Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Resources > Custom user directory groups
Custom user directory groups
Administrator Help | Forcepoint DLP | Version 8.5.x
Related topics:
*
User directory entries
*
Business Units
*
Remediation
*
The RAP service
Use the Main > Policy Management > Resources > Custom User Directory Groups page in the Data Security module of the Forcepoint Security Manager to add or manage custom groups derived from existing user directory entries.
Create groups by filtering the user directory with advanced LDAP queries. The group is in effect a view into the user directory; it does not modify the user directory in any way.
This option is useful for targeting precise user directory attributes and compound conditions. For example, you can define a group of all users whose manager's name starts with the letter A.
If you are using Risk Adaptive Protection to determine actions according to the user's risk level, you can see the Risk Level of each user in the list. A value of 1 to 5 is shown only for users that were assigned to Risk Adaptive Protection, where level 1 gets the most permissive actions. The values are determined by Forcepoint UEBA and sent to Forcepoint DLP.
 
* 
Tip 
Administrators can also create groups of Forcepoint DLP resources. These can contain both user directory entries and non-user directory resources, such as URL categories, geo-locations, custom users, and custom computers. These groups are referred to as business units (see Business Units for more information).
To add a custom user directory group to a policy, first add it to a business unit. Then, when configuring rules, select the business unit as a source or destination.
The group objects are recalculated every time the user directory is synchronized with the system.
To create a custom user directory group:
1.
Click New.
2.
Enter a Name for the group.
3.
Enter a Description for the group.
4.
If you have more than one User directory configured, select which one to query.
5.
Enter an LDAP Query to search the specified user directory and filter it to create a custom grouping.
For example, to create a group of objects where the Department, Company, or Description attribute is Sales, enter:
(| (department=Sales) (company=Sales) (description= Sales))
The query must use LDAP filter syntax. The filter format uses a prefix notation.
filter      = "(" filtercomp ")"
filtercomp  = and / or / not / item
and         = "&" filterlist
or          = "|" filterlist
not         = "!" filter
filterlist  = 1*filter
item        = simple / present /               substring extensible
simple      = attr filtertype value
filtertype  = equal / approx / greater
              / less
equal       = "="
approx      = "~="
greater     = ">="
less        = "<="
extensible  = attr [":dn"]
              [":" matchingrule]
              ":=" value / [":dn"] ":"               matchingrule ":=" value
present     = attr "=*"
substring   = attr "=" [initial] any
              [final]
initial     = value
any         = "*" *(value "*")
final       = value
Nested operations:
    (|(&(…K1…)(…K2…))(&(…K3…)(…K4…)))
 
* 
Note 
Not all user directory entries can be retrieved. Only the following are supported: users, groups, and computers.
Queries are refreshed whenever you re-import user directory.
6.
Click View Sample Data to view examples of the data in this group, such as entry names, types, and distinguished names (DNs).
Use this sample to make sure that the correct information is being retrieved.
7.
Click OK.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Resources > Custom user directory groups
Copyright 2017 Forcepoint. All rights reserved.