6. Click Save.
How Policy Assignment Rules work
Policy assignment rules give you the ability to create user-specific policy assignments. These
assignments are enforced at the target system when a user logs on. On a managed system,
the agent keeps a record of the users who log on to the network. The policy assignments you
create for each user are pushed down to the system they log on to, and are cached during each
agent-server communication. The agent applies the policies that you have assigned to each
user.
NOTE: When a user logs on to a managed system for the first time, there can be a slight delay
while the agent contacts its assigned server for the policy assignments specific to this user.
During this time, the user has access only to that functionality allowed by the default machine
policy, which typically is your most secure policy.
Policy assignment rules reduce the overhead of managing numerous policies for individual
users, while maintaining more generic policies across your System Tree. For example, you can
create a policy assignment rule that is enforced for all users in your engineering group. You
can then create another policy assignment rule for members of your IT department so they can
log on to any computer in the engineering network with the access rights they need to
troubleshoot problems on a specific system in that network. This level of granularity in policy
assignment limits the instances of broken inheritance in the System Tree needed to accommodate
the policy settings that particular users require to perform special functions.
Policy assignment rule priority
Policy assignment rules can be prioritized to simplify policy assignment management. When you
assign a priority to a rule, it is enforced before other assignments with a lower priority. In
some cases, the outcome can be that some rule settings are overridden.
For example, consider a user who is included in two policy assignment rules, rules A and B.
Rule A has priority level 1, and allows included users unrestricted access to internet content.
Rule B has priority level 2, and heavily restricts the same user's access to internet content. In
this scenario, rule A is enforced because it has higher priority. As a result, the user has
unrestricted access to internet content.
How multi-slot policies work with policy assignment rule priority
Priority of rules is not considered for multi-slot policies. When a single rule containing multi-slot
policies of the same product category is applied to a user, all settings of the multi-slot policies
are combined. Similarly, if multiple rules applied to a user contain multi-slot policy settings, all
settings from each multi-slot policy are combined. As a result, the user gets a policy that
combines the settings of each individual rule.
For example, consider the previous example where a user is included in two policy assignment
rules with different assigned priorities. When these rules consist of multi-slot policy assignments,
the settings for both policies are applied without regard to priority. You can prevent application
of combined settings from multi-slot policies across multiple policy assignment rules by excluding
a user (or other Active Directory objects such as a group or organizational unit) when creating
the policy assignment rule.
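The following added example (not code from the product or this guide) models the behavior described above so an administrator can check which settings a user ends up with: priority decides single-slot policies, multi-slot policies are combined regardless of priority, and an exclusion removes a rule for that user. The `Rule` class, the function names, and the category and policy names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    priority: int                 # 1 is the highest priority, as with rule A above
    include: set                  # user names or AD groups the rule covers
    exclude: set = field(default_factory=set)
    single_slot: dict = field(default_factory=dict)  # category -> policy
    multi_slot: dict = field(default_factory=dict)   # category -> [policies]

def matching(rules, principals):
    """Rules that cover the user, highest priority first; an exclusion beats an inclusion."""
    hits = [r for r in rules if r.include & principals and not r.exclude & principals]
    return sorted(hits, key=lambda r: r.priority)

def effective(rules, principals):
    """Return (single, multi, sources) for one user's set of principals."""
    single, multi, sources = {}, {}, {}
    for rule in matching(rules, principals):
        for cat, policy in rule.single_slot.items():
            single.setdefault(cat, policy)      # highest-priority rule wins
        for cat, policies in rule.multi_slot.items():
            merged = multi.setdefault(cat, [])
            merged += [p for p in policies if p not in merged]  # priority ignored
            sources.setdefault(cat, []).append(rule.name)
    return single, multi, sources

def combined_categories(rules, principals):
    """Multi-slot categories fed by more than one rule: candidates for an exclusion."""
    _, _, sources = effective(rules, principals)
    return {cat: names for cat, names in sources.items() if len(names) > 1}

# Constructed sample data: a user who belongs to both groups from the example above.
ALICE = {"alice", "Engineering", "IT"}
RULES = [
    Rule("B", 2, {"IT"}, single_slot={"internet_content": "restricted"},
         multi_slot={"key_grants": ["it-keys"]}),
    Rule("A", 1, {"Engineering"}, single_slot={"internet_content": "unrestricted"},
         multi_slot={"key_grants": ["eng-keys"]}),
]

if __name__ == "__main__":
    print(effective(RULES, ALICE))
    print(combined_categories(RULES, ALICE))
```

Any category reported by `combined_categories` is one where the user receives settings from several rules at once; adding the user to a rule's `exclude` set models the exclusion described above.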
Configuring EEFF policies using ePO
McAfee Endpoint Encryption for Files and Folders version 4.0.0 Product Guide