How are policies evaluated and prioritized

Protect your data, control app behavior and the use of websites via policies. Learn about policy management, including how policies are prioritized, evaluated, and applied.

Introduction

In the Policies section, you will find lists of policies for the protection of data, controlling the use of applications, and controlling web visits. You can also set up auditing policies for recording data-related operations.

You can see the priority of each policy, whether it is Enabled or Disabled, what action it will take when matched, and to which specific users, devices, or teams it applies. You can click a policy to display its details.

 

How policies work in Safetica

✍️The order of policies in the policy lists is important as they are prioritized and evaluated from the top.

The final restriction for a file operation is based on the following rules:

  • Policies are evaluated from the top of the list.
  • First match always applies. 
  • Each policy has several sections that are evaluated separately (e.g. data classification, destination type, user initiating the operation).
  • A policy is applied, when ALL its sections are matched (AND relationship between sections). The policy action is then performed (i.e. the operation is allowed, logged, blocked, or the user is notified). If the sections are not matched, the evaluation continues with lower-priority policies until a matching policy is found.
  • If no matching policy is found, no action is taken.
  • Disabled policies are skipped during evaluation.

✍️A new policy is always placed to the top of the policy list. You can then prioritize it by drag-and-dropping it to its correct position.

✍️The prioritization of policies allows you to create exceptions for selected users/teams – just place the “exception policy” above more general policies applied to the whole company.

 

Example 1: Policy evaluation in practice

When a policy is found with a first-match rule for upload, the action assigned to that rule will be performed, and upload will not be evaluated any further. Evaluation will continue, however, for other operations (e.g. for email). These will be evaluated by policies placed lower in the list until a first match is found. 

 

Example 2: Policy evaluation in practice

An admin has 3 policies. A user from the Graphics team uploads a file. A policy that does not contain the Graphics team is skipped. Another policy contains the Graphics team, but does not contain Web upload, so it is skipped. The third policy is a general one for the whole company, so it is applied.

✍️This logic is used in all the policy tabs.

 

Read next:

Data classification in Safetica

Policies: How to create them

Auditing policies: what are they

Data policies: how they work