Priority of SIA policies

​SIA​ policy lets you define how you want to handle known or suspected threats, the settings for access control, and more. In Enterprise Center, you can assign a policy to the following ​SIA​ features:

  • Locations and sub-locations
  • ​ETP Client​ or Zero Trust Client
  • Groups within a directory
  • Off-Network traffic for the client

If you allow traffic from unknown locations, the default policy is automatically assigned to unknown locations. You can modify this policy to contain the settings that your organization requires.

As you assign policies to these feature areas, it is possible there may be a conflict between policies. For example, this can occur if administrators created policies where a different action was used for the same traffic or the policies have access control settings for a specific category or application that are not the same.

In this situation, the policy that’s applied is based on this priority:

  1. Policy assigned to directory group
  2. Sub-location policy
  3. Policy for ​ETP Client​ or Zero Trust Client
  4. Location policy
  5. Policy for off-network clients
  6. Default policy for unknown locations

The policies that are not associated with a location or a device (for example, the policy for directory groups) are prioritized over policies that are associated with a location or with the client.