Identity Precedence Within the Same Policy

Please note, this article refers to final matching identities within a single policy only. For multiple policies and determining which policy applied, see our policy precedence article. 

The following article refers to which identity will be the primary matching Identity and affects statistics and reports only. Regardless of where along the flow chart the identity finishes, the same policy will be applied. At this time, the Activity Search and Security Overview only list the primary match identity; however, this is currently planned to show all matching identities in the future. 

In cases where a user belongs to multiple Identities on the same policy, for example a Roaming Client and Network Identity, an Identity Precedence order takes place. 

For Umbrella configurations without a Virtual Appliance setup, the Identity Precedence order is as follows (topmost is first priority):

• Mobile Devices*
• Networks
• Roaming Clients

* Mobile Devices connect via a VPN and will always be the first match.  Mobile Devices are also not available for most customers as an identity type. 

Therefore, if the Roaming Client and Network are on the same policy, and the Roaming Client is behind the Network,  the Network policy will apply instead of the Roaming Client policy. The Reports will show activity based on the Network, not the individual Roaming Client.

For Umbrella configurations with a Virtual Appliance, identities will apply in the following order:

• AD User
• AD Computer
• Internal Network (Site)
• Default Site (Traffic on VA with no other Identity)
• Networks**
• Roaming Clients**

** Network and Roaming Client identities can only appear when a VA is present on the network if their DNS is not configured to point to the VA. Generally, all computers should be configured to point to the VA, and seeing network identities may indicate an incomplete configuration.

A full Identity Precedence chart is provided below starting from the top and moving down: