In our environment, we use policy assignment rules to apply certain policies to say Tags. As an example, I have a policy assignment rule called Virus Scan 8.8i Patch 9 Test. As shown below, this rule is tied to a Tag called Patch9Test and a policy that pulls a patch from the evaluation branch. So when I want to test a new VSE Patch, then all I have to do is apply that Tag to select systems. These systems would then pull is the assigned policy. I use policy assignment rules a lot. We have ones that deactivate encryption, test scan engines, enable ENS Firewall etc.
Is it okay to define, PA is the Policy that will be permanently assigned to Groups, and PAR is like add-on method to assigned test or temporary Policy, since PAR is much more easy to be used with Tags and Tags computer sometimes doesn't really sits in a group if u have multiple sites in your Organization.
Policy assignment : You create your custom policies and apply to containers in system tree. Now, IF a system is moved out of a particular container where you have that policy applied, depending on the parent container, it may get lost and it will revert to default policies. If you have a tight grip on movement on system tree movement, this is fine.
Policy assignment rules : To overcome the issue I just described above, you can create custom "Tags", associate your desired policies with these tags and finally apply that tag to systems. This way, even if the systems are moved around in the system tree, they will retain policies as long as they have the tags.
If you have well organized system tree, folder/container based policy assignment is fine. If you want to make sure certain systems get certain policies, you can add PAR in addition. So you can use both.
Very nice explanation Sir, thanks for this
Now i understand the difference for this two methods