Troubleshooting DLP

Problem: Combined rules don't deny or allow actions as expected.

Possible cause:

Incorrect use of combined expressions in different rules
Use of multiple rules leads to their expressions being combined, and there is a misunderstanding about the results they achieve.
The following clarifies how combined expressions work together:

When you use multiple DENY expressions in different rules:
If any of the DENY expressions is true, the action is blocked.
If none of the DENY expressions is true, the action is allowed.
In other words, DENY expressions coming from different rules have an OR combination:
Example:
Download DENY expression rule 1: _file.pathStartsWith('/teamaccount/TeamFolder_01/FolderA')
Download DENY expression rule 2: _file.pathStartsWith('/teamaccount/TeamFolder_01/FolderB')
To clarify how these work together, imagine them in a single rule, combined. These would appear as:
_file.pathStartsWith('/teamaccount/TeamFolder_01/FolderA') || _file.pathStartsWith('/teamaccount/TeamFolder_01/FolderB')
Download is blocked from FolderA OR FolderB, but downloads from other folders are allowed.
When you use multiple ALLOW expressions in different rules:
The ALLOW expressions must be different or the combined expression can never be true (that is, you cannot use 2 or more _file.pathStartsWith expressions, 2 or more request.remoteIp expressions, and so on, that you set to different values.)
ALLOW expressions coming from different rules have an AND combination:
Example:
Download ALLOW expression rule 1: _file.pathStartsWith('/teamaccount/TeamFolder_01')
Download ALLOW expression rule 2: _user.inGroup('internalUsers')
To clarify how these work together, imagine them in a single rule, combined. These would appear as:
_file.pathStartsWith('/teamaccount/TeamFolder_01') && _user.inGroup('internalUsers')
Only downloads in the TeamFolder_01 directory for users in the internalUsers group are allowed. All other downloads are blocked.