Next Generation API Data Protection Inventory

The Next Generation API Data Protection Inventory page provides deep insights into the various entities supported by the SaaS apps. Administrators can use the personalized dashboard to perform ad hoc, real-time queries that quickly group, filter, and drill down on contextualized data and transactions across an enterprise organization’s cloud activities at scale and in granular detail.

For a list of SaaS apps that support inventory, see Next Generation API Data Protection Feature Matrix per Cloud App.

After your SaaS app account and Next Generation API Data Protection are set up on the Netskope tenant, the Next Generation API Data Protection inventory page is automatically populated with the relevant files, folders, user data, wiki, page, comment, and entities.

Once you log in to the Netskope UI tenant, click API-enabled Protection > SAAS (NEXT GEN) > Inventory on the left navigation pane to view the inventory page.

Next Generation API Data Protection has introduced an Export button on the Inventory page. With this enhancement, you can export the inventory data as a CSV file. You can customize the export to include selected columns and a specific number of rows.

You can download a maximum of 500,000 rows.

The Inventory page includes the following entity types:


Content

The Content tab displays a list of comments, emails, files, messages, records, and Confluence page entities from the connected cloud storage SaaS apps.

You can use the drop-down to toggle between Comment, Email, File, Message, Page, Record, and Content. The Comment, Email, File, Message, Page, and Record tabs are subsets of Content, so what you see under these tabs is the same as what you see under the Content tab.

The Content tab includes:

  • Comment: List of comments added, edited, or deleted on a Confluence page.

  • Email: Email-related activities of your email account. You can click an entry to get additional information like sender email, mailbox owner, email resource ID, folder, attachment, external recipients, exposure, DLP violations, and more. You can also download an email.

  • File: List of files in your connected SaaS apps.

    In Microsoft 365 Teams & Slack Enterprise, only files with DLP violations are stored on the Inventory page.
  • Message: Message content in your collaboration and messenger SaaS apps.

    In Microsoft 365 Teams & Slack Enterprise, only messages with DLP violations are stored on the Inventory page.
  • Page: List of Atlassian Confluence pages created, edited, or deleted.

  • Record: List of ticketing app records in your connected SaaS apps.

You can filter the data based on:

  • App Category: Type of SaaS app solution grouped together, for example, Cloud Storage, Collaboration, Development Tool, HR, etc.

  • App Suite: An application suite is a collection of multiple software applications that are designed to work together and complement each other to provide a comprehensive set of tools and functionalities for a specific purpose. For example, Google App, Office 365.

  • Comment ID: Unique ID of a comment on a Confluence page. You can find the comment ID by clicking the comment name and looking for the Comment ID on the Comment Details page.

  • Date Sent: Emails sent in the last 24 hours, 3 days, 7 days, or 30 days.

  • Email ID: Unique email ID of the sent email. You can find the email ID by clicking the sender email event and looking for the email ID on the Email Details page.

  • Folders: Email in sent folder.

  • Recipients: Email address of the recipient.

  • Violations In: Email violation in attachment or body of the email.

  • Resource Name: Name of the file.

  • File Type: Also known as a file format, refers to the structure and organization of data within a computer file. File types are identified by their file extensions, which are the three or four letters that follow the period in a file’s name. For example, a file named “document.docx” has the file extension “.docx” indicating that it is a Microsoft Word document file type.

  • Exposure: The exposure of the file, that is:

    • Public: Entities shared publicly.

    • External: Entities can be accessed by specific users outside of the organization.

    • Org-wide: Entities can be accessed by all users inside the organization.

    • Internal: Entities can be accessed by specific users inside the organization.

    • Private: Entities can be accessed by the owner only.

  • File Owner: Name or email address of the owner of the file.

  • Table ID: Parent table ID, only available for ticketing apps.

The Content tab displays the following data:

  • Name: Name of the file.

  • App Suite: An application suite is a collection of multiple software applications that are designed to work together and complement each other to provide a comprehensive set of tools and functionalities for a specific purpose. For example, Google App, Office 365.

  • App: Name of the connected SaaS app.

  • App Category: Type of SaaS app solution grouped together, for example, Cloud Storage, Collaboration, Development Tool, HR, etc.

  • Instance: Name of the SaaS app instance configured under Settings > Configure App Access > Next Gen > CASB API.

  • File Type: Also known as a file format, refers to the structure and organization of data within a computer file. File types are identified by their file extensions, which are the three or four letters that follow the period in a file’s name. For example, a file named “document.docx” has the file extension “.docx” indicating that it is a Microsoft Word document file type.

  • File Size: The size of the file in bytes, kilobytes, or megabytes.

  • File Owner: Name or email address of the owner of the file.

  • Resource ID: A unique ID that identifies a resource (a file, folder, repository, user, etc.) in the system. It is generated by the corresponding SaaS app. You can use the Resource ID in a filter to include or exclude a specific resource.

  • Exposure: The exposure of the file, that is:

    • Public: Entities shared publicly.

    • External: Entities can be accessed by specific users outside of the organization.

    • Org-wide: Entities can be accessed by all users inside the organization.

    • Internal: Entities can be accessed by specific users inside the organization.

    • Private: Entities can be accessed by the owner only.

  • Last Modified Time: The date and time this entity was last modified.

In addition, you can click the name entry in the table to get a detailed view of the entity.

The Inventory page has introduced two new sections in the side panel details: Sharing and Links.

  • Sharing: Displays a list of user email addresses with whom the file is shared and the corresponding permission access level.

  • Links: Displays a list of file exposure level, permission access level, link expiry date, and the shared link.

These new sections are available for Microsoft 365 OneDrive & SharePoint apps only.
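A CSV export of the Content tab can be triaged offline by exposure level. The following is an added example, not Netskope code: it assumes the export's header names match the column labels listed above, uses constructed sample rows, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Exposure levels as defined on this page, most exposed first.
EXPOSURE_RANK = {"public": 0, "external": 1, "org-wide": 2, "internal": 3, "private": 4}

# Constructed sample export; header names are assumed to match the column labels.
SAMPLE_EXPORT = """\
Name,App,Instance,File Type,File Owner,Resource ID,Exposure,Last Modified Time
payroll-2024.xlsx,Google Drive,corp-gdrive,xlsx,alice@example.com,res-001,Public,2024-05-02 10:15:00
roadmap.docx,Microsoft OneDrive,corp-od,docx,bob@example.com,res-002,External,2024-05-01 08:00:00
handbook.pdf,Microsoft SharePoint,corp-sp,pdf,carol@example.com,res-003,Org-wide,2024-04-20 09:30:00
notes.txt,Google Drive,corp-gdrive,txt,alice@example.com,res-004,Private,2024-04-18 14:45:00
contract.pdf,Google Drive,corp-gdrive,pdf,alice@example.com,res-005,External,2024-04-30 16:05:00
legacy.zip,Microsoft OneDrive,corp-od,zip,dave@example.com,res-006,,2024-01-11 11:00:00
"""


def exposure_rank(row):
    """Rank of a row's Exposure value, or None if it is missing or unrecognised."""
    return EXPOSURE_RANK.get((row.get("Exposure") or "").strip().lower())


def triage_export(csv_text, threshold="External"):
    """Return (flagged rows, resource IDs per owner, unclassified rows).

    Flagged rows are those exposed at least as widely as `threshold`,
    sorted most exposed first and then by file owner.
    """
    limit = EXPOSURE_RANK[threshold.lower()]
    flagged, unclassified = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rank = exposure_rank(row)
        if rank is None:
            # Keep rows with a blank or unknown exposure for manual review
            # instead of silently treating them as safe.
            unclassified.append(row)
        elif rank <= limit:
            flagged.append(row)
    flagged.sort(key=lambda r: (exposure_rank(r), r["File Owner"]))
    by_owner = defaultdict(list)
    for row in flagged:
        by_owner[row["File Owner"]].append(row["Resource ID"])
    return flagged, dict(by_owner), unclassified


if __name__ == "__main__":
    flagged, by_owner, unclassified = triage_export(SAMPLE_EXPORT)
    for row in flagged:
        print(row["Exposure"], row["File Owner"], row["Name"], row["Resource ID"])
    print("needs review:", [r["Resource ID"] for r in unclassified])
```

The per-owner Resource ID lists can be pasted into the Resource ID filter to locate the same entities on the Inventory page.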

Content Collection

The Content Collections tab displays a list of channels from messenger apps, folders from cloud storage apps, repositories from development tools apps (like GitHub), tables from ticketing apps like ServiceNow and Zendesk, and wikis from collaboration apps like Atlassian Confluence. You can use the drop-down menu to toggle between Content Collection, Channel, Folder, Repository, Table, and Wiki. The Content Collection tab displays a combination of channels, folders, repositories, tables, and wikis from the connected SaaS apps.

  • The Channel tab lists the name of channels from a messenger app like Cisco Webex, Microsoft Teams/Yammer, Slack Enterprise, and Zoom. This table also displays the exposure type.

  • The Folder tab lists all the folders (collections of files) from the connected cloud storage SaaS apps.

  • The Repository tab lists all the repositories (collections of commits) from the connected development tools SaaS apps.

  • The Table tab lists all the tables (collections of records) from the connected ticketing SaaS apps.

  • The Wiki tab lists the Confluence wiki spaces, including exposure and other details.

In addition to the filters available in Users, User Groups, and Content tabs, you can filter the data based on:

  • Resource Type: Type of resource like a folder or repository.

The Content Collections, Folders, and Repository tabs display the following data:

  • Name: Name of the SaaS app entity (folder, repository).

  • App Suite: An application suite is a collection of multiple software applications that are designed to work together and complement each other to provide a comprehensive set of tools and functionalities for a specific purpose. For example, Google App, Office 365.

  • App: Name of the connected SaaS app.

  • App Category: Type of SaaS app solution grouped together, for example, Cloud Storage, Collaboration, Development Tool, HR, etc.

  • Instance: Name of the SaaS app instance configured under Settings > Configure App Access > Next Gen > CASB API.

  • Resource Type: Type of resource like a folder or repository.

  • Resource ID: A unique ID that identifies a resource (a file, folder, repository, user, etc.) in the system. It is generated by the corresponding SaaS app. You can use the Resource ID in a filter to include or exclude a specific resource.

  • Last Modified Time: The date and time this entity was last modified.

The following data is specific to the Repository tab:

  • Owner: Name of the owner of the repository.

  • Repository URL: URL link of the repository.

  • Exposure: The exposure of the repository, that is:

    • Public: Entities shared publicly.

    • Internal: Entities can be accessed by specific users inside the organization.

    • Private: Entities can be accessed by the owner only.

In addition, you can click the name entry in the table to get a detailed view of the entity.


Users

The Users tab displays a list of external collaborators and all users from the connected SaaS apps.

You can filter the data based on:

  • User name: Name of the user and email address.

  • App: Name of the connected SaaS app.

  • Instance: Name of the SaaS app instance configured under Settings > Configure App Access > Next Gen > CASB API.

  • App Suite: An application suite is a collection of multiple software applications that are designed to work together and complement each other to provide a comprehensive set of tools and functionalities for a specific purpose. For example, Google App, Office 365.

  • App Category: Type of SaaS app solution grouped together, for example, Cloud Storage, Collaboration, Development Tool, HR, etc.

  • Exposure: Exposure of the user, that is, internal or external.

    In Salesforce, users whose user type is either standard or cloud integration user are treated as internal users. All other users are treated as external users.
    Standard: This user type includes Salesforce, Salesforce Platform, and Salesforce Platform One user licenses.
    Cloud Integration User: Also known as platform integration user. To learn more: Platform Integration User.

  • User Status: Indicates the status of the user, that is, active, deleted, suspended, or unspecified.

  • Resource ID: A unique ID that identifies a resource (a file, folder, repository, user, etc.) in the system. It is generated by the corresponding SaaS app. You can use the Resource ID in a filter to include or exclude a specific resource.

The Users tab displays the following data:

  • User name: Name of the user and email address.

  • App Suite: An application suite is a collection of multiple software applications that are designed to work together and complement each other to provide a comprehensive set of tools and functionalities for a specific purpose. For example, Google App, Office 365.

  • App: Name of the connected SaaS app.

  • Instance: Name of the SaaS app instance configured under Settings > Configure App Access > Next Gen > CASB API.

  • App Category: Type of SaaS app solution grouped together, for example, Cloud Storage, Collaboration, Development Tool, HR, etc.

  • User Type: Exposure of the user, that is, internal or external.

  • Resource ID: A unique ID that identifies a resource (a file, folder, repository, user, etc.) in the system. It is generated by the corresponding SaaS app. You can use the Resource ID in a filter to include or exclude a specific resource.

  • User Status: Indicates the status of the user, that is, active, deleted, suspended, or unspecified.

  • Last Modified Time: The date and time this entity was last modified.

In addition, you can click the user name entry in the table to get a detailed view of the entity.

The Users tab also displays external collaborators or domains. You can use the drop-down to toggle between Users and External Collaborators. The External Collaborators tab is a subset of Users, so what you see under this tab is the same as what you see under the Users tab.

Unsupported Conversation Members in Microsoft 365 Teams

Next Generation API Data Protection does not currently support the following Microsoft 365 Teams conversation members:

  • azureCommunicationServicesUserConversationMember: Represents an Azure Communication Services user in a chat.

  • skypeForBusinessUserConversationMember: Represents a Skype for Business user in a chat.

  • skypeUserConversationMember: Represents a Skype (consumer) user in a chat.

The users listed above are not displayed on the API-enabled Protection > SAAS (NEXT GEN) > Inventory page and are excluded from the exposure calculation.

User Groups

The User Groups tab displays a list of all the user groups from the connected SaaS apps. In most SaaS apps, an administrator can create users and groups and assign users to a group. Netskope retrieves this data from the SaaS apps.

In Slack Enterprise, workspaces are displayed under User Groups.

In addition to the filters available in the Users tab, you can filter the data based on:

  • Resource Name: Name of the user group.

The User Groups tab displays the following data:

  • Name: Name of the user group.

  • App Suite: An application suite is a collection of multiple software applications that are designed to work together and complement each other to provide a comprehensive set of tools and functionalities for a specific purpose. For example, Google App, Office 365.

  • App: Name of the connected SaaS app.

  • Instance: Name of the SaaS app instance configured under Settings > Configure App Access > Next Gen > CASB API.

  • App Category: Type of SaaS app solution grouped together, for example, Cloud Storage, Collaboration, Development Tool, HR, etc.

  • Resource ID: A unique ID that identifies a resource (a file, folder, repository, user, etc.) in the system. It is generated by the corresponding SaaS app. You can use the Resource ID in a filter to include or exclude a specific resource.

  • Last Modified Time: The date and time this entity was last modified.

In addition, you can click the name entry in the table to get a detailed view of the entity.

Manual Remediation Actions

In addition to providing deep insights into the various entities supported by the SaaS apps, the Inventory page lets you take remediation action on certain types of entities in the SaaS app. The available remediation actions are as follows:

The Netskope UI performs the remediation action asynchronously. Currently, users see only a success pop-up.

  • Change owner to a specific user: This action changes the owner of the file to a specific user. On clicking this option, the UI prompts you to enter the email address of the specific user. Click Proceed.

  • Restrict access to owner: This action restricts the access of the file to the owner only.

  • Restrict access to internal collaborators: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

  • Restrict access to specific domains and internal collaborators: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.
  • Revoke organization-wide sharing: This action removes any kind of organization-wide sharing links and access.

  • Revoke specific domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

    If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.

In addition to taking remediation action, you can send an email notification too. To do so, click an app entry. In the details page, under the Take Action drop-down, select an option. A pop-up window opens. Select the Notify Users checkbox and the available options to send an email notification.

This enhancement is currently available for Google Drive, Microsoft OneDrive, Microsoft SharePoint, Citrix ShareFile, and Workday apps only. If you select all apps or non-supported apps, this option will remain disabled.

The list of available remediation actions is determined by:

  • App capability check (same as in policy wizard).

  • Resource type check, currently only enabled for file type.

  • For bulk actions, only actions supported by all selections are enabled.
