Create a Next Generation API Data Protection Policy

Create a Next Generation API Data Protection Policy

To create a Next Generation API Data Protection policy, follow the instruction below.

Based on your requirements, select the following options:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Policies > API Data Protection.

    The API Data Protection page loads.

  3. Under SAAS, click the Next Gen tab.

  4. Click New Policy.

    The New API Data Protection Policy page loads.

  5. Under Collaborators, select the following options:

    • Owner: Owner is a user who owns a file, mailbox, or chat history. There are multiple options under Owner. If you do not select any option, all users are selected by default.

      In Next Generation API Data Protection, there is a concept of “owner”, which means the “mailbox owner.” Currently, Netskope only support outgoing emails for scanning. In this case, the owner will always be the sender. To maintain the policy filter behavior while taking the owner definition into account, Netskope restricts the scanning of emails within the Sent folder only.
      The Owner drop-down is disabled by default. To enable, select a web mail app like Google Mail or Outlook application from Object.
      • User: Displays the total number of mailbox owners in a web mail app. You can select one or many users.

      • User Group: Next Generation API Data Protection supports Active Directory (AD) user group as a collaborator option. With this enhancement, you can include AD user groups from 3rd-party identity vendors. Select a user group from the list. User groups are part of the directory importer installation. If you do not see a populated list, you should import the AD user group. To do so, go to Settings > Tools > Directory Tools > SCIM Integration to set up your SCIM integration. To learn more: SCIM-Based User Provisioning.

        If a file is accessible to only some users within the AD group, Netskope considers it as a policy match.
      • User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file with all the users email addresses to include or exclude in a scan for policy violations. You can select one or many user profiles.

      • Domain: Displays a list of domains. You can select one or many domains.

      • Domain Profile: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain. You can select one or many domain profiles.

      • Exclusions: You can set an exclusion list whereby the policy excludes scanning for the selected criterion. You can set an exclusion list from user, user group, user profile, domain, and domain profile.

    • Exposure: Users are individuals or bots associated with an account in the protected application, and with (read or write) access to content in the application. There are multiple options under Exposure. If you do not select any option, all exposure types are selected by default. Based on your requirements, select the following options:

      Exposure computation works at a ‘collaborative’ level. For example, if the administrator includes ‘user 1’ in a policy, any file that is shared with ‘user 1’ even by users who are not part of the policy will trigger a policy alert.
      For Atlassian managed accounts, Next Generation API Data Protection can retrieve Atlassian Confluence users’ email address only if the email address visibility is set to either “Anyone” or “”. This is the default setting for Atlassian managed accounts. If the user email is private, the exposure options are not available. To check if the user email address is public:
      1. Log in to your Atlassian account and view the Profile and visibility page: https://id.atlassian.com/manage-profile/profile-and-visibility.
      2. Scroll down to the ​Contact​ section and ensure that your email address visibility is set to either ​Anyone​ or ​your company name​​.
      • You can leave the User field empty (except for Microsoft Yammer). If you do so, all users will be scanned.
      • Workday note: Netskope uses the primary email of the user to calculate the domain exposure.
      • GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement
      • INTERNAL/EXTERNAL: A list of file sharing exposure options are:

        • Owner: Not shared with anyone.

        • Internal: Shared between users and groups from one single domain defined in Internal Domains or defined as an internal user in the app instance.

        • All Internal Users: Shared between all users and groups within the organization.

        • External: Shared with external users and groups.

        • Anonymous: Shared with general public. Accessible by anyone.

          To learn more: Next Gen File Sharing Exposure.

          • Citrix ShareFile & Workday note: Currently, Netskope does not use the internal domains setting to calculate the exposure level for Citrix ShareFile and Workday.
          • GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement
          • Microsoft Yammer note: Anonymous user does not exist in Microsoft Yammer. All users are on the Yammer organization.

          A few examples of the file sharing exposure:

          1. If you want to run a policy to match all the internal named users (e.g, michael@abc[.]com, steve@abc[.]com etc.), you can select the Internal options to show all documents shared with named users.

          2. If you want to run a policy to match all internal users irrespective of the sharing options, whether they are shared with a link or a named user, you would select the following options:

            • Owner

            • Internal

            • All Internal Users

              This will match all files that are shared with either of the above exposure options.

