About User-Based Policy Assignments - McAfee EPOCDE-AA-BA - ePolicy Orchestrator - PC Product Manual

Product guide

How multi-slot policies work with policy assignment rule priority
Priority of rules is not considered for multi-slot policies. When a single rule containing multi-slot
policies of the same product category is applied, all settings of the multi-slot policies are combined.
Similarly, if multiple rules containing multi-slot policy settings are applied, all settings from each
multi-slot policy are combined. As a result, the applied policy is a combination of the settings of each
individual rule.
When multi-slot policies are aggregated, they are aggregated only with multi-slot policies of the same
type: user-based or system-based. However, multi-slot policies assigned using policy assignment rules
are not aggregated with multi-slot policies assigned in the System Tree. Multi-slot policies assigned
using policy assignment rules override policies assigned in the System Tree. Furthermore, user-based
policies take priority over system-based policies. Consider the following scenario where:
Policy type       Assignment type
Generic policy    Policy assigned in the System Tree
System-based      Policy assignment rule
User-based        Policy assignment rule
Scenario: Using multi-slot policies to control Internet access
In your System Tree, there is a group named "Engineering" which consists of systems tagged with
either "IsServer" or "IsLaptop." In the System Tree, policy A is assigned to all systems in this group.
Assigning policy B to any location in the System Tree above the Engineering group using a policy
assignment rule overrides the settings of policy A, and allows systems tagged with "IsLaptop" to
access the internet. Assigning policy C to any group in the System Tree above the Engineering group
allows users in the Admin user group to access the internet from all systems, including those in the
Engineering group tagged with "IsServer."
Excluding Active Directory objects from aggregated policies.
Because rules that consist of multi-slot policies are applied to assigned systems without regard to
priority, you might need to prevent policy setting aggregation in some instances. You can prevent
aggregation of user-based multi-slot policy settings across multiple policy assignment rules by
excluding a user (or other Active Directory objects such as a group or organizational unit) when
creating the rule. For more information on the multi-slot policies that can be used in policy assignment
rules, refer to the product documentation for the managed product you are using.
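
The precedence described above, worked through for the Engineering scenario as an added example (a simplified model written for this page, not McAfee code or an ePolicy Orchestrator API). It assumes that "override" and "take priority" mean the higher tier replaces the lower one; the setting strings, user names, and the third rule are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """A policy assignment rule carrying one multi-slot policy (simplified model)."""
    kind: str                                # "user" or "system"
    settings: frozenset                      # settings the policy contributes
    tags: frozenset = frozenset()            # system-based: tags the rule selects
    groups: frozenset = frozenset()          # user-based: user groups the rule selects
    excluded_users: frozenset = frozenset()  # users excluded when the rule was created

    def matches(self, system_tags, user, user_groups):
        if self.kind == "system":
            return bool(self.tags & system_tags)
        return user not in self.excluded_users and bool(self.groups & user_groups)

def effective_settings(tree_policy, rules, system_tags, user, user_groups):
    """Return (source, settings) in force when `user` logs on to a system."""
    hits = [r for r in rules if r.matches(system_tags, user, user_groups)]
    for kind in ("user", "system"):  # user-based takes priority over system-based
        combined = [r.settings for r in hits if r.kind == kind]
        if combined:  # rule priority is ignored: matching settings are combined
            return kind, frozenset().union(*combined)
    return "tree", tree_policy  # no rule matched: the System Tree assignment applies

# Constructed data mirroring the Engineering scenario.
POLICY_A = frozenset({"internet:deny"})  # assigned in the System Tree
RULES = [
    Rule("system", frozenset({"internet:allow"}), tags=frozenset({"IsLaptop"})),  # policy B
    Rule("user", frozenset({"internet:allow"}), groups=frozenset({"Admin"})),     # policy C
    # Hypothetical second user-based rule (not in the guide) that excludes carol.
    Rule("user", frozenset({"downloads:allow"}), groups=frozenset({"Admin"}),
         excluded_users=frozenset({"carol"})),
]

def resolve(tag, user, group):
    return effective_settings(POLICY_A, RULES, frozenset({tag}), user, frozenset({group}))

if __name__ == "__main__":
    for case in [("IsServer", "bob", "Staff"), ("IsLaptop", "bob", "Staff"),
                 ("IsServer", "alice", "Admin"), ("IsServer", "carol", "Admin")]:
        source, settings = resolve(*case)
        print(case, "->", source, sorted(settings))
```

In this model the two Admin users end up with different effective settings on the same server, which is the effect of the exclusion: carol receives only policy C, while alice receives the combination of both user-based rules.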

About user-based policy assignments

User-based policy assignment rules give you the ability to create user-specific policy assignments.
These assignments are enforced at the target system when a user logs on.
Using policies to manage products and systems
How policy assignment rules work
Policy name    Policy settings
A              Prevents internet access from all systems to which the policy is assigned.
B              Allows internet access from systems with the tag "IsLaptop."
C              Allows unrestricted internet access to all users in the Admin user group from all systems.
McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide
