cammurray/orca

Read only policy affects score

mrapoc opened this issue · 3 comments

mrapoc commented

The "Built-In Protection Policy" for Safe Links cannot be edited (read only) but still negatively affects the score. The setting is set by a different policy, so it should be ignored.

cammurray commented

Hey @mrapoc, just checking: are you referring to the "Do not let users click through safe links to original URL" check?

mrapoc commented

Hey @cammurray

I have a tenant which should have a perfect score, and yes, it is that check where I get -15 points. As it's a read-only policy there is no way to make it compliant. Forgive my ignorance, but if it's read only, can it be ignored as long as another policy is present with the correct option set?

Is this because of the bug showing standard preset as disabled when it is not?

Thanks!

cammurray commented

Hey @mrapoc

You can't configure the BIP policy; that's why we mark it as read only. But the settings on that policy are designed to reduce any end-user impact, so the "Do not let users click through" config is disabled on that policy, and maybe others will be in a similar situation in future changes in the product. This was done as a design choice in MDO, as we don't want to force user-impacting changes.

How ORCA represents this should be fixed to some degree in #283

The "Built-In Policies" will apply in the absence of any other policy in your environment, very similar to how a default (spam/malware) policy would apply in the absence of another policy. Our Built-In policies however are designed

In #283, what we do is consider the Built-In Policy disabled in the event that you have a "Preset Policy" applied in a "catch-all" mode, e.g. with no exceptions. By configuring the preset, you're ensuring that if no other policy in your environment applies, you at least have the strict or standard config level at a minimum. That preset policy would apply before the BIP policy applies (based on policy priority precedence). The preset policy with no exceptions basically makes the BIP redundant.
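The precedence rule described for #283, modelled as an added example (this is not ORCA's own code; the policy names, priorities and the 15-point penalty are assumptions):

```python
from dataclasses import dataclass

# Constructed model of the Safe Links precedence logic described in this thread:
# a catch-all preset policy with no exceptions sits above the Built-In
# Protection (BIP) policy, so BIP can never apply and its read-only
# "allow click through" setting should not cost points.
PENALTY_PER_POLICY = 15  # assumed points lost per applicable policy that allows click-through


@dataclass(frozen=True)
class SafeLinksPolicy:
    name: str
    priority: int              # lower number is evaluated first
    allow_click_through: bool  # True = users may click through to the original URL
    catch_all: bool = False    # scoped to every recipient in the tenant
    exceptions: tuple = ()     # recipients or domains excluded from the policy

    def is_unconditional(self):
        """A policy nothing can slip past: covers everyone, with no exceptions."""
        return self.catch_all and not self.exceptions


def shadowed_policies(policies):
    """Names of policies that can never apply because a higher-priority policy
    already catches every recipient unconditionally (BIP sits last, so it is
    the usual victim)."""
    shadowed = set()
    blocked = False
    for pol in sorted(policies, key=lambda p: p.priority):
        if blocked:
            shadowed.add(pol.name)
        elif pol.is_unconditional():
            blocked = True  # everything evaluated after this point is redundant
    return shadowed


def click_through_score(policies):
    """Score the 'do not let users click through' check: penalise each policy
    that both allows click-through and can actually apply to someone."""
    shadowed = shadowed_policies(policies)
    findings = [p.name for p in policies
                if p.allow_click_through and p.name not in shadowed]
    return -PENALTY_PER_POLICY * len(findings), findings


# Constructed sample policies (names, priorities and the exception address are assumptions)
BIP = SafeLinksPolicy("Built-In Protection", priority=99, allow_click_through=True, catch_all=True)
STANDARD_CATCH_ALL = SafeLinksPolicy("Standard Preset", priority=1, allow_click_through=False, catch_all=True)
STANDARD_WITH_EXCEPTION = SafeLinksPolicy("Standard Preset", priority=1, allow_click_through=False,
                                          catch_all=True, exceptions=("finance@contoso.example",))

if __name__ == "__main__":
    print(click_through_score([BIP]))                           # (-15, ['Built-In Protection'])
    print(click_through_score([STANDARD_CATCH_ALL, BIP]))       # (0, [])
    print(click_through_score([STANDARD_WITH_EXCEPTION, BIP]))  # (-15, ['Built-In Protection'])
```

The third case shows why "catch-all with no exceptions" matters: a preset that excludes even one recipient leaves BIP reachable, so its setting still counts.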