This section of the API Data Protection policy page specifies the action to be taken when a policy violation occurs. The actions vary depending on the app chosen. For some apps, the only action is alert. Similarly, restrict access options vary depending on the app chosen.
- Select the action you want to take from the drop-down list, like Alert, Block, Change Ownership, Restrict Access, Encrypt, Delete, Quarantine, Legal Hold, Restrict Sharing to View, Apply Azure RMS Template, Data Classification, Disable Print and Download, or IRM Protect.
- If you use the Encrypt policy action, ensure that you have a Netskope real-time deployment, that is, a reverse or forward proxy. The Netskope real-time deployment is required to decrypt the file.
- For a list of supported actions per cloud app, refer to API Data Protection Policy Actions per Cloud App.
For some actions, like Restrict Access, you can select additional options from the adjacent drop-down list. For example, if you selected Specific Sharing Options and Shared Externally in the Content section, then the option to allowlist or blocklist an External Domain appears in the drop-down list.
For folders with 1000+ collaborators, Box does not send the list of collaborators to Netskope. Because of this, Netskope's API Data Protection rounds off the number of collaborators to zero. An API Data Protection policy action such as Restrict Access will not work for such folders. This is a limitation in the Box app.
- Select the action as IRM Protect from the drop-down list and select Vera as the IRM vendor.
- Before you create an IRM policy, you should create a Vera instance. For more information, see IRM Integration with Vera.
- Select the available action and click Next.
Restrict Access to Domain and User Profiles
Up until release 47, allowlist and blocklist domain profiles under Restrict Access were linked to the domain profiles under Content > File Sharing Options to Scan policy workflow. These two are independent of each other. An administrator access based on domain profiles. In addition, administrators can now allow (allowlist) or deny (blocklist) certain users (user profile) from accessing files and folders.
Before restricting access to a domain or user profile, you need to create the profile from the Policies > Profiles page. Once the profile is created, it is listed as part of the Restrict Access action. Restrict Access is available as part of the Action policy workflow. You must select Restrict to select Allowlist Domains, Blocklist Domains, Allowlist User, or Blocklist User from the Restrict Access Level drop-down list. Based on the choice, the Domain Profile or User Profile drop-down list is displayed.
In Contents > File Sharing Options to Scan, if you select Specific Sharing Options > Private, the Restrict Access option is not available under Actions.
Egnyte Policy Action
Admin and power users can use a link to share one or more files with users. When you share a file link in Egnyte, the recipient receives containing the URL of the file. Clicking the URL downloads the file. need not be an Egnyte user. If a user belongs to a blocklist user profile, Netskope removes the shared link for all users irrespective of user/domain profile. A couple of use cases to note:
- If a user has shared a file with a.com domain users and then, at a different time, with b.com domain users, a Restrict Access action that blocklists the a.com domain denies access to a.com domain users only. b.com domain users can continue to access the file.
- If a user has shared a file with a.com and b.com domain users at the same time using a single URL, a Restrict Access action that blocklists the a.com domain denies access to both a.com and b.com domain users. Netskope changes the exposure of the file to private.
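The two Egnyte cases above can be checked before a blocklist profile is enabled. The following is an added Python example, not Netskope or Egnyte code, that models link-level removal and reports which non-blocklisted recipients would lose access as a side effect. The `SharedLink` class, function names, URLs and addresses are constructed for illustration; it assumes that shares made at different times use separate links and that the file becomes private once no link remains.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SharedLink:
    """Constructed model of one shared link; not an Egnyte or Netskope API object."""
    url: str
    recipients: frozenset  # e-mail addresses that received this URL

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def apply_blocklist(links, blocked_domains):
    """Return the outcome of a blocklist-domain Restrict Access action for one file."""
    blocked = {d.lower() for d in blocked_domains}
    removed, kept = [], []
    for link in links:
        # A link is removed as a whole if any of its recipients is blocklisted.
        if any(domain_of(r) in blocked for r in link.recipients):
            removed.append(link)
        else:
            kept.append(link)
    # Recipients who still hold a surviving link keep their access.
    still_reachable = set().union(*(l.recipients for l in kept))
    lost = set().union(*(l.recipients for l in removed)) - still_reachable
    collateral = sorted(r for r in lost if domain_of(r) not in blocked)
    return {
        "removed_links": [l.url for l in removed],
        "remaining_links": [l.url for l in kept],
        "collateral_recipients": collateral,
        # Assumption: exposure is private only when no shared link is left.
        "exposure": "shared" if kept else "private",
    }

if __name__ == "__main__":
    # Constructed sample data: placeholder URLs and addresses.
    separate = [
        SharedLink("https://example.invalid/dl/1", frozenset({"alice@a.com"})),
        SharedLink("https://example.invalid/dl/2", frozenset({"bob@b.com"})),
    ]
    single = [
        SharedLink("https://example.invalid/dl/3",
                   frozenset({"alice@a.com", "bob@b.com"})),
    ]
    print(apply_blocklist(separate, ["a.com"]))  # only the a.com link is removed
    print(apply_blocklist(single, ["a.com"]))    # b.com recipient is collateral
```

A non-empty `collateral_recipients` list identifies files where the owner should re-share through a separate link before the policy takes effect.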