66481: DeviceLock DLP: How to use the logic of applying different access permissions

Applies to: 

Last update: Tue, 2020-11-17 13:14

Description

This article describes the logic of applying different access permissions and their combinations.

How it works

1. Restrictive rules override the allowing ones;
2. Any user account not explicitly listed in an access control list (ACL) gets blocked by default.

ACL 1
Users:Read-only
Administrators:Full control
Everyone:No access
---
Wrong, unless you actually want to block access for everyone: an 'Everyone:No access' entry does not mean 'everyone except the accounts from the list'. It means 'everyone, including those listed'.

ACL 2
Users:Read-only
Administrators:Full control
---
Right: all accounts are blocked except those that belong to the 'Users' and 'Administrators' groups.

*In some cases you may need to add a 'SYSTEM:Full control' entry for hardware or software to function properly.
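
The two rules above, applied to ACL 1 and ACL 2, as an added example that is not DeviceLock code. It assumes a simplified model in which each permission level is a set of allowed and denied rights; the right names, the account names and the helper functions are constructed for illustration.

```python
# Added illustration: a simplified model, not DeviceLock's implementation.
ALL_RIGHTS = frozenset({"read", "write"})  # constructed right names

# Permission levels named in the article, modelled as (allowed, denied) sets.
LEVELS = {
    "Full control": (ALL_RIGHTS, frozenset()),
    "Read-only": (frozenset({"read"}), frozenset()),
    "No access": (frozenset(), ALL_RIGHTS),
}

def effective_rights(acl, groups):
    """Return the rights an account holds, given its group memberships.

    acl is a list of (principal, level) entries; 'Everyone' matches any account.
    """
    allowed, denied = set(), set()
    for principal, level in acl:
        if principal == "Everyone" or principal in groups:
            allow, deny = LEVELS[level]
            allowed |= allow
            denied |= deny
    # Rule 2: no matching entry leaves `allowed` empty (blocked by default).
    # Rule 1: a restrictive entry removes rights that other entries allow.
    return frozenset(allowed - denied)

def shadowed_entries(acl):
    """List the allow entries that an 'Everyone:No access' entry nullifies."""
    if ("Everyone", "No access") not in acl:
        return []
    return [(p, lvl) for p, lvl in acl if LEVELS[lvl][0]]

ACL_1 = [("Users", "Read-only"), ("Administrators", "Full control"),
         ("Everyone", "No access")]
ACL_2 = [("Users", "Read-only"), ("Administrators", "Full control")]

if __name__ == "__main__":
    # Constructed accounts: group memberships are assumptions for the demo.
    accounts = {"alice": {"Users"}, "bob": {"Administrators"}, "guest": set()}
    for name, acl in (("ACL 1", ACL_1), ("ACL 2", ACL_2)):
        for account, groups in accounts.items():
            rights = sorted(effective_rights(acl, groups)) or "blocked"
            print(name, account, rights)
        print(name, "shadowed entries:", shadowed_entries(acl))
```

Running shadowed_entries over an exported ACL is a quick way to spot the ACL 1 mistake before the policy is deployed.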