User and User Group Precedence Options
Application Control establishes precedence rules for user and user group default option settings.
The user and user group options precedence rules are as follows:
- An option value set for a specific user supersedes all other option settings.
- When no value is set for a specific user, and a value is set for the user group the user belongs to, the group option setting applies.
- If no value is set for the user or any user groups to which the user belongs, the global default option settings in the User/Group tab apply.
- If no global default option is set in the User/Group tab, the predefined Ivanti Device and Application Control system default settings apply.
- When a specific user belongs to several user groups that have different values set for the same option, the option setting with the highest precedence applies. Which setting has the highest precedence depends on a predefined precedence value. The predefined precedence values for certain options are shown in the following table:
Option | Value Precedence |
---|---|
Execution log | 0 - Log everything; 1 - Log access denied; 2 - Logging disabled; 3 - Log denied and unmanaged execution |
Execution Blocking | 0 - Blocking mode; 1 - Non-blocking mode; 2 - Ask user for *.exe only; 3 - Ask user always |
Execution Notification | 0 - No notifications; 1 - Access-denied; 2 - Denied and non-blocking mode access |
Execution Eventlog | 0 - No events logged; 1 - Access-denied logged; 2 - Denied and non-blocking mode access |
Macro and Script protection | 0 - Disabled; 1 - Ask user; 2 - Deny all |

The highest numerical value takes precedence. If the Local Authorization option is disabled, the Ask user for *.exe only and Ask user always values are ignored.
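The precedence rules above can be walked through in code. The following Python sketch is an added example, not Ivanti code or a product API: the function name, parameters, and sample values are hypothetical. It assumes that "ignored" means the two ask-user values are dropped from the group comparison, and that the next rule applies if no group value remains.

```python
# Added example: resolves one option for one user with the precedence rules above.
# All names are hypothetical; numeric values come from the table on this page.

# "Ask user for *.exe only" (2) and "Ask user always" (3) for Execution Blocking.
ASK_USER_VALUES = {"Execution Blocking": {2, 3}}


def effective_option(option, user_value=None, group_values=(),
                     global_default=None, system_default=None,
                     local_authorization=True):
    """Return (value, source) for one option; None means "no value set"."""
    # Rule 1: a value set for the specific user supersedes everything else.
    if user_value is not None:
        return user_value, "user"
    # Rule 2: values set on the groups the user belongs to.
    candidates = [v for v in group_values if v is not None]
    if not local_authorization:
        # Assumption: ignored values are removed before the comparison.
        ignored = ASK_USER_VALUES.get(option, set())
        candidates = [v for v in candidates if v not in ignored]
    if candidates:
        # Several groups, different values: the highest numerical value wins.
        return max(candidates), "group"
    # Rule 3: global default from the User/Group tab.
    if global_default is not None:
        return global_default, "global default"
    # Rule 4: predefined system default (value passed in; not stated on this page).
    return system_default, "system default"


if __name__ == "__main__":
    # Constructed memberships: one group in Blocking mode (0), one in Non-blocking (1).
    print(effective_option("Execution Blocking", group_values=[0, 1]))
    # Constructed memberships: Log everything (0) and Logging disabled (2).
    print(effective_option("Execution log", group_values=[0, 2]))
    # Local Authorization disabled: Ask user always (3) is not considered.
    print(effective_option("Execution Blocking", group_values=[0, 3],
                           local_authorization=False))
```

Because the highest number wins, a user who is in both a Blocking mode group and a Non-blocking mode group resolves to Non-blocking mode, and a user in both a Log everything group and a Logging disabled group resolves to Logging disabled; an explicit per-user value is the way to pin a setting regardless of group membership.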
The following flowchart outlines the users/groups precedence rules process.