Using Inclusion and Exclusion Filters

When a filter is placed in the Inclusion Filters or Exclusion Filters under the Conditions tab of a policy definition, it can be used to explicitly include or exclude what is defined in the filter with respect to a policy. By combining inclusion and exclusion filters, you can create highly specific policies. For example, you can include all users in a department but exclude those who are part of a special project team.

Inclusion Filters

Inclusion filters are used to explicitly include specific users, groups, applications, network locations, or other criteria within a policy. This means that the policy will only be applied to the items defined in the inclusion filter. For example, you might use an inclusion filter to apply a policy only to applications signed by a specific company's digital certificate or to users belonging to a particular Active Directory group.

Exclusion Filters

Exclusion filters in Privilege Manager are used to specify conditions or entities that should be excluded from a policy. Use exclusion filters to remove specific users, groups, or applications from the policy's scope. For instance, you might exclude the "Executives" group from a policy that applies to all other users.

Policy Management

When a filter is placed in the Inclusion Filters or Exclusion Filters of a policy definition, it can be used to explicitly include or exclude what is defined in the filter with respect to a policy.

Conditions

Applications Targeted are treated as OR operations. If an application matches, the policy will target it.

Inclusions are treated as AND operations. All inclusions must be met for the policy to apply. For example, inclusions can apply the policy only if the workstation is on the corporate network and only to applications signed by a specific company's digital certificate.

Exclusions are treated as OR operations. If any exclusion is met, the policy will not apply, which makes exclusions a powerful filter. For example, an exclusion can apply the policy only if the user is NOT an administrator.
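The following added example models how the three rules above combine and reports which filter decided the outcome. It is not Privilege Manager's own evaluation code. The policy, filter names, event fields, and evaluation order are constructed for illustration, and treating an empty inclusion list as met is an assumption.

```python
# Added illustration: a model of the combination rules described above,
# not Privilege Manager's own evaluation code.
from dataclasses import dataclass, field
from typing import Callable

Event = dict                                    # constructed stand-in for a process-launch event
Filter = tuple[str, Callable[[Event], bool]]    # (filter name, predicate)

@dataclass
class Policy:
    name: str
    targets: list[Filter]                                     # Applications Targeted: OR
    inclusions: list[Filter] = field(default_factory=list)    # Inclusions: AND
    exclusions: list[Filter] = field(default_factory=list)    # Exclusions: OR

def evaluate(policy: Policy, event: Event) -> tuple[bool, str]:
    """Return (applies, reason) so a policy author can see which filter decided."""
    hit = next((n for n, f in policy.targets if f(event)), None)
    if hit is None:
        return False, "no targeted application matched"
    for name, pred in policy.inclusions:        # every inclusion must be met
        if not pred(event):                     # (assumption: no inclusions = met)
            return False, f"inclusion not met: {name}"
    for name, pred in policy.exclusions:        # any single exclusion vetoes
        if pred(event):
            return False, f"excluded by: {name}"
    return True, f"targeted by: {hit}"

# Constructed sample policy (all names hypothetical).
POLICY = Policy(
    name="Elevate signed installers",
    targets=[("setup.exe", lambda e: e["file"].lower() == "setup.exe"),
             ("MSI packages", lambda e: e["file"].lower().endswith(".msi"))],
    inclusions=[("On corporate network", lambda e: e["network"] == "corp"),
                ("Signed by Example Corp", lambda e: e["signer"] == "Example Corp")],
    exclusions=[("User is administrator", lambda e: "Administrators" in e["groups"]),
                ("Executives group", lambda e: "Executives" in e["groups"])],
)

def sample(**overrides) -> Event:
    """Constructed event that satisfies POLICY unless a field is overridden."""
    base = {"file": "setup.exe", "network": "corp", "signer": "Example Corp",
            "groups": ["Finance"]}
    return {**base, **overrides}

if __name__ == "__main__":
    for ev in (sample(), sample(file="tool.msi"), sample(network="home"),
               sample(groups=["Finance", "Executives"]), sample(file="cmd.exe")):
        print(ev["file"], ev["network"], ev["groups"], "->", evaluate(POLICY, ev))
```

Because one unmet inclusion or one met exclusion removes the policy, a broad exclusion such as a large group can silently take many endpoints out of scope; the returned reason string makes that visible when reviewing a policy design.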

File Specifications

These parameters define the criteria that determine whether this filter is evaluated as met. Once created, the filter can be added to a policy under the policy Conditions.

The administrator can add additional logic in the Additional Filters (optional) section of a File Specification Filter in order to combine filters.

File Specification Filter

In addition to the filter parameters in a policy, a File Specification Filter can be created. This filter identifies files based on their file name, extension, path, or location on a computer. Refer to File Specification Filter for detailed configuration.

Files defined in a policy are treated as OR operations. If a file is identified, the filter will target it. "Add Include only" filters are treated as AND operations: all inclusions must be met for the filter to apply. "Add Exclude any" filters are treated as OR operations: if any exclusion is met, the filter will not apply.

Environmental Variables

Environment variables can be used in the file path field of the filters that offer it, for example Win32 Executable Filters or File Specification Filters.

The environment variables that can be used are limited to the system-wide variables. Environment variables belonging to a user's desktop session cannot be used because they don't exist in the context of the ACS (Application Control Service) service mode process running as local system.