Advanced permissions apply when you grant limited permissions to most storage devices. The permission can be any of the following:
- Modify
- Read and execute
- Read
- List device content only
You can keep the permissions limited but grant advanced permissions to certain programs on the storage devices and on the local endpoint.
To define programs, configure the following program lists.
Program List | Description | Valid Inputs |
---|---|---|
Programs with read and write access to devices | This list contains local programs and programs on storage devices that have read and write access to the devices. An example of a local program is Microsoft Word (winword.exe), which is usually found in C:\Program Files\Microsoft Office\Office. If the permission for USB storage devices is "List device content only" but "C:\Program Files\Microsoft Office\Office\winword.exe" is included in this list: | Program path and name. For details, see Wildcard Support for the Device Control Allowed Programs List. |
Programs on devices that are allowed to execute | This list contains programs on storage devices that users or the system can execute. For example, if you want to allow users to install software from a CD, add the installation program path and name, such as "E:\Installer\Setup.exe", to this list. | Program path and name or Digital Signature Provider. For details, see Wildcard Support for the Device Control Allowed Programs List or Specifying a Digital Signature Provider. |
There are instances when you need to add a program to both lists. Consider the data lock feature in a USB storage device, which, if enabled, prompts users for a valid user name and password before the device can be unlocked. The data lock feature uses a program on the device called "Password.exe", which must be allowed to execute so that users can unlock the device successfully. "Password.exe" must also have read and write access to the device so that users can change the user name or password.
Each program list on the user interface can contain up to 100 programs.
If you want to add more programs to a program list, you will need to add them to the ofcscan.ini file, which can accommodate up to 1,000 programs. For instructions on adding programs to the ofcscan.ini file, see Adding Programs to the Device Control Lists Using ofcscan.ini.
Programs added to the ofcscan.ini file will be deployed to the root domain and will overwrite programs on individual domains and agents.