Data Loss Prevention

  • 1.  Discovery Share Permission Issues

    Posted Mar 07, 2012 12:15 PM

    We are running DLP 11.1 and are trying to implement Discover. I am a DLP discover newb, so if I am missing something simple let me know!

    Let me provide the scenario.

    We have a file server (actually an EMC NAS) that has c:\shares\sharename (most shares are departmental).

    Issue 1:

    The administrator is complaining that adding a single account with the necessary permissions to each share will be a great deal of work. (We do have MANY shares). I am able to scan the root C:\ and access each folder that is a share. However, this shows all the data to be on \\servername\c:

    I would like to be able to break this out in reports via share to attack the data in that manner. Then I could contact Dept1 about the data in their share, Dept2 about the data in their share, etc. If I were able to scan by accessing the shares, I could do this.

    Issue 2:

    However, now he has presented me with another issue. His intent is to break all the department shares out like so: \\Servername\DeptShares (as the single share point). Then he will use folder permissions to limit access to each folder. Access-based enumeration will be used to "hide" the inaccessible folders from users in order to avoid confusion.

    So, even if I have share permissions set up on all our current shares, when the redesign takes place, I am right back where I started.

    Should I just be doing this a different way?

    Any and all suggestions are welcome!



  • 2.  RE: Discovery Share Permission Issues

    Posted Mar 07, 2012 03:58 PM

    If the administrator is re-organizing the appliance why can't he add your DLP ID to the tasks and give it read only perms to all the shares?

    OR you may have to get a list of shares from the admin and create a target based on the list

    \\Servername\DeptShares\dept1

    \\Servername\DeptShares\dept2

    \\Servername\DeptShares\dept3

    instead of the root

    servername\C:

    Each method has its downside. Targeting by share name requires periodic updates to the share list; targeting by root presents reporting challenges.
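
The reporting problem with a root scan, raised in the posts above, can also be handled after the scan by bucketing the scanned paths per department share. This is an added example, not part of any post in this thread and not the product's own code; it assumes scanned file paths are available as plain strings in the two layouts mentioned in the thread, and the function names and sample paths are constructed.

```python
import re
from collections import defaultdict

# Layouts taken from the thread (assumed to be how paths appear in an export):
#   root scan:        \\servername\c:\shares\<sharename>\...
#   redesigned share: \\Servername\DeptShares\<dept>\...
LAYOUTS = [
    re.compile(r"^\\\\[^\\]+\\c:\\shares\\([^\\]+)(?:\\|$)", re.I),
    re.compile(r"^\\\\[^\\]+\\DeptShares\\([^\\]+)(?:\\|$)", re.I),
]

UNMAPPED = "(unmapped)"


def share_of(path):
    """Return the lower-cased share/department folder for a path, or None."""
    normalized = path.strip().replace("/", "\\")
    for layout in LAYOUTS:
        match = layout.match(normalized)
        if match:
            return match.group(1).lower()
    return None


def group_by_share(paths):
    """Bucket paths by share; paths outside the known layouts are kept, not dropped."""
    buckets = defaultdict(list)
    for path in paths:
        buckets[share_of(path) or UNMAPPED].append(path)
    return dict(buckets)


# Constructed sample paths (hypothetical, for illustration only).
SAMPLE = [
    r"\\servername\c:\shares\Dept1\payroll\2011.xls",
    r"\\servername\c:\shares\dept2\hr\review.doc",
    r"\\Servername\DeptShares\dept1\budget.xlsx",
    r"\\servername\c:\temp\scratch.txt",
    r"\\servername\c:\shares\dept2",
]

if __name__ == "__main__":
    for share, files in sorted(group_by_share(SAMPLE).items()):
        print(f"{share}: {len(files)} path(s)")
```

Paths that land in the unmapped bucket show data sitting outside any department share, which a per-share target list would never scan.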



  • 3.  RE: Discovery Share Permission Issues

    Posted Mar 30, 2012 09:48 AM

    Hi mharrison

    Please find the below explanation regarding issues you are facing for permission.

    • Issue has appeared on SAN or NAS systems that present their data as Windows shares and have connectivity to Active Directory for file permissions.
    • If the Active Directory connection is interrupted for any reason, Windows reports the "Access Denied" error when the discover server tries to access the files. You should check the connection with Active Directory to make sure that its connectivity is not interrupted.
    • Currently Network Discover can only retrieve the Share ACL if the scanning user is an administrator and the share is on the same machine as the Discover server.


  • 4.  RE: Discovery Share Permission Issues

    Posted Mar 30, 2012 03:15 PM

    Hi,

    I think you should focus more on the last point which Mr. Kishor has mentioned. Check if the DLP user has domain admin rights; if yes, then he should be able to retrieve the effective permissions of that particular share folder.



  • 5.  RE: Discovery Share Permission Issues

    Posted Mar 31, 2012 12:07 AM

    Hi mharrison,

    Please refer below to understand the issue and rectify the same.

    SharePoint site content. The user account must also have permission to invoke Web services and permission to obtain the access control list (ACL). If the user account does not have the "Enumerate Permissions" right, then the ACL is not obtained for the SharePoint content.

    The following permission levels in SharePoint already have these permissions defined:

    • Full Control (includes Browse Directories, Use Remote Interfaces, and Enumerate permissions)
    • Design (includes Browse Directories and Use Remote Interfaces permissions)
    • Contribute (includes Browse Directories and Use Remote Interfaces permissions)


  • 6.  RE: Discovery Share Permission Issues

    Posted Jun 25, 2012 01:30 PM

    I am not trying to retrieve permissions. I am attempting to access the share to scan it.

    I am not scanning SharePoint server at all. I am simply talking about file shares on an EMC Celerra and Windows servers.

    There is no single account or account type in our environment that has share level access to all shares in the enterprise. BackupUser did not work. Domain Admin did not work.