migrate legacy policy

ranbel · ranbel · commit e0e0ab47032a · 2025-01-15T19:30:26.000-05:00
diff --git a/src/content/docs/cloudflare-one/applications/non-http/private-network-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/private-network-app.mdx
diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
@@ -36,7 +36,7 @@ You can configure a self-hosted Access application to manage access to specific
 	Private hostnames are currently only available over port `443` over HTTPS.
 	:::
 
-7. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application.
+7. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
 
 8. <Render file="access/access-choose-idps" product="cloudflare-one" />
 
@@ -63,7 +63,7 @@ Users can now connect to your private application after authenticating with Clou
 
 ## Modify order of precedence in Gateway
 
-By default, Cloudflare will evaluate Access private application policies after evaluating all Gateway network policies. To evaluate Access private application policies before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
+By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
 
 
 | Selector | Operator | Value        | Action |
@@ -73,5 +73,5 @@ By default, Cloudflare will evaluate Access private application policies after e
 You can now drag and drop this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
 
 :::note
-All Access applications are deny by default -- a user must match an associated Access Allow policy before they are granted access. The Gateway policy is strictly for routing and connectivity purposes.
+Users must pass the policies in your Access application before they are granted access. The Gateway policy is strictly for routing and connectivity purposes.
 :::
diff --git a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx b/src/content/docs/cloudflare-one/policies/access/policy-management.mdx
@@ -6,7 +6,9 @@ sidebar:
 
 ---
 
-Access policies are properties of applications. When setting up an Access application, you will be prompted to create at least one policy for the application. You can go back and create, edit, or delete policies at any time.
+import {Tabs, TabItem } from "~/components";
+
+Access policies define the users who can log in to your Access applications. You can create, edit, or delete policies at any time and reuse them across multiple applications.
 
 ## Create a policy
 
@@ -80,3 +82,30 @@ The policy tester reports the following information:
 * Whether the user is allowed or denied access to the application based on all configured policies.
 * The user's identity from their most recent Access login attempt.
 * Whether the user matches individual Allow, Block, or Bypass policies.
+
+## Legacy policies
+
+Legacy policies are scoped to a specific application and cannot be added to newly created Access applications.
+
+### Migrate to reusable policies
+
+To migrate legacy policies to reusable policies:
+
+1. [Create a reusable policy](#create-a-policy) that will replace the legacy policy.
+2. Go to the application associated with the legacy policy.
+3. Add the reusable policy to the application and remove the legacy policy.
+4. Repeat these steps for each legacy policy. If you have duplicate legacy policies, you can replace them with a single reuseable policy.
+
+### Convert a legacy policy
+
+You can use the API to convert a legacy policy into a reusable policy. Once converted, you will only be able to manage the policy using the [reusable policies endpoints](/api/resources/zero_trust/subresources/access/subresources/policies/).
+
+To convert a legacy policy, make a `PUT` request with an empty request body:
+
+```bash
+curl --request PUT \
+https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies/{legacy_policy_id}/make_reusable \
+--header "Authorization: Bearer <API_TOKEN>" \
+```
+
+A success response returns the policy details. The policy is now removed from `/access/apps/{app_id}/policies` and available at `/access/policies/{policy_id}`.
diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app.mdx
@@ -23,7 +23,7 @@ import { Render } from "~/components"
 
 		Alternatively, to use a [Cloudflare for SaaS custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), set **Input method** to _Custom_ and enter your custom hostname.
 
-8. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application.
+8. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
 
 9. <Render file="access/access-choose-idps" product="cloudflare-one" />
 
