File protection

File protection lets you identify documents containing sensitive data through the use of protection rules. Once protection rules are created, they can be applied to documents gathered in workbooks.

NOTE: Only file types supported by your selected file protection method can be protected.

File protection is implemented using one or more of the following systems.

  • Mask file system and SharePoint documents in their original source location.

  • Encrypt files using Microsoft Purview Information Protection, referred to as "Microsoft Purview labeling" in OpenText Core Data Discovery & Risk Insights.

  • Perform custom actions on items in workbooks by connecting to existing third-party applications using OpenText Core Data Discovery & Risk Insights APIs. For example, you can generate a list of sensitive items that you can handover to File Governance Suite (FGS) File Report to create a file access report.

You can filter and search for protected items by metadata in Analyze and Manage, but the content of protected items is not viewable.

For information about applying file protection rules to items in a workbook, see Manage workbook activity

Mask at the source location

You can mask file system and SharePoint documents at their original source location. This method replaces the original documents, at the source location, with masked versions in the original file format. Masking at the source location is referred to as internal masking. When applied from the workbook protection action, masking is based on existing grammar types or rules for which masking is configured and selected as part of the file protection rule.

The following document file types processed from file system or SharePoint sources can be masked at their source location.

  • text-based formats

  • PDF

  • new Microsoft Office formats, such as .docx, .xlsx, and .pptx

A single Internal Masking file protection system is automatically created when your OpenText Core Data Discovery & Risk Insights application was installed and cannot be edited or deleted. You need to create File protection rules to define how you want to mask documents at their source.

CAUTION: This is an irreversible action that overwrites the document in the original source location. To ensure you have a backup, perform a send to target action against the workbook before masking the documents at the source.

Encrypt using Microsoft Purview labeling

Encrypt files using Microsoft Purview Information Protection. In OpenText Core Data Discovery & Risk Insights, this file protection type is referred to as "Microsoft Purview labeling". Once Microsoft Purview labeling systems have been configured in Connect and the desired Microsoft Purview labeling rule applied to items in a workbook in Manage, the binary file (if collected and not on hold), content, and grammar value details are removed from OpenText Core Data Discovery & Risk Insights.

For each Microsoft Purview labeling system you create in Connect, OpenText Core Data Discovery & Risk Insights reads the associated rules (policies) you have already implemented in your environment. When you manually deactivate a Microsoft Purview labeling system in OpenText Core Data Discovery & Risk Insights, all rules associated with the system are deactivated. If you re-activate a system, you must manually re-activate the associated rules. When systems or rules are deleted in Microsoft, the systems or rules are automatically deactivated in OpenText Core Data Discovery & Risk Insights.

NOTE: You can apply Microsoft Purview Information Protection labels in OpenText Core Data Discovery & Risk Insights 24 hours after the label is created in Microsoft.

For information about configuring the connection to Microsoft Purview Information Protection, see Microsoft Purview Information Protection connection.

  1. From the primary navigation pane, click File Protection > Manage Systems.

  2. Click NEW SYSTEM.

  3. Complete the General options for the new system.

    Option Description
    System Name

    Type a meaningful, unique name for the new system.

    Limits: Maximum 50 characters.
    Description

    (Optional) Type a meaningful description for the new system.

    Limits: Maximum 250 characters.
    Type Click Microsoft Purview labeling. The system type cannot be changed after the system is created.

    Click NEXT.

  4. Complete the configuration options for the new system.

    Option Description
    Agent Clusters

    Select the agent clusters that will manage the new system.

    NOTE: To protect documents, the agent cluster for the source must be the same agent cluster as selected for the file protection system.

    Azure Tenant ID

    Type the "Directory (tenant) ID" for the Azure tenant for which you created the app registration for OpenText Core Data Discovery & Risk Insights.
    Application Name

    Type the “Display name” defined for the app registration you created for OpenText Core Data Discovery & Risk Insights.
    Application ID Type the “Application (client) ID” defined for app registration you created for OpenText Core Data Discovery & Risk Insights.
    Application Secret Type the secret defined for the app registration you created for OpenText Core Data Discovery & Risk Insights.

    Click FINISH.

    The new system is created. OpenText Core Data Discovery & Risk Insights connects to your file protection application using the details provided and the rules begin to populate to the File Protection > Rules page.

Protect using custom actions

Perform custom actions on items in workbooks by connecting to existing third-party applications using OpenText Core Data Discovery & Risk Insights APIs. For example, you can generate a list of sensitive items that you can handover to File Governance Suite (FGS) File Report to create a file access report.

Once API-based systems have been configured in Connect and the corresponding action applied to items in a workbook in Manage, an API Developer, user using the included APIs, can retrieve the information about the workbook items and can mark the action status as Processing. The designated person can then apply the custom action and take any addition necessary actions.

