If you enable the Policy option in the Admin Role profile,
you can then enable, disable, or provide read-only access to specific
nodes within the tab as necessary for the role you are defining.
By enabling access to a specific policy type, you enable the ability
to view, add, or delete policy rules. By enabling read-only access
to a specific policy, you enable the administrator to view the corresponding
policy rule base, but not add or delete rules. Disabling access
to a specific type of policy prevents the administrator from seeing
the policy rule base.
Because policy that is based on specific users (by username or
IP address) must be explicitly defined, privacy settings that disable
the ability to see full IP addresses or usernames do not apply to
the Policy tab. Therefore, you should only allow access to the Policy
tab to administrators that are excluded from user privacy restrictions.