Policy: File Access Allow Policy for pgAdmin

This example shows a File Access policy that explicitly allows file activity for a specific application (pgAdmin) on a targeted endpoint. It is useful for showing how to keep a trusted tool working when other File Access policies would otherwise block its activity or require approval.


What This Policy Does

  • Applies a File Access rule in enforce mode.

  • Targets:

    • Any user (*)

    • A specific application (one App ID, representing pgAdmin)

    • One specific endpoint (one Machine ID)

  • On a match, it applies an ALLOW control.

  • Does not require the user to acknowledge the notification.


Why It Behaves This Way

  • Application-Scoped Allowlist: Because the application targeting is a single App ID (not *), only that specific application is matched.

  • Broad User Scope: The wildcard user targeting means any user on the targeted endpoint is matched, so the allow applies regardless of who is logged in.

  • Enforced Allow: The policy is set to enforce and the OnSuccess control is ALLOW, so matching activity is permitted.

  • Standard Checks With No Extra Constraints: The Date/Time/Day/Certificate restrictions are empty, so whether the rule fires is determined only by the user, machine, and application match.


What The User Experiences

  • When users run pgAdmin on an in-scope endpoint, they should not see blocks or approval prompts caused by File Access restrictions, because this policy explicitly allows that activity. This assumes your policy precedence or conflict handling lets the allow take effect over any competing block or approval policy.

  • The policy includes a notification message, but acknowledgement is not required, so it should not interrupt the workflow.


Important Notes And Common Adjustments

  • Fix The Notification Message: The current notification text references “monitor mode” and mentions MFA/justification/request for elevation, but this policy is enforced and performs an ALLOW for File Access. Update or remove the message so it accurately reflects what the policy does.

  • Narrow The User Scope If Needed: Replace * with specific users/groups if pgAdmin should only be allowed for a subset of users.

  • Add Certificate Constraints For Higher Assurance: Without a certificate constraint, the rule trusts anything that matches the App ID. If supported in your environment, restrict the allow rule to a known signer/publisher or certificate hash so only trusted builds of pgAdmin are permitted.

  • Consider Whether You Need File-Path Scoping: If the intent is “allow pgAdmin only in specific directories” (or only to specific file types), add folder/file pattern constraints rather than allowing broadly for the app.
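
The adjustments above are easy to miss by eye when a tenant has many File Access policies. The following added example (written for this page, not the product's own code or schema) lints a policy object for the problems the notes describe: a notification that contradicts an enforced ALLOW, wildcard user/app/machine scope, an App ID match with no certificate constraint, and an allow with no path scoping. The policy shape, field names, placeholder IDs and the notification text are all constructed assumptions for the example; the real JSON is not on this page. It also applies the common adjustments to produce a corrected copy.

```python
"""Lint a File Access policy for the mismatches and over-broad scoping called out above."""
import copy
import re

# Constructed sample policy. The field names are an assumed, illustrative shape
# for this example; they are not the product's real JSON schema.
PGADMIN_ALLOW_POLICY = {
    "name": "File Access Allow Policy for pgAdmin",
    "type": "FileAccess",
    "mode": "enforce",
    "targets": {
        "users": ["*"],
        "apps": ["<pgadmin-app-id>"],      # placeholder App ID (assumption)
        "machines": ["<machine-id>"],      # placeholder Machine ID (assumption)
    },
    "controls": {"onSuccess": "ALLOW"},
    "notification": {
        # Constructed text that exhibits the mismatch described in the notes.
        "message": ("This policy is in monitor mode. You may be asked for MFA, "
                    "a justification, or to request elevation."),
        "requireAcknowledgement": False,
    },
    "constraints": {"date": None, "time": None, "day": None,
                    "certificate": None, "paths": []},
}

# Phrases describing behaviour an enforced ALLOW policy never performs.
_MISLEADING = re.compile(r"monitor mode|\bmfa\b|justification|elevation", re.IGNORECASE)


def lint_policy(policy):
    """Return a list of (code, severity, detail) findings for one policy."""
    findings = []
    mode = policy.get("mode", "").lower()
    control = policy.get("controls", {}).get("onSuccess", "").upper()
    targets = policy.get("targets", {})
    cons = policy.get("constraints", {})
    msg = policy.get("notification", {}).get("message", "")

    if mode == "enforce" and control == "ALLOW" and _MISLEADING.search(msg):
        findings.append(("NOTIFICATION_MISMATCH", "error",
                         "notification text describes monitor mode/MFA/justification/"
                         "elevation, but the policy is an enforced ALLOW"))
    if "*" in targets.get("apps", []) and control == "ALLOW":
        findings.append(("WILDCARD_APP_ALLOW", "error",
                         "ALLOW for every application switches File Access control off "
                         "on the targeted machines"))
    if "*" in targets.get("users", []):
        findings.append(("WILDCARD_USER", "warning",
                         "any user on the targeted machines is matched; narrow to "
                         "users/groups if the allow should be limited"))
    if "*" in targets.get("machines", []):
        findings.append(("WILDCARD_MACHINE", "warning",
                         "every machine is matched; confirm the allow is meant to be global"))
    if control == "ALLOW" and not cons.get("certificate"):
        findings.append(("NO_CERT_CONSTRAINT", "warning",
                         "allow is keyed on App ID only; add a signer/publisher or "
                         "certificate hash constraint"))
    if control == "ALLOW" and not cons.get("paths"):
        findings.append(("NO_PATH_SCOPE", "info",
                         "allow applies to every folder and file type the application touches"))
    return findings


def corrected_policy(policy, groups, signer):
    """Return a copy with the common adjustments applied (group and signer are hypothetical)."""
    fixed = copy.deepcopy(policy)
    fixed["notification"]["message"] = (
        "File access by this application is allowed by policy; no action is required.")
    fixed["targets"]["users"] = list(groups)
    fixed["constraints"]["certificate"] = {"signer": signer}
    return fixed


if __name__ == "__main__":
    for code, sev, detail in lint_policy(PGADMIN_ALLOW_POLICY):
        print(f"[{sev}] {code}: {detail}")
    fixed = corrected_policy(PGADMIN_ALLOW_POLICY, ["DBA-Team"], "<pgAdmin publisher>")
    print("after adjustments:", [c for c, _, _ in lint_policy(fixed)])
```

Run against the constructed policy, the linter reports the notification mismatch, the wildcard user scope, the missing certificate constraint and the missing path scope; after the adjustments only the path-scope note remains, which is expected when the intent really is "allow pgAdmin everywhere on this machine". Map the field names onto your actual export before using it.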

Example JSON
