Access Control
When Content-Aware Rules apply to access control operations, they control read, write and delete operations for the specified content. No separate rules can be configured for delete operations: delete and write operations are controlled together by the Write access right.
By using Content-Aware Rules for devices, one can do the following:
Grant read/write access to specified file content when access is denied at the device type-level.
Deny read/write access to specified file content when access is granted at the device type-level.
 
Note: DeviceLock can check access to devices at two levels: the interface (port) level and the device type level. Some devices are checked at both levels, others at only one level, either interface (port) or device type. For example, a USB flash drive belongs to both levels: interface (USB port) and device type (Removable). Content-Aware Rules work only when access checking occurs at the device type level (Removable, Floppy, etc.). DeviceLock does not perform the access check for USB devices at the device type level, so Content-Aware Rules do not apply to them, when either of the following conditions is true:
The device is not added to the USB Devices White List, Access control for USB storage devices is enabled in Security Settings, and the user has no access by user, group, or built-in context membership in the ACL for the USB port.
- OR -
The device is added to the USB Devices White List and the Control As Type check box is not selected for the white list device assignment.
The following list summarizes the access rights that can be specified in Content-Aware Rules, with a description of each.

Generic: Read
  Controls whether the user can read files with specified content from a device. Applies to Optical Drive, Floppy and Removable devices.
Generic: Write
  Controls whether the user can write files with specified content to a device. Applies to Floppy and Removable devices.
Generic: Read, Write
  Controls whether the user can read and write files with specified content from and to a device. Applies to Floppy and Removable devices.
Generic: Print
  Controls whether the user can print documents with specified content. Applies only to the Printer device type.
Generic: Mapped Drives Read
  Controls whether the user can read data with specified content from a mapped drive during a terminal session. Applies only to TS Devices.
Generic: Mapped Drives Write
  Controls whether the user can write data with specified content to a mapped drive during a terminal session. Applies only to TS Devices.
Generic: Clipboard Incoming Text
  Controls whether the user can paste text data with specified content from the clipboard into a terminal session/virtual machine. Applies only to TS Devices.
Generic: Clipboard Incoming File
  Controls whether the user can paste files with specified content from the clipboard into a terminal session/virtual machine. Applies only to TS Devices.
Generic: Clipboard Incoming Image
  Controls whether the user can paste images with specified content from the clipboard into a terminal session/virtual machine. Applies only to TS Devices.
Generic: Clipboard Incoming Unidentified Content
  Controls whether the user can paste any other uncategorized data with specified content from the clipboard into a terminal session/virtual machine. Applies only to TS Devices.
Generic: Clipboard Outgoing Text
  Controls whether the user can paste text data with specified content from the clipboard out of a terminal session/virtual machine. Applies only to TS Devices.
Generic: Clipboard Outgoing File
  Controls whether the user can paste files with specified content from the clipboard out of a terminal session/virtual machine. Applies only to TS Devices.
Generic: Clipboard Outgoing Image
  Controls whether the user can paste images with specified content from the clipboard out of a terminal session/virtual machine. Applies only to TS Devices.
Generic: Clipboard Outgoing Unidentified Content
  Controls whether the user can paste any other uncategorized data with specified content from the clipboard out of a terminal session/virtual machine. Applies only to TS Devices.
Encrypted: Read
  Controls whether the user can read files with specified content from a DeviceLock-verified encrypted device. Applies only to Removable devices.
Encrypted: Write
  Controls whether the user can write files with specified content to a DeviceLock-verified encrypted device. Applies only to Removable devices.
Encrypted: Read, Write
  Controls whether the user can read and write files with specified content from and to a DeviceLock-verified encrypted device. Applies only to Removable devices.
Special Permissions: Copy Text
  Controls whether the user can paste text data with specified content from the clipboard. Applies only to the Clipboard device type.
Special Permissions: Copy Unidentified Content
  Controls whether the user can paste any other uncategorized data with specified content from the clipboard. Applies only to the Clipboard device type.
Special Permissions: Copy File
  Controls whether the user can paste files with specified content from the clipboard. Applies only to the Clipboard device type.
Special Permissions: Copy Image
  Controls whether the user can paste images with specified content from the clipboard. Applies only to the Clipboard device type.
Special Permissions: Screenshot
  Controls whether the user can paste screenshots with specified content from the clipboard. Applies only to the Clipboard device type.
 
Note: Generic access rights specified for Removable devices apply only to unencrypted devices. Encrypted access rights specified for Removable devices apply only to encrypted devices. To specify access rights for both encrypted and unencrypted Removable devices, both Generic and Encrypted access rights must be specified. For a list of devices that DeviceLock Service recognizes as encrypted, see Encryption.
The following table shows how device type-level permissions and file-level permissions combine to produce the user's effective permission state. Device type-level permissions are permissions set for a device type; file-level permissions are permissions defined by Content-Aware Rules. Each entry below is one file-level rule, followed by the resulting state under each of the three device type-level permissions: Full Access, No Access, and Allow Read / Deny Write.

Allow Read (file-level)
  Full Access: Allows read access to all content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read access to all but specified content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Allows read access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.

Deny Read (file-level)
  Full Access: Denies read access to specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Denies read access to specified content. Denies creation, deletion, and renaming of empty folders and zero-byte files.

Allow Write (file-level)
  Full Access: Allows write access to all content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.

Deny Write (file-level)
  Full Access: Denies write access to specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.

Allow Read, Allow Write (file-level)
  Full Access: Allows read and write access to all content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read and write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Allows read access to all content. Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.

Deny Read, Deny Write (file-level)
  Full Access: Denies read and write access to specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Denies read access to specified content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.

Allow Read, Deny Write (file-level)
  Full Access: Allows read access to all content. Denies write access to specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read access to all but specified content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Allows read access to all content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.

Deny Read, Allow Write (file-level)
  Full Access: Denies read access to specified content. Allows write access to all content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read access to all content. Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Denies read access to specified content. Denies write access to all but specified content. Allows creation, deletion, and renaming of empty folders and zero-byte files.

Shadowing: Allow / Deny (file-level)
  Full Access: Allows read and write access to all content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Allows read access to all content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.

Detection: Allow Read / Allow Write (file-level)
  Full Access: Allows read and write access to all content. Allows creation, deletion, and renaming of empty folders and zero-byte files.
  No Access: Denies read and write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
  Allow Read / Deny Write: Allows read access to all content. Denies write access to all content. Denies creation, deletion, and renaming of empty folders and zero-byte files.
 
Note: If the No Access permission condition is set for a device type and there is a Content-Aware Rule that allows write access to certain content, or content detection for the same device type for specified users/groups, the Traverse Folder permission is granted to these users/groups for this device type. The Traverse Folder permission allows the user to move through folders and see files and folders located in subdirectories even if the user has no Read permission for the traversed folders.
When using Content-Aware Rules, consider the following:
Content-Aware Rules with Deny settings take priority over rules with Allow settings if they apply to the same users or groups (or any of the same group member users) over the same device type.
Exception: Content-Aware Rules with Allow settings based on a Document Properties group with the Text extraction not supported option selected will take priority over rules with Deny settings and will allow transfer of any matching content, including split (or multi-volume) archives.
Exception: An Allow Content-Aware Rule based on a Document Properties group with the Password protected option selected takes priority over Deny rules (if any) and allows transfer of any matching content. A Complex Allow Content-Aware Rule Boolean will take priority only if there is a Document Properties group with the Password protected option selected among a set of logically connected content groups that the file matched.
Exception: An Allow Content-Aware Rule based on a Digital Fingerprints group with the Exact file match option selected takes priority over Deny rules (if any) and allows transfer of any matching content. A Complex Allow Content-Aware Rule Boolean will take priority only if there is a Digital Fingerprints group with the Exact file match option selected among a set of logically connected content groups that the file matched.
Content-Aware Rules with Allow settings will allow transfer of the whole data object (message or file, including archives and other containers) when the content matches these rules and when the content does not match a Content-Aware Rule with Deny settings.
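The precedence rules listed above, together with the two-level USB check from the note at the top of this page, modelled as an added example. This is illustration code, not DeviceLock's own implementation: the class and function names, the treatment of a complex (Boolean) rule as a plain AND of its content groups, and the sample groups and rules are assumptions made for this example.

```python
"""Model of Content-Aware Rule precedence for device read/write/delete access.

Added illustration, not DeviceLock code: names, the AND-only treatment of complex
(Boolean) rules and the sample policy below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class ContentGroup:
    """A content group referenced by a rule; only the options that affect precedence are modelled."""
    name: str
    kind: str                                    # "document_properties", "digital_fingerprints", "keywords", ...
    text_extraction_not_supported: bool = False  # Document Properties option
    password_protected: bool = False             # Document Properties option
    exact_file_match: bool = False               # Digital Fingerprints option

    def overrides_deny(self) -> bool:
        """True for the three documented exceptions where an Allow rule beats Deny rules."""
        if self.kind == "document_properties":
            return self.text_extraction_not_supported or self.password_protected
        if self.kind == "digital_fingerprints":
            return self.exact_file_match
        return False


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # ALLOW or DENY
    operations: FrozenSet[str]         # subset of {"read", "write"}; there is no separate delete right
    groups: Tuple[ContentGroup, ...]   # complex rule simplified to AND: the file must match every group

    def matches(self, matched_group_names: FrozenSet[str]) -> bool:
        return all(g.name in matched_group_names for g in self.groups)


def normalize_operation(operation: str) -> str:
    """Delete and write are controlled together by the Write access right."""
    return "write" if operation in ("write", "delete") else operation


def decide(device_level: str, rules: Iterable[Rule], matched_group_names: Iterable[str], operation: str) -> str:
    """Effective decision for one file: Deny beats Allow unless an override group matched;
    when no rule matches the content, the device type-level permission stands."""
    op = normalize_operation(operation)
    matched = frozenset(matched_group_names)
    hits = [r for r in rules if op in r.operations and r.matches(matched)]
    allows = [r for r in hits if r.action == ALLOW]
    denies = [r for r in hits if r.action == DENY]
    if denies:
        if any(g.overrides_deny() for r in allows for g in r.groups):
            return ALLOW
        return DENY
    if allows:
        return ALLOW
    return device_level


def usb_type_level_check(whitelisted: bool, control_as_type: bool,
                         usb_storage_control_enabled: bool, user_has_usb_port_access: bool) -> bool:
    """Whether a USB storage device reaches the device type-level check, the only level at
    which Content-Aware Rules apply (the two skip conditions from the note on this page)."""
    if not whitelisted:
        # Skipped when port-level control of USB storage is on and the USB port ACL gives no access.
        return not (usb_storage_control_enabled and not user_has_usb_port_access)
    # A white-listed device is checked as a type only when Control As Type is selected.
    return control_as_type


# Constructed sample policy (assumed group and rule names).
PII = ContentGroup("PII", "keywords")
PASSWORD_PROTECTED = ContentGroup("PasswordProtected", "document_properties", password_protected=True)
APPROVED_TEMPLATE = ContentGroup("ApprovedTemplate", "digital_fingerprints", exact_file_match=True)
RULES = (
    Rule("block PII", DENY, frozenset({"read", "write"}), (PII,)),
    Rule("allow password-protected docs", ALLOW, frozenset({"write"}), (PASSWORD_PROTECTED,)),
    Rule("allow approved template", ALLOW, frozenset({"read", "write"}), (APPROVED_TEMPLATE,)),
)

if __name__ == "__main__":
    for device_level, groups, op in [(ALLOW, {"PII"}, "delete"),
                                     (DENY, {"ApprovedTemplate"}, "read"),
                                     (DENY, {"PII", "PasswordProtected"}, "write")]:
        print(f"device={device_level:5} matched={sorted(groups)} op={op:6} -> "
              f"{decide(device_level, RULES, groups, op)}")
```

The third sample case is the one worth checking when auditing a policy: a file that matches a Deny group (PII) is still written because it also matches a Password protected Document Properties group, which is exactly the exception described above. A Deny rule on such content only holds if no Allow rule with one of the three override groups can match the same file.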
To prevent the deletion of the original file, enable the Safe file overwrite parameter in Service Options. This covers three cases: users try to overwrite an existing file with a new file to which they are denied write access; users try to modify a file to which they are denied write access; users open a file, insert content to which they are denied write access, and then try to save the changes.
Unsafe removal of a device can result in the corruption of the device's file system and data.
When users try to copy files to which they are denied write access, these files appear to be temporarily visible in Windows Explorer or other file manager applications. In actuality, these files do not exist on the target device: they are located in the memory cache and are removed from it immediately after DeviceLock finishes checking their content.
Checking the content of files can be a time-consuming operation. While it is in progress, the device cannot be safely removed, even if the copied files are already visible in Windows Explorer or other file manager applications; the user receives an error message indicating that the device is currently busy. Newly copied files cannot be opened for reading until DeviceLock finishes checking their content. The DeviceLock administrator can define a content verification message to be displayed to users while content inspection is in progress. For detailed information on this message, see the Content verification message parameter description in Service Options.
When users try to read or write files to which they are denied read or write access, they will be displayed a content-aware blocked read or write message if the respective message is enabled in Service Options. For detailed information on these messages, see description of the Content-Aware blocked read message and Content-Aware blocked write message parameters in Service Options.