# Policy: Global Allow File Access - Require Approval

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FPCnHxD3B0tMObwhqhei7%2FRequire%20Approval%20to%20Run%20Applications.png?alt=media&#x26;token=0357526a-4fa1-45aa-8b1e-e2e9e56ab163" alt=""><figcaption></figcaption></figure>

This example shows a **File Access Policy** used as a **Global Approval Requirement for running applications**. When enabled, it applies to any application a user tries to launch, creating a single, top‑level control point across all endpoints.  After this **Baseline File Access Policy** is in place, additional policies can be added to allow specific applications, teams, or scenarios to run without approval.

***

### What this Policy Does

When a user on any **in-scope endpoint** tries to run an application:

1. The request is evaluated by the **File Access** policy engine.
2. Because the policy is broadly scoped (all users, all applications), it matches most execution attempts on those endpoints.
3. The policy requires **Approval** within the **Admin Console** before allowing the action to proceed.

### Why it Behaves this Way

This policy is intentionally written as a “broad match” policy, then applies a control:

* **Enforced**: The policy is active and will apply controls (not just log).
* **Approval control on success**: When the policy matches, it triggers an approval workflow.
* **All users**: A wildcard user filter makes it apply to any user account on in-scope machines.
* **All applications**: A wildcard application filter makes it apply to any application being evaluated by this File Access policy.
* **Built-in checks**: Standard checks (user, machine, file, date/time/day, certificate) are present. If those constraints aren’t narrowed (for example, no date/time/day/cert restrictions are provided), the policy behaves like a broad catch-all for execution on the targeted endpoints.

### What the User Experiences

* Most application launches on the targeted endpoints will generate an **approval request**.
* The policy includes a user-facing notification message. If the message references a specific date or one-off event, replace it with something generic (or remove it) to avoid confusion in production.

***

### Important Notes and Common Adjustments

* **High prompt volume**: Because this applies to *all* applications, it can create a lot of approvals—especially when expanded to many endpoints.
* **Narrow the scope** if needed:
  * Restrict the application filter to a specific set of executables or paths
  * Restrict the user filter to specific users/groups
  * Add certificate/publisher constraints to treat trusted vs. untrusted software differently
  * Add time/day/date restrictions for staged rollouts or business-hours-only enforcement

***

## How Build a Baseline File Access Policy

{% stepper %}
{% step %}

#### Create Policy

From the **Policies** tab of the Admin Console's Endpoint Privilege Manager page, click the <mark style="color:blue;">**Create Policy**</mark> button.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FM1QO8kenP5pfE2MOk3wI%2Fimage.png?alt=media&#x26;token=bbf54174-a4d7-4d6f-bc5f-4036ec7d280d" alt=""><figcaption></figcaption></figure>

This will open the **Create Policy Form** in a modal window.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FjHvyi8igQKC9DBxO4eCH%2Fimage.png?alt=media&#x26;token=d4af46b8-cb58-424c-949b-7273f5b99026" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Policy Name

Enter a descriptive name for your new Baseline File Access Policy.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fgit-blob-710d7a5d1f7c705f761d6b57a0eabd50d6a0d567%2Fimage.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Policy Type

Select <mark style="color:blue;">**File Access**</mark> from the **Policy Type** select list.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F8hx5vtPOfgJleKKVwGdv%2Fimage.png?alt=media&#x26;token=f85746ee-9568-4206-88b6-1648290ae187" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Status

Select the status that you would like your new **Baseline File Access Policy** to be in upon submission of the completed **Create Policy** form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F8VRMMpXz1NTRHPUleqnY%2Fimage.png?alt=media&#x26;token=eea2fa90-618e-4d0c-bfaa-19f89e7853e9" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Controls

Select <mark style="color:blue;">**Require approval**</mark> from the **Add Control** sub-form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fu9EaMoXeE7xFvYEtOF8Y%2Fimage.png?alt=media&#x26;token=1c36fd00-fbaa-4e74-bd6a-6aea7e7ab99f" alt="" width="307"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### User Groups

Click the <mark style="color:blue;">**Add Group**</mark> link in the Create Policy form.  This will open the **Add Group** sub-form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fgt90kNhaIryQPk62BDAI%2Fimage.png?alt=media&#x26;token=3e9133a9-ecb1-42b4-8280-7f9be9ffbbad" alt="" width="273"><figcaption></figcaption></figure>

Check the <mark style="color:blue;">**Select all users**</mark> checkbox in the **Add Group** sub-form then click off of the sub-form to close it.  **All Users and Groups** will now appear under **User Groups** as applied to your **Baseline File Access Policy.**

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FWSO9QeoLTiUkbXfT5nID%2Fimage.png?alt=media&#x26;token=2cb0ab91-7bbd-42c9-a9a6-0a15f572b756" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Machine Collections

Click the <mark style="color:blue;">**Add Collection**</mark> link in the Create Policy form.  This will open the **Add Collection** sub-form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fgit-blob-3ba47cb0293c1909051c9e8ebb8b97c2df8dbdc3%2Fimage.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

Check the <mark style="color:blue;">**Select all machines**</mark> checkbox in the **Add Collection** sub-form then click off of the sub-form to close it.  **All Machines** will now appear under **machine Collections** as applied to your **Baseline File Access Policy.**
{% endstep %}

{% step %}

#### Applications

Click the <mark style="color:blue;">**Add Applications**</mark> link in the Create Policy form.  This will open the **Add Applications** sub-form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FgTjVxd0D1WUBBgM3mi27%2Fimage.png?alt=media&#x26;token=a14547b7-cf27-407a-bcb1-b8e9611bb054" alt="" width="259"><figcaption></figcaption></figure>

