Policy: File Access Approval Policy for pgAdmin Application

This example shows a File Access policy that targets a specific application (pgAdmin) and requires Approval before allowing the file access action to proceed. It’s useful for demonstrating how to introduce an approval workflow for a trusted tool without applying prompts to every application on the endpoint.


What This Policy Does

  • Applies a File Access rule in enforce mode.

  • Targets:

    • Any user (*)

    • A specific application (one App ID, representing pgAdmin)

    • One specific endpoint (one Machine ID)

  • On a match, it requires Approval (OnSuccess: APPROVAL).

  • Does not require the user to acknowledge the notification.


Why It Behaves This Way

  • Application-Scoped Policy: Because the application targeting is a single App ID (not *), only that specific application is evaluated by this rule.

  • Broad User Scope: The wildcard user targeting means any user on the targeted endpoint can trigger the approval workflow.

  • Approval On Success: When the policy matches, it intentionally routes the action into an approval flow instead of allowing it silently.

  • Standard Checks With No Extra Constraints: Date/Time/Day/Certificate restrictions are empty, so whether the rule fires depends almost entirely on whether the user, machine, and application match.
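The following Python model is an added illustration of the matching semantics described in this list; it is not the product's own code or JSON schema. Field names such as `users`, `app_ids`, `machine_ids`, `on_success` and `allowed_signers`, and the placeholder App ID and Machine ID values, are assumptions chosen for the example. The evaluator returns `APPROVAL` only when the user, application and endpoint all match, treats an empty constraint list as "no restriction" (the state of the Date/Time/Day/Certificate fields in this policy), and also shows what changes once a signer constraint is added, which goes slightly beyond the page's example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

WILDCARD = "*"


@dataclass
class FileAccessPolicy:
    """Constructed model of a File Access rule; field names are assumptions."""
    users: list[str]            # "*" means any user
    app_ids: list[str]          # one App ID here, so only that application is evaluated
    machine_ids: list[str]      # one Machine ID here, so only that endpoint is in scope
    on_success: str = "APPROVAL"
    require_acknowledgement: bool = False
    allowed_signers: list[str] = field(default_factory=list)  # empty = no certificate constraint
    allowed_days: list[str] = field(default_factory=list)     # empty = no day constraint


@dataclass
class FileAccessEvent:
    """A file access attempt as seen by the endpoint agent (constructed)."""
    user: str
    app_id: str
    machine_id: str
    signer: str | None = None   # publisher of the binary, if signed
    day: str = "Mon"


def _matches(targets: list[str], value: str) -> bool:
    """A target list matches if it contains the wildcard or the exact value."""
    return WILDCARD in targets or value in targets


def evaluate(policy: FileAccessPolicy, event: FileAccessEvent) -> str:
    """Return 'NO_MATCH' when the rule does not apply, else the OnSuccess action."""
    if not _matches(policy.users, event.user):
        return "NO_MATCH"
    if not _matches(policy.app_ids, event.app_id):
        return "NO_MATCH"
    if not _matches(policy.machine_ids, event.machine_id):
        return "NO_MATCH"
    # Optional constraints: an empty list imposes nothing, a non-empty list must be satisfied.
    if policy.allowed_signers and event.signer not in policy.allowed_signers:
        return "NO_MATCH"
    if policy.allowed_days and event.day not in policy.allowed_days:
        return "NO_MATCH"
    return policy.on_success


# Constructed policy mirroring the page: any user, one app, one endpoint, approval on match.
PGADMIN_POLICY = FileAccessPolicy(
    users=[WILDCARD],
    app_ids=["APP-ID-PGADMIN-PLACEHOLDER"],
    machine_ids=["MACHINE-ID-PLACEHOLDER"],
    on_success="APPROVAL",
    require_acknowledgement=False,
)

# Same policy tightened with a certificate constraint (placeholder signer name).
PGADMIN_POLICY_SIGNED = FileAccessPolicy(
    users=[WILDCARD],
    app_ids=["APP-ID-PGADMIN-PLACEHOLDER"],
    machine_ids=["MACHINE-ID-PLACEHOLDER"],
    on_success="APPROVAL",
    allowed_signers=["PLACEHOLDER PGADMIN PUBLISHER"],
)


def demo() -> dict[str, str]:
    """Run a few constructed events through both policies."""
    in_scope = FileAccessEvent("alice", "APP-ID-PGADMIN-PLACEHOLDER", "MACHINE-ID-PLACEHOLDER")
    other_app = FileAccessEvent("alice", "APP-ID-OTHER-PLACEHOLDER", "MACHINE-ID-PLACEHOLDER")
    other_host = FileAccessEvent("bob", "APP-ID-PGADMIN-PLACEHOLDER", "MACHINE-ID-OTHER-PLACEHOLDER")
    unsigned = FileAccessEvent("alice", "APP-ID-PGADMIN-PLACEHOLDER", "MACHINE-ID-PLACEHOLDER", signer=None)
    return {
        "in_scope": evaluate(PGADMIN_POLICY, in_scope),          # APPROVAL
        "other_app": evaluate(PGADMIN_POLICY, other_app),        # NO_MATCH
        "other_host": evaluate(PGADMIN_POLICY, other_host),      # NO_MATCH
        "unsigned_with_cert_rule": evaluate(PGADMIN_POLICY_SIGNED, unsigned),  # NO_MATCH
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two policy objects is the difference in the last case: with the certificate list empty, an unsigned or differently signed pgAdmin build still routes to approval; once a signer is listed, only builds from that publisher are covered by the rule.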


What The User Experiences

  • When users run pgAdmin (or the targeted pgAdmin component) on an in-scope endpoint, they will be prompted to request Approval for the covered file activity.

  • Because acknowledgement is not required, the notification itself should not add an extra “click to continue” step beyond the approval workflow.


Important Notes And Common Adjustments

  • Fix The Notification Message: The current notification text references “monitor mode” and mentions MFA/justification/request to run as administrator, but this is a File Access policy requiring Approval. Update or remove the message so it matches actual behavior.

  • Reduce Approval Noise: If the approval prompts are too frequent, narrow scope further (for example, limit the covered file paths or file types in the policy’s Extension section, where applicable).

  • Narrow The User Scope If Needed: Replace * with specific users/groups if only certain users should be able to request approval for pgAdmin activity.

  • Consider Certificate Constraints: If supported in your environment, restricting to a known signer/publisher can help ensure approvals apply only to trusted builds of the application.

Example JSON
