PortalGuard uses the concept of policy-based settings to enforce rules for users. You can have multiple sets of rules defined within PortalGuard. Each set of rules is referred to as a policy. You can then assign users to a policy on an individual basis or to a group or domain hierarchy. If a policy is not applied to anyone, then its rules will never be enforced.
Policies can be enabled or disabled. Only policies which are both enabled and have users assigned to them are enforced. (NOTE: the default policy does not need to have users assigned). A disabled policy will not be enforced regardless of the number of people to which it is applied. Disabling policies is a simple way to eliminate complexity when debugging a problem.
If a user is not assigned to at least one policy, then the rules of the default policy will automatically apply to them. The default policy has the lowest priority and is never applied to a user if some other policy is applied to them.
With policies capable of being applied to groups and domain hierarchies, it is a common occurrence for a user to have multiple policies applied to them. At run time, however, only a single policy will be enforced for the user. This disparity is resolved by searching for applicable policies in the following manner:
1. Policies applied directly to a user
2. Policies applied to a group
3. Policies applied to a domain or OU
4. The default policy
The policy search always occurs in this order. If one or more policies are found in step 1, then searching stops. Otherwise, the search continues to step 2. If one or more policies are found in step 2, then searching stops, and so on.
If any one step produces multiple policies that match, then policy precedence is used to determine the applicable policy. Precedence is simply a ranking automatically applied to a policy once it has been created. Precedence 1 is the highest-ranking policy and will thus override any other policies. Precedence 2 is the second highest, and so on.
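The search order and precedence rule described above can be modelled in a few lines to audit which policy a given user actually receives. This is an added example, not PortalGuard code: the `Policy` and `User` classes, their field names and the sample data are hypothetical, and it assumes disabled policies are skipped during the search.

```python
from dataclasses import dataclass, field

# Hypothetical data model; field names are assumptions, not PortalGuard's schema.
@dataclass
class Policy:
    name: str
    precedence: int                                  # 1 = highest ranking
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    containers: set = field(default_factory=set)     # domains or OUs

@dataclass
class User:
    name: str
    groups: set
    containers: set                                  # domain/OUs the user sits under

def effective_policy(user, policies, default):
    """Return (policy, step), where step names the search step that matched."""
    # Assumption: a disabled policy never matches, so the search moves on.
    live = [p for p in policies if p.enabled]
    steps = [
        ("user", lambda p: user.name in p.users),
        ("group", lambda p: bool(p.groups & user.groups)),
        ("domain/OU", lambda p: bool(p.containers & user.containers)),
    ]
    for label, matches in steps:
        found = [p for p in live if matches(p)]
        if found:
            # Several matches within one step: lowest precedence number wins.
            return min(found, key=lambda p: p.precedence), label
    return default, "default"

# Constructed sample data for illustration only.
HQ = "OU=HQ,DC=example,DC=com"
DEFAULT = Policy("Default", precedence=99)
POLICIES = [
    Policy("Admins-MFA", 1, groups={"Domain Admins"}),
    Policy("Contractors", 2, groups={"Contractors"}),
    Policy("HQ-OU", 3, containers={HQ}),
    Policy("Alice-Exception", 4, users={"alice"}),
    Policy("Legacy", 5, enabled=False, users={"bob"}),
]

if __name__ == "__main__":
    alice = User("alice", {"Domain Admins"}, {HQ})
    policy, step = effective_policy(alice, POLICIES, DEFAULT)
    print(f"{alice.name}: {policy.name} (matched at step: {step})")
```

For the sample user `alice`, the directly assigned precedence-4 policy is returned even though she is in a group covered by the precedence-1 policy, because precedence only breaks ties within a single search step.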