Allowed Items

About Allowed Items

Add Allowed Items to group rules to grant users access to specific items without providing them with full administrative privileges. Allowed Items are displayed in the Allowed Items list under the selected group rule.

Add an Allowed Item

  1. Select the Allowed Items node in Rules > Group > Everyone.
  2. Click Add Item and from the drop-down arrow select Allowed.
  3. Select the item that you want to make allowed, for example File.

    The Add a File dialog displays.

  4. Enter or browse for the file to be made allowed.

    The Substitute environment variables where possible check box is selected by default. If it is not selected, environment variables will not be replaced with a generic environment variable.

  5. If applicable, enter any further information relating to the allowed item, in the Description field.
  6. Select Allow file to run even if it is not owned by a trusted owner if you want the file to run regardless of the owner.
  7. Select Ignore Audit Event filtering if you want to capture all events for this item regardless of what is set in Event filtering.

The selected item is listed in the Allowed Items work area.

If you want to disable a specific rule item, highlight the item, right-click and select Change State. This toggles the item between disabled and enabled, which can be useful when troubleshooting with Support.

Remove an Allowed Item

  1. Select the Allowed Items node in Rules > Group > Everyone.
  2. Highlight the item to be removed.
  3. Click Remove Item in the Rule Items ribbon.

    The Remove Items dialog displays.

  4. Click Yes to remove the item or No to abort the task.

If you click Yes, the selected item is removed from the Allowed Items work area.

Access Times

Access times allow you to specify the times and days on which a particular application is allowed to run. They can be applied to Allowed Items in Groups, Users, Devices, Custom Scripts, and Process Rules. Access periods can only be assigned when you select the Only allow files to run at certain access times option in the Access Times tab when adding or amending an Allowed Item. Times can be amended using the Access Times option from the Rule Items ribbon. Access times can be added for file, folder and signature Allowed Items.

Assign Access Times

This task explains how to assign access times to an allowed item:

  1. Select the Allowed Items node in Rules > Group > Everyone.

    For the purpose of this example, the Everyone group is being used. This will vary depending on the group you select.

  2. Click Add Item and from the drop-down arrow select Allowed.
  3. Select the item that you want to make allowed, for example File.

    The Add a File dialog displays.

  4. Enter or browse for the file to be made allowed.
  5. From the Access Times tab, select Only allow files to run at certain access times.
  6. Right-click on the time and day an item can be accessed and select New Allowed Period. Repeat this step to add any other access times.
  7. When the allowable periods have been selected, click Add.

Application Limits

Application Limits allow you to specify how many times an application can be run by a user during a session. You can configure limits when you select the Enable application limits option in the Application Limits tab when you add or edit an Allowed Item. Once you have added an item to a rule, you can also use the Application Limits option from the Rule Items ribbon. Session-based Application Limits can only be applied to Allowed Items in the Group, User, Device, Custom, Scripted, and Process rules. You can configure a message to display to the user when the time limit is exceeded by using the Message Settings dialog, which you can access from the Global Settings ribbon.

Apply Application Limits

  1. Select the Allowed Items node in Rules > Group > Everyone.

    For the purpose of this example, the Everyone group is being used.

  2. Click Add Item and from the drop-down arrow select Allowed.
  3. Select the item that you want to make allowed, for example, File.

    The Add a File dialog displays.

  4. Enter or browse for the file to be made allowed.
  5. From the Application Limits tab, select Enable application limits.
  6. Select the application limit.
  7. Click Add.

Allowed Items and Trusted Ownership

Trusted ownership checking is enabled by default. While it is enabled, an application must always pass trusted ownership checking, even if the application is an allowed item. Although trusted ownership checking can be disabled completely, this is not recommended. If you need to provide a user with access to files, folders or groups that are not owned by a trusted user, you can instead disable the trusted ownership check for that item alone: when creating or editing the item, select the Allow file to run even if it is not owned by a trusted owner option.
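
Before selecting the Allow file to run even if it is not owned by a trusted owner option, it helps to know which candidate files actually have a non-trusted owner. The PowerShell below is an added example, not part of the product or its documentation; the trusted owner names and the sample paths are assumptions to replace with the values from your own configuration.

```powershell
# Added example, not vendor code. The owner names below are an ASSUMPTION:
# replace them with the trusted owners defined in your own configuration.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Get-OwnershipReport {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Trusted = $TrustedOwners
    )
    foreach ($p in $Path) {
        # Expand %VAR% style paths, as used when variable substitution is on.
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $expanded)) {
            [pscustomobject]@{ Path = $p; Owner = $null; Trusted = $false; Note = 'not found' }
            continue
        }
        # A folder item is checked file by file; a file item is checked directly.
        $item  = Get-Item -LiteralPath $expanded -Force
        $files = if ($item.PSIsContainer) {
            Get-ChildItem -LiteralPath $expanded -File -Recurse -Force -ErrorAction SilentlyContinue
        } else { $item }
        foreach ($f in $files) {
            try {
                $owner = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner
                $note  = ''
            } catch {
                # An unreadable owner is reported as not trusted, never skipped.
                $owner = $null
                $note  = "owner unreadable: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Path    = $f.FullName
                Owner   = $owner
                Trusted = ($null -ne $owner) -and ($Trusted -contains $owner)
                Note    = $note
            }
        }
    }
}

# Constructed sample input: one file candidate and one folder candidate.
$candidates = @('%SystemRoot%\System32\notepad.exe', 'C:\Tools\Vendor')
Get-OwnershipReport -Path $candidates |
    Where-Object { -not $_.Trusted } |
    Format-Table -AutoSize Path, Owner, Note
```

Only the files this report lists need the per-item override; everything else can stay subject to the trusted ownership check. Owner names are localized on non-English Windows, so adjust the list accordingly.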
