Each API of a service protected by either the MicroPerimeter™ Sidecar or the MicroPerimeter™ Edge Gateway may have an authorization policy assigned to it. The authorization policy determines the access rules and is validated on each and every API call.
The policy complexity may vary. The simplest policy may perform offline authorization by checking whether the OAuth access token has a certain scope. More complex policies may perform attribute checks (user, session, request, context), role checks, risk checks and have conditional flows.
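As an added illustration (not MicroPerimeter™ policy code or configuration), the sketch below shows what an offline scope check amounts to: the token is verified locally, with no call to the authorization server, and the decision rests on its scope. It assumes a JWT-format access token with a space-delimited `scope` claim, and uses HS256 with a constructed key only so that it runs on the standard library; all function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-key"  # constructed value, not a real secret

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def authorize(token: str, required_scope: str, key: bytes = DEMO_KEY, now=None) -> bool:
    """Allow only if the token verifies locally, is unexpired and carries the scope."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; the token must not choose it (rejects "alg": "none").
        if header.get("alg") != "HS256":
            return False
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        claims = json.loads(_b64url_decode(body_b64))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return False  # a missing or past expiry fails closed
        # Scope is a space-delimited list: compare whole entries, never substrings.
        scope = claims.get("scope", "")
        return isinstance(scope, str) and required_scope in scope.split()
    except (ValueError, TypeError, AttributeError):
        return False  # any malformed token is denied
```

Comparing whole scope entries matters: a substring test would let a token holding `accounts.readwrite` satisfy a policy that requires `accounts.read`.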
The best way to understand how policies work is to see how to use them in the policy management how-tos.