Note: DeviceLock can check access to devices at two levels: the interface (port) level and the device type level. Some devices are checked at both levels, while others only at one level - either interface (port) or device type. For example, a USB flash drive belongs to both levels: interface (USB port) and device type (Removable). Content-Aware Rules work only when access checking occurs at the device type level (Removable, Floppy, etc.). DeviceLock does not perform the access check for USB devices at the device type level if the following conditions are true: •The device is not added to the USB Devices White List, Access control for USB storage devices is enabled in Security Settings, and the user has no access by user, group, or built-in context membership in the ACL for USB port. - OR - •The device is added to the USB Devices White List and the Control As Type check box is not selected for the white list device assignment. |
Access rights | Description |
Generic: Read | Controls whether the user can read files with specified content from a device. Applies to Optical Drive, Floppy and Removable devices. |
Generic: Write | Controls whether the user can write files with specified content to a device. Applies to Floppy and Removable devices. |
Generic: Read, Write | Controls whether the user can read and write files with specified content from and to a device. Applies to Floppy and Removable devices. |
Generic: Print | Controls whether the user can print documents with specified content. Applies only to the Printer device type. |
Generic: Mapped Drives Read | Controls whether the user can read data with specified content from a mapped drive during a terminal session. Applies only to TS Devices. |
Generic: Mapped Drives Write | Controls whether the user can write data with specified content to a mapped drive during a terminal session. Applies only to TS Devices. |
Generic: Clipboard Incoming Text | Controls whether the user can paste text data with specified content from the clipboard to a terminal session/virtual machine. Applies only to TS Devices. |
Generic: Clipboard Incoming File | Controls whether the user can paste files with specified content from the clipboard to a terminal session/virtual machine. Applies only to TS Devices. |
Generic: Clipboard Incoming Image | Controls whether the user can paste images with specified content from the clipboard to a terminal session/virtual machine. Applies only to TS Devices. |
Generic: Clipboard Incoming Unidentified Content | Controls whether the user can paste any other uncategorized data with specified content from the clipboard to a terminal session/virtual machine. Applies only to TS Devices. |
Generic: Clipboard Outgoing Text | Controls whether the user can paste text data with specified content from the clipboard from a terminal session/virtual machine. Applies only to TS Devices. |
Generic: Clipboard Outgoing File | Controls whether the user can paste files with specified content from the clipboard from a terminal session/virtual machine. Applies only to TS Devices. |
Generic: Clipboard Outgoing Image | Controls whether the user can paste images with specified content from the clipboard from a terminal session/virtual machine. Applies only to TS Devices. |
Generic: Clipboard Outgoing Unidentified Content | Controls whether the user can paste any other uncategorized data with specified content from the clipboard from a terminal session/virtual machine. Applies only to TS Devices. |
Encrypted: Read | Controls whether the user can read files with specified content from a DeviceLock-verified encrypted device. Applies only to Removable devices. |
Encrypted: Write | Controls whether the user can write files with specified content to a DeviceLock-verified encrypted device. Applies only to Removable devices. |
Encrypted: Read, Write | Controls whether the user can read and write files with specified content from and to a DeviceLock-verified encrypted device. Applies only to Removable devices. |
Special Permissions: Copy Text | Controls whether the user can paste text data with specified content from the clipboard. Applies only to the Clipboard device type. |
Special Permissions: Copy Unidentified Content | Controls whether the user can paste any other uncategorized data with specified content from the clipboard. Applies only to the Clipboard device type. |
Special Permissions: Copy File | Controls whether the user can paste files with specified content from the clipboard. Applies only to the Clipboard device type. |
Special Permissions: Copy Image | Controls whether the user can paste images with specified content from the clipboard. Applies only to the Clipboard device type. |
Special Permissions: Screenshot | Controls whether the user can paste screenshots with specified content from the clipboard. Applies only to the Clipboard device type. |
Note: Generic access rights specified for Removable devices apply only to unencrypted devices. Encrypted access rights specified for Removable devices apply only to encrypted devices. To specify access rights for both encrypted and unencrypted Removable devices, both Generic and Encrypted access rights must be specified. For a list of devices that DeviceLock Service recognizes as encrypted, see
Encryption. |
Full Access device type-level | No Access device type-level | Allow Read Deny Write device type-level | |
Allow Read file-level | Allows read access to all content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read access to all but specified content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. | Allows read access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. |
Deny Read file-level | Denies read access to specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read access to specified content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. |
Allow Write file-level | Allows write access to all content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. |
Deny Write file-level | Denies write access to specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. |
Allow Read Allow Write file level | Allows read and write access to all content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read and write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Allows read access to all content. Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. |
Deny Read Deny Write file-level | Denies read and write access to specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read access to specified content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. |
Allow Read Deny Write file-level | Allows read access to all content. Denies write access to specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read access to all but specified content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. | Allows read access to all content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. |
Deny Read Allow Write file-level | Denies read access to specified content. Allows write access to all content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read access to all content. Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read access to specified content. Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. |
Shadowing: Allow / Deny file-level | Allows read and write access to all content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. | Allows read access to all content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. |
Detection: Allow Read / Allow Write file-level | Allows read and write access to all content. Allows creation, deletion, and renaming of empty folders and zero byte (0) files. | Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. | Allows read access to all content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero byte (0) files. |
Note: If the No Access permission condition is set for a device type and there is a Content-Aware Rule that allows write access to certain content, or content detection for the same device type for specified users/groups, the Traverse Folder permission is granted to these users/groups for this device type. The Traverse Folder permission allows the user to move through folders and see files and folders located in subdirectories even if the user has no Read permission for the traversed folders. |