Default Settings Permissions Priority
For device permissions assigned to a user or user group, priority settings govern whether a Machine-specific Settings permission rule can override a Default Settings permission rule.
You can change the priority for Default Settings and Machine-specific Settings permission rules from High to Low. All permissions are automatically assigned High priority by default. Permissions can be assigned as:
- Read
- Read/Write
- None
Priority affects permission rules set as None as follows:
- When a Default Settings permission rule is set as None and the permission priority is set as High priority, a Machine-specific Settings permission rule cannot override the Default Settings permission rule.
- When a Default Settings permission rule is set as None and the permission priority is set as Low priority, a Machine-specific Settings permission rule set as High priority can override the Default Settings permission rule.
- When a Machine-specific Settings permission rule is set as None and the permission priority is set as High priority, a Machine-specific Settings permission rule can override the Default Settings permission rule.
The following table illustrates how permissions are applied for combinations of Default Settings and Machine-specific Settings, depending upon priority settings.
Configuring permissions in Default Settings is optional. If no permission is defined at any level, the default behavior enforced is to block access to the device.
Default Setting | Default Settings Permission Priority | Computer Specific (or Device) Permission | Computer Specific (or Device) Permission Priority | Resulting Permission |
---|---|---|---|---|
Read | High | Read/Write | High | Read/Write |
Read | High | Read/Write | Low | Read/Write |
Read | High | None | High | None |
Read | High | None | Low | Read |
Read | High | Read | High | Read |
Read | High | Read | Low | Read |
Read | Low | Read/Write | High | Read/Write |
Read | Low | Read/Write | Low | Read/Write |
Read | Low | None | High | None |
Read | Low | None | Low | None |
Read | Low | Read | High | Read |
Read | Low | Read | Low | Read |
Read/Write | High | Read/Write | High | Read/Write |
Read/Write | High | Read/Write | Low | Read/Write |
Read/Write | High | None | High | None |
Read/Write | High | None | Low | Read/Write |
Read/Write | High | Read | High | Read/Write |
Read/Write | High | Read | Low | Read/Write |
Read/Write | Low | Read/Write | High | Read/Write |
Read/Write | Low | Read/Write | Low | Read/Write |
Read/Write | Low | None | High | None |
Read/Write | Low | None | Low | None |
Read/Write | Low | Read | High | Read/Write |
Read/Write | Low | Read | Low | Read/Write |
None | High | Read/Write | High | None |
None | High | Read/Write | Low | None |
None | High | None | High | None |
None | High | None | Low | None |
None | High | Read | High | None |
None | High | Read | Low | None |
None | Low | Read/Write | High | Read/Write |
None | Low | Read/Write | Low | None |
None | Low | None | High | None |
None | Low | None | Low | None |
None | Low | Read | High | Read |
None | Low | Read | Low | None |
The following diagram can be used to determine the resultant policy permission when two policies that contain different permissions merge:
Two Device Control policies with different permissions:
- Do both policies have equal priority?
  - Yes: if one of the policies is None, it wins; otherwise Read/Write wins.
  - No: go to the next question.
- Does one policy have a None permission?
  - Yes: the higher-priority policy wins.
  - No: Read/Write wins.
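The merge rules above can be written as a small function and used to list every combination in which a Default Settings rule of None still ends up granting access. This is an added example, not the product's own code; the names `resolve` and `risky_overrides` are hypothetical, and letting a lone rule apply unchanged when the other level is undefined is an assumption.

```python
"""Added example: the permission merge rules from this page as a function."""
from itertools import product

NONE, READ, READ_WRITE = "None", "Read", "Read/Write"
HIGH, LOW = "High", "Low"
_RANK = {NONE: 0, READ: 1, READ_WRITE: 2}


def resolve(default, machine):
    """Merge two (permission, priority) rules; either may be None (undefined)."""
    # Page: with no permission defined at any level, access is blocked.
    if default is None and machine is None:
        return NONE
    # Assumption (not stated on the page): a lone rule applies as-is.
    if default is None or machine is None:
        return (default or machine)[0]
    (d_perm, d_prio), (m_perm, m_prio) = default, machine
    if d_perm == m_perm:
        return d_perm
    if NONE in (d_perm, m_perm):
        if d_prio == m_prio:
            return NONE  # equal priority: None wins
        # Unequal priority: the higher-priority rule wins.
        return d_perm if d_prio == HIGH else m_perm
    # No None involved: the more permissive of Read and Read/Write wins.
    return max(d_perm, m_perm, key=_RANK.get)


def risky_overrides():
    """Combinations where a Default Settings None still results in access."""
    hits = []
    for d_prio, m_perm, m_prio in product(
        (HIGH, LOW), (READ, READ_WRITE), (HIGH, LOW)
    ):
        result = resolve((NONE, d_prio), (m_perm, m_prio))
        if result != NONE:
            hits.append((d_prio, m_perm, m_prio, result))
    return hits


if __name__ == "__main__":
    for row in risky_overrides():
        print("Default None/%s + Machine %s/%s -> %s" % row)
```

Only a Low-priority default None paired with a High-priority machine rule produces access, which matches the table rows for a Default Setting of None.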
Related Information
- Permissions Dialog
- File Filters
- BitLocker Encrypted Devices
- Working with Custom File Types
- File Type Filtering and Data Loss Prevention Combination Matrix
Related Tasks
- Assigning Permission to a BitLocker Encrypted Device
- Assign Permissions by Devices
- Assign Permission by Computers
- Manage Online Permission
- Manage Offline Permissions
- Assign Scheduled Permissions to Users
- Assign Temporary Permissions to Users
- Add Shadowing
- Manage Shadowing
- Add Copy Limit
- Remove Copy Limit
- Add Event Notification
- Manage Event Notification
- Creating a Data Loss Prevention (DLP) Filter
- Assigning a Data Loss Prevention Filter to a Specific User or Group