Protection rules define which users and applications are allowed to access protected data in BestCrypt Data Shelter.

Each rule is assigned to one or more protected folders within a protection policy and determines how access to the data is controlled.

For an overview of how policies, folders, rules, and additional protection settings work together, see the Protection Policies article.

A protection rule consists of:

  • allowed users,
  • allowed programs,
  • and optional additional restrictions.

Applications or users that are not explicitly permitted by the rule are prevented from accessing the protected data.

Allowed Users

The Allowed users section defines which users are permitted to access data protected by the rule.

The following options are available:

  • 🗹 All users

    Allows all users who can access the computer to work with protected data.

    This option can still be useful when access is restricted primarily by allowed applications rather than by user accounts.

  • 🗹 Only users who have logged in to the computer

    Allows access only to users who have previously logged in to the computer. This can help limit access to users already known to the workstation, even in domain environments where many domain accounts may exist.

  • 🗹 All local users

    Allows access for all local user accounts on the computer. This option can be useful when protection should apply only to domain users while allowing unrestricted access for local maintenance or service accounts.

  • 🗹 Domain users from the list

    Allows administrators to explicitly select domain users or groups that are permitted to access protected data. Users who are not included in the list will be denied access to the protected folders.


Allowed Programs

The Allowed programs section defines which applications are permitted to access protected data.

The following options are available:

  • All programs

    Allows all applications to access protected data.

    This option can still be useful when access is restricted primarily by allowed users rather than by applications.

  • Selected programs

    • 🗹 Signed and WRPS programs - when enabled, allows trusted applications to access protected data automatically.

      This option includes:

      - digitally signed applications whose integrity and publisher can be verified,
      - and Windows components protected by Windows Resource Protection Service (WRPS).

      Using this option can reduce the need to manually maintain large lists of trusted applications.

    • 🗹 Programs from list - when enabled, administrators can explicitly define trusted applications that are allowed to work with the protected files. Applications that are not permitted by the rule will be blocked from accessing the protected data.
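
Before choosing between the two Selected programs options, it helps to know which binaries of an application are actually signed. The following PowerShell script is an added example, not part of the Data Shelter product or its documentation; the folder path is a hypothetical placeholder, and it assumes that a file Windows reports as `Valid` is what the rule would treat as digitally signed.

```powershell
# Added example: inventory the Authenticode status of the executables that an
# allowed-programs rule would need to cover.
# Assumption: 'Valid' here corresponds to what the rule treats as "digitally signed";
# Data Shelter's own verification may differ.
param(
    # Hypothetical default; point this at the folder of the application that needs access.
    [string]$ProgramRoot = 'C:\Program Files\ExampleApp'
)

function Get-ProgramSignatureReport {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Status    = $sig.Status
                Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # Hash recorded so a later review can tell whether the binary has changed.
                Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = Get-ProgramSignatureReport -Root $ProgramRoot

# Validly signed files, grouped by publisher: candidates for "Signed and WRPS programs".
$report | Where-Object Status -eq 'Valid' |
    Group-Object Publisher | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Everything else (NotSigned, HashMismatch, NotTrusted, ...) needs review before it is
# added to "Programs from list"; HashMismatch means the file changed after it was signed.
$report | Where-Object Status -ne 'Valid' |
    Sort-Object Status, Path | Format-Table Status, Path, Sha256 -AutoSize
```

An application whose files all appear in the first table is a candidate for the signed-programs option alone; any file in the second table should be reviewed individually before it is listed explicitly.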


Additional Restrictions

Rules can also include additional restrictions that strengthen access control behavior.

🗹 All related programs must be signed or protected by WRPS - when enabled, requires processes interacting with allowed applications to also be trusted. Data Shelter verifies that related applications participating in interprocess communication are digitally signed or protected by Windows Resource Protection Service (WRPS).


This helps reduce the risk of unauthorized or malicious applications interacting with trusted processes to gain indirect access to protected data.

🗹 Do not allow processes to copy files from a protected folder - when enabled, prevents applications from copying files outside protected folders.

This helps reduce the risk of unauthorized data extraction or data leakage.


Reusing Rules

After a protection rule is configured and saved, it can be reused across multiple protected folders, policies, and computers. This allows administrators to build consistent protection configurations without recreating the same access rules each time.

For example, the same rule can be applied to different folders that should be accessible by the same users and applications.

Reusing rules simplifies the management of large-scale protection deployments and helps maintain consistent access control policies across the environment.



Next Step

Now that you understand how protection rules work, continue with the Creating a Protection Policy article to learn how to configure folders, rules, and policy-wide protection settings in Jetico Central Manager.