A policy is a grouping of one or more rules and user directories. By creating a policy, you specify which users are allowed to access which resources.
For example, you can create a policy that gives members of a team complete access to three data sources that the team uses regularly. You could also create a policy that specifies the system administrator as the only user who can use the write action of the cffile tag.
If you specify a resource to protect but do not include it in any policy, the resource is fully protected within the security context. In other words, no users can access the resource.
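The rules above, modelled in Python as an added example (not ColdFusion's own code or API). All class, resource and user names are constructed, and the model assumes a resource that was never marked as protected is simply not governed by the security context. The `orphaned` check lists protected resources that no policy covers, which is how an administrator would spot a resource that has been locked away from everyone by omission.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    resource_type: str  # constructed labels, e.g. "DataSource" or "Tag"
    resource: str
    action: str         # "*" means every action on the resource

@dataclass
class Policy:
    name: str
    rules: frozenset
    users: frozenset    # members of the policy's user directories, flattened

@dataclass
class SecurityContext:
    protected: set = field(default_factory=set)   # (resource_type, resource)
    policies: list = field(default_factory=list)

    def is_authorized(self, user, rtype, resource, action):
        if (rtype, resource) not in self.protected:
            return None  # assumption: unprotected resources are not governed here
        for policy in self.policies:
            if user in policy.users and any(
                (r.resource_type, r.resource) == (rtype, resource)
                and r.action in ("*", action)
                for r in policy.rules
            ):
                return True
        return False     # protected but no policy grants it: nobody gets in

    def orphaned(self):
        """Protected resources that appear in no policy (inaccessible to all)."""
        covered = {(r.resource_type, r.resource) for p in self.policies for r in p.rules}
        return sorted(self.protected - covered)

def build_example():
    # Constructed names mirroring the two policies described in the text.
    team = Policy("team-data", frozenset(Rule("DataSource", d, "*")
                  for d in ("orders", "inventory", "crm")), frozenset({"alice", "bob"}))
    admin = Policy("file-write", frozenset({Rule("Tag", "cffile", "write")}),
                   frozenset({"sysadmin"}))
    ctx = SecurityContext(policies=[team, admin])
    ctx.protected = {("DataSource", d) for d in ("orders", "inventory", "crm", "payroll")}
    ctx.protected.add(("Tag", "cffile"))
    return ctx
```

Here the constructed `payroll` data source is protected but belongs to no policy, so every user is denied and `orphaned()` reports it.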