

# Policy evaluation logic
<a name="reference_policies_evaluation-logic"></a>

When a principal tries to use the Amazon Web Services Management Console, the Amazon API, or the Amazon CLI, that principal sends a *request* to Amazon. When an Amazon service receives the request, Amazon completes several steps to determine whether to allow or deny the request.

1. **Authentication** – Amazon first authenticates the principal that makes the request, if necessary. This step is not necessary for a few services, such as Amazon S3, that allow some requests from anonymous users.

1. **[Processing the request context](reference_policies_evaluation-logic_policy-eval-reqcontext.md)** – Amazon processes the information gathered in the request to determine which policies apply to the request.

1. **[How Amazon enforcement code logic evaluates requests to allow or deny access](reference_policies_evaluation-logic_policy-eval-denyallow.md)** – Amazon evaluates all of the policy types that apply, and the order in which the policies are evaluated affects the outcome. Amazon then processes the policies against the request context to determine whether the request is allowed or denied.

## Evaluating identity-based policies with resource-based policies
<a name="policy-eval-basics-id-rdp"></a>

Identity-based policies and resource-based policies grant permissions to the identities or resources to which they are attached. When an IAM entity (user or role) requests access to a resource within the same account, Amazon evaluates all the permissions granted by the identity-based and resource-based policies. The resulting permissions are the union of the permissions of the two types. If an action is allowed by an identity-based policy, a resource-based policy, or both, then Amazon allows the action. An explicit deny in either of these policies overrides the allow.

![Evaluation of identity-based policies and resource-based policies](http://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/images/permissions_policies_effective.png)


## Evaluating identity-based policies with permissions boundaries
<a name="policy-eval-basics-id-bound"></a>

When Amazon evaluates the identity-based policies and permissions boundary for a user, the resulting permissions are the intersection of the two categories. That means that when you add a permissions boundary to a user with existing identity-based policies, you might reduce the actions that the user can perform. Alternatively, when you remove a permissions boundary from a user, you might increase the actions they can perform. An explicit deny in either of these policies overrides the allow. To view information about how other policy types are evaluated with permissions boundaries, see [Evaluating effective permissions with boundaries](access_policies_boundaries.md#access_policies_boundaries-eval-logic).

![Evaluation of identity-based policies and permissions boundaries](http://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/images/permissions_boundary.png)


## Evaluating identity-based policies with Amazon Organizations SCPs or RCPs
<a name="policy-eval-basics-id-scp"></a>

When a user belongs to an account that is a member of an organization and accesses a resource that doesn't have a resource-based policy configured, the resulting permissions are the intersection of the user's identity-based policies, service control policies (SCPs), and resource control policies (RCPs). This means that an action must be allowed by all three policy types. An explicit deny in the identity-based policy, an SCP, or an RCP overrides the allow.

![Evaluation of identity-based policies and SCPs or RCPs](http://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/images/permissions_scp-idp.png)
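The three combination rules above (union of identity-based and resource-based grants, intersection with a permissions boundary, intersection with SCPs and RCPs, and an explicit deny overriding everything) can be modeled in a few lines. The following is an added illustration, not Amazon's enforcement code: it applies every gate that is present at once, treats a policy as a list of simplified `Effect`/`Action` statements, ignores resources, conditions and `NotAction`, and does not cover the boundary/resource-based-policy interaction that the linked boundaries page describes.

```python
from fnmatch import fnmatchcase

ALLOW, DENY, IMPLICIT = "Allow", "Deny", "ImplicitDeny"


def evaluate_policy(statements, action):
    """Outcome of one policy type for `action`.

    An explicit Deny wins over any Allow; a policy that matches the action
    in no statement yields an implicit deny. Matching is case-insensitive
    and honours the '*' and '?' wildcards used in IAM action names.
    """
    result = IMPLICIT
    for st in statements:
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if st["Effect"] == "Deny":
                return DENY
            result = ALLOW
    return result


def is_allowed(action, identity, resource=None, boundary=None, scps=None, rcps=None):
    """Combine policy types for a same-account request as this page describes.

    - identity-based + resource-based: union (either one may grant)
    - permissions boundary, SCPs, RCPs: intersection (each one present must allow)
    - an explicit Deny in any evaluated policy overrides every Allow
    """
    grants = [evaluate_policy(identity, action)]
    if resource is not None:
        grants.append(evaluate_policy(resource, action))
    gates = [evaluate_policy(p, action) for p in (boundary, scps, rcps) if p is not None]
    if DENY in grants or DENY in gates:
        return False
    if ALLOW not in grants:
        return False
    return all(g == ALLOW for g in gates)


# Constructed sample policies for illustration (not from any real account).
IDENTITY = [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"]}]
RESOURCE = [{"Effect": "Allow", "Action": "s3:ListBucket"}]
BOUNDARY = [{"Effect": "Allow", "Action": "s3:*"}]
SCP = [{"Effect": "Allow", "Action": "*"}, {"Effect": "Deny", "Action": "s3:PutObject"}]

if __name__ == "__main__":
    print(is_allowed("s3:ListBucket", IDENTITY, resource=RESOURCE))            # True: union
    print(is_allowed("s3:PutObject", IDENTITY, boundary=BOUNDARY, scps=SCP))   # False: SCP deny
```

Removing the `boundary=` argument from a call shows the "remove a boundary, gain actions" effect the text mentions, and adding a narrower boundary shows the reverse.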


You can learn [whether your account is a member of an organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_account) in Amazon Organizations. Organization members might be affected by an SCP or RCP. To view this data using the Amazon CLI command or Amazon API operation, you must have permissions for the `organizations:DescribeOrganization` action for your Amazon Organizations entity. You must have additional permissions to perform the operation in the Amazon Organizations console. To learn whether an SCP or RCP is denying access to a specific request, or to change your effective permissions, contact your Amazon Organizations administrator.