Permissions to access the API-based custom actions are created when the system is created. The permissions display at the bottom of the Manage and Workspace Security role permissions in Administration but are not assigned to existing roles by default. You must assign the permission for the custom action to a role. For a user to be able to execute the custom action on items in a workspace, the user must be assigned that role when you create or edit the Security for the workspace. For more information, see "Roles" in the Administration Help Center.

If you have the appropriate permissions to use the APIs to manage custom actions, see API-based custom activities.

  1. From the primary navigation pane, click File Protection > Manage Systems.

  2. Click NEW SYSTEM.

  3. Complete the General options for the new system.

    Option Description
    System Name

    Type a meaningful, unique name for the new system. This name displays on the File Protection page and anywhere the activity for this custom action is reported (such as workbook detail, workspace audit and report).

    Limits: Maximum 50 characters.
    Description

    Type a meaningful description for the new system. This description displays as the tooltip for the action icon in the workbook detail pane.

    Limits: Maximum 250 characters.

    NOTE: If left blank, there will not be a tooltip to display when you hover over the action icon.
    Type Click API. The system type cannot be changed after the system is created.

    Click NEXT.

  4. Complete the configuration options for the new system.

    Option Description
    API Name

    Type the REST suffix that will be used when calling the REST APIs to perform this custom action.

    IMPORTANT: This must be identical to the REST suffix that you define using the OpenText Core Data Discovery & Risk Insights APIs.

    Limits: Maximum 20 alphanumeric lowercase characters and dashes.
    Action Name

    Type the name of the label that will display for this action on the Activity tab of the workbook detail pane and in the feature list when creating a workspace.

    Limits: Maximum 20 characters.
    Action Icon

    Click the icon to display for this action on the Activity tab of the workbook detail pane.
    Permission Name Type the name of the permission that will be created for this action. The permission will be available in the Manage and Workspace Security roles and, by default, is not assigned to a specific role.

    Click FINISH.

    The new system is created.

The defined icon for an API-based custom action displays alongside the default action icons on the Activity tab of the workbook detail pane. The workspace must have the feature enabled for the API-based action. The features display in a separate column on the Features page when creating or editing a workspace in Manage. Like the default features, you must select the custom action feature for the workspace and assign a user with the necessary role to allow that user to see the custom action icons for the workbook.

  1. Assign the custom action permission to a role at the application level (Manage) in Administration.

  2. Assign the corresponding custom action workspace security level permission to a role at the Workspace Security level in Administration.

  3. Assign the Manage and Workspace Security roles with the custom action to the user in Administration.

  4. When creating or editing a workspace in Manage, select the user on the Security page of the wizard and select a functional workspace role.

Edit a file protection system

Microsoft Purview labeling and API file protection systems can be edited as needed.

  1. On the File Protection > Manage Systems page, click the name of the file protection system you want to edit.

    TIP: You can also click or hover over the row for the system and then click the edit icon (edit icon).

  2. Make the necessary changes on the General and Configuration pages and then click FINISH.

    The updates to the file protection system are saved.

Activate or deactivate a file protection system

You can activate and then deactivate Microsoft Purview labeling and API file protection systems as needed. Once deactivated, you will not be able to select the system when selecting a file protection system to apply to a workbook. A deactivated system cannot be edited or deleted.

CAUTION: Deactivating a Microsoft Purview Information Protection system automatically deactivates all associated rules.

  1. On the File Protection > Manage Systems page, click or hover over the row for the desired system.

    Additional icons display in the right column.

  2. Click the activate (activate icon) or deactivate icon (deactivate icon) associated with the desired system.

  3. In the confirmation dialog, click YES to confirm the action.

    If deactivated, the system and all associated rules are deactivated. The associated rules no longer display when applying rules to a workbook in Manage.

    If activated, the system is re-activated. You must manually activate the individual rules to make them available when applying rules to a workbook in Manage.

For each Microsoft data protection system you create in Connect, OpenText Core Data Discovery & Risk Insights reads the associated rules (policies) in your environment. When you manually deactivate a Micorosoft data protection system in OpenText Core Data Discovery & Risk Insights, all rules associated with the system are deactivated. If you re-activate a system, you must manually re-activate the associated rules. When systems or rules are deleted in Microsoft, the systems or rules are automatically deactivated in OpenText Core Data Discovery & Risk Insights.

Delete a file protection system.

You can delete Microsoft data protection and API file protection systems as needed. The source location, the underlying Microsoft Purview Information Protection solution, or the API itself.

CAUTION: Deleting a Microsoft Purview Information Protection system automatically deletes all associated rules. This cannot be undone. You would need to create a new file protection system to reconnect to Microsoft Purview Information Protection and repopulate the rules.

  1. On the File Protection > Manage Systems page, click or hover over the row for the desired system.

    Additional icons display in the right column.

  2. Click the delete icon (delete icon) associated with the desired system.

  3. In the confirmation dialog, click YES to confirm the action.

    The system and all associated rules are deleted. The associated rules no longer display when applying protection to a workbook in Manage.