skipped]
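The conditions below, written in Rego, implement both checks and also illustrate the verbose failure reason recommended earlier: each failure names the step and tells the user what to do next. This is an added example, not code from the Octopus documentation. The rule name result with its allowed and reason fields, and the input fields input.Steps[_].Name and input.Steps[_].Skipped, are assumptions about the policy input shape; check them against your policy input reference before use.

```rego
package octopus

import rego.v1

# Added example (not from the Octopus docs): conditions for a policy that
# requires the "Run smoke tests" step and fails with a self-service message.
# Assumptions, to be checked against your policy input reference:
#   - the conditions rule is named `result` with `allowed` and `reason`
#   - `input.Steps` lists process steps with `Name` and a boolean `Skipped`
#     (true when the user excluded the step when scheduling the run)

required_step := "Run smoke tests"

# Allow by default; the rules below override with a failure and a reason.
default result := {"allowed": true, "reason": ""}

# Condition 1: the step exists in the process.
step_exists if {
    some step in input.Steps
    step.Name == required_step
}

# Condition 2: the step has been excluded from this run.
step_skipped if {
    some step in input.Steps
    step.Name == required_step
    step.Skipped == true
}

# Fail when the step is missing entirely (also covers a missing Steps list).
result := {"allowed": false, "reason": reason} if {
    not step_exists
    reason := sprintf(concat(" ", [
        "Blocked: the step '%s' was not found in this process.",
        "Add it to the deployment process, create a new release, and deploy again."
    ]), [required_step])
}

# Fail when the step exists but the user chose to skip it for this run.
result := {"allowed": false, "reason": reason} if {
    step_exists
    step_skipped
    reason := sprintf(concat(" ", [
        "Blocked: the step '%s' exists but was skipped for this run.",
        "Re-create the deployment without excluding this step.",
        "If the step is failing, fix the step rather than skipping it."
    ]), [required_step])
}
```

The two failure rules are mutually exclusive (one requires not step_exists, the other step_exists), so result is never ambiguous, and the default keeps the policy permissive whenever neither condition fires. Keeping the two checks as separate named rules makes the audit log entry and the user-facing reason say precisely which condition failed.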


Page updated on Thursday, September 11, 2025