The actual DLP version is 11.6.400 under ePO 5.10 Update 11, but, as I suspect, this is not important: this question is about DLP rule architecture.
The goal is to implement DLP behavior for removable storage devices with the following logic:
- If the device S/N and logged-in user name pair is in the "RW White List", the user gets Read-Write access to the device;
- If the device S/N and logged-in user name pair is in the "RO White List", the user gets Read-Only access to the device;
- Any other combination must give no access;
- All attempts to attach the device should be logged;
- The 'exception' where the same pair is listed in both lists is treated as 'OK'; it may lead to either result (RW or RO access).
The problem is:
- I see a solution for device identification by S/N only: three DLP storage device rules and two white lists by serial number (RW and RO), namely the blocking one with the two white lists as exceptions, the read-only one, and the read-write one (see the picture);
- But I see no solution for the triple choice (Block / RW / RO) by S/N+User pair, simply because the S/N+User pair list is allowed to be used as a DLP rule exception but is not allowed to be used as a DLP rule condition.
Is it possible to overcome that DLP limitation?