Content Groups

Content control allows you to control the accessibility of privileged content. Content groups provide a means of targeting specific types of content, based on file or folder, drive, or controlling process. Rules determining the behavior for that content are applied to each Content Group in a Workstyle.

There are two main use cases for applying content control:

  1. To allow standard users to modify privileged content, without having to assign admin rights to either the user, or the application used to modify the content.

    Content groups can be added to content rules where the content can be assigned admin rights. When this is done, any user who receives the Workstyle can modify matching content without requiring an administrator account.

  2. To block access to content or directories.

    Content groups can be added to content rules where the ability to open the content can be controlled with a Block Action. When this is done, any user who can normally open and read the content is blocked from opening the content.

The following sections explain how to create Content Groups including content definitions, and how to assign groups to content rules to apply the specific content control rules that meet your requirements.

Create Content Groups

To create a Content Group:

  1. Navigate to Privilege Management Settings > Windows > Content Groups.
  2. Right-click and select New Content Group. This creates a Content Group with the default name Content Group x, where x increments numerically.
  3. Right-click on the new Content Group and select Rename. Enter the new name you want and press Return to save your new Content Group.

Duplicate Content Groups

You can duplicate a Content Group if you need a new Content Group that contains the same content as an existing Content Group. You can edit a duplicated Content Group independently of the Content Group it was duplicated from.

To duplicate a Content Group:

  1. Navigate to Privilege Management Settings > Windows > Content Groups.
  2. Right-click on the Content Group you want to duplicate and select Copy.
  3. Select the Content Groups node, right-click, and select Paste. This makes a new copy of the Content Group and all the Content rules it contains.

A new duplicate Content Group with an incremental number in brackets appended to the name is created that you can add content to.

Target Content Definitions

The Content dialog box provides various Content Definitions. Privilege Management for Windows must match every definition you configure before it triggers a match (the rules are combined with a logical AND). The following definitions are available:

File or Folder Name

Applications are validated by matching the file or folder name. You can choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Although you can enter relative filenames, we strongly recommend you enter the full path to a file or the COM server. Environment variables are also supported.

We do not recommend the definition File or Folder Name does NOT Match be used in isolation for executable types, as it would result in matching every application, including hosted types such as Installer packages, scripts, batch files, registry files, management consoles, and Control Panel applets.

When creating blocking rules for applications or content, and the File or Folder Name is used as matching criteria against paths which exist on network shares, this should be done using the UNC network path and not by the mapped drive letter.

For more information, please see Regular Expressions Syntax.


This option can be used to check the type of disk drive where the file is located. Choose from one of the following options:

  • Fixed disk: Any drive that is identified as being an internal hard disk.
  • Network: Any drive that is identified as a network share.
  • RAM disk: Any drive that is identified as a RAM drive.
  • Any Removable Drive or Media: If you want to target any removable drive or media, but are unsure of the specific drive type, this option will match any of the removable media types below. Alternatively, if you want to target a specific type, choose from one of the following removable media types:
    • Removable Media: Any drive that is identified as removable media.
    • USB: Any drive that is identified as a disk connected by USB.
    • CD/DVD: Any drive that is identified as a CD or DVD drive.
    • eSATA Drive: Any drive that is identified as a disk connected by eSATA.

Controlling Process

This option allows you to target content based on the process (application) used to open the content file. The application must be added to an Application Group. You can also define whether any parent of the application matches the definition.

Insert Content

To insert a content rule:

  1. Select the Content Group you want to add the content control to.
  2. Right-click and select Insert Content.
  3. Enter a description, if required.
  4. You need to configure the matching criteria for the executable and then click Next. You can configure:
    • File or Folder Name
    • Drive
    • Controlling Process
  5. Click Finish. The content is added to the Content Group.