5.1 Ordering

Policies are applied to a device through device assignments, user assignments, and zone assignments. Through the application of ordering rules, all of the assigned policies are combined into one list in order of precedence, from most important (highest priority) to least important (lowest priority). There are several steps involved in ordering:

5.1.1 Create Ordered Lists for Device-Assigned and User-Assigned Policies

The order of precedence for device-assigned policies and user-assigned policies is determined by where the assignment occurs in the ZENworks management hierarchy, using the following order of precedence:

  1. Object

  2. Group

  3. Folder

A policy assigned to the object (device or user) precedes a policy assigned to the object’s group or folder. Likewise, a policy assigned to an object’s group precedes a policy assigned to the object’s folder.

The order of precedence also takes into account that each level of the hierarchy includes multiple sublevels. For example, if a device resides in a subfolder of the Workstations root folder, it might inherit assignments from both folders. Likewise, the device might be a member of multiple groups. The following table expands the levels to show the complete order of precedence:

Level

Order of Precedence

Example

Details

Object

  1. First policy listed

  2. Second policy listed

  3. Third policy listed

  1. Policy B

  2. Policy A

The order of precedence for policies assigned to an object is determined by the object’s Assigned Policies list in ZENworks Control Center. A policy at the top of the list has a higher priority than the same-type policies lower in the list.

In the example, Policy B precedes Policy A.

Group

  1. Object folder

    1. First group listed

      1. First policy

      2. Second policy

    2. Second group listed

      1. First policy

      2. Second policy

  2. Parent folder

    1. First group listed

      1. First policy

      2. Second policy

    2. Second group listed

      1. First policy

      2. Second policy

  3. Root folder

    1. First group listed

      1. First policy

      2. Second policy

    2. Second group listed

      1. First policy

      2. Second policy

  1. Object folder

    1. Group 4

      1. Policy D

      2. Policy C

    2. Group 1

      1. Policy F

  2. Parent folder

    1. Group 3

      1. Policy G

      2. Policy J

The order of precedence for policies assigned to an object’s groups is dependent on two factors: 1) the group locations in the folder hierarchy and 2) the policy ordering within the groups.

The first factor is the group locations:

  • For groups within the same folder, the order of precedence follows their order in the folder list, from top to bottom.

  • For groups within different folders, the order of precedence follows the folders’ order of precedence, with the object’s folder preceding any of the object’s parent folders.

In the example, the resulting group order is 4, 1, 3.

The second factor is the policy ordering within the group, which is determined by the group’s Assigned Policies list. A policy at the top of the list has a higher priority than the same-type policies lower in the list.

In the example, the resulting policy order is D, C, F, G, J.

Folder

  1. Object folder

    1. First policy listed

    2. Second policy listed

  2. Parent folder

    1. First policy listed

    2. Second policy listed

  3. Root folder

    1. First policy listed

    2. Second policy listed

  1. Object Folder

    1. Policy I

    2. Policy H

  2. Parent Folder

    1. Policy K

  3. Root folder

    1. Policy R

    2. Policy S

The order of precedence for policies assigned to a folder corresponds to the order in the folder’s Policy Assignments list. In the example, Policy I has a higher precedence than Policy J.

The precedence of an object’s folders is determined by the folder hierarchy. The object’s folder has precedence over folders located in folders higher in the folder hierarchy.

Using the example in the above table, the order of precedence for the policies assigned to the object (device or user) is:

  1. Policy B

  2. Policy A

  3. Policy D

  4. Policy C

  5. Policy F

  6. Policy G

  7. Policy J

  8. Policy I

  9. Policy H

  10. Policy K

  11. Policy R

  12. Policy S

5.1.2 Create an Ordered List for Zone-Assigned Policies

For policies assigned to the Management Zone, the order of precedence is determined by the position of the policies in the assignment list. The precedence is from the top to the bottom of the list. For example, if Policy A and Policy B are the same type and Policy B is higher in the list, the order of precedence is Policy B, Policy A.

5.1.3 Resolve the Order of the Device-Assigned and User-Assigned Policy Lists

After the ordered lists are created for each type of assignment (device-assigned, user-assigned, and zone-assigned), the three ordered lists for a single policy type look similar to the following example:

User Assignments

Device Assignments

Zone Assignments

  1. Policy E

  2. Policy A

  3. Policy I

  1. Policy H (Device Last)

  2. Policy B (User Only)

  3. Policy R (Device Only)

  4. Policy D (User Last)

  1. Policy Q

The goal of ordering is to have one ordered list per location, so the next step is to combine the three lists. By default, the zone-assignments list is always included as the last (lowest priority) list. The order of the user-assignments list and the device-assignments list is determined by the conflict resolution rules configured on the device assignments. There are four conflict resolution rules:

  • User Last: The user-assigned policies are applied after the device-assigned policies. This means that the user-assigned policies have a higher priority than the device-assigned policies and therefore come first in the order of precedence.

  • Device Last: The device-assigned policies are applied after the user-assigned policies. This means that the device-assigned policies have a higher priority than the user-assigned policies and therefore come first in the order of precedence.

  • User Only: The user-assigned policies are applied and the device-assigned policies are ignored. However, if there are no user-assigned policies, the device-assigned policies are applied.

  • Device Only: The device-assigned policies are applied and the user-assigned policies are ignored.

When there are multiple device assignments, the conflict resolution rule on the highest-priority device assignment is used. In the table above, Policy H is the highest-priority device assignment. Therefore, the Device Last rule is used and the result is the following ordered list:

  1. Policy H (Device Assignment)

  2. Policy B (Device Assignment)

  3. Policy R (Device Assignment)

  4. Policy D (Device Assignment)

  5. Policy E (User Assignment)

  6. Policy A (User Assignment)

  7. Policy I (User Assignment)

  8. Policy Q (Zone Assignment)

5.1.4 Create Ordered Lists for Each Assigned Location

At this point in the ordering process, the ordered list includes both location-based policies and global policies. Some policies might be applied in one location, others in another location, and some might be applied globally regardless of location.

Because the Endpoint Security Agent applies only the security policies assigned to the device’s current security location, it requires separate ordered lists for each available location (as defined in the Location Assignment policy) and for the global “location.” This results in lists similar to the following:

Location 1

Location 2

Location 3

Global

1. Policy H

2. Policy D

3. Policy I

1. Policy B

2. Policy D

3. Policy A

4. Policy I

1. Policy R

2, Policy E

1. Policy Q

Some policies might apply to multiple locations, such as Policy D that is included in the ordered lists for Location 2 and Location 3.

Creating the ordered lists for each location is the last step in the ordering process. With ordering complete, inheritance can be applied.