549 votesnExoR LU supported this idea ·nExoR LU commented
agree - policies should be evalueted in the order - just as firewall polices. currently creating any exception is extremely hard and could be addressed with a single 'catch all' policy. in my environment i need to create couple policies for each group/type and they are unsustainable as any change require a full redesign, just because policies are not ordered but summed up.
this is IMHO the biggest pain in CA architecture.