      • User Group: Next Generation API Data Protection supports Active Directory (AD) user group as a collaborator option. With this enhancement, you can include AD user groups from 3rd-party identity vendors. Select a user group from the list. User groups are part of the directory importer installation. If you do not see a populated list, you should import the AD user group. To do so, go to Settings > Tools > Directory Tools > SCIM Integration to set up your SCIM integration. To learn more: SCIM-Based User Provisioning.

        If a file is accessible to only some users within the AD group, Netskope considers it as a policy match.
      • User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file with all the users email addresses to include or exclude in a scan for policy violations.

        • User profiles must be added before they are listed here. To download a CSV file that contains your user profiles, go to Policies > Profiles > User, and then click New User Profile. Complete the steps in the New User Profile wizard, and then select a user profile here.
        • GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement
      • Domain: Displays a list of domains. You can select one or many domains.

      • Domain Profiles: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain.

        • Citrix ShareFile & Workday note: Currently, Netskope does not use the domain profiles setting to calculate the exposure level for Citrix ShareFile and Workday.
        • GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement
      • # Internal Named Users: To set thresholds for when content sharing triggers a policy violation, click to set the range and number of internal users. Select the More Than or Less Than radio button and enter the number of internal collaborators that need to be detected for a policy violation to occur.

      • Exclusions: You can set an exclusion list whereby the policy excludes scanning. You can set an exception list from user profiles, internal & external domains, anonymous users, and domain profiles.

        GitHub note: There is a GitHub policy enhancement on exposure options. To learn more: GitHub Policy Enhancement
  6. Under Object, based on your requirements, select the following options:

    • All Applications: Apply the policy to all SaaS apps and instances.

    • Applications: Apply the policy to the respective SaaS app(s) you select. On selecting this option, all app instances of a specific SaaS app gets included for policy scanning.

    • App Instance: Apply this policy to the respective SaaS app instance(s) you select.

      To identify if the Microsoft 365 OneDrive or SharePoint app instance is GCC High or commercial, a GCC High app instance name will be suffixed by .us.
    • Categories: Apply the policy based on the type of SaaS app solution. If you select a category, all the corresponding SaaS app and instances are included for policy scanning. Here are the SaaS app categories and corresponding SaaS apps:

      • Development Tools: Atlassian Jira, GitHub

      • Cloud Storage: Google Drive, Microsoft 365 OneDrive Commercial & GCC High, Citrix ShareFile

      • Collaboration: Atlassian Confluence, Microsoft 365 Teams GCC High, Microsoft 365 SharePoint Commercial & GCC High, and Microsoft 365 Yammer, and Zoom.

      • Helpdesk Management: Zendesk

      • HR: Workday

      • Identity & Access Management: Okta

      • Webmail: Google Mail, Outlook

        For Application and Categories, you can also exclude certain SaaS apps and instances from the purview of policy scanning. To do so, select the Application or Categories option from the Object drop-down list and click the Exclusions drop-down list and select the SaaS app/instance.

    • Content: Click the Specify App Instance drop-down list, select the SaaS app instance. The scan content window opens. You can either select All content or Specific resources. On selecting Specific resources, include and exclude the resource IDs to scan. Click Save.

      Currently, Netskope can scan outgoing emails’ sent folder only. It is recommended to set the scan content to All content.
      To get the resource ID, navigate to API-enabled Protection > CASB API (NEXT GEN) > Inventory. Click an entry from the Name field to view the details page. Note down the Resource ID value.
      Sample Resource ID:
      If you plan to scan a specific repository in GitHub, follow the procedure below.
      1. Navigate to API-enabled Protection > CASB API (NEXT GEN) > Inventory.
      2. Click the Content Collections > Repository tab.
      3. Identify the GitHub repository from the Name field. Click it.
        The details pane opens.
      4. Copy the Resource ID value.
      5. This the resource ID for a repository in GitHub
      6. Go back to the policy wizard page Content > Specify App Instance > Specific resources, paste the resource ID under Specify Resources to scan.
      7. Click Save.
    • Resource Type: Apply the policy for a specific specific resource category. A few resource type category examples are file attachment, email message body, chat message body, etc. Based on the SaaS apps you have selected, choose the appropriate resource type:

      • File/Attachment: Files attached in email app like Gmail. Select this resource type for email app like Gmail.

      • Email Message Body: Subject and body of the email. Select this resource type for email app like Gmail.

      • Chat Message Body: Content of a chat message. Select this resource type for chat messenger apps.

      • Comment: A comment left in a Confluence page. Select this resource type for Confluence app.

      • Page: A page created, edited, or deleted in Atlassian Confluence. Select this resource type for Confluence app.

      • Source Code Commit: This is applicable to development tools like GitHub where you’d like to monitor source code commits.

    • File Type: Apply the policy for a specific file type category. A few file type category examples are audio, image, word processor, presentation, video, etc.

      • The file type option is available for HR, email, and cloud storage apps only.
      • The file type criterion will only be matched against files. Other non-file resources will ignore this criteria.
    • Google Badged Labels: This option gets enabled only if you select Google Drive under Applications. Under Label Value(s), enter the Google badge label values. Separate multiple values by a new line. To know the label values, log in to your Google Drive admin account. With this capability, Netskope can read through the badged labels in Google Drive and apply a policy action. For example, if a document matches a badged label value which is deemed sensitive, an alert action can be taken. Currently, you can apply the alert policy action only.

      This is a controlled-GA feature. Contact Netskope support or your sales representative to enable this feature.
  7. Under Profile & Action, select the following options:

    For a complete list of apps that support various profiles and actions, see Next Generation API Data Protection Feature Matrix per Cloud App.
    • Profile: You can select either of the following options:

      • None

      • DLP: If you select this option, select one or more predefined or custom DLP profile(s) from the list. To manage DLP profiles, navigate to Policies > PROFILES > DLP. For more information on managing DLP, see Data Loss Prevention.

      • Threat Protection: If you select this option, choose the default predefined malware scan profile.

        If you select threat protection, the quarantine action is not allowed. It will be introduced in due course. All other actions supported by DLP are supported by threat protection.
        • Next Generation API Data Protection supports files up to 128 MB for DLP and threat protection. The default file size is set to 32 MB. However, if you’d like to try this enhancement, contact your Netskope sales representative/support to enable this on your tenant.
        • Atlassian Confluence note: Netskope can detect malware in Atlassian Confluence file attachments only.
    • Action: The action to be taken when a policy violation occurs.

      • Alert: When you select this action and a policy violation occurs, Netskope sends a notification in Skope IT > Alerts page.

        Alerts are generated for the last 30 days only.
      • Change owner to a specific user: This action changes the owner of the file to a specific user. On clicking this option, the UI prompts you to enter the email address of the specific user.

        Currently, this action is available for Google Drive and Workday apps only. To learn more: Policy Action Special Behavior.
      • Delete: This action deletes violating files and folders.

        Ensure that you refine the policy as required. If you set the exposure level to ‘all’ and policy action to ‘delete’, the policy will delete all content from the storage app.

        Unlike classic API Data Protection, the delete action does not require to be bound with a DLP profile, which means the policy can delete content collections such as folders. However, due to SaaS apps’ upstream API capability, some of the special content collections may not be deleted even if the policy matches:

        SaaS app / Containers that can be deletedFilesFoldersPersonal DriveShared DriveSites
        Google DriveYesYesNoYesNot applicable
        Microsoft 365 OneDriveYesYesNoNot applicableNo
        Microsoft 365 SharePointYesYesNot applicableYesNo
      • Quarantine: This action isolates the affected file and tombstones it. Select an existing quarantine profile from the list, or create a new one.

        This action is currently available for Microsoft OneDrive and SharePoint.
      • Restrict access to owner: This action restricts the access of the file to the owner only.

        Special note on Google Drive. To learn more: Policy Action Special Behavior.
      • Restrict access to internal collaborators: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

      • Restrict access to specific domains and internal collaborators: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name.

        If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
      • Revoke organization-wide sharing: This action removes any kind of organization-wide sharing links and access.

      • Revoke specific domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name.

        • If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
        • Read Guest/External User Parsing Limitation under the appendix section for additional information.
    • + Email Notification: You can now define an email notification for events in the policy wizard. These notifications, triggered by events like policy violations or alerts, provide administrators and designated user groups with timely information about important activities. Click + Email Notification to configure additional settings.

