
Example Rules

Figure: Full DLP Diagram

Multiple DLP Actions

Each affected user action requires its own individual DLP rule. For instance, if an admin wanted to use the same Rule Expressions to control both DOWNLOAD and SHARE, two rules using the same Rule Expressions would be required.

DLP crawlers run on all daily cron jobs and remove shares that violate any SHARE ENFORCE rules.


Read how to create your own DLP rules

Learn more about DLP Rule Expressions

Each example below is one table row with the columns Objective, Affected User Action, Rule Expressions, Example Rule Expression, DLP Action, and Result.

Objective: Control download of files
Affected User Action: DOWNLOAD
Rule Expressions:
  • _file.path
  • _file.pathStartsWith
  • _file.ext
  • _file.pathContains
  • _file.pathMatches
  • _file.fileNameContains
Example Rule Expression:
  _file.path == '/myuser/mydir/myfile.pdf'
  OR
  _file.pathStartsWith('/myuser/mydir')
  OR
  _file.ext == 'pdf'
  OR
  _file.pathContains('/myuser/mydir')
  OR
  _file.pathMatches('/myuser/mydir')
  OR
  _file.fileNameContains('mrn')
DLP Action: DENY
Result: Users cannot download files from the path given in the rule, files with the given extension, or files whose name contains the given term.

Objective: Control downloads and shares of files based on metadata
Affected User Action: DOWNLOAD, SHARE
Rule Expressions:
  • _metadata.exists(metadataValue)
  • _metadata.existsAll(metadataValue)
  • _metadata.existsWithValue(metadataValue, value)
  • _metadata.existsWithValueInArray(metadataValue, value)
  • _metadata.existsWithCondition(metadataValue, operator, value)
  Note: The metadata set name and the attribute name cannot contain periods. For example, cce.pii is valid, but cce.x.pii.y is not valid.
Example Rule Expression:
  _metadata.exists('cce.pii')
  OR
  _metadata.existsAll('cce.pii')
  OR
  _metadata.existsWithValue('content.category', 'confidential')
  OR
  _metadata.existsWithValueInArray('content.categories', 'pii')
  OR
  _metadata.existsWithCondition('content.Risk Level', '>', 6)
DLP Action: ALLOW
Result: Users can download and share files that carry the matching metadata.

Objective: Control login/access and downloading of files based on IP address, device, IP range, or country code
Affected User Action: DOWNLOAD, LOGIN
Rule Expressions:
  • _request.remoteIp
  • _request.agent
  • _request.inIpv4Range(lowIp, highIp)
  • _request.remoteCountryCode
    Note: To use this expression, the Show Geo IP Chart setting in the Settings > Admin screen must be set to TRUE.
  • _request.inIpV4CidrRange(cidrRange)
Example Rule Expression:
  _request.remoteIp == '43.12.45.78'
  OR
  _request.agent == 'Unknown'
  OR
  _request.inIpv4Range('138.204.26.1', '138.204.26.254')
  OR
  _request.remoteCountryCode == 'US'
  OR
  _request.inIpV4CidrRange('10.2.0.0/16')
DLP Action: DENY
Result: Users from the given IP address, agent, IP range, country code, or CIDR range will not be permitted to log in or download.

Affected User Action: LOGIN
Rule Expressions:
  • _request.isAdminLogin
Example Rule Expression:
  _request.isAdminLogin
DLP Action: DENY
Result: If the

Objective: Control login/access, downloading, and sharing of files based on user attributes
Affected User Action: DOWNLOAD, LOGIN, SHARE
Rule Expressions:
  • _user.username
  • _user.email
  • _user.userType
  • !_user.inGroup
  • _user.isMasterAdmin
Example Rule Expression:
  _user.username == 'FileCloudUser1'
  OR
  _user.email == 'john.Doe@mail.com'
  OR
  _user.userType == 'Guest Access'
  OR
  !_user.inGroup('managers')
  OR
  _user.isMasterAdmin
DLP Action: ALLOW/DENY (ALLOW in this example)
Result: Users with the given username, email address, or user type, any user not in the group 'managers', and the master admin will be permitted to log in, download files, and share files.

Objective: Control file sharing
Affected User Action: DOWNLOAD, SHARE
Rule Expressions:
  • _share.path
  • _share.public
  • _share.onlyAllowedEmails
  • _share.allowedUsers
  • _share.allowedGroups
  • _share.hasUsersFromDomain(domain)
  • _share.onlyUsersFromDomain(domain)
  • _share.pathStartsWith(start)
  • _share.pathContains(text)
  • _share.pathMatches(pattern)
  Note: In any expression that uses _share.path, specify the original path of the shared file (for example, /user1/textfile1.txt), not the path in the Shared with Me folder (for example, /SHARED/user1/textfile1.txt).
  Note: _share.pathMatches(pattern) supports the wildcards:
    `*` - any sequence of characters
    `#` - a single character
Example Rule Expression:
  _share.public
  OR
  _share.onlyAllowedEmails
  OR
  _share.allowedUsers
  OR
  _share.allowedGroups
  OR
  _share.hasUsersFromDomain('gmail.com')
  OR
  _share.onlyUsersFromDomain('mycompany.com')
  OR
  _share.pathStartsWith('/myuser/mydir')
  OR
  _share.pathContains('sometext')
  OR
  _share.pathMatches('*sometext*')
DLP Action: ALLOW
Result: Selected users, selected groups, and users from a particular domain can access the specified or matching path.
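The `*` / `#` wildcard semantics and the original-path note in the file-sharing row above, as an added Python example (this is not FileCloud's code; the function names, the regex translation, and the sample paths are assumptions of this example): `path_matches` turns a `_share.pathMatches`-style pattern into an anchored regular expression where `*` becomes `.*`, `#` becomes `.`, and every other character is escaped so a literal `.` in a file name cannot act as a metacharacter. `path_starts_with` and `path_contains` mirror the two simpler predicates, and the sample shows why a pattern written against the Shared with Me path never matches the original path the rule is evaluated on.

```python
import re

# Translate a _share.pathMatches-style wildcard pattern into an anchored regex.
# Page semantics: '*' = any sequence of characters, '#' = exactly one character.
# Everything else is literal, so the '.' in 'report.pdf' is escaped and does not
# become a regex metacharacter. Example code, not FileCloud's engine.
def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Anchor both ends: the page writes '*sometext*' explicitly to allow
    # surrounding text, so a bare 'sometext' must match only the whole path.
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def path_matches(path: str, pattern: str) -> bool:
    """_share.pathMatches(pattern) applied to one share path."""
    return wildcard_to_regex(pattern).match(path) is not None


def path_starts_with(path: str, start: str) -> bool:
    """_share.pathStartsWith(start)."""
    return path.startswith(start)


def path_contains(path: str, text: str) -> bool:
    """_share.pathContains(text)."""
    return text in path


# Constructed sample: the original path of a shared file, as the page's note
# requires, and the same file as it appears under 'Shared with Me'.
ORIGINAL_PATH = "/user1/textfile1.txt"
SHARED_WITH_ME_PATH = "/SHARED/user1/textfile1.txt"


def demo() -> dict:
    """Evaluate a few patterns against the constructed paths."""
    return {
        # page example: '*sometext*' matches anywhere in the path
        "star_both_sides": path_matches("/myuser/mydir/sometext.txt", "*sometext*"),
        # '#' is exactly one character: a two-digit suffix matches, three digits do not
        "hash_two_digits": path_matches("/myuser/mydir/report_01.pdf", "/myuser/mydir/report_##.pdf"),
        "hash_three_digits": path_matches("/myuser/mydir/report_001.pdf", "/myuser/mydir/report_##.pdf"),
        # a literal '.' does not behave as a regex wildcard
        "literal_dot": path_matches("/myuser/mydir/reportXpdf", "/myuser/mydir/report.pdf"),
        # a pattern written against the Shared-with-Me path never hits the original path
        "shared_with_me_pattern": path_matches(ORIGINAL_PATH, "/SHARED/user1/*"),
        "original_pattern": path_matches(ORIGINAL_PATH, "/user1/*"),
        "starts_with": path_starts_with(ORIGINAL_PATH, "/user1"),
        "contains_shared_prefix": path_contains(SHARED_WITH_ME_PATH, "/SHARED/"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

Because the pattern is anchored at both ends, a rule meant to match a term anywhere in the path has to spell out the leading and trailing `*`, exactly as the page's `'*sometext*'` example does.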



Objective: Control file download and login combinations
Affected User Action: DOWNLOAD, LOGIN
Rule Expressions:
  • !_user.inGroup
  • _metadata.existsWithValue
  • _request.remoteIp
  • _request.isAdminLogin
  • !_request.inIpV4CidrRange
Example Rule Expression:
  !_user.inGroup('superadmin') and _metadata.existsWithValue('PII.Confidentiality Level', 'HIGH')
  OR
  _user.inGroup('external') or _request.remoteIp in ['45.45.45.1', '45.45.45.2', '45.45.45.7']
  OR
  _request.isAdminLogin && !_request.inIpV4CidrRange('10.2.0.0/16')
DLP Action: ALLOW/DENY (DENY in this example)
Result: Users in (or not in) the given groups or IP ranges will not be able to download files or access paths with the given metadata (in this case, a HIGH value for the attribute 'PII.Confidentiality Level')
  OR
  Users logging in to the admin portal in the given IP range will not be able to download files or log in.
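The combined rules above, together with the IP-range and metadata predicates from the earlier rows and the page's statement that each affected user action needs its own rule, as an added Python example (not FileCloud's code; the `Context` and `Rule` classes, the predicate function names, the rule names, and the ALLOW-by-default behaviour when no rule matches are assumptions of this example, and the IP addresses, groups and metadata values are constructed). It models `_request.inIpv4Range`, `_request.inIpV4CidrRange`, `_user.inGroup`, `_metadata.existsWithValue` and `_metadata.existsWithCondition` with the standard `ipaddress` module, and shows how the same expression entered once for DOWNLOAD and once for LOGIN leaves SHARE unaffected.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed context for one user action. Field names mirror the page's
# _request / _user / _metadata variables; the class itself is an assumption of
# this example and not a FileCloud type.
@dataclass
class Context:
    action: str                     # 'DOWNLOAD', 'LOGIN' or 'SHARE'
    remote_ip: str
    agent: str = "Unknown"
    is_admin_login: bool = False
    groups: frozenset = field(default_factory=frozenset)
    metadata: dict = field(default_factory=dict)   # {'set.attribute': value}


# --- _request.* predicates -------------------------------------------------
def in_ipv4_range(ctx: Context, low: str, high: str) -> bool:
    """_request.inIpv4Range(lowIp, highIp): inclusive numeric comparison, not a
    string comparison, so '138.204.26.9' correctly sorts before '138.204.26.100'."""
    ip = ipaddress.IPv4Address(ctx.remote_ip)
    return ipaddress.IPv4Address(low) <= ip <= ipaddress.IPv4Address(high)


def in_ipv4_cidr_range(ctx: Context, cidr: str) -> bool:
    """_request.inIpV4CidrRange(cidrRange)."""
    return ipaddress.IPv4Address(ctx.remote_ip) in ipaddress.IPv4Network(cidr, strict=False)


# --- _user.* and _metadata.* predicates ------------------------------------
def in_group(ctx: Context, group: str) -> bool:
    return group in ctx.groups


def metadata_exists_with_value(ctx: Context, attribute: str, value) -> bool:
    return attribute in ctx.metadata and ctx.metadata[attribute] == value


_OPERATORS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def metadata_exists_with_condition(ctx: Context, attribute: str, op: str, value) -> bool:
    """_metadata.existsWithCondition(metadataValue, operator, value); an absent
    attribute never satisfies the condition."""
    if attribute not in ctx.metadata:
        return False
    return _OPERATORS[op](ctx.metadata[attribute], value)


# One rule = one affected action + one expression + one DLP action. An
# expression needed for two actions is entered twice, as the page states.
@dataclass
class Rule:
    name: str
    affected_action: str
    expression: Callable[[Context], bool]
    dlp_action: str                 # 'ALLOW' or 'DENY'


def blocked_range(ctx: Context) -> bool:
    return in_ipv4_range(ctx, "138.204.26.1", "138.204.26.254")


RULES: List[Rule] = [
    Rule("blocked-range-download", "DOWNLOAD", blocked_range, "DENY"),
    Rule("blocked-range-login", "LOGIN", blocked_range, "DENY"),
    Rule("high-pii-non-superadmin", "DOWNLOAD",
         lambda c: not in_group(c, "superadmin")
         and metadata_exists_with_value(c, "PII.Confidentiality Level", "HIGH"),
         "DENY"),
    Rule("external-or-listed-ips", "DOWNLOAD",
         lambda c: in_group(c, "external")
         or c.remote_ip in ["45.45.45.1", "45.45.45.2", "45.45.45.7"],
         "DENY"),
    Rule("admin-login-off-corp-net", "LOGIN",
         lambda c: c.is_admin_login and not in_ipv4_cidr_range(c, "10.2.0.0/16"),
         "DENY"),
]


def decide(ctx: Context, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Return (decision, names of matching rules), considering only rules for the
    context's action. Any matching DENY wins; ALLOW when nothing matches is an
    assumption of this example, the page does not state the product's default."""
    matched = [r for r in rules if r.affected_action == ctx.action and r.expression(ctx)]
    decision = "DENY" if any(r.dlp_action == "DENY" for r in matched) else "ALLOW"
    return decision, [r.name for r in matched]


if __name__ == "__main__":
    pii = {"PII.Confidentiality Level": "HIGH"}
    print(decide(Context("DOWNLOAD", "10.2.5.9", groups=frozenset({"staff"}), metadata=pii)))
    print(decide(Context("LOGIN", "203.0.113.7", is_admin_login=True)))
    print(decide(Context("SHARE", "138.204.26.100")))   # no SHARE rule exists: ALLOW
```

Note that `blocked_range` appears in two `Rule` entries, one per affected action; a SHARE from the same address is not covered because no SHARE rule was written, which is the per-action behaviour the "Multiple DLP Actions" section describes.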

Objective: Control sharing based on the domain of the user doing the sharing
Affected User Action: SHARE
Rule Expressions:
  • _user.isEmailInDomain(domainsToCheck)
Example Rule Expression:
  _user.isEmailInDomain('example.com', 'mail.com')
DLP Action: ALLOW
Result: Users with one of the specified email domains are permitted to share files.
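The domain predicates on this page, `_user.isEmailInDomain(domainsToCheck)` in the row above and `_share.hasUsersFromDomain(domain)` / `_share.onlyUsersFromDomain(domain)` in the file-sharing row, as an added Python example that is not FileCloud's implementation (the function names, the normalisation rules, and the recipient lists are assumptions of this example). The point it makes is defensive: the check has to compare the whole domain after the last `@`, case-insensitively, because a suffix test would let an address at `gmail.com` satisfy a rule written for `mail.com`.

```python
from typing import Iterable, Optional

# Hypothetical re-implementations of the page's domain predicates. Example
# code, not FileCloud's implementation.


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain part of an address, or None if malformed.
    Splitting on the LAST '@' and comparing the whole domain is what keeps
    'alice@gmail.com' out of a rule written for 'mail.com'."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_email_in_domain(email: str, *domains_to_check: str) -> bool:
    """_user.isEmailInDomain('example.com', 'mail.com') for the sharing user."""
    allowed = {d.strip().lower().rstrip(".") for d in domains_to_check}
    domain = email_domain(email)
    return domain is not None and domain in allowed


def has_users_from_domain(recipients: Iterable[str], domain: str) -> bool:
    """_share.hasUsersFromDomain(domain): at least one recipient is in the domain."""
    return any(is_email_in_domain(r, domain) for r in recipients)


def only_users_from_domain(recipients: Iterable[str], domain: str) -> bool:
    """_share.onlyUsersFromDomain(domain): every recipient is in the domain,
    and there is at least one recipient (an empty share proves nothing)."""
    recipients = list(recipients)
    return bool(recipients) and all(is_email_in_domain(r, domain) for r in recipients)


def naive_suffix_check(email: str, *domains_to_check: str) -> bool:
    """Anti-pattern kept for contrast: a suffix test lets 'gmail.com' satisfy a
    rule written for 'mail.com', and 'notexample.com' satisfy 'example.com'."""
    return any(email.lower().endswith(d.lower()) for d in domains_to_check)


# Constructed recipient lists for two shares
INTERNAL_SHARE = ["bob@mycompany.com", "Carol@MyCompany.com"]
MIXED_SHARE = ["bob@mycompany.com", "dave@gmail.com"]


if __name__ == "__main__":
    print(is_email_in_domain("john.Doe@mail.com", "example.com", "mail.com"))  # True
    print(is_email_in_domain("alice@gmail.com", "example.com", "mail.com"))    # False
    print(naive_suffix_check("alice@gmail.com", "example.com", "mail.com"))    # True
    print(only_users_from_domain(INTERNAL_SHARE, "mycompany.com"))             # True
    print(has_users_from_domain(MIXED_SHARE, "gmail.com"))                     # True
```

The `rpartition` on the last `@` also means an address such as `eve@mail.com@evil.example` is evaluated against `evil.example`, not `mail.com`, and a string with no `@` at all is never treated as in-domain.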