
Create DLP Policy for Special User Group

Created: 01 Oct 2011 • Updated: 14 Oct 2011 | 4 comments
Posted by yang_zhang

The purpose of a DLP product is to prevent the leakage of an enterprise's confidential data. In a real enterprise environment, however, what counts as confidential differs from department to department.

For example, the keyword 'Finance' may be a sensitive word for the Finance Department, while the Research Department regards it as irrelevant. That means the policy for the keyword 'Finance' should be applied to the Finance Department only; likewise, the keyword 'Research' should be applied only to users in the Research Department.

Symantec Data Loss Prevention provides Directory Group Matching (DGM) to detect the exact identities of users, senders, and recipients.

You select the group from the users, groups, and business units that are defined in your company's directory server. After the user group is constructed, you can associate it with the User/Sender and Recipient conditions, or with Discover targets. Once you apply the policy or target to the group, it applies only to users who are members of that group. An alternative use is exclusion: if you want a policy that applies to the entire company except the CEO, create a user group containing only the CEO as a member and use that group as an exception to the policy.

Symantec Data Loss Prevention supports directory server connections to Microsoft Active Directory (AD). In practice, though, you can implement this kind of policy either with or without an AD environment.

Below are the steps of the configuration within an AD environment:

1. Log into the Enforce Console, choose 'System' --> 'Settings' --> 'Group Directories', click 'Create New Connection', and enter the connection information for the AD server:

You can choose to index the group directory:

2. Select 'Manage' --> 'Policies' --> 'User Groups', click 'Create New Group', and under 'Directory Server' choose the server added in step 1. After the directory has refreshed, select the OU from the directory tree:

Repeat this step for each additional group or OU you need.

3. Select 'Manage' --> 'Policies' --> 'Policy List', click 'Add Policy', and choose 'Add a blank policy'.

4. Under the 'Detection' tab, click 'Add Rule' to add a 'Content Matches Keyword' rule that detects the keyword 'Finance':

5. Click the 'Groups' tab, click 'Add Rule', choose 'Sender/User based on a Directory Server Group' under 'Sender/User matches User Group', then click 'Next':

6. Under the 'Conditions' section, click to choose the group this policy should apply to:

This policy will now be applied only to the Finance group.

If a user in the Finance OU sends out a file that contains the word 'Finance', an incident is generated. Users in other OUs or groups sending the same content do not trigger the policy.
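To make the scoping logic of steps 4 to 6 concrete, here is a small model of how a keyword detection rule combines with a directory group condition and a group exception. This is an added illustration, not Symantec code and not the Enforce Console's internal logic: the directory entries, OU names, e-mail addresses and policies are constructed sample data, and the assumption that a sender is resolved against the directory by e-mail address (and that an unresolved sender matches no group) is mine.

```python
"""Toy model of group-scoped DLP policy evaluation (added example).

A policy = a detection rule (Content Matches Keyword) plus an optional
group condition (sender must be in a user group) and an optional group
exception (sender must NOT be in a user group). All data is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DirectoryUser:
    mail: str  # assumption: the sender address is resolved against this attribute
    dn: str    # distinguished name; OU membership is derived from its suffix


# Constructed directory snapshot standing in for the indexed AD connection.
DIRECTORY = [
    DirectoryUser("alice@example.com", "CN=Alice,OU=Finance,DC=example,DC=com"),
    DirectoryUser("bob@example.com", "CN=Bob,OU=Research,DC=example,DC=com"),
    DirectoryUser("ceo@example.com", "CN=Ceo,OU=Executive,DC=example,DC=com"),
]

# User groups as picked from the directory tree: group name -> DN of an OU
# (every entry beneath it is a member) or of a single user (one-member group).
USER_GROUPS = {
    "Finance": "OU=Finance,DC=example,DC=com",
    "Research": "OU=Research,DC=example,DC=com",
    "CEO-only": "CN=Ceo,OU=Executive,DC=example,DC=com",
}


@dataclass
class Policy:
    name: str
    keywords: Tuple[str, ...]            # Content Matches Keyword rule
    applies_to: Optional[str] = None     # group condition; None = whole company
    except_group: Optional[str] = None   # group exception; None = no exception


def lookup_user(mail: str) -> Optional[DirectoryUser]:
    """Resolve a sender address to a directory entry (case-insensitive)."""
    for user in DIRECTORY:
        if user.mail.lower() == mail.lower():
            return user
    return None


def in_group(user: DirectoryUser, group: str) -> bool:
    """True if the user's DN is the group DN or sits beneath the group's OU."""
    spec = USER_GROUPS[group]
    return user.dn == spec or user.dn.endswith("," + spec)


def content_matches(policy: Policy, text: str) -> bool:
    """Case-insensitive keyword match, like the 'Content Matches Keyword' rule."""
    lowered = text.lower()
    return any(keyword.lower() in lowered for keyword in policy.keywords)


def evaluate(policy: Policy, sender: str, text: str) -> bool:
    """Return True when the message would raise an incident under this policy."""
    if not content_matches(policy, text):
        return False
    user = lookup_user(sender)
    if policy.applies_to is not None:
        # Group condition: a sender that cannot be resolved in the directory is
        # a member of no group, so a group-scoped policy never fires for it.
        if user is None or not in_group(user, policy.applies_to):
            return False
    if policy.except_group is not None and user is not None \
            and in_group(user, policy.except_group):
        return False
    return True


# The policy built in the walkthrough: keyword 'Finance', Finance OU only.
FINANCE_POLICY = Policy("Finance keyword", ("Finance",), applies_to="Finance")

# The alternative from the introduction: whole company except the CEO.
COMPANY_WIDE_EXCEPT_CEO = Policy("Board papers", ("board minutes",),
                                 except_group="CEO-only")

if __name__ == "__main__":
    for sender in ("alice@example.com", "bob@example.com", "unknown@example.com"):
        print(sender, "->", evaluate(FINANCE_POLICY, sender, "Q3 Finance forecast"))
```

The unresolved-sender branch is the case worth checking when a group-scoped policy raises no incidents at all: if the sender address cannot be matched to a directory entry, the group condition fails even though the keyword rule matched.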

4 Comments

Claire Hsiau:

I also followed the steps to create the special user group, but when I choose the specified user group, DLP can't capture any incident, even when the sender matches the user group. My version is "11.5.1010.07001".

Carl.H:

Hi Claire

I am having the same problem as you... Have you managed to fix this? If yes, what was the solution?

Thanks in advance

ensweiler:

I appreciate this is an old post, but I am having the same problem on v 12.5.2.

The system doesn't detect on Network Monitor, even though the AD email attribute is populated correctly.

Has anyone solved this?

ℬrίαη:

Best to get a new thread opened up. This one is two years old.

Click the "Mark as solution" link at bottom left on the post that best answers your question. This benefits admins looking for a solution to the same problem.
