Highlighted
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor
151 views

(SA) Support Tip: Precedence Rules for Patch Policy Exceptions and Server Group Nesting.

A patch policy exception allows one to specify that a given patch will either "always" or "never" be installed on either a server or a group of servers. The absolute nature of the terms "always" and "never" can lead one to think that these exceptions apply globally regardless of context. It turns out that there are precedence rules that depend upon whether the patch policy exception or patch policy are attached at the server and/or server group levels.

These precedence rules are documented in the section titled "Precedence Rules for Applying Policies" of the "SA User Guide: Server Patching" document:

  • Patch policy exceptions that are directly attached to a server always take precedence over patch policies that are directly attached to a server.
  • Patch policies that are directly attached to a server take precedence over patch policies and patch policy exceptions that are attached to a public device group.
  • Patch policy exceptions that are attached to a public device group take precedence over patch policies that are attached to a public device group.
  • If a server is in multiple public device groups, a Never Installed patch policy exception type always take precedence over an Always Installed patch policy exception type for the same package.

Another potential point of ambiguity is that when a patch policy or patch policy exception are attached to a server group, only the servers that are direct members of that specific group will inherit the attachment. The attachment does not follow to servers that are members of a server group that is itself a member of the server group to which the policy or exception are attached. In other words, even though you can nest server groups for organizational purposes, the attachments are only inherited by those servers directly attached to the server group.

You can view the patch policies attached to a server by visiting the "Patch Policies" item of the "Management Policies" navigation area in the server dialog window. The icon of the patch policy indicates whether the policy is attached directly to the server or inherited from a server group of which the server is currently a member.

You can view the patch policy exceptions attached to a server by visiting "Patches" item of the "Inventory" navigation area in the server dialog window and selecting Show "Patches with Exceptions" from the drop down menu. The icon of the patch policy exception indicates whether the exception is directly attached to the server or inherited from a server group of which the server is currently a member. (See section titled "Finding an Existing Patch Policy Exception" of the "Server Patching" user guide.)

Labels (1)
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.