Example Rules
Multiple DLP Actions
Each affected user action requires its own individual DLP rule. For instance, if an admin wanted to use the same Rule Expressions to control both DOWNLOAD and SHARE, two rules using the same Rule Expressions would be required.
DLP crawlers run on all daily cron jobs and remove shares that violate any SHARE ENFORCE rules.
Read how to create your own DLP rules
Learn more about DLP Rule Expressions
Objective | Affected User Action | Rule Expressions | Example Rule Expression | DLP Action | RESULT |
---|---|---|---|---|---|
Control download of files | DOWNLOAD | | `_file.path == '/myuser/mydir/myfile.pdf' OR _file.pathStartsWith('/myuser/mydir') OR _file.ext == 'pdf' OR _file.pathContains('/myuser/mydir') OR _file.pathMatches('/myuser/mydir') OR _file.fileNameContains('mrn')` | DENY | Users cannot download files from the path expressed in the rule or with the extension or term in the filename. |
Control downloads and shares of files based on metadata | DOWNLOAD, SHARE | Note: The metadata set and the attribute specified cannot contain periods within their names. For example, `cce.pii` is valid, but `cce.x.pii.y` is not valid. | `_metadata.exists('cce.pii') OR _metadata.existsAll('cce.pii') OR _metadata.existsWithValue('content.category', 'confidential') OR _metadata.existsWithValueInArray('content.categories', 'pii') OR _metadata.existsWithCondition('content.Risk Level', '>', 6)` | ALLOW | Users can download and share files with associated metadata. |
Control login/access and downloading of files based on IP/Device/IP Range/country code | DOWNLOAD, LOGIN | | `_request.remoteIp == '43.12.45.78' OR _request.agent == 'Unknown' OR _request.inIpv4Range('138.204.26.1', '138.204.26.254') OR _request.remoteCountryCode == 'US' OR _request.inIpV4CidrRange('10.2.0.0/16')` | DENY | Users from the given IP, agent, IP range, country code, or CIDR IP range will not be permitted to log in or download. |
| | LOGIN | | `_request.isAdminLogin` | DENY | If the |
Control login/access, downloading and sharing of files based on user attributes | DOWNLOAD, LOGIN, SHARE | | `_user.username == 'FileCloudUser1' OR _user.email == 'john.Doe@mail.com' OR _user.userType == 'Guest Access' OR !_user.inGroup('managers') OR _user.isMasterAdmin` (DLP Action: ALLOW/DENY) | ALLOW | Users with the given username, email address, or user type, any user not in the group 'managers', and the master Admin will be permitted to log in, download, and share files. |
Control file sharing | DOWNLOAD, SHARE | Note: `_share.pathMatches(pattern)` supports the wildcards: `*` - any sequence of characters | `_share.public OR _share.onlyAllowedEmails OR _share.allowedUsers OR _share.allowedGroups OR _share.hasUsersFromDomain('gmail.com') OR _share.onlyUsersFromDomain('mycompany.com') OR _share.pathStartsWith('/myuser/mydir') OR _share.pathContains('sometext') OR _share.pathMatches('*sometext*')` | ALLOW | Select users, select groups, and users coming from a particular domain can access a specified or matching path. |
Control file download and login combinations | DOWNLOAD, LOGIN | | `!_user.inGroup('superadmin') and _metadata.existsWithValue('PII.Confidentiality Level', 'HIGH') OR _user.inGroup('external') or _request.remoteIp in ['45.45.45.1', '45.45.45.2', '45.45.45.7'] OR _request.isAdminLogin && !_request.inIpV4CidrRange('10.2.0.0/16')` (DLP Action: ALLOW/DENY) | DENY | Users in (or not in) the given groups or IP ranges will not be able to download files or access paths with the given metadata (in this case, a HIGH value for the attribute 'PII.Confidentiality Level'), OR users logging into the admin portal in the given IP range will not be able to download files or log in. |
Control sharing based on domain of user doing the sharing | SHARE | | `_user.isEmailInDomain('example.com', 'mail.com')` | ALLOW | Users with one of the specified email domains are permitted to share files. |
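
A pre-deployment lint for rule expressions like those in the table above, added here as an example (it is not FileCloud code and does not evaluate rules or reproduce FileCloud's parser). It checks quoting, parentheses, the leading underscore on the object names used on this page, and the period limit on metadata names; the function name `lint` and the sample expressions are constructed for illustration.

```python
import re

# Object names that appear in this page's example expressions.
OBJECTS = ("file", "metadata", "request", "user", "share")
STRING = re.compile(r"'[^']*'")
# A metadata call and its first string argument, e.g. _metadata.exists('cce.pii')
META_ARG = re.compile(r"_metadata\.\w+\(\s*'([^']*)'")
# An object name written without the leading underscore, e.g. user.userType
BARE_OBJECT = re.compile(r"(?<![\w.])(%s)\.\w+" % "|".join(OBJECTS))


def lint(expr):
    """Return a list of problems found in one rule expression (hypothetical helper)."""
    problems = []
    if expr.count("'") % 2:
        problems.append("unbalanced single quote")
    # Blank out string literals so their contents are not checked as code.
    code = STRING.sub("''", expr)
    if '"' in code:
        problems.append("stray double quote")
    depth = 0
    for ch in code:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    for m in BARE_OBJECT.finditer(code):
        problems.append("missing '_' prefix: " + m.group(0))
    for m in META_ARG.finditer(expr):
        # Page note: the set and attribute names cannot contain periods,
        # so the combined 'set.attribute' name has at most one.
        if m.group(1).count(".") > 1:
            problems.append("metadata name has more than one period: " + m.group(1))
    return problems


if __name__ == "__main__":
    # Constructed samples: one clean expression and three with common typos.
    for sample in (
        "_request.isAdminLogin && !_request.inIpV4CidrRange('10.2.0.0/16')",
        "_request.inIpv4Range('138.204.26.1', '138.204.26.254)",
        "user.userType == 'Guest Access'",
        "_metadata.exists('cce.x.pii.y')",
    ):
        print(sample, "->", lint(sample) or "ok")
```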