Data Loss Prevention

  • 1.  Automatically add users to roles in DLP?

    Posted Jan 22, 2016 10:21 AM

    I am working on a project where incident response would like to be moved to the department head, but I am running into an issue: how do I automatically assign users to roles?

    Active Directory attributes are populated, including Manager and Department, so I can create roles with the correct conditions.

    I can then assign a user to the correct role.

    So Joe can be assigned to the Human Resources role and then review only incidents from people within his department or people he is flagged in AD as the Manager of.

    Now here's the problem... I have 1500 departments and 1500 managers. How do I automatically (programmatically) assign a user to a role and, more importantly, how do I update Joe's role when he is no longer the manager of HR, but the manager of Customer Service?

    Thanks




  • 2.  RE: Automatically add users to roles in DLP?
    Best Answer

    Trusted Advisor
    Posted Jan 25, 2016 02:39 AM

    Hi Jesse,

    It would be a great improvement in DLP profile management to be able to use AD attributes or groups to manage profile assignment, but for now it is not possible.

    I think the only way to do what you want is to update the DLP database using a home-made script (in older DLP versions I was able to mimic browsing through the DLP UI pages to perform some extracts automatically, but it was so tricky and there were so many updates in the following versions that it does not work anymore). There are two tables to be updated:

    UserRoleMapping : in order to assign user to role

    ProtectUser : in order to update defaultroleid field

    (maybe there are some other tables to update, but I don't think so; it has to be tested)

    So your script has to access AD information (directly or via a flat file), then analyze who should have which profile, and then check in the DB whether everything is OK or not. If there is something to be updated, you may go through a third-party system to request the update (or validation) or do it automatically in the DB. You should implement some control to be sure that the role exists (for example, after a new organisation definition)...

    Of course, updating the DLP DB directly is never a good solution, but when it is the only one, this could be a solution while waiting for the DLP tool to get this new capability.

    Regards

    PS: I can perform some tests on my side, as I am sure many DLP customers would be interested in it (in Europe, managing department and country segregation sometimes looks crazy).

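The reconciliation step described in the answer above (read AD data, decide who should hold which role, compare against what the DB currently holds, and check that the role exists before touching anything) as an added Python example; it is not from the original thread or from Symantec. The AD export columns, the role names and the user/role snapshot are constructed, and the script only produces a change list for review or for a ticketing system rather than writing to the DLP database itself.

```python
"""Reconcile desired DLP role assignments (derived from AD) with the current ones.

All data below is constructed: a CSV standing in for an AD flat-file export,
a set of role names standing in for the roles defined in DLP, and a dict
standing in for the rows a script would read from UserRoleMapping.
Column and field names are assumptions, not the product schema.
"""
import csv
import io

# Constructed AD export: Manager and Department populated, as in the question.
AD_EXPORT = """\
sAMAccountName,department,manager
joe,Customer Service,
bob,Customer Service,joe
carol,Human Resources,
alice,Human Resources,carol
erin,Legal,
frank,Legal,erin
dan,Finance,joe
"""

# Constructed snapshot of DLP roles and the current user -> role mapping.
DLP_ROLES = {"Human Resources", "Customer Service", "Finance"}
CURRENT_MAPPING = {"joe": "Human Resources", "dan": "Finance"}


def load_ad(text):
    """Parse the AD export; returns {user: (department, manager)}."""
    return {r["sAMAccountName"]: (r["department"], r["manager"])
            for r in csv.DictReader(io.StringIO(text))}


def desired_roles(ad):
    """Anyone listed as someone's manager should hold the role named after his department."""
    managers = {m for _, m in ad.values() if m}
    return {u: dept for u, (dept, _) in ad.items() if u in managers}


def reconcile(ad_text, roles, current):
    """Return (changes, errors); changes are ('add'|'update'|'remove', user, role)."""
    desired = desired_roles(load_ad(ad_text))
    changes, errors = [], []
    for user, role in desired.items():
        if role not in roles:  # control: the role must exist before any DB update
            errors.append(f"no DLP role named {role!r} for {user}")
        elif user not in current:
            changes.append(("add", user, role))
        elif current[user] != role:  # e.g. Joe moved from HR to Customer Service
            changes.append(("update", user, role))
    for user in sorted(current.keys() - desired.keys()):  # no longer a manager
        changes.append(("remove", user, current[user]))
    return changes, errors
```

Run on the constructed data it reports Joe's move to Customer Service, a new assignment for Carol, Dan's removal, and flags Erin because no "Legal" role exists in DLP.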



  • 3.  RE: Automatically add users to roles in DLP?

    Posted Jan 25, 2016 11:12 AM


    Thanks for the response, I think this is exactly what I'm looking for. I've always been disappointed that Symantec hasn't done anything like AD group membership for managing security roles or anything, and it is such a manual process.

    Would love to hear what you find out in your testing.



  • 4.  RE: Automatically add users to roles in DLP?

    Trusted Advisor
    Posted Jan 26, 2016 02:19 AM

    Hi Jesse,

    It works fine. I just needed to force a rebuild of the indexes on the UserRoleMapping table (it may be due to the configuration of my Oracle database on the test platform).

    Regards