Instances of network, workspace, and device are considered secured resources and are managed under the network, workspace, and device levels, respectively.
The specific secured resources must be explicitly and individually associated to the Principal before permission assignment can be made for the Principal. Not explicitly associating a resource to the Principal is equivalent to the Principal having no permission on that resource. Permissions can be assigned in two ways against the resources for the Principal.