Before you start to manage policies for your directory objects, you should have an understanding of policy types and how they work together to determine the actual resolved policy values for a directory object.
There are three policy types.
The Policy type is the actual granting policy that defines the object’s entitlement to services.
The Default Policy type is a policy that neither grants nor denies access. However, if access has been granted to a directory object, then the values in the Default Policy are used as a default template for the policy assigned to the object.
The Override Policy type is a policy that neither grants nor denies access. However, if access has been granted to a directory object, then the values in the Override Policy will override any equivalent attributes in the actual granting policy.
For a given application, more than one default may be encountered when resolving policy. In this case the defaults are ranked lowest to highest priority based on the pri
attribute with the lower numeric value having a higher priority. The same applies to Override Policy.
The actual resulting policy that is returned to the Configuration Server will be the logical set union performed as an ordered overlay. In other words, same named attributes are replaced. This will be performed as follows: