Netskope Help

Create a Next Generation API Data Protection Policy

To create a Next Generation API Data Protection policy, follow the instructions below:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Policies > API Data Protection.

    The API Data Protection page loads.

  3. Under SAAS, click the Next Gen tab.

  4. Click New Policy.

    The New API Data Protection Policy page loads.

  5. User: Users are individuals or bots associated with an account in the protected application, and with (read or write) access to content in the application. Based on your requirements, select the following options:

    Note

    • You can leave the User field empty (except for Microsoft Yammer). If you do so, all users will be scanned.

    • Workday note: Netskope uses the primary email of the user to calculate the domain exposure.

    • User Domains: User domains are further divided into:

      • Internal Domains: A user within the same domain of the organization. To configure an internal domain, navigate to Settings > Administration > Internal Domains. For more information, see Internal Domains.

        Note

        • GitHub note: Since GitHub does not provide email addresses, internal domains refer to users not labeled as external collaborators in GitHub.

        • Citrix ShareFile & Workday note: Currently, Netskope does not use the internal domains setting to calculate the exposure level for Citrix ShareFile and Workday.

      • External Domains & Anonymous Users: A user outside the domain of the organization. External domains and anonymous users refer to users with email addresses not belonging to the internal domains.

        Note

        • GitHub note: Since GitHub does not provide email addresses, external domains and anonymous users are limited to users labeled as external collaborators in GitHub.

        • Microsoft Yammer note: Anonymous users do not exist in Microsoft Yammer. All users are in the Yammer organization.

      • Domain Profiles: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain.

        Note

        • GitHub note: Since GitHub does not provide email addresses, Netskope does not support domain profiles for GitHub.

        • Citrix ShareFile & Workday note: Currently, Netskope does not use the domain profiles setting to calculate the exposure level for Citrix ShareFile and Workday.

    • Exception: You can set an exception list that the policy excludes from scanning. The exception list can be built from internal and external domains, anonymous users, and domain profiles.

      Note

      GitHub note: Currently, GitHub does not support the exception setting.

  6. Under Object, based on your requirements, select the following options:

    • All Applications: Apply the policy to all SaaS apps and instances.

    • App Instance: Apply this policy to the respective SaaS app instance(s) you select.

  7. Under Profile & Action, select the following options:

    • Profile: Select one of the following options:

      • None

      • DLP: If you select this option, select one or more predefined or custom DLP profile(s) from the list. To manage DLP profiles, navigate to Policies > PROFILES > DLP. For more information on managing DLP, see Data Loss Prevention.

    • Action: The action to be taken when a policy violation occurs. When you select Alert and a policy violation occurs, Netskope sends a notification to the Skope IT > Alerts page.

      Note

      Alerts are generated for the last 30 days only.

  8. Under Policy Name, enter the policy name and a short description.

  9. Under Status, based on your requirement, select one of the following options:

    • Disabled: Keep the policy disabled and enable it later.

    • Enabled: Enable the policy so that it takes effect immediately.

  10. On the top-right, click Save followed by Apply Changes.

    You should see the newly created policy on the policy home page.

    Note

    If you have kept the policy disabled, make sure to enable the policy. You can click the more options icon (...) to the right of the policy entry and click Enable followed by Apply Changes.

Next, you can view the DLP incidents under Incidents > DLP. For more information on DLP incidents, see DLP.