Netskope Help

Create a Next Generation API Data Protection Policy

To create a Next Generation API Data Protection policy, follow the instruction below:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Policies > API Data Protection.

    The API Data Protection page loads.

  3. Under SAAS, click the Next Gen tab.

  4. Click New Policy.

    The New API Data Protection Policy page loads.

  5. Exposure: Users are individuals or bots associated with an account in the protected application, and with (read or write) access to content in the application.

    Important

    Exposure computation works at a 'collaborative' level. For example, if the administrator includes 'user 1' in a policy, any file that is shared with 'user 1' even by users who are not part of the policy will trigger a policy alert.

    Based on your requirements, select the following options:

    Note

    • You can leave the User field empty (except for Microsoft Yammer). If you do so, all users will be scanned.

    • Workday note: Netskope uses the primary email of the user to calculate the domain exposure.

    • User Profile: A set of users as defined in the user profile. User profiles allow you to upload a CSV file with all the users' email addresses to include in or exclude from a scan for policy violations.

      Note

      • User profiles must be added before they are listed here. To download a CSV file that contains your user profiles, go to Policies > Profiles > User, and then click New User Profile. Complete the steps in the New User Profile wizard, and then select a user profile here.

      • GitHub note: Since GitHub does not provide email addresses, Netskope does not support user profiles for GitHub.

    • Internal Domains: A user within the same domain as the organization. To configure an internal domain, navigate to Settings > Administration > Internal Domains. For more information, see Internal Domains.

      Note

      • GitHub note: Since GitHub does not provide email addresses, internal domains refer to users not labeled as external collaborators in GitHub.

      • Citrix ShareFile & Workday note: Currently, Netskope does not use the internal domains setting to calculate the exposure level for Citrix ShareFile and Workday.

    • External Domains & Anonymous Users: A user outside the domain of the organization. External domains and anonymous users refer to users with email addresses not belonging to the internal domains.

      Note

      • GitHub note: Since GitHub does not provide email addresses, external domains and anonymous users are limited to users labeled as external collaborators in GitHub.

      • Microsoft Yammer note: Anonymous users do not exist in Microsoft Yammer. All users belong to the Yammer organization.

    • Domain Profiles: You can select a domain profile consisting of a list of custom domains. To create a domain profile, navigate to Policies > PROFILES > Domain.

      Note

      • GitHub note: Since GitHub does not provide email addresses, Netskope does not support domain profiles for GitHub.

      • Citrix ShareFile & Workday note: Currently, Netskope does not use the domain profiles setting to calculate the exposure level for Citrix ShareFile and Workday.

    • Exclusions: You can set an exclusion list of users that the policy does not scan. The exclusion list can be built from user profiles, internal and external domains, anonymous users, and domain profiles.

      Note

      GitHub note: Currently, GitHub does not support the exception setting.

    • # Internal Collaborators: To set a threshold for when content sharing triggers a policy violation, select the More Than or Less Than radio button and enter the number of internal collaborators that must be detected for a policy violation to occur.

  6. Under Object, based on your requirements, select the following options:

    • All Applications: Apply the policy to all SaaS apps and instances.

    • Applications: Apply the policy to the SaaS app(s) you select. When you select this option, all app instances of the selected SaaS app are included in policy scanning.

    • App Instance: Apply this policy to the respective SaaS app instance(s) you select.

      Note

      To identify if the Microsoft 365 OneDrive or SharePoint app instance is GCC High or commercial, a GCC High app instance name will be suffixed by .us.

    • Categories: Apply the policy based on the type of SaaS app solution. If you select a category, all the corresponding SaaS app and instances are included for policy scanning. Here are the SaaS app categories and corresponding SaaS apps:

      • Development Tools: Atlassian Jira, GitHub

      • Cloud Storage: Google Drive, Microsoft 365 OneDrive Commercial & GCC High, Citrix ShareFile

      • Collaboration: Atlassian Confluence, Microsoft 365 Teams GCC High, Microsoft 365 SharePoint Commercial & GCC High, Microsoft 365 Yammer, and Zoom

      • Helpdesk Management: Zendesk

      • HR: Workday

      • Identity & Access Management: Okta

      For Applications and Categories, you can also exclude certain SaaS apps and instances from policy scanning. To do so, select the Applications or Categories option from the Object drop-down list, then open the Exclusions drop-down list and select the SaaS app or instance to exclude.

    • Content: Click the Specify App Instance drop-down list and select the SaaS app instance. The scan content window opens. You can select either All content or Specific resources. If you select Specific resources, enter the resource IDs to include in and exclude from the scan. Click Save.

    • File Type: Apply the policy for a specific file type category. A few file type category examples are audio, image, word processor, presentation, video, etc.

      Note

      • The file type option is available for HR and cloud storage apps only.

      • The file type criterion is only matched against files. Non-file resources ignore this criterion.

  7. Under Profile & Action, select the following options:

    Note

    For a complete list of apps that support various profiles and actions, see Next Generation API Data Protection Feature Matrix per Cloud App.

    • Profile: Select one of the following options:

      • None

      • DLP: If you select this option, select one or more predefined or custom DLP profile(s) from the list. To manage DLP profiles, navigate to Policies > PROFILES > DLP. For more information on managing DLP, see Data Loss Prevention.

      • Threat Protection: If you select this option, choose a threat protection profile from the drop-down list. You can either choose the default predefined malware scan profile or a custom malware scan profile. To learn more, see Creating a Malware Detection Profile.

    • Action: The action to be taken when a policy violation occurs.

      • Alert: When you select this action and a policy violation occurs, Netskope sends a notification to the Skope IT > Alerts page.

        Note

        Alerts are generated for the last 30 days only.

      • Change owner to a specific user: This action changes the owner of the file to a specific user. On clicking this option, the UI prompts you to enter the email address of the specific user. Click Proceed.

        Note

        Currently, this action is available for Google Drive and Workday apps only. To learn more, see Policy Action Special Behavior.

      • Restrict access to owner: This action restricts the access of the file to the owner only.

        Note

        This action behaves differently on Google Drive. To learn more, see Policy Action Special Behavior.

      • Restrict access to internal collaborators: This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.

      • Restrict access to specific domains and internal collaborators: This action restricts the access of the file to selected domain(s) and internal collaborators as defined in the previous bullet item. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

        Note

        If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.

      • Revoke organization-wide sharing: This action removes any kind of organization-wide sharing links and access.

      • Revoke specific domains: This action removes access for users matching the specified domain profile. On clicking this option, the UI prompts you to enter the domain profile name. Click Proceed.

        Note

        • If you do not have a domain profile defined, click Manage Domain Profiles to create a new domain profile.

        • Read Guest/External User Parsing Limitation under the appendix section for additional information.

  8. Under Policy Name, enter a policy name and a short description.

  9. Under Status, based on your requirement, select the following options:

    • Disabled: Keep the policy disabled and enable it later.

    • Enabled: Enable the policy so that it takes effect immediately.

  10. On the top-right, click Save followed by Apply Changes.

    You should see the newly created policy on the policy home page.

    Note

    If you kept the policy disabled, make sure to enable it later. To do so, click the more options icon (...) to the right of the policy entry, click Enable, and then click Apply Changes.

Next, you can view the DLP incidents under Incidents > DLP. For more information on DLP incidents, see About DLP.
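The Exposure criteria in step 5 (users, user profiles, internal and external domains, domain profiles, exclusions, and the internal-collaborator threshold) compose in a way that is easy to misjudge, in particular the "collaborative" rule in the Important note: a file is in scope as soon as a selected user can see it, whoever shared it. The Python model below is an added illustration written for this page, not Netskope's code, schema or matching algorithm; the Policy fields, the ANONYMOUS marker and the sample domains are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Constructed marker for "anyone with the link" access, i.e. no account or email.
ANONYMOUS = "anonymous"

def domain_of(email: str) -> str:
    """Lower-cased domain part of an email; '' for anonymous, link-only access."""
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""

@dataclass(frozen=True)
class Policy:
    """Exposure criteria of one policy (hypothetical model, not Netskope's schema)."""
    users: frozenset = frozenset()            # explicit users; empty means all users
    user_profile: frozenset = frozenset()     # emails loaded from a user-profile CSV
    internal_domains: bool = False            # Internal Domains option selected
    external_or_anonymous: bool = False       # External Domains & Anonymous Users selected
    domain_profile: frozenset = frozenset()   # custom domains from a domain profile
    exclusions: frozenset = frozenset()       # emails or domains that are never evaluated
    internal_threshold: Optional[tuple] = None  # ("more_than", n) or ("less_than", n)

def has_user_criteria(p: Policy) -> bool:
    return bool(p.users or p.user_profile or p.internal_domains
                or p.external_or_anonymous or p.domain_profile)

def collaborator_matches(c: str, p: Policy, internal: Set[str]) -> bool:
    """Does one collaborator satisfy any selected Exposure option?"""
    d = domain_of(c)
    return (c in p.users or c in p.user_profile
            or (p.internal_domains and d in internal)
            or (p.external_or_anonymous and d not in internal)  # '' (anonymous) is external
            or (d != "" and d in p.domain_profile))

def exposure_matches(collaborators: Iterable[str], p: Policy,
                     internal_domains: Iterable[str]) -> bool:
    """True if the file's sharing list satisfies the policy's Exposure criteria.
    Matching is collaborative: one selected user with access is enough, regardless
    of who shared the file. Exclusions are removed before anything is counted."""
    internal = {d.lower() for d in internal_domains}
    in_scope = [c for c in collaborators
                if c not in p.exclusions and domain_of(c) not in p.exclusions]
    if p.internal_threshold:  # "# Internal Collaborators" More Than / Less Than gate
        op, n = p.internal_threshold
        count = sum(domain_of(c) in internal for c in in_scope)
        if (op == "more_than" and count <= n) or (op == "less_than" and count >= n):
            return False
    if not has_user_criteria(p):
        return bool(in_scope)  # empty User field: every user is scanned
    return any(collaborator_matches(c, p, internal) for c in in_scope)
```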

Appendix – Special Behavior of SaaS Apps
Microsoft 365 OneDrive & SharePoint Commercial
Guest/External User Parsing Limitation

Guest/external users included in a user profile will not be considered for exposure computation in OneDrive and SharePoint. This is currently a known limitation. As a workaround, guest/external user domains can be added to the domain profile.

Delete Inherited Link

In Microsoft 365 OneDrive & SharePoint, files can inherit sharing link(s) from a parent folder. Such sharing link(s) cannot be deleted at the file level, but must be deleted at the folder level where they originate. For files with inheriting permissions, Next Generation API Data Protection deletes the sharing link(s) at the parent folder level.

Exposure Calculation for Deleted Groups

If a file was shared with a group that was deleted before Netskope API Data Protection was provisioned, the Exposure Status of the file on the Inventory page is blank. To fix this, the Microsoft tenant administrator should revoke the permissions of the deleted group in the Microsoft tenant. Thereafter, Netskope can correctly calculate the exposure and execute policy actions for the file.

Policy Action Special Behavior

| Use case | Google Drive | Workday |
|---|---|---|
| Change owner to a specific user | Since there is no owner in a Google shared drive, Netskope cannot change the owner of files or folders in a shared drive. This action applies to My Drive only. | Workday automatically restricts access to the new owner only. All others, including the previous owner, no longer have access to the file. |
| Restrict access to owner | Since there is no owner in a Google shared drive, Netskope cannot restrict access to the owner for files or folders in a shared drive. This action applies to My Drive only. | - |
| Restrict access for inherited permission | Netskope does not delete inherited permissions from files or folders in a shared drive, because removing an inherited permission also removes it from every file or folder that inherits it. Netskope therefore retains inherited permissions. | - |
| Policy action for files and folders in a shared drive | Netskope only applies policy actions to files or folders in a shared drive if a user with a Manager, Content Manager, or Writer role exists on the shared drive; Netskope impersonates that user to carry out the action. If no user holds one of these roles on the shared drive, Netskope does not perform the policy action, even if there is a policy hit. | - |