

Using defaccess and _default

When access to a resource is requested, the database is searched in the following order to determine how the request should be treated, and CA ControlMinder uses the first access rule that is found. Notice the distinction between default access (defaccess) and _default.

  1. If the resource has a record in the database, and the record has a rule governing the accessor, then CA ControlMinder uses that rule.
  2. If the record exists but does not have a rule governing the accessor, that record's default access rule—its defaccess value—is applied to the accessor.
  3. If the record does not exist, but in the resource class the _default record has a rule governing the accessor, then CA ControlMinder uses that rule.
  4. If the record does not exist, and in the resource class the _default record does not have a rule governing the accessor, then the _default record's default access rule, its defaccess value, is applied to the accessor. For files and registry keys, this applies only to _restricted users.

    The flow diagram shows how CA ControlMinder uses default access and the _default record
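
The following Python model walks the four steps above for a few accessors. It is an added illustration, not CA ControlMinder code or selang: the class labels, access strings, accessor names, and sample records are constructed, each rule is simplified to a direct accessor-to-access mapping, and every class is assumed to have a _default record.

```python
from dataclasses import dataclass, field

# Classes where step 4 applies only to _restricted users (files and
# registry keys on the page). The labels themselves are assumptions.
RESTRICTED_ONLY_CLASSES = {"FILE", "REGKEY"}


@dataclass
class Record:
    defaccess: str                            # the record's default access
    acl: dict = field(default_factory=dict)   # accessor -> access rule


def resolve(db, res_class, name, accessor, restricted=False):
    """Return (step, access) for the first rule found.

    access is None when step 4 does not apply to this accessor; the page
    does not state what happens to the request in that case.
    """
    records = db[res_class]
    record = records.get(name)
    if record is not None:
        if accessor in record.acl:
            return 1, record.acl[accessor]    # step 1: rule in the record
        return 2, record.defaccess            # step 2: record's defaccess
    default = records["_default"]             # model assumes it exists
    if accessor in default.acl:
        return 3, default.acl[accessor]       # step 3: rule in _default
    if res_class in RESTRICTED_ONLY_CLASSES and not restricted:
        return 4, None                        # step 4 skipped for this user
    return 4, default.defaccess               # step 4: _default's defaccess


# Constructed sample database: class -> record name -> Record.
SAMPLE_DB = {
    "TERMINAL": {
        "_default": Record("none", {"ops": "read"}),
        "host1": Record("read", {"alice": "all"}),
    },
    "FILE": {
        "_default": Record("none"),
        "C:\\payroll.xls": Record("none", {"alice": "read"}),
    },
}

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, resolve(SAMPLE_DB, "TERMINAL", "host1", who))
    print("ops", resolve(SAMPLE_DB, "TERMINAL", "host2", "ops"))
    print("bob", resolve(SAMPLE_DB, "FILE", "C:\\temp.txt", "bob", True))
```

In this model, once a record exists for a resource, the _default record's rules are never consulted for it, so the record's own defaccess value decides the outcome for every accessor without an explicit rule.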

Note: For more information about resource classes and access rules, see the selang Reference Guide.