The Policy Decision Point (PDP) can be used to determine whether certain users, groups or teams can or cannot access an application. Without a policy decision, any user of an institution is granted access to an application. Only the service provider is able to deny access to certain groups or users, e.g. through provisioning or a VOOT connection. The basics of PDP or 'Authorisatie regels' can be found here (Dutch).
There are two types of rules:
Authorization rules. These result in a "permit" or "deny" access verdict for the user in question. If the user is denied, SURFconext will show an error page with a specific message and not allow the user to proceed to the SP.
Stepup rules. These can add a Level of Assurance requirement to a login. If the policy matches, the user is required to perform second-factor authentication via SURFsecureID before they can proceed to the service.
Both policy types can be combined for an SP without issue.
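The way the two rule types combine for one SP can be sketched as a simplified model. This is an added example, not SURFconext's policy format or API: the `Rule` and `Decision` types, the attribute names, the entity IDs, the LoA number and the "user must match every authorization rule" semantics are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    sp: str                 # service provider the rule applies to
    attribute: str          # user attribute the rule inspects (hypothetical names)
    values: frozenset       # attribute values that make the rule match
    deny_message: str = ""  # authorization rules: text for the error page
    loa: int = 0            # stepup rules: Level of Assurance to require

@dataclass
class Decision:
    permit: bool
    message: str = ""
    required_loa: Optional[int] = None  # set when a second factor is needed

def matches(rule, user):
    return bool(rule.values & user.get(rule.attribute, frozenset()))

def decide(sp, user, authz_rules, stepup_rules):
    # Authorization rules first. Assumed semantics: the user must match every
    # rule defined for this SP; an SP without any rule grants access.
    for rule in (r for r in authz_rules if r.sp == sp):
        if not matches(rule, user):
            return Decision(False, rule.deny_message)
    # Stepup rules never deny; a match only raises the required LoA.
    loas = [r.loa for r in stepup_rules if r.sp == sp and matches(r, user)]
    return Decision(True, required_loa=max(loas) if loas else None)

# Constructed sample policies and users.
SP = "https://sp.example.org"
AUTHZ = [Rule(SP, "isMemberOf", frozenset({"team:finance"}),
              deny_message="Only the finance team may use this service.")]
STEPUP = [Rule(SP, "affiliation", frozenset({"employee"}), loa=2)]

alice = {"isMemberOf": frozenset({"team:finance"}),
         "affiliation": frozenset({"employee"})}
bob = {"isMemberOf": frozenset({"team:hr"}),
       "affiliation": frozenset({"employee"})}

if __name__ == "__main__":
    for name, user in (("alice", alice), ("bob", bob)):
        print(name, decide(SP, user, AUTHZ, STEPUP))
    # An SP with no policy at all: every user of the institution gets in.
    print("no policy:", decide("https://other.example.org", bob, AUTHZ, STEPUP))
```

In this model a denied user never reaches the stepup check, which mirrors the error page stopping the login before the user proceeds to the SP.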