    DLP Policy UAG Hierarchy


      Does anyone know the logic behind the User Assignment Group settings? For instance, I'd like to do the following:

      Block All USB Storage Devices except Encrypted USB devices
      Assign the rule to "Domain Users and Local Users"
      Exclude users via an AD group "Excluded Users"

      It seems I could do the following:

      1. Create a single UAG that includes Domain Users and Local Users, but excludes the AD group Excluded Users
      2. Create two UAGs, one that includes Domain Users and Local Users and one that excludes Excluded Users

      Are both options valid? There will be overlap in that the Excluded Users group will have users that are also in Domain Users, so could there be random results with one or both of these UAG options?

          That's correct.

          Usually you will have 2 rules and 2 groups.

          UAG group "block": include "domain users and local", exclude "exclude group", assigned to rule "block everything".
          UAG group "monitor": include "exclude group", assigned to rule "monitor everything".

          The issue you are asking about would come in where you have a group assigned to both a monitor and a block rule as above set to include (include "exclude group" in examples a and b). In this case, the "block" feature will override the less aggressive "monitor" feature.
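The following is an added example, not code from the thread or from the DLP product being discussed. It models the evaluation the reply describes: a user matches a UAG when they are in an included group and in none of the excluded groups, and when a user falls under both a monitor rule and a block rule, block wins. The group names, the severity ordering and the matching semantics are assumptions made for the model; it exists to let you check a proposed UAG layout against sample users before deploying it.

```python
from dataclasses import dataclass

# Assumed action precedence: the more restrictive action wins when several rules match.
SEVERITY = {"allow": 0, "monitor": 1, "block": 2}


@dataclass(frozen=True)
class UAG:
    """A User Assignment Group: include/exclude sets of AD or local group names."""
    name: str
    include: frozenset
    exclude: frozenset = frozenset()

    def matches(self, user_groups):
        # Assumption: a user is in the UAG when they belong to at least one
        # included group and to none of the excluded groups.
        return bool(self.include & user_groups) and not (self.exclude & user_groups)


@dataclass(frozen=True)
class Rule:
    """A DLP rule (e.g. a USB storage rule) bound to one or more UAGs."""
    name: str
    action: str   # "monitor" or "block"
    uags: tuple   # UAGs whose members this rule applies to


def effective_action(user_groups, rules):
    """Return (action, matching rule names) for a user with the given group set.

    Assumption: when several rules apply to one user, the most restrictive
    action is enforced, so "block" overrides "monitor".
    """
    matched = [r for r in rules if any(u.matches(user_groups) for u in r.uags)]
    if not matched:
        return "allow", []
    action = max((r.action for r in matched), key=SEVERITY.__getitem__)
    return action, [r.name for r in matched]


# Hypothetical group names mirroring the thread.
DOMAIN_USERS, LOCAL_USERS, EXCLUDED = "Domain Users", "Local Users", "Excluded Users"


def reply_design():
    """The two-rule/two-group layout from the reply: the block UAG excludes the
    exception group, and a separate monitor UAG covers only that group."""
    block_uag = UAG("block", frozenset({DOMAIN_USERS, LOCAL_USERS}), frozenset({EXCLUDED}))
    monitor_uag = UAG("monitor", frozenset({EXCLUDED}))
    return (
        Rule("block everything", "block", (block_uag,)),
        Rule("monitor everything", "monitor", (monitor_uag,)),
    )


def overlapping_design():
    """Same rules, but the block UAG does not exclude the exception group, so
    excluded users match both rules and the block rule wins."""
    block_uag = UAG("block", frozenset({DOMAIN_USERS, LOCAL_USERS}))
    monitor_uag = UAG("monitor", frozenset({EXCLUDED}))
    return (
        Rule("block everything", "block", (block_uag,)),
        Rule("monitor everything", "monitor", (monitor_uag,)),
    )


if __name__ == "__main__":
    # Constructed sample users: alice is an ordinary domain user, bob is also
    # a member of the exception group.
    alice = frozenset({DOMAIN_USERS})
    bob = frozenset({DOMAIN_USERS, EXCLUDED})
    for label, design in (("reply design", reply_design()),
                          ("overlapping design", overlapping_design())):
        for who, groups in (("alice", alice), ("bob", bob)):
            print(label, who, effective_action(groups, design))
```

Running it shows bob landing on "monitor" under the reply's layout but on "block" once the exclusion is dropped from the block UAG, which is the overlap case the reply warns about; swap in your own group lists to check a layout before assigning it to rules.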