About Zero Trust Policy Precedence
Applies To: WatchGuard Cloud
Precedence is how Zero Trust determines which policy to use when multiple policies could apply to a user authentication. When two policies conflict, the order of your policies determines precedence. To determine whether a user can access a resource and how they authenticate, Zero Trust uses the highest policy in the list that matches these parameters:
- The resource the user authenticates to.
- The groups the user is a member of.
- The location of the user (for geofence).
- The time of the authentication (for time schedules).
- The user's IP address (for network locations).
Policies with network locations only apply to user authentications that originate from that network location. If the authentication request does not contain the origin IP address, the policy does not apply.
In the example below, if a user is a member of both the Support group and the Sales group, the policies for their groups conflict.
- The Support policy requires a password and an OTP to log in to Salesforce.
- The General policy requires a password and a push to log in to Salesforce.
In this example, when a user who is a member of both the Support group and the Sales group logs in to Salesforce, the Support policy applies because it is the highest policy in the list that matches the conditions of the authentication.
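The first-match rule described above, including the caveat that a network-location policy never applies when the request carries no origin IP address, as an added Python model. This is not WatchGuard's own code; the policy names, groups, CIDR range and time schedule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of first-match policy precedence (not WatchGuard's own code).
@dataclass
class Policy:
    name: str
    resource: str
    groups: set                      # user must belong to at least one of these
    methods: tuple                   # authentication methods the policy requires
    networks: tuple = ()             # network locations as CIDRs; empty = any origin
    hours: Optional[tuple] = None    # time schedule (start_hour, end_hour); None = any time

@dataclass
class AuthRequest:
    resource: str
    groups: set
    when: datetime
    source_ip: Optional[str] = None  # None when the request carries no origin IP

def policy_matches(p: Policy, req: AuthRequest) -> bool:
    if p.resource != req.resource or not (p.groups & req.groups):
        return False
    if p.hours is not None and not (p.hours[0] <= req.when.hour < p.hours[1]):
        return False
    if p.networks:
        if req.source_ip is None:    # no origin IP: a network-location policy never applies
            return False
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(n) for n in p.networks):
            return False
    return True

def select_policy(policies, req: AuthRequest) -> Optional[Policy]:
    """Return the highest matching policy; list order is precedence order."""
    return next((p for p in policies if policy_matches(p, req)), None)

# Constructed list, top entry first: the page's Salesforce example plus a hypothetical "Office" network policy.
POLICIES = [
    Policy("Office", "Salesforce", {"Support", "Sales"}, ("password",), ("10.0.0.0/8",), (8, 18)),
    Policy("Support", "Salesforce", {"Support"}, ("password", "otp")),
    Policy("General", "Salesforce", {"Support", "Sales"}, ("password", "push")),
]

def decide(groups, hour=10, source_ip=None):
    # Name of the policy governing a Salesforce login, or None if nothing matches.
    req = AuthRequest("Salesforce", set(groups), datetime(2024, 1, 1, hour), source_ip)
    chosen = select_policy(POLICIES, req)
    return chosen.name if chosen else None
```

Reordering POLICIES changes the outcome for users who match more than one entry, which is exactly what the Order column controls.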
Set Policy Precedence
When two policies conflict, the order of your policies determines precedence.
To change the order of policies in the list, you can:
- Drag a policy to move it.
- Type a number in the Order column.
You are prompted to confirm your changes when you reorder your policies.