How do policies work

Question

Hello 
 Still trialing Sophos - but I have a basic question about policies. 
 As I understand it Sophos ships with base policies that are un-assignable to users and group and consequently have made these the most restrictive. I also now that I can create new policies (or clone the base policies) that I can assign to users/computers and that these 'override' the base policy: my question is around the word override. 
 So, hypothetically (as an example only), if my Base Peripheral control policy allows everything except Portable storage (which is blocked) and I create a new policy for IT that allows Portable storage, would I have to allow everything else in the IT Peripheral policy to ensure only IT can use Portable storage as well as the other types? I think what I'm trying to ask is are policies merged, or would they stop processing lower policies if the found a match in a higher policy? 
 Thanks 
 Tony

Shweta · Accepted Answer

Hi KarnIXEval 
 For the policies, the order in which you arrange determines which is applied to a specific user and devices. Sophos Central looks through the policies from the top down and applies the first policy it finds that applies to those users or devices and hence topmost assigned policy will be applied. It does not merge the policies. You may refer to this document . Also, there is an excellent example explained by QC in this post . Let us know if you have further concerns.