Implementation Guide › Preparing Your Endpoint Implementation › Deciding on the Policy Objects to Protect › Groups › Predefined Groups for Resource Access

Predefined Groups for Resource Access

Other types of predefined groups in CA ControlMinder define the type of access that is allowed or prohibited to a particular resource. These groups include the following:

• _network

  (Windows only) The _network group defines access from the network to a particular resource. All users are treated as if they are members of the group; no user has to be explicitly added to the group.

  For example, you can specify that a particular resource can only be read from the network. Using selang, you define the new resource as follows:

  newres FILE c:\temp\readonly defaccess(none)
  

  Then specify the access allowed through the network:

  authorize FILE c:\temp\readonly gid(_network) access(read)
  

  You can also do this using CA ControlMinder Endpoint Management.

  Now when accessing c:\temp\readonly from the network, users can read the file only from the network.

• _interactive

  The _interactive group defines the access permitted to a particular resource from the computer on which the resource resides. For example, You can authorize READ access to a file from the computer on which it is defined, although no access is permitted to the resource from the network.

The following points are important:

• There is no connection in CA ControlMinder between the _network and _interactive groups. This means that there can be a rule in the _network group that defines access from the network to a specific resource. Another rule in the _interactive group can define access to the same resource.
• You do not have to add users to the _network and _interactive groups.
• These groups can protect all the Windows resources defined in the database.