Order of Precedence for Policies
A policy takes effect when DNS traffic arrives at WebTitan for filtering. As such, only one policy can take effect at a time for a given DNS request.
While policies can be applied to users, groups, locations and devices, the policy that is selected for a single DNS request is done following an order of precedence, using a principle of the policy closest to the user wins.
The following is the order of precedence WebTitan uses to select a policy, starting at 1 and going to 4:
Order | Policy | Description |
---|---|---|
1 | User | NoteFor a user policy to take effect, that user must be identified through WebTitan AD integration or using WebTitan OTG. When traffic arrives at WebTitan from an identified user that has a policy explicitly assigned to them, that user will always be filtered using that policy -- even if there is a policy assigned to a group the user is a member of, or the location from which the user's traffic arrives has a policy assigned. If a user does not have a policy assigned to them, the policy on their AD group is the next in order of precedence. |
2 | Group | NoteFor group policies to take effect, WebTitan AD integration must be in place. If a user is a member of an active directory group, the policy from their AD group applies if that user does not have a policy explicitly assigned to them. A user can be a member of more than one active directory group. In this case, Group Ranking is used to determine which group's policy is applied. See Group Ranking. |
3 | Location Policy | If there is no user or group policy explicitly assigned, the policy that takes effect for a DNS request is the policy applied to the location that the user's traffic is coming through. |
4 | Customer Default Policy | If no user, group, or location policy is assigned, the customer default policy always applies. This policy can be viewed and updated from Settings > (Global) Default Policy. |