I spoke a little too soon, this (group based url whitelists) is currently apart of the policy in the beta environment -- so this should going live pretty soon.

Thanks Jon for your responses. Any idea when this system in the beta environment will be going live?

It was added over the weekend.

I can now see you can now block certain groups and that "allow" is the catch all and primary action (previously when you created a new rule using a URL list, you could not block a certain group). However, this does not solve my problem, it's close but not what I'm looking for. I'm looking to have the rule default to block and only allow certain groups, not the other way around. For other rules, you can move the "Block" action to the bottom to make it the catch all (primary) and then force it to allow only for the groups you specify. However, when you create a new rule using URL Lists, the "Move Down" and "Move Up" action is greyed out (see screenshot) and I cannot change the primary action of the rule I would like to create. You can change the primary action of the rule if you create a new rule using "Web Categories" as the "Move Up" and "Move Down" action are not greyed out.

I have the same problem.

I dont understand if is possible or not now in the 2019?

I try to set the rules in the Access Protection as indicated in the manual:

Create a rule using exceptions

You can provide or deny certain access to the user groups by creating a rule using exceptions to specify user

groups.

Assume that you are creating a rule to deny executive user group access to social networking sites.

Task

1 From the McAfee ePO Cloud menu, select Policy | Web Policy.

2 Create a rule in the Access Protection feature area.

a

From Policy Browser, click of the feature policy.

b Select New Rule.

3 Assign the required rule type.

a From the Catalog pane, select Web Applications from the drop-down list.

b From the Catalog pane, click to the right of Social Networking.

In the Rule Details pane, you see that the rule name is now Social Networking.

4 Assign the required user groups.

a In the Rule Details pane, click located next to the Block option, to display the list of User Groups.

b In the Catalog pane, click to the right of Executives.

You can add one or more user groups to an action.

5 In the Rule Details pane, click Save.

I have the same config, but with WEB MAIL.

BUT if i set this rules in access protection, the rules match only with the WEB MAIL LIST. But this works only for the link in this list.

If i try to open gmail.com it's blocked because is in the list, but if i try five "regional" web mail are not blocked.

If i create a rules in the WEB CATEGORY FILTER all web mail are blocked. BUT here i cant create different rules for different group with different category to block.