Product Documentation

Prioritize policies and create exceptions

Mar 26, 2013
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The process used to evaluate policies is as follows:
  1. When a user logs on, all policies that match the assignments for the connection are identified.
  2. The identified policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy.

You prioritize policies by giving them different priority numbers. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting's condition; for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the corresponding settings of lower-ranked policies.

When you create policies for groups of users, user devices, or machines, you may find that some members of the group require exceptions to some policy settings. You can create exceptions by:
  • Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the policy for the entire group
  • Using the Deny mode for an assignment added to the policy

An assignment with the mode set to Deny applies a policy only to connections that do not match the assignment criteria. For example, a policy contains the following assignments:
  • Assignment A is a Client IP address assignment that specifies the range 208.77.88.* and the mode is set to Allow
  • Assignment B is a User assignment that specifies a particular user account and the mode is set to Deny

The policy is applied to all users who log on to the site with IP addresses in the range specified in Assignment A. However, the policy is not applied to the user logging on to the site with the user account specified in Assignment B, even though the user's computer is assigned an IP address in the range specified in Assignment A.
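The two-step evaluation described at the top of this page (identify matching policies, then sort by priority and take the highest-ranked configured value of each setting) and the Allow/Deny assignment example above can be checked together with a small model. The following Python is an added example written for this page; it is not Citrix code and does not call the product's API. The `Assignment`, `Policy`, `policy_applies`, `resolve_settings` and `next_priority` names, the CIDR form of the IP range, and the rule that a policy applies when at least one Allow assignment matches and no Deny assignment matches are assumptions of the model; the sample policies and connections are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Assignment:
    """One assignment on a policy (constructed model, not the product's object)."""
    kind: str            # "client_ip" or "user"
    value: str           # CIDR for client_ip, account name for user
    mode: str = "Allow"  # "Allow" or "Deny"

    def matches(self, conn: dict) -> bool:
        if self.kind == "client_ip":
            return ip_address(conn["client_ip"]) in ip_network(self.value)
        if self.kind == "user":
            return conn["user"] == self.value
        raise ValueError(f"unknown assignment kind {self.kind!r}")


@dataclass
class Policy:
    name: str
    priority: int                                  # 1 is the highest priority
    assignments: list = field(default_factory=list)
    settings: dict = field(default_factory=dict)   # name -> "Enabled" | "Disabled" | None


def policy_applies(policy: Policy, conn: dict) -> bool:
    """Assumption: a policy applies when at least one Allow assignment matches
    the connection and no Deny assignment matches it."""
    allow = [a for a in policy.assignments if a.mode == "Allow"]
    deny = [a for a in policy.assignments if a.mode == "Deny"]
    if not any(a.matches(conn) for a in allow):
        return False
    return not any(a.matches(conn) for a in deny)


def resolve_settings(policies: list, conn: dict) -> dict:
    """Step 1: identify the policies whose assignments match the connection.
    Step 2: sort them by priority and keep the highest-ranked configured value
    of each setting. Returns {setting: (value, winning_policy_name)}."""
    applicable = sorted((p for p in policies if policy_applies(p, conn)),
                        key=lambda p: p.priority)
    effective = {}
    for policy in applicable:
        for name, value in policy.settings.items():
            if value is None:          # "not configured" is ignored, never overrides
                continue
            effective.setdefault(name, (value, policy.name))  # first (highest) wins
    return effective


def next_priority(policies: list) -> int:
    """A new policy gets the lowest priority, i.e. the largest number."""
    return max((p.priority for p in policies), default=0) + 1


# Constructed sample policies mirroring the page's Assignment A / Assignment B example
SITE_WIDE = Policy(
    name="Site-wide", priority=2,
    assignments=[Assignment("client_ip", "208.77.88.0/24", "Allow"),   # Assignment A
                 Assignment("user", "alice", "Deny")],                 # Assignment B
    settings={"clipboard": "Enabled", "printing": "Enabled"})

# Higher-ranked exception policy for one group member; "printing" is left unconfigured
EXCEPTIONS = Policy(
    name="Exceptions", priority=1,
    assignments=[Assignment("user", "bob", "Allow")],
    settings={"clipboard": "Disabled", "printing": None})

POLICIES = [SITE_WIDE, EXCEPTIONS]

if __name__ == "__main__":
    for conn in ({"user": "bob", "client_ip": "208.77.88.10"},
                 {"user": "alice", "client_ip": "208.77.88.20"},
                 {"user": "carol", "client_ip": "10.0.0.5"}):
        print(conn, "->", resolve_settings(POLICIES, conn))
```

Running it shows the three cases the page describes: bob gets the site-wide settings with `clipboard` overridden to Disabled by the higher-ranked exception policy while `printing` falls through to the site-wide value because the exception leaves it unconfigured; alice gets nothing from the site-wide policy even though her address is in the Allow range, because the Deny assignment matches her account; a user outside the range gets no settings at all.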