Create a DLP Incident Reviewer for Each Independent Department (Business Unit)
Consider the following scenario in an enterprise environment:
The Development Department regards source code as confidential data, while the Finance Department regards the finance report as confidential data. When an incident is generated, someone needs to review it to determine whether it is a real incident and, if so, what remediation steps should be triggered.
But the Finance Department may not want a reviewer from the Development Department to review incidents that came from its own department. The same applies to the Development Department.
So you need a reviewer for each independent department. For example, the reviewer from the Finance Department has access rights only to incidents that came from the Finance Department; he/she cannot access incidents that came from the Development Department.
Here is a sample DLP configuration to achieve this:
1. We assume there are two departments, Development and Finance, with one user in each department: dev01 and finance01:
Each user has an AD attribute named 'department', which stores the user's department information.
2. On DLP, add a Custom Attribute named 'Department':
3. Configure DLP to enable LDAP Lookup, look up the department information in AD, and map it to the custom attribute added in Step 2.
4. Assume there are two incidents on DLP, one generated by each user from Step 1:
As you can see from the screenshot above, the Administrator can review these two incidents.
5. Confirm that LDAP Lookup works properly by checking the incident detail:
6. Create a role on DLP named DevReviewer and assign it only View rights to Incidents:
7. Switch to the 'Incident Access' tab, choose 'Department' from the drop-down list, select 'Is Any Of' as the condition, and enter 'Development' in the box:
8. Follow the same steps to create the FinanceReviewer role:
9. Create a user named 'DevReviewer', and choose the Role as 'DevReviewer':
10. Create another user named 'FinanceReviewer' whose Role is 'FinanceReviewer':
Then, if you log into DLP as the user DevReviewer, you can only see the incidents of the Development Department:
The same applies to FinanceReviewer, who can only see the incident of the Finance Department:
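The access rule built in steps 3 to 8 can be sanity-checked against a list of incidents before relying on it. The following is an added example, not part of the original article and not the DLP product's own code: it models the 'Department Is Any Of' condition and flags incidents that no department reviewer would see. The incident records, the extra senders dev02 and contractor01, and the exact-match behaviour are assumptions made for illustration.

```python
# Added example: a model of the 'Department Is Any Of' incident access
# condition, not the DLP product's own code or API.

# Role -> values allowed by its 'Department Is Any Of' condition (steps 7-8).
ROLES = {
    "DevReviewer": {"Development"},
    "FinanceReviewer": {"Finance"},
}

# Constructed sample incidents; 'department' is the value LDAP Lookup wrote
# into the custom attribute (step 3). None means the lookup returned nothing.
INCIDENTS = [
    {"id": 1, "sender": "dev01", "department": "Development"},
    {"id": 2, "sender": "finance01", "department": "Finance"},
    {"id": 3, "sender": "dev02", "department": "development "},
    {"id": 4, "sender": "contractor01", "department": None},
]


def visible_to(role, incident, roles=ROLES):
    """Assumption: the condition is an exact string match on the attribute."""
    return incident["department"] in roles[role]


def audit(incidents, roles=ROLES):
    """Return (role -> visible incident ids, list of findings)."""
    view = {role: [] for role in roles}
    findings = []
    for inc in incidents:
        seen_by = [r for r in roles if visible_to(r, inc, roles)]
        for r in seen_by:
            view[r].append(inc["id"])
        dept = inc["department"]
        if len(seen_by) > 1:
            findings.append((inc["id"], "visible to several departments"))
        elif not seen_by and not dept:
            findings.append((inc["id"], "no Department value, no reviewer"))
        elif not seen_by:
            norm = dept.strip().lower()
            near = [v for vals in roles.values() for v in vals if v.lower() == norm]
            reason = f"near miss for '{near[0]}'" if near else "unknown department"
            findings.append((inc["id"], f"{reason}, no reviewer"))
    return view, findings


if __name__ == "__main__":
    print(audit(INCIDENTS))
```

Incidents 3 and 4 show the gap to watch for: a misspelled or empty 'department' value in AD leaves the incident visible only to the Administrator, so the check in step 5 is worth repeating whenever users are added.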