File protection
By connecting to existing applications in your environment, you can protect and report on identified sensitive data gathered in workbooks. Once created and applied, you can view protection activity on the ACTIVITY tab of the workbook detail panel.
NOTE: Only file types supported by your selected file protection application can be protected.
File protection systems are implemented through the following connections.
-
Encrypt files using Microsoft Purview Information Protection. In Fusion, this file protection type is referred to as "Microsoft data protection". Once Microsoft data protection systems have been configured in Connect and the desired Microsoft data protection rule applied to items in a workbook in Manage, the binary file (if collected and not on hold), content, and grammar value details are removed from Fusion.
For each Microsoft data protection system you create in Connect, Fusion reads the associated rules (policies) you have already implemented in your environment. When you manually deactivate a Microsoft data protection system in Fusion, all rules associated with the system are deactivated. If you re-activate a system, you must manually re-activate the associated rules. When systems or rules are deleted in Microsoft, the systems or rules are automatically deactivated in Fusion.
NOTE: You can apply Microsoft data protection labels in Fusion 24 hours after the label is created in Microsoft.
For information about configuring the connection to Microsoft Purview Information Protection, see Microsoft Purview Information Protection connection.
-
Perform custom actions on items in workbooks by connecting to existing applications using Fusion APIs. For example, you can generate a list of sensitive items that you can hand over to File Governance Suite (FGS) File Report to create a file access report.
Once API-based systems have been configured in Connect and the corresponding action applied to items in a workbook in Manage, an API developer (a user working with the included APIs) can retrieve the information about the workbook items and mark the action status as Processing. The designated person can then apply the custom action and take any additional necessary actions.
Permissions to access the API-based custom actions are created when the system is created. The permissions display at the bottom of the Manage and Workspace Security role permissions in Administration but are not assigned to existing roles by default. You must assign the permission for the custom action to a role. For a user to be able to execute the custom action on items in a workspace, the user must be assigned that role when you create or edit the Security for the workspace. For more information, see "Roles" in the Administration Help Center.
To enable a custom action for a user:
-
Assign the custom action permission to a role at the application level (Manage) in Administration.
-
Assign the corresponding custom action workspace security level permission to a role at the Workspace Security level in Administration.
-
Assign the Manage and Workspace Security roles with the custom action to the user in Administration.
-
When creating or editing a workspace in Manage, select the user on the Security page of the wizard and select a functional workspace role.
The defined icon for an API-based custom action displays alongside the default action icons on the Activity tab of workbooks. The workspace must have the feature enabled for the API-based action. The features display in a separate column on the Features page when creating or editing a workspace in Manage. Like the default features, you must select the custom action feature for the workspace and assign a user with the necessary role to allow that user to see the custom action icons for the workbook.
TIP: If you have the appropriate permissions to use the APIs to manage custom actions, see Technical Note: API-based Custom Actions.
-
You can filter and search for protected items by metadata in Analyze and Manage, but the content of items protected with Microsoft Purview Information Protection is not viewable.
For information about applying file protection rules to items in a workbook, see "Manage workbook activity" in the Manage Help Center.
-
From the primary navigation panel, click File Protection > Manage Systems.
The Manage Systems page opens.
-
Click NEW SYSTEM.
The New System dialog opens to the General page.
-
Complete the General options for the new system.
| Option | Description |
| --- | --- |
| System Name | Type a meaningful, unique name for the new system. Limits: Maximum 50 characters. |
| Description | (Optional) Type a meaningful description for the new system. Limits: Maximum 250 characters. |
| Type | Click Microsoft data protection. The system type cannot be changed after the system is created. |

Click NEXT.
-
Complete the configuration options for the new system.
| Option | Description |
| --- | --- |
| Agent Clusters | Select the agent clusters that will manage the new system. NOTE: To protect documents, the agent cluster for the source must be the same agent cluster as selected for the file protection system. |
| Azure Tenant ID | Type the "Directory (tenant) ID" for the Azure tenant for which you created the app registration for Fusion. |
| Application Name | Type the "Display name" defined for the app registration you created for Fusion. |
| Application ID | Type the "Application (client) ID" defined for the app registration you created for Fusion. |
| Application Secret | Type the secret defined for the app registration you created for Fusion. |

Click FINISH.
The new system is created. Fusion connects to your file protection application using the details provided and the rules begin to populate to the File Protection > Rules page.
-
From the primary navigation panel, click File Protection > Manage Systems.
The Manage Systems page opens.
-
Click NEW SYSTEM.
The New System dialog opens to the General page.
-
Complete the General options for the new system.
| Option | Description |
| --- | --- |
| System Name | Type a meaningful, unique name for the new system. This name displays on the File Protection page and anywhere the activity for this custom action is reported (such as workbook detail, workspace audit and report). Limits: Maximum 50 characters. |
| Description | Type a meaningful description for the new system. This description displays as the tooltip for the action icon in the workbook detail panel. Limits: Maximum 250 characters. NOTE: If left blank, there will not be a tooltip to display when you hover over the action icon. |
| Type | Click API. The system type cannot be changed after the system is created. |

Click NEXT.
-
Complete the configuration options for the new system.
| Option | Description |
| --- | --- |
| API Name | Type the REST suffix that will be used when calling the REST APIs to perform this custom action. IMPORTANT: This must be identical to the REST suffix that you define using the Fusion APIs. Limits: Maximum 20 alphanumeric lowercase characters and dashes. |
| Action Name | Type the name of the label that will display for this action on the Activity tab of the workbook detail panel and in the feature list when creating a workspace. Limits: Maximum 20 characters. |
| Action Icon | Click the icon to display for this action on the Activity tab of the workbook detail panel. |
| Permission Name | Type the name of the permission that will be created for this action. The permission will be available in the Manage and Workspace Security roles and, by default, is not assigned to a specific role. |

Click FINISH.
The new system is created.
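A pre-flight check for the values entered in the two New System procedures above, as an added example that is not part of Fusion or its documentation. The dictionary keys and the `validate_system` helper are hypothetical; the length and character limits come from the option tables, while the GUID checks rely on Azure tenant and client IDs being GUIDs and on an app registration showing a GUID-format secret ID next to the secret value.

```python
import re
import uuid

API_NAME_RE = re.compile(r"[a-z0-9-]{1,20}")  # limit stated for API Name


def is_guid(value):
    """True if value is a canonical 8-4-4-4-12 GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def validate_system(cfg, rest_suffix=None):
    """Return the problems found in a planned system definition (hypothetical dict)."""
    problems = []
    if not 1 <= len(cfg.get("system_name", "").strip()) <= 50:
        problems.append("System Name: required, maximum 50 characters")
    if len(cfg.get("description", "")) > 250:
        problems.append("Description: maximum 250 characters")
    if cfg.get("type") == "api":
        if not API_NAME_RE.fullmatch(cfg.get("api_name", "")):
            problems.append("API Name: 1-20 lowercase alphanumerics and dashes")
        elif rest_suffix is not None and cfg["api_name"] != rest_suffix:
            problems.append("API Name: differs from the REST suffix")
        if not 1 <= len(cfg.get("action_name", "")) <= 20:
            problems.append("Action Name: required, maximum 20 characters")
    elif cfg.get("type") == "microsoft":
        for key, label in (("tenant_id", "Azure Tenant ID"),
                           ("application_id", "Application ID")):
            if not is_guid(cfg.get(key, "")):
                problems.append(label + ": not a GUID")
        secret = cfg.get("application_secret", "")
        if not secret or is_guid(secret):
            problems.append("Application Secret: empty, or a GUID (secret ID, not value)")
    else:
        problems.append("Type: must be 'api' or 'microsoft'")
    return problems


# Constructed sample definitions; every value below is made up.
API_SYSTEM = {"type": "api", "system_name": "FGS access report",
              "description": "Send items to the file access report",
              "api_name": "FGS_Report", "action_name": "Access report"}
MS_SYSTEM = {"type": "microsoft", "system_name": "Purview labels",
             "tenant_id": "11111111-2222-3333-4444-555555555555",
             "application_id": "Fusion connector",
             "application_secret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}

if __name__ == "__main__":
    for system in (API_SYSTEM, MS_SYSTEM):
        print(system["system_name"], validate_system(system))
```

The second sample shows two common slips: the display name typed into Application ID, and the secret ID pasted in place of the secret value.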
-
On the Systems page, click the name of the system you want to edit.
TIP: You can also click or hover over the row for the system and then click the edit icon.
The Edit Systems dialog opens.
-
Make the necessary changes and then click FINISH.
The edits to the file protection system are saved.
-
From the primary navigation panel, click File Protection > Rules.
The Rules page opens.
-
On the Rules page, click or hover over the row for the desired rule.
Additional icons display in the right column.
-
Click the activate or deactivate icon associated with the desired rule.
-
In the confirmation dialog, click YES to confirm the action.
The rule is activated or deactivated as appropriate. A deactivated rule no longer displays as an available rule when applying Microsoft Purview Information Protection rules to a workbook in Manage.
CAUTION: Deactivating a Microsoft Purview Information Protection system automatically deactivates all associated rules.
-
On the Manage Systems page, click or hover over the row for the desired system.
Additional icons display in the right column.
-
Click the activate or deactivate icon associated with the desired system.
-
In the confirmation dialog, click YES to confirm the action.
If deactivated, the system and all associated rules are deactivated. The associated rules no longer display when applying rules to a workbook in Manage.
If activated, the system is re-activated. You must manually activate the individual rules to make them available when applying rules to a workbook in Manage.
CAUTION: Deleting a Microsoft Purview Information Protection system automatically deletes all associated rules. This cannot be undone.
-
On the Systems page, click or hover over the row for the desired system.
Additional icons display in the right column.
-
Click the delete icon associated with the desired system.
-
In the confirmation dialog, click YES to confirm the action.
The system and all associated rules are deleted. The associated rules no longer display when applying rules to a workbook in Manage.