Access Control Rule Types

Linux Access Control Rule Type

Linux allows only one type of Access Control Rule, and it controls local user access to both the files and the blocks on the associated disks. Because the default is to deny access to the disk, the Linux policy rule is effectively a "whitelist" of the users who can access the files and data blocks on the encrypted disk.

Entrust supports only local Linux users. You cannot add domain-qualified user names to the access control rule.

Windows Access Control Rule Types

For Windows, there are three types of Access Control Rules that you can create:

  • Filesystem-Level Access Rules control which local VM users, local VM groups, Active Directory (AD) users, and AD groups can access the files on the encrypted disk. This is the standard type of disk access and a majority of users will be covered by these rules. You can have one filesystem-level rule per disk.
  • Folder-Level Access Rules control which local VM users, local VM groups, Active Directory (AD) users, and AD groups can access the files and subfolders in a specific folder on the encrypted disk. As soon as you apply one or more folder-level access rules to a disk, the folders protected by those rules can only be seen by those users who have been granted specific permission to view those folders. You can have as many folder-level rules per disk as you need.
  • Block-Level Access Rules control which local VM users, local VM groups, AD users, and AD groups can access the individual blocks on the encrypted disk. We highly recommend that you create a block-level access rule in every Windows Access Control Policy that you create and that you keep its permissions list up to date, because block-level access can be used by hackers to bypass filesystem-level restrictions. Only those programs that legitimately require block-level access (such as backup utilities) should be included on the permissions list. You can have one block-level access rule per disk.

Each rule you include in an Access Control Policy functions independently with its own permissions list. Adding a filesystem-level or folder-level access rule does not turn on block-level restrictions, and adding a block-level rule does not turn on filesystem-level or folder-level restrictions. In addition, users with filesystem-level access to the disk will not be able to see the folders protected by a folder-level access rule unless they are included in both the filesystem-level rule and in the folder-level access rule.

Note: We recommend that you include only AD users and groups in the permissions list for all three rule types. If you specify an invalid local user account, or if a local user account on the permissions list is deleted after the Access Control Policy has been applied, the next time the Policy Agent validates the permissions list the entire Access Control Policy will fail validation and the Policy Agent will disable all access controls on the disk. For more information, see Windows Access Control Rule Recommendations and Considerations.
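To make the rule interaction described above and the validation failure in the note concrete, the following is an added illustration in Python; it is a toy model written for this page, not Entrust's code. It assumes that a rule absent from a policy imposes no restriction at its level, that a folder protected by a folder-level rule is visible only to principals on both the filesystem-level and the folder-level rule, that block access is decided by the block-level rule alone, and that domain-qualified entries take the form `DOMAIN\name` (a naming convention assumed here) while anything else is treated as a local account.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Policy:
    """Toy model of a Windows Access Control Policy for one disk (not Entrust's code)."""
    filesystem: Optional[Set[str]] = None                       # at most one rule per disk
    folders: Dict[str, Set[str]] = field(default_factory=dict)  # folder path -> principals
    block: Optional[Set[str]] = None                            # at most one rule per disk

def _permitted(rule, user, groups):
    return user in rule or any(g in rule for g in groups)

def _in_folder(path, folder):
    folder = folder.rstrip("\\")
    return path == folder or path.startswith(folder + "\\")

def can_access_file(policy, path, user, groups=()):
    """Filesystem-level rule (if present) AND every folder-level rule covering the path."""
    if policy.filesystem is not None and not _permitted(policy.filesystem, user, groups):
        return False
    return all(_permitted(rule, user, groups)
               for folder, rule in policy.folders.items() if _in_folder(path, folder))

def can_access_blocks(policy, user, groups=()):
    """Block-level access is decided by the block-level rule alone; file rules do not apply."""
    return policy.block is None or _permitted(policy.block, user, groups)

def invalid_local_entries(policy, local_accounts):
    """Entries that are neither domain-qualified (assumed 'DOMAIN\\name' form) nor an
    existing local account. One such entry fails validation of the whole policy."""
    rules = [policy.filesystem, policy.block, *policy.folders.values()]
    entries = set().union(*(r for r in rules if r))
    return {e for e in entries if "\\" not in e and e not in local_accounts}

def controls_enforced(policy, local_accounts):
    """False models the Policy Agent disabling all controls after a failed validation."""
    return not invalid_local_entries(policy, local_accounts)

# Constructed sample: Finance staff may use the disk, only PayrollAdmins who are also
# on the filesystem-level rule see D:\Payroll, and only the backup service reads raw blocks.
POLICY = Policy(
    filesystem={"CORP\\Finance", "CORP\\BackupSvc"},
    folders={"D:\\Payroll": {"CORP\\PayrollAdmins"}},
    block={"CORP\\BackupSvc"},
)
```

Deleting the local account behind an entry such as `olduser` makes `controls_enforced` return False, which is the whole-policy failure the note warns about.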

For all rules, the order of the entries in the rule determines how permission conflicts are resolved. For details, see Windows Access Control Rule Processing.