An asset can belong to multiple Asset Groups, but it can only be assigned to one policy, which is known as its effective policy. Ranking policies in order of precedence allows for fine-tuned control over automatic policy assignments.
Ranks determine which policy should be enforced for an asset that is a member of multiple Asset Groups. By giving a high ranking to the policies that are assigned to your most critical assets, you can ensure that important assets, such as domain controllers, are protected by the appropriate policy.
Policy Ranking and Asset Groups
Policy ranking best practices work the best when you have developed a pyramid-like Asset Groups structure such as that shown in Best Practices for Using Asset Groups.
After you create the pyramid, create policies that map appropriately to the pyramid levels.
The lowest-ranking policies represent your organization’s baseline level of prevention. These policies will apply to most of your fleet, so they should be assigned to the groups in the pyramid’s lowest levels.
The highest-ranking policies represent very specific prevention settings. These policies protect critical assets in the top levels of the pyramid. By ranking these highly, those critical assets will always have the right effective policy — even if they belong to multiple groups to which policies are assigned.
The policies assigned to the groups in the middle of the pyramid are ranked according to how group membership is defined. If group membership is mutually exclusive — meaning assets are only members of one group — then the ranking does not need to be exact. If assetsare members of multiple groups, use the pyramid to decide which rank would work best to make sure that specific assets receive the correct policy assignment.
For example, consider that a CTO laptop is a member of two groups: “Developers” and “C-Suite”.” If the CTO laptop needs Policy C as its effective policy, then Policy C should be ranked higher than Policy D.
Piloting or Troubleshooting Policy Changes
You can create groups to troubleshoot asset behavior or to test new policy changes.
Start by creating an asset group for testing purposes and manually adding a handful of assets to it. This action will not affect their other Asset Group memberships. Then, duplicate the policy you want to change, rank it higher than the original policy, and assign it to the new asset group.
You can now make changes to the copied policy and see how the assets react.
After you have finalized the policy changes, copy the settings back to the original policy and manually remove every asset from the test group. Their original policy assignment will take effect, which now includes the validated changes. You can then delete the duplicated policy.