1.5 How the Effective Policy is Determined

Because of the flexibility in assigning security policies (see How User, Device, and Zone Policy Assignments Operate), it is possible for multiple security policies of the same type to be applied to a device through different sources. For example, one Firewall policy might be assigned to a workstation device, a second Firewall policy to the device’s user, and a third Firewall policy to a device group in which the device is a member. Because of multiple assignments, the ZENworks system must determine the effective policy for the device. The Endpoint Security Agent can then enforce the one effective policy on the device.

Determination of the effective policy is based on ordering and merging rules.

1.5.1 How Policy Precedence is Ordered

Policies are applied to a device through device assignments, user assignments, and zone assignments. Through the application of ordering rules, all of the assigned policies are combined into one list in order of precedence, from most important (highest priority) to least important (lowest priority). There are several steps involved in ordering:

Create Ordered Lists for Device-Assigned and User-Assigned Policies

The order of precedence for device-assigned policies and user-assigned policies is determined by where the assignment occurs in the ZENworks management hierarchy, using the following order of precedence:

  1. Object

  2. Group

  3. Folder

A policy assigned to the object (device or user) precedes a policy assigned to the object’s group or folder. Likewise, a policy assigned to an object’s group precedes a policy assigned to the object’s folder.

The order of precedence also takes into account that each level of the hierarchy includes multiple sub-levels. For example, if a device resides in a subfolder of the Workstations root folder, it might inherit assignments from both folders. Likewise, the device might be a member of multiple groups. The following table expands the levels to show the complete order of precedence:

Level: Object

Order of Precedence:

  1. First policy listed
  2. Second policy listed
  3. Third policy listed

Example:

  1. Policy B
  2. Policy A

Details:

The order of precedence for policies assigned to an object is determined by the object’s Assigned Policies list in ZENworks Control Center. A policy at the top of the list has a higher priority than the same-type policies lower in the list.

In the example, Policy B precedes Policy A.

Level: Group

Order of Precedence:

  1. Object folder
    1. First group listed
      1. First policy
      2. Second policy
    2. Second group listed
      1. First policy
      2. Second policy
  2. Parent folder
    1. First group listed
      1. First policy
      2. Second policy
    2. Second group listed
      1. First policy
      2. Second policy
  3. Root folder
    1. First group listed
      1. First policy
      2. Second policy
    2. Second group listed
      1. First policy
      2. Second policy

Example:

  1. Object folder
    1. Group 4
      1. Policy D
      2. Policy C
    2. Group 1
      1. Policy F
  2. Parent folder
    1. Group 3
      1. Policy G
      2. Policy J

Details:

The order of precedence for policies assigned to an object’s groups depends on two factors: 1) the group locations in the folder hierarchy and 2) the policy ordering within the groups.

The first factor is the group locations:

  • For groups within the same folder, the order of precedence follows their order in the folder list, from top to bottom.

  • For groups within different folders, the order of precedence follows the folders’ order of precedence, with the object’s folder preceding any of the object’s parent folders.

In the example, the resulting group order is 4, 1, 3.

The second factor is the policy ordering within the group, which is determined by the group’s Assigned Policies list. A policy at the top of the list has a higher priority than the same-type policies lower in the list.

In the example, the resulting policy order is D, C, F, G, J.

Level: Folder

Order of Precedence:

  1. Object folder
    1. First policy listed
    2. Second policy listed
  2. Parent folder
    1. First policy listed
    2. Second policy listed
  3. Root folder
    1. First policy listed
    2. Second policy listed

Example:

  1. Object folder
    1. Policy I
    2. Policy H
  2. Parent folder
    1. Policy K
  3. Root folder
    1. Policy R
    2. Policy S

Details:

The order of precedence for policies assigned to a folder corresponds to the order in the folder’s Policy Assignments list. In the example, Policy I has a higher precedence than Policy H.

The precedence of an object’s folders is determined by the folder hierarchy. The object’s folder has precedence over folders located higher in the folder hierarchy.

Using the example in the above table, the order of precedence for the policies assigned to the object (device or user) is:

  1. Policy B

  2. Policy A

  3. Policy D

  4. Policy C

  5. Policy F

  6. Policy G

  7. Policy J

  8. Policy I

  9. Policy H

  10. Policy K

  11. Policy R

  12. Policy S

Create an Ordered List for Zone-Assigned Policies

For policies assigned to the Management Zone, the order of precedence is determined by the position of the policies in the assignment list. The precedence is from the top to the bottom of the list. For example, if Policy A and Policy B are the same type and Policy B is higher in the list, the order of precedence is Policy B, Policy A.

Resolve the Order of the Device-Assigned and User-Assigned Policy Lists

After the ordered lists are created for each type of assignment (device-assigned, user-assigned, and zone-assigned), the three ordered lists for a single policy type look similar to the following example:

User Assignments:

  1. Policy E
  2. Policy A
  3. Policy I

Device Assignments:

  1. Policy H (Device Precedence)
  2. Policy B (User Only)
  3. Policy R (Device Only)
  4. Policy D (User Precedence)

Zone Assignments:

  1. Policy Q

The goal of ordering is to have one ordered list per location, so the next step is to combine the three lists. By default, the zone-assignments list is always included as the last (lowest priority) list. The order of the user-assignments list and the device-assignments list is determined by the conflict resolution rules configured on the device assignments. There are four conflict resolution rules:

  • User Precedence: The user-associated policies override device-associated policies. This means that the user-assigned policies have a higher priority than the device-assigned policies.

  • Device Precedence: The device-associated policies override the user-associated policies. This means that the device-assigned policies have a higher priority than the user-assigned policies.

  • User Only: The user-assigned policies are applied and the device-assigned policies are ignored. However, if there are no user-assigned policies, the device-assigned policies are applied.

  • Device Only: The device-assigned policies are applied and the user-assigned policies are ignored.

When there are multiple device assignments, the conflict resolution rule on the highest-priority device assignment is used. In the table above, Policy H is the highest-priority device assignment. Therefore, the Device Precedence rule is used and the result is the following ordered list:

  1. Policy H (Device Assignment)

  2. Policy B (Device Assignment)

  3. Policy R (Device Assignment)

  4. Policy D (Device Assignment)

  5. Policy E (User Assignment)

  6. Policy A (User Assignment)

  7. Policy I (User Assignment)

  8. Policy Q (Zone Assignment)
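
The ordering rules of this section, as an added Python example (not ZENworks code): `hierarchy_order` flattens the object, group, and folder assignments, and `combine` applies the conflict resolution rule of the highest-priority device assignment. The function names and data layout are assumptions made for illustration, as is treating an empty device list like User Precedence; the sample data is the page's own example.

```python
RULES = ("User Precedence", "Device Precedence", "User Only", "Device Only")

def hierarchy_order(object_policies, folders):
    """Flatten one object's assignments: object, then groups, then folders.

    folders is nearest-first (object folder, parent, ..., root); each entry is
    {"groups": [[policy, ...], ...], "policies": [policy, ...]} in list order.
    """
    ordered = list(object_policies)
    for folder in folders:                       # groups: by folder, then position
        for group_policies in folder["groups"]:
            ordered.extend(group_policies)
    for folder in folders:                       # folder assignments come last
        ordered.extend(folder["policies"])
    return ordered

def combine(user, device, zone):
    """Merge the three lists; device is [(policy, conflict_rule), ...]."""
    users = [(p, "User") for p in user]
    devices = [(p, "Device") for p, _ in device]
    # The rule on the highest-priority device assignment governs.
    # Assumption: with no device assignments, behave like User Precedence.
    rule = device[0][1] if device else "User Precedence"
    if rule not in RULES:
        raise ValueError(f"unknown conflict resolution rule: {rule!r}")
    if rule == "Device Precedence":
        merged = devices + users
    elif rule == "Device Only":
        merged = devices
    elif rule == "User Only":
        merged = users or devices                # fall back if no user policies
    else:
        merged = users + devices
    return merged + [(p, "Zone") for p in zone]  # zone list is always last

# The page's examples, embedded as sample data.
FOLDERS = [
    {"groups": [["D", "C"], ["F"]], "policies": ["I", "H"]},   # object folder
    {"groups": [["G", "J"]], "policies": ["K"]},               # parent folder
    {"groups": [], "policies": ["R", "S"]},                    # root folder
]
DEVICE = [("H", "Device Precedence"), ("B", "User Only"),
          ("R", "Device Only"), ("D", "User Precedence")]

if __name__ == "__main__":
    print(hierarchy_order(["B", "A"], FOLDERS))
    print(combine(["E", "A", "I"], DEVICE, ["Q"]))
```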

Create Ordered Lists for Each Assigned Location

At this point in the ordering process, the ordered list includes both location-based policies and global policies. Some policies might be applied in one location, others in another location, and some might be applied globally regardless of location.

Because the Endpoint Security Agent applies only the security policies assigned to the device’s current security location, it requires separate ordered lists for each available location (as defined in the Location Assignment policy) and for the global “location.” This results in lists similar to the following:

Location 1:

  1. Policy H
  2. Policy D
  3. Policy I

Location 2:

  1. Policy B
  2. Policy D
  3. Policy A
  4. Policy I

Location 3:

  1. Policy R
  2. Policy E

Global:

  1. Policy Q

Some policies might apply to multiple locations, such as Policy D that is included in the ordered lists for Location 2 and Location 3.

Creating the ordered lists for each location is the last step in the ordering process. With ordering complete, inheritance can be applied.

1.5.2 Policy Merging Explained

All security policies, except for the Data Encryption and VPN Enforcement policies, support merging of settings from multiple policies to create the effective policy.

After ordering is complete for a policy type, ordered lists exist for each assigned location and for the “global” location. The Endpoint Security Agent then completes the following process to merge policies and generate the final effective policy for each location:

Apply Inheritance to the Location Ordered Lists

Security policies support inheritance, which is the passing of a setting from one policy to another policy of the same type. This allows settings from multiple policies to be merged into the single effective policy. Without inheritance, the effective policy would simply be the highest priority policy in the ordered list.

A policy setting is either single-valued, such as a Firewall policy’s Default Behavior field, or is multi-valued, such as a Firewall policy’s Port/Protocol Rules list. Single-valued settings can have assigned values, or they can inherit values from higher-level policies. Multi-valued settings can have their own values; in addition, they automatically inherit values from higher-level policies.

Consider the following example, where Policy A, B, and C are listed in order of precedence:

| Order | Policy | Setting 1 | Setting 2 | List 3 |
|---|---|---|---|---|
| 1 | A | Inherit | Disable | Item 1, Item 2 |
| 2 | B | Inherit | Inherit | Item 1, Item 4 |
| 3 | C | Enable | Enable | Item 3, Item 5 |
|   | Effective | Enable | Disable | Item 1, Item 2, Item 3, Item 4, Item 5 |

To determine the effective policy settings, the policies are evaluated and aggregated so that proper settings can be applied to the device. Higher priority settings take precedence over lower priority settings if there is a conflict.

For Setting 1 (a single-valued setting), Policy A inherits from Policy B, which inherits the Enable value from Policy C. Therefore, the effective value for Setting 1 is Enable.

For Setting 2 (a single-valued setting), Policy A is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.

For List 3 (a multi-valued setting), the values from all three policy lists are used. Values that are exact matches, such as Item 1, are included only one time. Therefore, the effective values for List 3 are Item 1, Item 2, Item 3, Item 4, and Item 5.

Policy setting inheritance can be blocked at any policy. When it is blocked, inheritance stops at that policy. Consider the following example:

| Order | Policy | Inheritance | Setting 1 | Setting 2 | List 3 |
|---|---|---|---|---|---|
| 1 | D | Allowed | Inherit | Disable | Item 1, Item 2 |
| 2 | E | Blocked | Enable | Disable | Item 1, Item 4 |
| 3 | F | Allowed | Inherit | Enable | Item 3, Item 5 |
|   | Effective |   | Enable | Disable | Item 1, Item 2, Item 4 |

Policy E blocks setting inheritance from any lower priority policies.

For Setting 1 (a single-valued setting), Policy D inherits from Policy E, which blocks inheritance from F. Therefore, the effective value for Setting 1 is Enable.

For Setting 2 (a single-valued setting), Policy D is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.

For List 3 (a multi-valued setting), the values from Policy D and Policy E are used. The values from Policy F are not used because Policy E blocks the inheritance of those values. Therefore, the effective values for List 3 are Item 1, Item 2, and Item 4.

Merge the Location Effective Policies with the Global Effective Policy

At this point, inheritance has been applied to all of the location ordered lists, including the global ordered list. The result is an effective policy for each location and for the global location.

When you assign policies to locations, you have the option of enabling the Merge policy with assigned global policies setting. When it is enabled, this setting causes an effective location policy to inherit any “unset” values from the effective global policy. Consider the following example:

| Setting | Location 1 Policy | Location 2 Policy | Location 3 Policy | Global Policy |
|---|---|---|---|---|
| Setting 1 | Enable | Disable | Inherit | Disable |
| Setting 2 | Inherit | Disable | Disable | Disable |
| Setting 3 | Enable | Inherit | Enable | Enable |

Any location policy setting whose value is Inherit receives the value from the global policy setting.

Setting 1 in the Location 3 policy is set to Inherit. Therefore, it receives the value (Disable) assigned to Setting 1 in the Global policy. The same is true for Setting 2 in the Location 1 policy and Setting 3 in the Location 2 policy.

Merge Location Effective Policies with Default Effective Policy

The Endpoint Security Agent has a default policy of every type. Generally, the setting values for the default policy cause no change to the device.

If, after inheritance has been applied to all of the assigned policies, a setting value in the effective policy is still set to Inherit, the default value is used. The final result is that every setting value is defined for the effective policy.
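
The merge steps of section 1.5.2, as an added Python example (not ZENworks code): `apply_inheritance` walks one ordered list and stops at a policy that blocks inheritance, and `finalize` fills any setting still set to Inherit from the global and then the default policy. The function names, the dictionary layout, and the `DEFAULT` values are assumptions made for illustration; the other sample data comes from the tables above.

```python
INHERIT = "Inherit"  # marker for an unset single-valued setting

def apply_inheritance(ordered, single, multi):
    """Merge same-type policies, highest priority first, into one policy."""
    merged = {name: INHERIT for name in single}
    merged.update({name: [] for name in multi})
    for policy in ordered:
        for name in single:
            if merged[name] == INHERIT:          # first assigned value wins
                merged[name] = policy.get(name, INHERIT)
        for name in multi:
            for item in policy.get(name, []):    # union, exact matches once
                if item not in merged[name]:
                    merged[name].append(item)
        if policy.get("blocked"):                # nothing below is inherited
            break
    return merged

def finalize(location, global_policy, default, merge_with_global=True):
    """Fill settings still set to Inherit from the global, then default, policy."""
    final = dict(location)
    layers = ([global_policy] if merge_with_global else []) + [default]
    for layer in layers:
        for name in final:
            if final[name] == INHERIT:
                final[name] = layer.get(name, INHERIT)
    return final

SINGLE, MULTI = ("Setting 1", "Setting 2"), ("List 3",)
# Policies D, E, F from the blocked-inheritance table.
D_E_F = [
    {"Setting 1": INHERIT, "Setting 2": "Disable", "List 3": ["Item 1", "Item 2"]},
    {"Setting 1": "Enable", "Setting 2": "Disable", "List 3": ["Item 1", "Item 4"],
     "blocked": True},
    {"Setting 1": INHERIT, "Setting 2": "Enable", "List 3": ["Item 3", "Item 5"]},
]
# Location 3 and Global columns from the merge table; DEFAULT is constructed.
LOCATION_3 = {"Setting 1": INHERIT, "Setting 2": "Disable", "Setting 3": "Enable"}
GLOBAL = {"Setting 1": "Disable", "Setting 2": "Disable", "Setting 3": "Enable"}
DEFAULT = {"Setting 1": "Enable", "Setting 2": "Enable", "Setting 3": "Enable"}

if __name__ == "__main__":
    print(apply_inheritance(D_E_F, SINGLE, MULTI))
    print(finalize(LOCATION_3, GLOBAL, DEFAULT))
    print(finalize(LOCATION_3, GLOBAL, DEFAULT, merge_with_global=False))
```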