The policy should test where the user is accessing the cluster from. The location of the user is determined by mapping the user's IP address with the geo.txt. So, for example, you can set a policy that allows access to users located in the US only. To test the reverse, set a policy to deny access to users located in the US.
In order to enable the ability to set deny/exclude conditions in HDP 2.5 please follow the below: