You should understand the MSP workflow

Media Security Policy (MSP) follows a specific workflow in the generation of policies and assignments to protect your media content.

You should have a rough understanding of this workflow before using the UI to either create a new scenario or edit an existing one.

Phase Description
Phase 1: Set up a Media Services Live 3.x configuration

A Media Services Configuration is a collection of settings used to target and deliver your media content. You enable MSP within this configuration and later associate it with a Security Policy via a Policy Assignment. Creation of this Configuration is performed outside of MSP via another tool in Control Center.

Note: You don't have to create a configuration before beginning a workflow, but we recommend that you do. This way, it will be ready for use when required later in this process.
Phase 2: Create a security policy

Here, you generate the policy and define the Security Services you wish to apply to protect your media content. You can select services individually or include a combination of any of the following, Token Authentication, Media Encryption, Content Targeting or Player Verification (HDS-format media, only).

Note: After you finish, we recommend that you simply Save the policy (vs. Save and Promote). This lets you test before going live in the Production network.
Phase 3: Assign the security policy

At this stage, you associate the Security Policy with the Media Services Configuration . You can define a specific range of time to apply the protection or leave it open-ended. The Media Services Configuration must be active in the Staging Network to be accessible at this stage.

Note: After this phase, the association exists in the Staging Network where it can be tested and verified (using the "Staging" instance of any Digital Property associated with the Policy Assignment). The Digital Property is a value you establish in a Media Services Configuration—typically the end-user-facing hostname or domain name of your website. It serves as the identifier used to target the specific Media Services Configuration for use in processing requests for media. For example, requests made to this hostname/domain are redirected to an Edge Server which uses this identifier to query the Configuration for instructions/settings to be used in the delivery of your MSL media content.
Phase 4: Promote the security policy

Here, you promote the policy to the Production Network to ready it to protect your content in a live environment.

Phase 5: Promote the policy assignment

The final phase in a workflow is to promote the Policy Assignment to the Production Network to actively protect your media content. The Media Services Configuration must also be active in the Production Network to be accessible at this stage.