In this invention, when security policy is attached to a file, a device
protection manager is given the protected file's name. If the file is a
special device file, then the device manager records the device
specification in a device database. When a device access occurs, the
device specification is extracted from the special device file used in
the access. This extracted device specification is then used to search
the device database. If a matching device specification is found in the
database and the accessed device file has the same name as the protected
resource, then authorization policy rules on that resource determine the
access. If the match is for the same device but its protected file name
differs from the name of the accessed device file, then the search
continues until the exact accessed device file is found or until all
device specification matches are found. In the absence of an exact
device file match, all the matching
device files are presented to the external security manager for
authorization checking and the most restrictive outcome prevails.
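
The lookup described above, sketched as an added example (not code from the invention). It assumes the device specification is a (type, major, minor) tuple and that the external security manager can be modelled as a per-resource callable; DeviceDatabase, allow_only, the file names and the device numbers are all constructed for illustration.

```python
from collections import defaultdict


class DeviceDatabase:
    """Protected special device files, indexed by device specification."""

    def __init__(self):
        # spec -> {protected file name: policy}. Modelling the spec as
        # (type, major, minor) is an assumption of this example.
        self._by_spec = defaultdict(dict)

    def protect(self, name, spec, policy):
        """Record a protected device file; policy(user) -> bool stands in
        for the external security manager's decision on that resource."""
        self._by_spec[spec][name] = policy

    def authorize(self, user, accessed_name, accessed_spec):
        """Return True/False, or None when the device is not in the database."""
        matches = self._by_spec.get(accessed_spec)
        if not matches:
            return None  # assumption: no matching spec means no decision here
        if accessed_name in matches:
            # Exact device file match: that resource's rules decide.
            return matches[accessed_name](user)
        # Same device reached through a different file name: check every
        # matching resource; the most restrictive outcome prevails.
        return all(policy(user) for policy in matches.values())


def allow_only(*users):
    """Hypothetical policy: permit only the listed users."""
    allowed = frozenset(users)
    return lambda user: user in allowed


DISK = ("b", 8, 0)  # constructed device specification


def build_sample_db():
    db = DeviceDatabase()
    db.protect("/dev/sda", DISK, allow_only("root", "backup"))
    db.protect("/dev/disk0", DISK, allow_only("root"))
    db.protect("/dev/tty9", ("c", 4, 9), allow_only("operator"))
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for user, name in [("backup", "/dev/sda"), ("backup", "/tmp/mydisk")]:
        print(user, name, db.authorize(user, name, DISK))
```

Because the decision is keyed on the device specification rather than the path, a second device file for the same device falls under the strictest policy of all protected names for that device.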