      This enhancement is currently available for Gmail, Google Drive, Microsoft OneDrive, Microsoft SharePoint, Citrix ShareFile, and Workday apps only. If you select all apps or non-supported apps, this option will remain disabled.
      • How often to notify people: You can select either a periodic interval (30 minutes, 60 minutes, 6 hours, 24 hours) or after each event.

      • Send notification to: You can send a notification to:

        • Owner: Creator of the email, message, or file.

        • Admin: Admin email that was configured as part of the instance setup.

        • Collaborators: Everyone with whom the email, message, or file is shared.

        • Selected Users: Specified users.

        You can either use the default email template or create a new template for the notification.

      • From User: Optionally, you can enter an email address from whom the notification will be sent.

  8. Under Policy Name, enter the policy name. and a short description.

  9. Under Status, based on your requirement, select the following options:

    • Disabled: Keep the policy disabled and enable it later.

    • Enabled: Enable the policy so that it takes effect immediately.

  10. On the top-right, click Save followed by Apply Changes.

    You should see the newly created policy on the policy home page.

    If you have kept the policy disabled, make sure to enable the policy. You can click the more options icon () to the right of the policy entry and click Enable followed by Apply Changes.

Next, you can view the DLP incidents under Incidents > DLP. For more information on DLP incidents, see About DLP.

Appendix – Special Behavior of SaaS Apps

GitHub Policy Enhancement

Originally, certain data protection policy exposure options were unavailable for GitHub, like user profile, internal domains, external domains and anonymous users, domain profiles, and exclusions. This limitation stemmed from Netskope’s inability to retrieve users’ email IDs from GitHub. With the latest update, Netskope can now retrieve users’ email IDs from GitHub, opening up a world of possibilities for improved data protection. But there are some prerequisites:

  • SAML SSO Configuration: To unlock this functionality, you must have SAML Single Sign-On (SSO) configured in your GitHub organization.

  • Email as NameID: Ensure that the NameID for your SAML configuration is set to an email address.

  • Enforced SSO: It’s crucial to enforce SSO for all members within your organization.

Once you’ve met these criteria, Netskope seamlessly retrieves users’ email IDs from GitHub. This breakthrough empowers you to leverage advanced policy exposure options, enhancing your GitHub data protection strategy.

Microsoft 365 OneDrive & SharePoint Commercial

  • Guest/External User Parsing Limitation: Guest/external users included in a user profile will not be considered for exposure computation in OneDrive and SharePoint. This is currently a known limitation. As a workaround, guest/external user domains can be added to the domain profile.

  • Delete Inherited Link: In Microsoft 365 OneDrive & SharePoint, files can inherit sharing link(s) from a parent folder. Such sharing link(s) cannot be deleted at the file level, but must be deleted at the folder level where they originate. For files with inheriting permissions, Next Generation API Data Protection deletes the sharing link(s) at the parent folder level.

  • Exposure Calculation for Deleted Groups: A file shared with a group that was deleted before provisioning the Netskope API Data Protection, the Exposure Status of the file on the Inventory page will be blank. To fix this, the Microsoft tenant administrator should revoke the permissions of the deleted group in the Microsoft tenant. Thereafter, Netskope can correctly calculate the exposure and execute policy actions for the file.

Policy Action Special Behavior

Use caseGoogle DriveWorkday
Change owner to a specific userSince there is no owner in Google shared drive, Netskope cannot change owner on files or folders in a shared drive. This action applies to My Drive only.Workday automatically restricts the access to the new owner only. The others including the previous owner will no longer have access to the file.
Restrict access to ownerSince there is no owner in Google shared drive, Netskope cannot restrict access to owner on files or folders in a shared drive. This action applies to My Drive only.-
Restrict access for inherited permissionNetskope does not delete inherited permissions from files or folders in a shared drive, as removing these inherited permissions would also remove them from any files or folders that have those permissions. Therefore, Netskope retains inherited permissions and does not remove them.-
Policy action for files and folders in a shared driveNetskope only applies policy actions to files or folders in a shared drive if there is a user with a Manager/Content Manager/Writer role on the shared drive. Netskope impersonates that user to carry out the policy action. If there are no permissions granted to any user with these roles on the shared drive, Netskope will not perform the policy action, even if there is a policy hit.-
Share this Doc

Create a Next Generation API Data Protection Policy

Or copy link

In this topic ...