Policy Agent Exclusions Not Honored When Policy Applied to Site #2269

@guilhermemilekalfatransportes

Description

Server Info (please complete the following information):
 - OS: Ubuntu 24.04.2 LTS
 - Browser: Microsoft Edge Version 138.0.3351.109 (Official build) (64-bit)
 - RMM Version (as shown in top left of web UI): v1.2.0

Installation Method:
  - [x] Standard
  - [ ] Standard with --insecure flag at install
  - [ ] Docker

Agent Info (please complete the following information):

  - Agent version (as shown in the 'Summary' tab of the agent from web UI): Agent 2.9.1
  - Agent OS: Windows 11 Pro, 64 bit v24H2 (build 26100.3476)

Describe the bug
Policy-level agent exclusions are not honored when the policy is applied directly to a Site, causing the policy's tasks/checks to execute on agents that are explicitly marked as excluded within that policy.

To Reproduce

  1. Create a new Policy (e.g., "Software - LembretePonto").
  2. In this policy, go to "Show Policy Exclusions" and add one or more specific agents (e.g., "RH-11686") to the "Excluded Agents" list.
  3. Go to "Show Relations" for this policy.
  4. In the "Sites" tab, add a Site (e.g., "01 - CDR - Caçador/SC (Matriz)") that contains the excluded agent(s).
  5. Ensure the policy is active and has assigned checks/tasks.
  6. Observe that the policy's tasks are executed on the agent(s) listed in the "Excluded Agents" list (e.g., "RH-11686" task status shows "Synced with agent"), despite being excluded.

Expected behavior
When an agent is listed in the "Excluded Agents" for a policy, that agent should not receive or execute any tasks/checks from that policy, regardless of whether the policy is applied to "All Agents", individual agents, Clients, or Sites that the agent may belong to. The exclusion should take precedence over broader inclusions.

Screenshots

(Five screenshots are attached to the original issue; they are not reproduced here.)

Additional context
Through code analysis, this behavior appears to be related to the logic in automation/models.py within the Policy model, specifically the related_agents method.

When a policy is related to a Site (via self.workstation_sites or self.server_sites), the related_agents method generates the list of target agents. The Agent.objects.filter calls within these branches (e.g., those using site_id__in or site__client__in) do not explicitly exclude agents based on excluded_agents_ids within that specific query chain. The exclude(id__in=excluded_agents_ids) logic seems primarily applied only when agents are directly associated with the policy (self.agents) or when evaluating "Default Server/Workstation Policies."

This suggests that the current implementation treats Site-level policy application as a strong inclusion that bypasses agent-specific policy exclusions. This design makes granular exclusions difficult when policies are applied broadly to organizational units (Sites/Clients).

Workaround implemented:
To achieve the desired exclusion, we had to restructure the organizational hierarchy. We created a separate Site (e.g., "01 - CDR - Caçador/SC (Matriz - Gerência)") for the agents that needed to be excluded. The policy was then removed from the original broader Site and reapplied only to the original Site (now containing only the non-manager workstations). This effectively excludes agents by explicit inclusion/exclusion of Sites, rather than relying on policy-level agent exclusions.
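A simplified Python model of the resolution logic described in this report, added here as an illustration and not code from Tactical RMM itself (the Agent and Policy classes, the fleet and the function names are assumptions). The first resolver reproduces the reported behaviour, where the site/client branch is never filtered by the excluded list; the second applies the exclusion after every inclusion branch, so the excluded agent never receives the policy no matter which relation pulled it in.

```python
from dataclasses import dataclass, field

# Simplified stand-in for the data model (assumption, not the project's ORM).
@dataclass(frozen=True)
class Agent:
    id: int
    hostname: str
    site: str
    client: str

@dataclass
class Policy:
    name: str
    agents: set = field(default_factory=set)           # agent ids related directly
    sites: set = field(default_factory=set)            # site names from "Relations"
    clients: set = field(default_factory=set)          # client names from "Relations"
    excluded_agents: set = field(default_factory=set)  # ids from "Excluded Agents"

def related_agents_as_reported(policy, fleet):
    """Models the behaviour the report describes: the exclusion filter is applied
    only on the direct-agent branch, so the site/client branch re-adds excluded agents."""
    targets = {a.id: a for a in fleet
               if a.id in policy.agents and a.id not in policy.excluded_agents}
    for a in fleet:                                    # site/client branch: no exclude()
        if a.site in policy.sites or a.client in policy.clients:
            targets[a.id] = a
    return targets

def related_agents_exclusion_last(policy, fleet):
    """Union every inclusion branch first, then apply the exclusion once at the end,
    so an excluded agent cannot survive regardless of which branch included it."""
    included = {a.id: a for a in fleet
                if a.id in policy.agents or a.site in policy.sites or a.client in policy.clients}
    return {i: a for i, a in included.items() if i not in policy.excluded_agents}

def target_hostnames(resolver, policy, fleet):
    return sorted(a.hostname for a in resolver(policy, fleet).values())

# Constructed sample data mirroring the report's scenario (not real inventory).
SITE = "01 - CDR - Caçador/SC (Matriz)"
FLEET = [
    Agent(1, "RH-11686", SITE, "CDR"),   # the agent listed under "Excluded Agents"
    Agent(2, "WS-00001", SITE, "CDR"),
    Agent(3, "WS-00002", "Other Site", "CDR"),
]
POLICY = Policy(name="Software - LembretePonto", sites={SITE}, excluded_agents={1})
if __name__ == "__main__":
    print("as reported:   ", target_hostnames(related_agents_as_reported, POLICY, FLEET))
    print("exclusion last:", target_hostnames(related_agents_exclusion_last, POLICY, FLEET))
```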
