Understanding Policy Scopes

Understanding Policy Scopes

The GRS Global Policies are assigned to a Policy Scope Object. The scope defines the recipient endpoints that will inherit the policies.

The Goverlan Reach Server includes the root scope object: All Users & Devices, which defines your entire network. To fine tune Global Policy distribution, you must create a hierarchy of policy scopes.

Here are some examples of hierarchies that can be configured:

For instance, you can design a policy scope hierarchy by hardware type:

Or choose a geographical mapping:

Or for IT Service Providers, by active clients:

It is best to first configure the default set of policies at the root level, then build a sub-hierarchy of scopes to answer exceptions.

Creating a Policy Sub-Scope

To create a Policy Sub-Scope object, place the mouse cursor over the parent scope object, and click on the Add Filter button, specify a relevant name for the scope and press [ENTER]:

  • To rename a Policy Scope Object, simply double-click on its name.
  • To delete a Policy Scope Object, click twice on the cross on the left of the name.

Policy Scope Object Filters

Once a Policy Scope Object is created, configure the endpoint selection criteria to be associated with it. To do so, place the mouse cursor over it and click on the […] button on its right:

A Policy filter definition is a set of AND/OR statements based on one or more of the following machine attributes:

Local Active Directory OU Any machine with an AD account that belongs to the specified Active Directory OU (local network only)
Local Active Directory Group Any machine with an AD account that belongs to the specified Active Directory Group (local network only)
Goverlan REACH Site Any Reach node endpoint registered under the specified Reach Site name
IP Range Any machine with an IP address that belongs to the specified IP range
OS Type Any machine with an Operating System with the specified attributes
Individual Objects Any machine that belongs to the list of specified individual machine sets

Use the Policy Filter Definition window to configure the filters of the selected Policy Scope Object. Filters can have one or more conditions that are grouped with AND / OR operators.

http://assets.goverlan.com/userguide_img/images/policy%20definition%20screen%20copy.png

Policy Scope Objects that have a filter configured will display the […] indicator.

NOTE:

Filter definitions are not required on a Policy Scope Object. However, if no filter definition is configured, all machines resulting from the parent scope will inherit the policies. Such filter-less Policy Scope Objects can be used to categorize the policies themselves.

How are Policies Assigned to Endpoints?

When an endpoint queries the Goverlan Reach Server policies, the endpoint’s information is passed through the entire policy scope hierarchy tree. If the endpoint’s characteristics match the Policy Scope’s filter, only then does it inherit the policies.

Let’s consider the following configuration:

Following the configured policy assignments, all machines get the All Users & Devices policies, however, if the machine belongs to the Legal Department, it inherits from that node’s policies, as well as the Servers node’s policy if it is a server, etc. In other words, a machine node will receive all policies throughout the hierarchy that applies to it.

Order of Precedence

Policies configured on lower scope objects take precedence over policies configured higher up. Consequently, if the same policy is configured multiple times within a branch, then the policy of the lowest nodes is applied to the recipient.

Precedence can also be used to un-enforce a policy for a subset of machines within a branch. Simply apply a DO NOT ENFORCE policy configuration on a sub-scope object.

Was this article helpful?

Related Articles