Policy Override Behavior

How Overrides Work

When a user encounters a blocking action with an override option, they’re temporarily granted permission for that specific file and policy combination. This behavior is tracked using a unique internal identifier based on the combination of:

  • The dataset the file matched
  • The policy that enforced the block

This combination creates a unique override ID.


Why This Matters

If a file matches multiple datasets that are part of the same blocking policy, each dataset-policy pair generates a unique override ID.
The same applies when a file matches a single dataset but triggers multiple policies.

When a user performs the override, it only applies to one of those combinations — not all of them.

As a result, if the same file matches a different dataset the next time it is evaluated, the existing override may not be recognized, and the block will reappear.


Example Scenario: Multiple Datasets + One Policy

  • A document matches Dataset A, Dataset B, and Dataset C.
  • All three datasets are used in the same policy that blocks uploads.
  • The first time the user is blocked, the system evaluates Dataset A and creates an override ID for A + Policy.
  • The second time, the document is evaluated against Dataset B, and a new override ID is generated.
  • Since the override was only for A + Policy, the block appears again — even though it’s the same file.

Example Scenario: One Dataset + Multiple Policies

  • A document matches Dataset X, which is referenced in both Policy 1 (e.g., blocks uploads to webmail) and Policy 2 (e.g., blocks uploads to cloud drives).
  • The user attempts to upload the file, and both policies are triggered simultaneously.
  • Due to prompt throttling, only one block prompt is shown.
  • The user self-unblocks, and an override is generated for the first evaluated combination: Dataset X + Policy 1.
  • The system also evaluates the second combination — Dataset X + Policy 2 — and generates a separate override ID for it.

Even though it’s a single file and a single user action, the system records two blocks because each dataset-policy pair is tracked independently.

This approach ensures fine-grained control and separate auditability for every policy involved, even if triggered by the same event.


Recommendations

  • Consolidate similar datasets: If datasets represent overlapping content, consider merging them to reduce ambiguity.
  • Test with single-dataset matches: Try replicating the behavior with a file that only matches one dataset to verify that overrides function as designed.
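
The two scenarios above, modelled as an added example (not Cyberhaven's code or log format): the event tuples are constructed, and the assumption is that an override is remembered per file and dataset-policy pair, as this page describes. It flags blocks that an earlier override on the same file did not cover and groups datasets under one policy as candidates for the consolidation recommended above.

```python
from collections import defaultdict

# Constructed events in evaluation order: (file, dataset, policy, action).
# Hypothetical record format, not a vendor export schema.
EVENTS = [
    ("plan.docx", "A", "BlockUploads", "block"),
    ("plan.docx", "A", "BlockUploads", "override"),
    ("plan.docx", "B", "BlockUploads", "block"),
    ("q3.xlsx", "X", "Policy1", "block"),
    ("q3.xlsx", "X", "Policy1", "override"),
    ("q3.xlsx", "X", "Policy2", "block"),
]

def uncovered_blocks(events):
    """Blocks on a file that already has an override for a different pair."""
    overrides = defaultdict(set)  # file -> {(dataset, policy)} overridden so far
    findings = []
    for file, dataset, policy, action in events:
        pair = (dataset, policy)
        if action == "override":
            overrides[file].add(pair)
        elif action == "block" and overrides[file] and pair not in overrides[file]:
            findings.append({"file": file, "blocked": pair,
                             "overridden": sorted(overrides[file])})
    return findings

def classify(finding):
    """Name the scenario: same policy/new dataset, or same dataset/new policy."""
    dataset, policy = finding["blocked"]
    same_policy = any(p == policy for _, p in finding["overridden"])
    same_dataset = any(d == dataset for d, _ in finding["overridden"])
    if same_policy and not same_dataset:
        return "multiple-datasets-one-policy"
    if same_dataset and not same_policy:
        return "one-dataset-multiple-policies"
    return "mixed"

def consolidation_candidates(findings):
    """Datasets that produced repeat blocks under one policy (merge candidates)."""
    groups = defaultdict(set)
    for f in findings:
        if classify(f) == "multiple-datasets-one-policy":
            dataset, policy = f["blocked"]
            groups[policy].add(dataset)
            groups[policy].update(d for d, p in f["overridden"] if p == policy)
    return {policy: sorted(ds) for policy, ds in groups.items()}

if __name__ == "__main__":
    found = uncovered_blocks(EVENTS)
    for f in found:
        print(f["file"], f["blocked"], classify(f))
    print(consolidation_candidates(found))
```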

Still Need Help?

If you continue to see inconsistent override behavior, feel free to contact Cyberhaven Support.