Policy Hierarchy and Overrides

Policy sets are applied to users and resources from top to bottom when viewing the Policy Sets on the Policy page. If the same policy has different settings in different policy sets, the setting in the first policy set — the top-most — is applied.

You can apply multiple policy sets to the same role or the same resource set. For example, you might create a policy to define basic policies for Everything (all users and resources) and then create more policy sets for a subset of those users or resources. If you want one policy setting to be enforced over another one, drag that policy set up in the list.

If more than one system administrator is updating the same policy or re-prioritizing the policy sets, the changes made first (by clicking the Save button or dragging the policy set) will be saved. The administrator who’s changes were not saved must refresh the policy and make the changes again.

Configuring policy settings for resources are available in various locations in the Admin Portal: Settings > Resources > Security Settings , Access > Policies > Resources, and Resources > Policies.

In most cases, you can override global settings (configured in the Access or Settings page) for individual resource in the specific Policy page for the resource (Resources > Policies). The global settings only apply where you have not explicitly configured a setting for an individual resource. Delinea PAS prioritizes the policy settings using the following order:

1. Account overrides configured in Resources > Accounts > Policies

2. Account policy settings configured in Access > Policies > Resources > Accounts

3. Resource overrides configured in the Resources > Systems > Policies

4. Resource policy setting configured in Access > Policies > Resources > Systems

5. Resource Global policies configured in Settings > Resources > Security Settings

6. System default value.

   If the account is a domain or database account, all references to “system” are “domain.”