Organization Adaptive Policy Configuration

Dashboard Location: Organization > Adaptive Policy

Organization-Wide Adaptive Policy and Dynamic Security Management

Adaptive Policy configuration in Meraki organizations provides administrators with comprehensive dynamic security capabilities, enabling Security Group Tag (SGT) based network segmentation, policy-driven access control, contextual security enforcement, and automated security group assignment. This functionality supports zero-trust network architectures, micro-segmentation strategies, identity-based access control, threat containment, and dynamic policy enforcement based on user identity, device type, location, and behavioral analysis. Adaptive Policy is essential for advanced network security, regulatory compliance, data protection, insider threat mitigation, and maintaining granular security controls across distributed enterprise networks while supporting software-defined perimeter concepts and continuous security assessment.

Diagram

Classes

organizations (meraki.domains)

Name	Type	Constraint	Mandatory	Default Value
adaptive_policy	Class	`[adaptive_policy]`	No

adaptive_policy (meraki.domains.organizations)

Name	Type	Constraint	Mandatory
name	String	min: `1`, max: `127`	No
settings_enabled_networks	List	String[min: `1`, max: `127`]	No
acls	List	`[acls]`	No
groups	List	`[groups]`	No
policies	List	`[policies]`	No

acls (meraki.domains.organizations.adaptive_policy)

Name	Type	Constraint	Mandatory
name	String	min: `1`, max: `127`	No
description	String	min: `1`, max: `1024`	No
rules	List	`[rules]`	No
ip_version	Choice	`any`, `ipv4`, `ipv6`	No

groups (meraki.domains.organizations.adaptive_policy)

Name	Type	Constraint	Mandatory
name	String	min: `1`, max: `127`	No
sgt	Integer	min: `0`, max: `65535`	No
description	String	min: `1`, max: `1024`	No
policy_objects	List	String[min: `1`, max: `127`]	No

policies (meraki.domains.organizations.adaptive_policy)

Name	Type	Constraint	Mandatory
source_group	Class	`[source_group]`	No
destination_group	Class	`[destination_group]`	No
acls	List	String[min: `1`, max: `127`]	No
last_entry_rule	Choice	`allow`, `default`, `deny`	No
organization_name	String	min: `1`, max: `127`	Yes
name	String	min: `1`, max: `127`	Yes

rules (meraki.domains.organizations.adaptive_policy.acls)

Name	Type	Constraint	Mandatory	Default Value
policy	Choice	`allow`, `deny`	Yes
protocol	Choice	`any`, `icmp`, `tcp`, `udp`	Yes
log	Boolean	`true`, `false`	No
tcp_established	Boolean	`true`, `false`	No
source_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
destination_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3

source_group (meraki.domains.organizations.adaptive_policy.policies)

Name	Type	Constraint	Mandatory	Default Value
name	String	min: `1`, max: `127`	Yes
sgt	Integer	min: `0`, max: `65535`	No

destination_group (meraki.domains.organizations.adaptive_policy.policies)

Name	Type	Constraint	Mandatory	Default Value
name	String	min: `1`, max: `127`	Yes
sgt	Integer	min: `0`, max: `65535`	No

Examples

Example-1: The example below demonstrates adaptive policy configuration.

This configuration enables adaptive policy across the organization for identity-based access control, defining Security Group Tags (SGTs) for “USERS” (SGT 30) and “IOT” (SGT 40), and applying the “Corp Policy” that permits TCP traffic from ports 4000–6000 using the “Permit Corp” ACL, denies TCP traffic from ports 4001–6001 using the “Deny Corp” ACL, and allows all remaining traffic by default, providing granular zero-trust network segmentation and enforcement between corporate users and IoT devices.

meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          adaptive_policy:
            settings_enabled_networks:
              - !env network_name
            policies:
              - name: Corp Policy
                organization_name: !env org
                source_group:
                  name: USERS
                  sgt: 30
                destination_group:
                  name: IOT
                  sgt: 40
                acls:
                  - Permit Corp
                  - Deny Corp
                last_entry_rule: allow
            groups:
              - name: USERS
                sgt: 30
                description: Corporate Users
                # policy_objects:
                #   - Corp Policy
              - name: IOT
                sgt: 40
                description: Corporate IOT Devices
                # policy_objects:
                #   - Corp Policy
            acls:
              - name: Permit Corp
                description: Permit Example
                rules:
                  - policy: allow
                    protocol: tcp
                    source_port: 4000
                    destination_port: 6000
                ip_version: ipv4
              - name: Deny Corp
                description: Deny Example
                rules:
                  - policy: deny
                    protocol: tcp
                    source_port: 4001
                    destination_port: 6001
                ip_version: ipv4