If you will be using the Authorize User policy action to control access to a virtual service at run time, you should strongly consider including an approval step in your consumer-registration policy. When you use this form of access control on a virtual service, registering a consumer application with the virtual service grants that consumer application permission to invoke the service. To ensure that only authorized applications are registered with a virtual service, you might want to have a security administrator review and approve this type of registration request.