Using Hierarchical Policy Sets

You can apply multiple policy sets to the same role. For example, you might create a global policy set to define basic policies for all users and then create more policy sets for a subset of those users.

Privileged Access Service reads the policy sets from bottom to top on the Policy page when it installs the policies in a device. If the same policy has different settings in different policy sets, the setting in the last policy set — the top-most — is applied.

For users in multiple roles or collection parameters, the Privileged Access Service first determines which policy sets apply to the user and then reads those policy sets from bottom to top to apply the policies. The hierarchical order of the roles has no effect upon the order in which the policy sets are read.

If you want one policy setting to be enforced over another one, drag that policy set up in the list.

If more than one system administrator is updating the same policy or re-prioritizing the policy sets, the changes made first (by clicking the Save button or dragging the policy set) will be saved. The administrator who’s changes were not saved must refresh the policy and make the changes again.