(SA) Support Tip: Precedence Rules for Patch Policy Exceptions and Server Group Nesting.
A patch policy exception lets you specify that a given patch will either "always" or "never" be installed on a server or on a group of servers. The absolute terms "always" and "never" suggest that these exceptions apply globally regardless of context, but they do not: precedence rules decide the outcome, and those rules depend on whether the patch policy exception or patch policy is attached at the server level, the server group level, or both.
These precedence rules are documented in the section titled "Precedence Rules for Applying Policies" of the "SA User Guide: Server Patching" document:
- Patch policy exceptions that are directly attached to a server always take precedence over patch policies that are directly attached to a server.
- Patch policies that are directly attached to a server take precedence over patch policies and patch policy exceptions that are attached to a public device group.
- Patch policy exceptions that are attached to a public device group take precedence over patch policies that are attached to a public device group.
- If a server is in multiple public device groups, a Never Installed patch policy exception always takes precedence over an Always Installed patch policy exception for the same package.
Another potential point of ambiguity is group nesting. When a patch policy or patch policy exception is attached to a server group, only the servers that are direct members of that group inherit the attachment. The attachment does not flow down to servers that are members of a nested server group (a group that is itself a member of the group carrying the attachment). In other words, server groups can be nested for organizational purposes, but attachments are inherited only by the servers that are direct members of the group to which the policy or exception is attached.
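The precedence rules and the nesting behaviour above are easier to reason about as a small resolver. The following is an added example written for this tip; it is not SA code and does not use the SA API. The class names, the patch identifiers (KB1..KB6), the servers and groups are all constructed for illustration. One assumption beyond the quoted rules: a server with both an Always and a Never exception attached directly for the same patch is not covered by the documentation, so the model simply takes the first one it finds.

```python
# Constructed model of the precedence rules above. This is NOT the SA API or
# its data model; every name and identifier here is an assumption for illustration.
from dataclasses import dataclass, field

ALWAYS, NEVER = "always", "never"


@dataclass
class PatchPolicy:
    name: str
    patches: frozenset          # patch identifiers the policy installs


@dataclass
class PatchException:
    patch: str
    kind: str                   # ALWAYS or NEVER


@dataclass
class DeviceGroup:
    name: str
    servers: set = field(default_factory=set)      # direct server members only
    subgroups: set = field(default_factory=set)    # nested groups: organizational, not inherited
    policies: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)


@dataclass
class Server:
    name: str
    policies: list = field(default_factory=list)   # policies attached directly to the server
    exceptions: list = field(default_factory=list) # exceptions attached directly to the server


def direct_groups(server, groups):
    """Groups whose attachments the server inherits: direct membership only.
    Membership in a subgroup of G does not make the server a member of G."""
    return [g for g in groups if server.name in g.servers]


def resolve(server, patch, groups):
    """Decide one patch on one server using the documented precedence order:
    server exception > server policy > group exception (Never beats Always)
    > group policy. Returns (decision, reason)."""
    # An exception attached directly to the server wins outright.
    # Assumption: at most one direct exception per patch; the first match is used.
    for exc in server.exceptions:
        if exc.patch == patch:
            return ("install" if exc.kind == ALWAYS else "skip",
                    f"server exception ({exc.kind})")
    # A policy attached directly to the server beats anything attached to a
    # group, including a group-level Never Installed exception.
    for pol in server.policies:
        if patch in pol.patches:
            return ("install", f"server policy {pol.name}")
    # Exceptions on public device groups the server directly belongs to beat
    # group policies; when several groups disagree, Never Installed wins.
    kinds = {exc.kind for g in direct_groups(server, groups)
             for exc in g.exceptions if exc.patch == patch}
    if NEVER in kinds:
        return ("skip", "group exception (never)")
    if ALWAYS in kinds:
        return ("install", "group exception (always)")
    # Group policies apply only when nothing above matched.
    for g in direct_groups(server, groups):
        for pol in g.policies:
            if patch in pol.patches:
                return ("install", f"group policy {pol.name} via {g.name}")
    return ("not in scope", "no policy or exception applies")


def example():
    """Constructed scenario exercising each rule plus nesting non-inheritance."""
    web01 = Server("web01",
                   policies=[PatchPolicy("Hotfix", frozenset({"KB6"}))],
                   exceptions=[PatchException("KB1", NEVER)])
    web02 = Server("web02")
    prod_web = DeviceGroup("prod-web", servers={"web01", "web02"},
                           policies=[PatchPolicy("WebBaseline", frozenset({"KB1", "KB2", "KB3"}))],
                           exceptions=[PatchException("KB4", ALWAYS)])
    compliance = DeviceGroup("compliance", servers={"web01"},
                             exceptions=[PatchException("KB4", NEVER),
                                         PatchException("KB6", NEVER)])
    # prod-all contains prod-web as a nested group and has no direct servers,
    # so its policy reaches neither web01 nor web02.
    prod_all = DeviceGroup("prod-all", subgroups={"prod-web"},
                           policies=[PatchPolicy("AllBaseline", frozenset({"KB5"}))])
    groups = [prod_web, compliance, prod_all]
    return {(s.name, kb): resolve(s, kb, groups)[0]
            for s in (web01, web02)
            for kb in ("KB1", "KB2", "KB4", "KB5", "KB6")}


if __name__ == "__main__":
    for key, decision in sorted(example().items()):
        print(key, decision)
```

Running it shows the cases that trip people up: web01 skips KB1 even though its group policy installs it (server exception beats group policy); web01 installs KB6 despite a Never exception on the compliance group (server policy beats group exception); web01 skips KB4 while web02 installs it, because web01 sits in a second group whose Never exception outranks the Always exception; and KB5 is out of scope for both servers because the prod-all policy is attached to the parent group, not to prod-web.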
You can view the patch policies attached to a server by visiting the "Patch Policies" item of the "Management Policies" navigation area in the server dialog window. The icon of the patch policy indicates whether the policy is attached directly to the server or inherited from a server group of which the server is currently a member.
You can view the patch policy exceptions attached to a server by visiting the "Patches" item of the "Inventory" navigation area in the server dialog window and selecting Show "Patches with Exceptions" from the drop-down menu. The icon of the patch policy exception indicates whether the exception is attached directly to the server or inherited from a server group of which the server is currently a member. (See the section titled "Finding an Existing Patch Policy Exception" of the "Server Patching" user guide.)