Windows Access Control Rule Processing

The permissions list for a Windows Access Control Rule can contain both individual users and user groups. For each entry, you can also specify whether the user or group is to be Allowed or Denied access to the associated disk or folder. This allows you to give access permission to an entire AD group while denying access to specific members of that group.

When determining a user's permission level, the Entrust KeyControl Policy Agent uses the order of the entries in the Access Control Rule. As soon as it finds a match for the user requesting access, it allows or denies access to that user based on the matching entry and stops processing the permissions list. If the first entry is "Allow", it allows the user access even if there is a rule further down the list that denies the user access.

For example, let's say you want to give access permissions to the AD group development-all but deny access to the sub-group development-interns and the individual users Joe Smith (jsmith) and Mary Carson (mcarson) because they are both temporary contractors. In order to do this, you would specify the following permissions in the rule:

User or Group Name     Domain          Permission
jsmith                 mycompany.com   Deny
mcarson                mycompany.com   Deny
development-interns    mycompany.com   Deny
development-all        mycompany.com   Allow

If the AD user jsmith, mcarson, or one of the users listed in development-interns logs in, they will be denied access even if they are a member of the group development-all because the Deny entries come before development-all in the list. If someone signs into the VM locally, access to the data will be denied because no local users are defined in the permissions list.

However, let's say the permissions list looked like this:

User or Group Name     Domain          Permission
development-all        mycompany.com   Allow
jsmith                 mycompany.com   Deny
mcarson                mycompany.com   Deny
development-interns    mycompany.com   Deny

Now if the AD user jsmith, mcarson, or one of the users listed in development-interns logs in, the Policy Agent will grant them access if they are a member of the group development-all, because the development-all group comes first in the list and all members of that group are automatically allowed access regardless of the other entries in the permissions list.
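The first-match evaluation described above, shown as an added Python simulation (this is illustrative code, not the KeyControl Policy Agent's own implementation). It assumes a constructed group directory in which development-interns is a sub-group of development-all, and it evaluates both orderings of the permissions list from the two tables:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    name: str        # user or group name from the permissions list
    domain: str
    permission: str  # "Allow" or "Deny"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: Optional[str]  # None models a local (non-AD) login on the VM


# Constructed sample directory (hypothetical membership, not from the page).
# alee is an intern, so appears in both development-interns and development-all.
GROUP_MEMBERS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("development-all", "mycompany.com"): frozenset({"jsmith", "mcarson", "alee", "bkim"}),
    ("development-interns", "mycompany.com"): frozenset({"alee"}),
}


def entry_matches(entry: Entry, who: Principal) -> bool:
    """An entry matches by exact user name or by membership in the named group."""
    if who.domain is None or who.domain.lower() != entry.domain.lower():
        return False  # local accounts and other domains never match an AD entry
    if entry.name.lower() == who.name.lower():
        return True
    return who.name in GROUP_MEMBERS.get((entry.name, entry.domain), frozenset())


def evaluate(rules: List[Entry], who: Principal) -> str:
    """First match wins: stop at the first matching entry; no match at all means Deny."""
    for entry in rules:
        if entry_matches(entry, who):
            return entry.permission
    return "Deny"


DENY_FIRST = [
    Entry("jsmith", "mycompany.com", "Deny"),
    Entry("mcarson", "mycompany.com", "Deny"),
    Entry("development-interns", "mycompany.com", "Deny"),
    Entry("development-all", "mycompany.com", "Allow"),
]
ALLOW_FIRST = [DENY_FIRST[-1]] + DENY_FIRST[:-1]  # same rows, Allow entry moved to the top
```

Running `evaluate(DENY_FIRST, Principal("jsmith", "mycompany.com"))` returns "Deny" while the same user against `ALLOW_FIRST` returns "Allow", which is exactly the ordering effect the two tables describe.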