Check the <mark style="color:blue;">**Select all applications**</mark> checkbox in the **Add Applications** sub-form then click off of the sub-form to close it.  **All Applications** will now appear under **Applications** as applied to your **Baseline File Access Policy.**

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FiPf757GNEMkXkki445Zu%2Fimage.png?alt=media&#x26;token=f99b28d6-2f0f-4264-8f41-09568a139baa" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Date & Time

For a **Baseline File Access Policy,** it is recommended that the **Date and Time Ranges** be set to <mark style="color:blue;">**Always**</mark>, ensuring the block is continuously enforced with no time-based gaps.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F3BRuOjyoa7tN2eskBUCu%2Fimage.png?alt=media&#x26;token=2dfa47bf-dddb-4091-a203-d0111420ec4b" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Save Your New Baseline File Access Policy

Once the form has been sufficiently filled in per the previous steps, the <mark style="color:blue;">**Save**</mark> button will be changed from an inactive to an active state. Click on the <mark style="color:blue;">**Save**</mark> button.  The **Create Policy** modal form will be closed and your **Baseline File Access Policy** will be saved.

<div align="right"><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FbknoaYLYtDqubMgpY115%2Fimage.png?alt=media&#x26;token=0d24784b-31b1-4a6e-a6ce-3038b182ed35" alt="" width="44"><figcaption></figcaption></figure></div>
{% endstep %}
{% endstepper %}

***

## Use-Case Definitions

<h3 align="center"><mark style="color:blue;">Why this Baseline File Access Policy Should be your First Policy</mark></h3>

This pattern — a **Baseline File Access** which **Requires Approval** that catches everything by default — serves a very specific and important strategic purpose in endpoint privilege management. Here's a full breakdown of the use-cases and the reasoning behind it:

### The Core Concept: "Default-Deny via Default-Require-Approval"

Rather than trying to enumerate every dangerous application upfront (which is nearly impossible), this approach **inverts the model**: everything requires approval by default, and you then carve out exceptions for trusted, known-good applications. It's conceptually similar to a default-deny firewall rule at the bottom of a ruleset.

### Primary Use-Cases

#### 1. Regulated or High-Security Environments

Organizations subject to compliance frameworks like HIPAA, PCI-DSS, SOC 2, or government/defense mandates often need to demonstrate that **no unauthorized software can execute** on managed endpoints without a documented approval chain. A global file access with required approval as a baseline policy creates a single, auditable control point for every application launch.

#### 2. Application AllowListing Rollouts

This policy is the ideal **foundation layer** when an organization is building out an application allowlist. Rather than blocking everything immediately (which would be disruptive), you:

* Start with a global approval requirement within a baseline policy (less disruptive — users can still run things, but must request approval)
* Observe what gets requested
* Add targeted **Allow policies** above it for IT-approved software (approved apps pass through without triggering the approval gate)
* Over time, transition toward a true deny policy at the baseline once the allowlist matures

This policy structure is intentionally written as a "broad match" policy that applies a control — because the user and application filters both use wildcards, it functions as a broad catch-all for execution on targeted endpoints.

#### 3. Pilot or Phased Deployment

This type of policy is useful for demonstrating how to introduce an approval workflow for application execution across a group of endpoints — for example, a pilot group or a department. Security teams can validate the approval workflow, tune approver capacity, and build the exception list before rolling out to the full fleet.

#### 4. Zero-Trust Endpoint Posture

In a zero-trust model, **implicit trust is eliminated** — even for standard user applications. A global file access with required approval as a baseline policy enforces that posture at the execution layer. No application is implicitly trusted simply because it's present on the machine.

#### 5. Incident Response / Breach Containment

If an organization has experienced (or suspects) a compromise, this policy can be rapidly deployed to **lock down a segment of endpoints** — requiring every application launch to be human-approved — while the investigation proceeds, without immediately blocking everything and causing a full outage.

#### 6. High-Risk User Groups or Machines

For specific populations like contractors, third-party vendors, or endpoints in sensitive network segments (e.g., OT adjacent, finance systems), a global approval policy provides maximum oversight without requiring granular per-app policy authoring upfront.

***

### Why File Access Policy (Not Privilege Elevation) for the use-cases?

This is a nuanced but important distinction. A **File Access policy** intercepts the *execution* of a file (the moment an application is launched), while a Privilege Elevation policy only intercepts attempts to run something with elevated privileges. By using File Access here, the approval requirement applies to **any application launch** — regardless of whether the user needs admin rights — giving broader coverage.

#### The Layered Policy Strategy That Follows

Implement sophisticated policy combinations using layered policies — applying multiple policies to the same resources for defense-in-depth. Once this baseline file access policy is in place, the operational model looks like this:

| Priority        | Policy                                                | Scope                    |
| --------------- | ----------------------------------------------------- | ------------------------ |
| High            | **Allow** — IT-approved apps (browsers, Office, etc.) | Specific apps, all users |
| High            | **Allow** — Developer tools                           | Specific users/groups    |
| Low (catch-all) | **Require Approval** — Everything else                | All users, all apps      |

Applications matched by a higher-priority Allow policy pass silently. Anything not explicitly allowed falls through to the baseline file access policy with required approval.

***

### Key Operational Consideration

Because this policy applies to all applications, it can create a high volume of approval requests — especially when expanded to many endpoints. This is why the documentation recommends starting with a **pilot group** and building out the exception (Allow) policies *before* broad deployment. Deploying in batches while monitoring system performance and user feedback, and adjusting policies based on operational requirements, is the recommended approach.