# Traffic Permissions
This policy provides access control rules that can be applied on our service traffic to determine what traffic is allowed across the Mesh via configurable sources and destinations.
When Mutual TLS is disabled, Kuma will not enforce any
TrafficPermission and by default it will allow all service traffic to work. Even if Mutual TLS is disabled, we can still create and edit
TrafficPermission resources that will go into effect once Mutual TLS is enabled on the Mesh.
The reason why this policy only works when Mutual TLS is enabled in the Mesh is because only in this scenario Kuma can validate the identity of the service traffic via the usage of data plane proxy certificates.
On the other end when Mutual TLS is disabled, Kuma cannot extract the service identity from the request and therefore cannot perform any validation.
You can determine what source services are allowed to consume specific destination services. The service field is mandatory in both sources and destinations.
Match-All: You can match any value of a tag by using
You can use any Tag in the
destinations selector, which makes
TrafficPermissions quite powerful when it comes to creating a secure environment for our services.
For the time being the
sources field only allows the
service tag. This limitation will be removed in the future.