User/device access


Policies, Entitlements, the Risk Model, and Conditions are the primary tools for configuring and controlling fine-grained access to resources protected by the Gateways or Connectors. However, these tools only affect the internal operation of Appgate SDP (Client routing, secure tunnels, firewall rules, etc.). All the other application/network access components, such as cabling, DNS, routes, firewalls, traffic shaping, group permissions, etc., also need to be in place so that the required route and permissions exist all the way from the user to the (protected) host behind a Gateway or Connector. An Entitlement that allows traffic to a host is only useful if the Gateway can actually reach that host and the host's own firewall accepts connections from the Gateway.

Routing Client traffic will help you to understand more about some of the networking aspects relating to the provisioning of user access.

Authentication services will help you to understand more about mapping groups and Claims across to the Appgate SDP system.

Before setting up access controls it is worth taking a moment to consider how you would like the system to behave for your user community.

  • Are you trying to provide your users with (VPN-like) background connectivity to a network?

  • Are your current (LDAP) group structures able to support a new access control model?

  • Are you trying to tighten up your access controls to limit individual user access rights?

  • Do you want to provide users with a UI that helps them by presenting app shortcuts?

  • Are you planning to add additional use-time authentication steps (MFA)?

  • Do you plan to use scripts to dynamically configure user rights?

  • Are your users actually unattended machines, such as IoT devices or servers?

The required behaviors you want to achieve will have an influence on some of the design decisions you take relating to access controls.

Before diving into Using Policies and Using Entitlements, it is also worth considering the balance between Policy decisions (which are made in the Controller at sign-in) and Entitlement decisions (which are made in the Gateway when the Client connects to it). If you have very many Policies, sign-in times will be extended in the Controller, because every Policy must be evaluated against the user's Claims. If you have very many individual Entitlements, sign-in times will be extended in the Gateways, because every Entitlement assigned to the user must be evaluated there and turned into tunnel and firewall rules. It is good to design a balanced model that spreads the load between the two. A bias towards the Controller also helps by reducing the load on the Gateways when fail-over events occur, such as during upgrades, since the Clients of a failed Gateway all reconnect to another Gateway at the same time and that Gateway must re-evaluate their Entitlements.