Policy Stacking & Merge Rules

Overview

Stairwell policies are flexible and additive. When multiple policies apply to a single asset, they are "stacked" to create a final, effective configuration. This page details exactly how conflicts are resolved and how the final settings are calculated.

How Stacking Works

Environment Level: Policies are applied at the environment level.
Order of Operations: The Default Policy is applied first. Any Supplemental Policies are then added on top of the default.
Pairwise Merging: Policies are merged pairwise. The order in which supplemental policies are merged does not change the final result.

Conflict Resolution Rules

When settings differ between stacked policies, the following rules determine which setting wins.

General Settings

Setting	Rule	Result
Extensions	Union	All extensions specified in every policy are combined.
Exclusions	Union	All "Do not upload" and "Do not scan" exclusions are merged.

Forwarder Performance & Limits

Setting	Rule	Result
Sightings Rate Limits	Strictest	Set to the lowest value defined in any policy.
CPU Limit	Strictest	Set to the smallest percentage limit.
Network Limit	Strictest	Set to the smallest bandwidth limit.
Process Priority	Strictest	Set to the lowest priority option.

Scan & Driver Behavior

Setting	Rule	Result
Scan Mode	Restrictive	Realtime scan is only enabled if all policies enable it. If any policy sets backscan only, backscan only is used.
Backscan Schedule	Earliest	If backscan only is active, the schedule uses the earliest defined start time.
Sleep Mode	Infectious	If any policy enables Start New Installations in Sleep Mode, it will be enabled.
Kernel Driver	Disable Preference	If any policy disables the Windows Kernel Driver, the driver is disabled.

Example Scenario

If your Default Policy sets a CPU limit of 50% and a Supplemental Policy sets a CPU limit of 25%, the forwarder will use 25% because the logic enforces the strictest (smallest) limit.