# Policies

Policies control user access to the web console. A policy is applied by matching the *Roles* in the policy with the roles of the user. If a policy matches one of the user's roles, that policy will apply to the user. Policies should be configured carefully, as they can block access to the web console. If policies are preventing access to the web console, the command `sudo pritunl-cloud disable-policies` will disable all policies.

### WebAuthn

WebAuthn provides the best secondary authentication and is the recommended secondary factor to use. First configure the *WebAuthn Domain* in the node settings to the highest level domain for the configuration. The WebAuthn domain can't be changed without invalidating all the existing devices. If domains such as `admin.cloud.pritunl.com` and `user.cloud.pritunl.com` are used, the WebAuthn domain should be `cloud.pritunl.com`.
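The following is an added example, not Pritunl's own code, for checking a planned WebAuthn domain before any devices are registered. It applies the WebAuthn rule that the relying party ID must equal the console hostname or be a parent domain of it; the function names are hypothetical, and it does not consult the public suffix list, so a result such as `com` still has to be rejected by hand.

```javascript
"use strict";
// Added example: function names are hypothetical; hostnames are the ones used on this page.

// Normalize a hostname for comparison: lowercase, no trailing dot.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// WebAuthn rule: the RP ID must equal the host or be a parent domain of it.
// The match is on whole labels, so "cloud.pritunl.com" does not cover "xcloud.pritunl.com".
function rpIdCovers(rpId, host) {
  const id = normalizeHost(rpId);
  const h = normalizeHost(host);
  return h === id || h.endsWith("." + id);
}

// Longest domain suffix shared by every host, compared label by label from the right.
// Returns "" when the hosts have no label in common.
function commonParentDomain(hosts) {
  if (hosts.length === 0) return "";
  const labelLists = hosts.map((h) => normalizeHost(h).split(".").reverse());
  const shared = [];
  for (let i = 0; ; i++) {
    const label = labelLists[0][i];
    if (label === undefined || !labelLists.every((l) => l[i] === label)) break;
    shared.push(label);
  }
  return shared.reverse().join(".");
}

// Hosts on which devices registered under the candidate WebAuthn domain could not be used.
function uncoveredHosts(rpId, hosts) {
  return hosts.filter((h) => !rpIdCovers(rpId, h));
}

const consoleHosts = ["admin.cloud.pritunl.com", "user.cloud.pritunl.com"];
console.log("WebAuthn domain:", commonParentDomain(consoleHosts));
console.log("Left out by a too-narrow domain:",
  uncoveredHosts("admin.cloud.pritunl.com", consoleHosts));
```

Because the domain can't be changed later without invalidating existing devices, run the check against every hostname the web console will be served from, including ones planned but not yet deployed.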


