Action

This section of the API Data Protection policy page specifies the action to be taken when a policy violation occurs. The actions vary depending on the app chosen. For some apps, the only action is alert. Similarly, restrict access options vary depending on the app chosen.

  1. Select the action you want to take from the drop-down list, like Alert, Block, Change Ownership, Restrict Access, Encrypt, Delete, Quarantine, Legal Hold, Restrict Sharing to View, Apply Azure RMS Template, Data Classification, Disable Print and Download, or IRM Protect.

    – If you use the encrypt policy action, ensure that you have a Netskope real-time deployment i.e., a reverse or forward proxy. The Netskope real-time deployment is required to decrypt the file.
    – For a list of supported actions per cloud app, refer to API Data Protection Policy Actions per Cloud App.
    For folders with 1000 or more collaborators, Box does not send the list of collaborators to Netskope. As a result, Netskope API Data Protection treats the number of collaborators as zero, and API Data Protection actions such as Restrict Access will not work on such folders. This is a limitation of the Box app.

    For Microsoft Office 365 OneDrive for Business and SharePoint Sites apps, you can select the Restrict Access option from the adjacent drop-down list. The Restrict Access Levels are Owner, Internal Users, Remove Public Links, Remove Individual Users, and Remove Organization Wide Link.

    You cannot apply the Restrict Access actions to files with sharing links that are inherited from the parent folder. This is due to a limitation in the Microsoft Graph API and applies to the Microsoft Office 365 OneDrive and SharePoint apps.
    • Owner: Restrict file sharing access to the owner only.

      In SharePoint, the Restrict Access to Owner action retains access for the site owner(s) and site member(s). Access for all other visitors and shared users/groups is revoked.
    • Internal Users: Restrict file sharing access to internal users only. This action removes any external user who has access to the file and removes any public link on the file.

    • Remove Public Links: Remove public links from files/folder.

    • Remove Individual Users: Remove individual internal and external users from accessing files/folders. This option does not remove AD group email addresses like distribution lists.

    • Remove Organization Wide Link: Remove links from files/folders that are shared within the organization.

  2. Select the action as IRM Protect from the drop-down list and select Vera or MIP as the IRM vendor. If you select Microsoft Information Protection (MIP), you have to select an MIP Profile. If you have successfully connected the MIP instance but do not see the MIP profiles in the drop-down, see Re-grant MPIP Instance.

    – Before you create an IRM policy, you should create a Vera or MIP instance. For more information, see IRM Integration with Vera or IRM Integration with Microsoft Information Protection.
    – If you do not see an MIP profile in the drop-down list, log in to your Microsoft 365 admin center and go to the compliance section. Under Information protection, ensure that the MIP label is published to ‘all’ groups or to a group that contains the global administrator account.
    – Microsoft does not allow a policy with the Remove Encryption action to be created for MIP-encrypted files of Office 365 file types. Due to this limitation, when you set up a policy in the Netskope UI to apply an MIP label, the policy will not trigger on such Office 365 file types, because Netskope cannot replace the label on an MIP-encrypted file with any other label. This issue is not observed for Adobe PDF files or for .jpeg, .png, and .tiff image files.
    – Netskope API Data Protection supports MIP sub-level labels. For example, a sensitive file handled by a member of Division A could carry the MIP label CONFIDENTIAL (parent) with the sub-level label Division A.
  3. Select the available action and click Next.

  4. For Quarantine, select an existing quarantine profile from the list, or create a new one. Click New Quarantine Profile from the drop-down list to create a new quarantine profile for this policy. A DLP profile must be selected to use Quarantine. In the Create Quarantine Profile wizard, complete the Settings, Customize, and Set Profile pages, then click Create Quarantine Profile. When finished, click Next.

    Latest update on Microsoft Office 365 SharePoint’s Require check out of files – If this setting is enabled on a SharePoint site, Netskope API Data Protection can quarantine the file but fails to overwrite the original file with a tombstone file. To handle this scenario gracefully, API Data Protection now lets administrators identify such files in the Incidents and Alerts UI pages. The following two changes are added to the Netskope tenant UI:

    • Under Incidents > DLP, when you click an incident, the UI displays a new tombstone failure message.

    • Under Skope IT > EVENTS > Alerts, a new alert type Tombstone Failed is introduced for quarantine action.

    Encrypted files sent to the quarantine folder are limited to 20 MB in size.

    To trigger an email notification, you need to configure two settings:

    1. Under Notification, select Send to custodian and to users in profile.

    2. Under Policies > PROFILES > Quarantine, create a new profile or edit an existing profile. Under NOTIFICATION EMAILS, enter the email address to which the notification will be sent.

  5. For Legal Hold, choose an existing profile from the drop-down list or click Create New. The CREATE LEGAL HOLD PROFILE wizard opens. For more information, refer to the Legal Hold section of Profiles. When files are placed in legal hold, emails are sent to the custodian and the users who created the files. When finished, click Next.

SharePoint Restrict Access to Owner Behavior

In SharePoint, a site owner is the owner of the files and folders of the site. This is the default behavior. In the following scenarios the owner of the site becomes the owner of the uploaded file by default:

  • The site is owned by an administrator and other groups.

  • The site is shared with select users.

  • A folder or file is uploaded on the site by one of the site member users.

When Restrict Access to Owner is applied to such a file, every user on the shared list loses access except the author of the file and the owner(s) of the site.
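The following added example (not Netskope code) models the net effect of each Restrict Access level listed in step 1, including the SharePoint owner behavior just described, the rule that Remove Individual Users leaves AD group addresses in place, and the Graph API limitation that inherited links cannot be removed. The sharing list and entry kinds are constructed assumptions for illustration only.

```python
"""Simulate API Data Protection Restrict Access levels on a sharing list.

Added example, not Netskope's implementation. Each entry is
(principal, kind, inherited). Assumed kinds: 'owner', 'site_owner',
'site_member', 'internal', 'external', 'ad_group', 'public_link', 'org_link'.
"""

# SharePoint: Restrict Access to Owner keeps site owners and members.
OWNER_KEEP = {"owner", "site_owner", "site_member"}

# Constructed sample sharing list (not real data).
SAMPLE_SHARES = [
    ("alice@example.com", "owner", False),
    ("site-owners@example.com", "site_owner", False),
    ("bob@example.com", "internal", False),
    ("partner@contoso.example", "external", False),
    ("dl-finance@example.com", "ad_group", False),     # distribution list
    ("anyone-with-link", "public_link", False),
    ("org-link", "org_link", False),
    ("inherited-public", "public_link", True),         # inherited from parent
]


def restrict_access(shares, level):
    """Return the entries that remain after applying the given level.

    Inherited entries are never removed (Microsoft Graph API limitation
    described on the page), whatever the level.
    """
    def drop(pred):
        return [s for s in shares if s[2] or not pred(s)]

    if level == "Owner":
        return drop(lambda s: s[1] not in OWNER_KEEP)
    if level == "Internal Users":
        # Removes external users and public links; org-wide links stay.
        return drop(lambda s: s[1] in {"external", "public_link"})
    if level == "Remove Public Links":
        return drop(lambda s: s[1] == "public_link")
    if level == "Remove Individual Users":
        # AD group addresses such as distribution lists are not removed.
        return drop(lambda s: s[1] in {"internal", "external"})
    if level == "Remove Organization Wide Link":
        return drop(lambda s: s[1] == "org_link")
    raise ValueError(f"unknown Restrict Access level: {level!r}")


def remaining_principals(shares, level):
    """Names of principals that still have access after `level` is applied."""
    return [s[0] for s in restrict_access(shares, level)]
```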
