Assign/change OpenSCAP policy for a host confusion

On Foreman/Katello 3.3/4.5 and been testing OpenSCAP scanning for some test hosts.
As far as I can understand, there is no way to assign a OpenSCAP policy to an individual host, only to host groups and a host can only be part of one host group. So I created 3 policies and linked them with 3 hosts groups. Each host group had the same parent.

I now added the host to group 1, performed a scan, changed host group again to group 2 and performed a new scan and then again changed it to group 3 and performed a scan.
To my surprise, when I moved the host from group 1 to 2, the scap policy from group 1 was not removed. So after I changed it to group 3, I ended up with a host with 3 scap policies. Also shown when I click dashboard on each policy that the same host is in each policy. When I perform a scan, it scans the same host 3 times with different policies generating 3 reports!

Is this really they way it should work?
How do I even add/remove a policy to/from a host without using host groups?

Has it got to do with the usage of the parent1 group? I have not added the parent1 host group to any of the policies so assumed the parrent1 group should never give a policy to a host.
I am so confused :slight_smile:

There is a way to assign the policy directly to the hosts, but it’s well hidden (as a bulk action) because it’s not encouraged. I was under the impression that the policy should always get updated to what’s currently assigned to the host group. Are the host groups sub-host groups of each other by any chance?