User and User Group Precedence Options

Application Control establishes precedence rules for user and user group default option settings.

The user and user group options precedence rules are as follows:

  1. An option value set for a specific user and supersedes all other option settings.
  2. When no value is set for a specific user, and a value is set for the user group the user belongs to, the group option setting applies.
  3. If no value is set for the user or any user groups to which the user belongs, the global default option settings in the User/Group tab apply.
  4. If no global default option is set in the User/Group tab, the predefined Ivanti Device and Application Control system default settings apply.
  5. When a specific user belongs to several user groups that have different option settings, the highest precedence option setting applies. The precedence that determines which option setting is used when a user belongs to multiple user groups having different values set for the same option, depends on a predefined precedence value. The predefined precedence value for certain options is shown in the following table:
Option Value Precedence
Execution log 0 - Log everything

1 - Log access denied

2 - Logging disabled

3 - Log denied and unmanaged execution

Execution Blocking 0 - Blocking mode

1 - Non-blocking mode

2 - Ask user for *.exe only

3 - Ask user always

Execution Notification 0 - No notifications

1 - Access-denied

2 - Denied and non-blocking mode access

Execution Eventlog 0 - No events logged

1 - Access-denied logged

2 - Denied and non-blocking mode access

Macro and Script protection 0 - Disabled

1 - Ask user

2 - Deny all

The highest numerical value takes precedence. If the Local Authorization option is disabled, the Ask user for *.exe only and Ask user always values are ignored.

The following flowchart outlines the users/groups precedence rules process.

Related Information: