Policy Management
Overview of the Policy Management in the ESA.
Policies group together Data Elements, Masks, and Roles to create security configurations that reflect your organization’s data security strategy. Policies are deployed to the locations specified under Data Stores. This is applicable to the policies that are dynamically deployed and not to the immutable policies that are deployed using the DevOps approach. The mapping between Roles and Data Elements is unique to each Policy and needs to be configured.
Note: The Deploy Status is only applicable for 9.x.x.x Protectors and earlier. For 10.0.0 protectors and later, you can access the information about the deploy statuses from the Protegrity Dashboard.
Protegrity supports two types of Policies:
- Structured: using structured Data Elements for fine-grained protection.
- Unstructured: using unstructured data elements for course-grained file protection. Used exclusively with Protegrity File Protector.
Policy Changes
Policies must be deployed to take effect in the system.
Any updates made to any of the policy components result in a policy change. These updates may be related to administrative changes in the policy definition, such as an addition of a data element. These updates may also be an effect of a change coming from the organization’s Directory Service that is automatically pulled into the ESA.
User-originated changes made through the ESA UI require a manual policy deployment from the Web UI. User-originated changes made via the ESA Policy Management API are automatically deployed. Finally, any changes coming from the LDAP Member Sources that are configured in automatic refresh mode in the Role definition are also immediately deployed.
For more information about the available Policy Deployment mechanisms, refer to the Deploying Policies section.
1 - Creating Policies
Creating a Structured Policy
This section describes the steps to create a structured policy.
To create a structured policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appears.
Click Add New Policy.
The New Policy screen appears.
Select Structured from Type.
Type a unique name for the policy in the Name textbox. The maximum length of the policy name is 55 characters.
Type the description for the policy in the Description textbox.
Under the Permissions tab, select the required permissions.
For more information about adding permissions, refer to the section
Configuring Policy Permissions.
Under the Data Elements tab, add the required data elements.
For more information about adding data elements, refer to the section Data Elements.
Under the Roles tab, add the required roles.
For more information about adding roles, refer to the section Roles.
Under the Data Stores tab, add the required Data Stores.
For more information about adding data stores, refer to the section Data Stores.
Click Save.
A message Policy has been created successfully appears.
Creating an Unstructured Policy
This section describes the steps to create an unstructured policy.
To create an unstructured policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Click Add New Policy.
The New Policy screen appears.
Select Unstructured from Type.
Type a unique name for the policy in the Name textbox.
The maximum length of the policy name is 55 characters.
Type the description for the policy in the Description textbox.
Under the Permissions tab, select the required permissions.
For more information about adding permissions, refer to the section Configuring Policy Permissions.
Under the Data Elements tab, add the required data elements.
For more information about adding data elements, refer to the section Data Elements.
Under the Roles tab, add the required roles.
For more information about adding roles, refer to the section Roles.
Under the Data Stores tab, add the required Data Stores.
For more information about adding data stores, refer to the section Data Stores.
Click Save.
A message Policy has been created successfully appears.
2 - Adding Data Elements to Policy
This section discusses about how to add data elements to policy.
Adding Data Elements for Structured Policies
This section describes the steps to add data elements for structured policies.
To add data elements for structured policies:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the policy.
The screen to edit the policy appears.
Click the Data Elements tab.
Click Add.
The list of all the available data elements appears.
Select the data elements.
Click Add.
A message Selected Data Elements have been added to the policy successfully appears.
Adding Data Elements for Unstructured Policies
This section describes the steps to add data elements for unstructured policies.
To add data elements for unstructured policies:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the policy.
The screen to edit the policy appears.
Click the Data Elements tab.
Click Add.
The list of data elements created for unstructured data appears.
Select the data elements.
Click Add.
A message Selected Data Elements have been added to the policy successfully appears.
3 - Adding Roles to Policy
This section discusses how to add roles to a policy and then how to customize the permissions for individual roles.
Adding Roles to Policies
You add roles to a policy to enforce user access to data. The roles can be set up to enable granular access control on sensitive enterprise data. You can add one or more roles to a policy.
To add roles to policies:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the policy.
The screen to edit the policy appears.
Click the Roles tab.
Click Add.
The list of roles created appears.
Select the roles.
Click Add.
A message Selected Roles have been added to the policy successfully appears.
4 - Configuring Policy Permissions
Overview of configuring policy permissions.
Policy Permissions define how your end users will interact with sensitive data. Permissions specify if the members of a Role have the ability to protect or unprotect a given Data Element. Permissions govern the format of data to return for authorized and unauthorized unprotect operations.
Permissions can be set using the ESA Web UI or the Policy Management API.
Available Permissions vary depending on whether the Policy is Structured or Unstructured.
For Structured Policies, the following Permissions are configurable for each Data Element:
- Unprotect: Allows Role members to unprotect data.
- Protect: Allows Role members to protect data.
- Reprotect: Allows Role members to reprotect data.
Note: From 10.1.0, if you have selected the HMAC-SHA256 data elements, then only the Protect option is enabled. The other options, such as, Reprotect and Unprotect are grayed out.
For Unstructured Policies, the following Permissions are configurable for each Data Element:
- Unprotect Content: Allows Role members to unprotect data.
- Protect Content: Allows Role members to protect data.
- Reprotect Content: Allows Role members to reprotect data.
- Create Object: Allows Role members to create a file or directory.
- Admin Permissions: Allows Role members to add or remove protection.
Access and No-Access Operations
You can control the data output during unprotect operations:
- For authorized unprotect operations, you can decide to return the data in the clear or with an applied Mask.
- For unauthorized unprotect operations, you can decide to return the data in its protected form if it is available, as null, or generate an error.
The following table specifies the behavior during Unprotect operations.
| No-Access Operation | Permission Description |
|---|
| Null | A null value is returned when the user tries to access the data. |
| Protected Value | The tokenized or encrypted value is returned when the user tries to access the data. |
| Exception | An exception is returned when the user tries to access the data. |
Note: Masks can only be applied during unprotect operations.
For more information about how no-access operations work for users in multiple roles, refer to the section No-Access Operations for Users in Multiple Roles.
You can also set permissions or rules using the Policy Management API.
Setting Default Permissions for a Policy
By default, every new Policy is created with most restrictive permissions, disallowing all operations for Policy members. Changes to Permissions will have to be made on a granular level, by modifying Data Element Permissions or Role Permissions.
To set default permissions for a policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click the Permissions tab.
- Select the required permissions.
- Click Save.
The permissions are set for the policy. The default Permissions are inherited by every new Role added to the Policy. Roles added before the Permission change are not modified.
Modifying Data Element Permissions
You can modify Permissions of Roles for each individual Data Element. The new Permissions override the default Permission configuration.
To customize permissions for each data element:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click the Data Elements tab.
Click Edit Permissions.
The Permissions screen appears.
Select the required permissions.
You can choose the Permissions of each Policy Role on the Data Element you are modifying.
Note: If you are using masks with any data element, then ensure that masks are created before editing permissions.
Click Save.
A message Permissions have been updated successfully appears.
Note: The customized permissions, if any, override the default permissions for any policy.
Modifying Role Permissions
You can modify Permissions over Data Elements for each individual Role. The new Permissions will override the default Permission configuration.
To customize permissions for each role:
On the ESA Web UI, navigate to Policy Management> Policies & Trusted Applications> Policies.
The list of all the policies appear.
Select the policy.
The screen to edit the policy appears.
Click the Roles tab.
Click Edit Permissions.
The Permissions screen appears.
Select the permissions.
You can choose the Permissions of each Policy Data Element for the Role you are modifying.
Click Save.
A message Permissions have been updated successfully appears.
4.1 - Permission Conflicts
Conflict scenarios and resolutions.
Policy users can be assigned to multiple roles with different Data Element permission settings. This section guides you through conflict resolution applied by the software. As a general rule, the least restrictive permissions are applied. If the conflict is unsolvable, access may be revoked. If multiple policies exist in one data store, then the effective merged policies and merged role permissions are applied when the Data Store is deployed.
Masking Conflicts
In case of Masking conflicts, the general rule of applying least restrictive permission is typically applied, with some exceptions.
Study the following table to understand all possible conflict permutations and their outputs. In this table, User U1 with a policy P is associated with roles R1, R2, and R3. The user is also connected with the data element DE1 containing Left and Right masks, and output formats.
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 2 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the mask
settings (Left, Right) and thus, the Unprotect access is revoked
with NULL as the output. |
| R2 | U1 | DE1 | MASK | Left: 0, Right: 5 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character
‘*’ | There is conflict in the mask
character settings and thus, the Unprotect access is revoked with
NULL as the output. |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character
‘/’ |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the mask
settings (Left, Right) and thus, the Unprotect access is revoked
with NULL as the output. |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 2 |
| R3 | U1 | DE1 | MASK | Left: 0, Right: 5 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 1 with masked mode | There is conflict in the mask
settings and thus, the Unprotect access is revoked with NULL as
the output. For example: If the value 12345 is masked with
Left: 1, Right: 1 settings in masked mode,
then it results in *234*. If the value 12345 is masked with
Left: 1, Right: 1 settings in clear mode,
then it results in 1***5. As the resultant values are
conflicting, the Unprotect access is revoked with NULL as the
output. |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 1 with clear mode |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the output
formats. The resultant output is most permissive, which is
CLEAR. |
| R2 | U1 | DE1 | CLEAR | |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the output
formats due to conflicting MASK settings. However, with the CLEAR
setting applicable in the order of access as per the role R3, the
resultant output is most permissive. In this case, it is
CLEAR. |
| R2 | U1 | DE2 | MASK | Left: 0, Right: 5 |
| R3 | U1 | DE3 | CLEAR | |
Unprotect Permission Conflicts
Unprotect Permissions may be set to authorized or unauthorized. In the case of authorized access, the data can be returned as masked or in the clear. In the case of unauthorized access, the output may be set to null, exception, or protected string, if available for the specific Data Element.
In case of Authorized and Unauthorized Unprotect Permissions conflicts, the general rule of applying least restrictive permission is always applied. Study the following table to understand all possible conflict permutations and their outputs.
| 1 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | There is conflict in the output
formats. If one of the roles has access, then the output format is
used. The resultant output is most permissive, which is
MASK. |
| R2 | U1 | DE1 | NULL | | |
| 2 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 |
| R2 | U1 | DE1 | Protected | | |
| 3 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 |
| R2 | U1 | DE1 | Exception | | |
| 4 | R1 | U1 | DE1 | | CLEAR | | If one of the roles has access,
then the output format is used. The resultant output is most
permissive, which is CLEAR. |
| R2 | U1 | DE1 | NULL | | |
| 5 | R1 | U1 | DE1 | | CLEAR | |
| R2 | U1 | DE1 | Protected | | |
| 6 | R1 | U1 | DE1 | | CLEAR | |
| R2 | U1 | DE1 | Exception | | |
No-Access Operations for Users in Multiple Roles
In case of Unauthorized Unprotect Permissions conflicts, the general rule of applying least restrictive permission is always applied. Study the following below to understand all possible conflict permutations and their outputs.
| No-Access Operation 1 | No-Access Operation 2 | Resultant Permission on the Protector |
|---|
| Protected | NULL | Protected |
| Protected | EXCEPTION | Protected |
| Protected | Mask | Mask |
| Protected | Clear | Clear |
| NULL | EXCEPTION | EXCEPTION |
| NULL | Mask | Mask |
| NULL | Clear | Clear |
| EXCEPTION | Mask | Mask |
| EXCEPTION | Clear | Clear |
4.1.1 - Inheriting Permissions
Special case of inheriting permissions across roles.
A special case exists when a user is present in multiple roles, this creates a conflict. This section provides information about how the software resolves this conflict. As a general rule, the software applies the most restrictive permissions.
Typically, when a policy user is assigned a role that does not have a specific data element associated with the role, then the user cannot use the data element for performing security operations. If the user tries to use the data element, then an error is generated.
However, consider a policy where you have created a default role that is applicable to all users. You associate a specific data element with this default role. In this case, the policy user, who is included in another role that is not associated with the specific data element, inherits the permissions for this data element from the default role. This scenario is applicable only if the users are a part of the same policy or a part of multiple policies that are applied to the same data store.
Scenario:
Policy 1 contains the role R1, which is assigned to the user U1. The role R1 is associated with a data element DE1, which has the permissions Unprotect, Protect, and Reprotect. The user U1 can unprotect, protect, and reprotect the data using the data element DE1.
Policy 2 contains the role R2, which is assigned to the user U2. The role R2 is associated with a data element DE2. which has the permissions Unprotect, Protect, and Reprotect. The user U2 can unprotect, protect, and reprotect the data using the data element DE2.
Policy P3 contains the role R3, which is applicable to all the users. The role R3 role is associated with two data elements DE1 and DE2. Both the data elements have the Unprotect permissions associated with it.
Note: The ALL USERS denotes a default role which is applicable to all the users. To enable the default role, click the Applicable to all the members toggle button on the ESA web UI. For more information about Applicable to all the members, refer to the section Roles.
Use Case 1
The Use Case 1 table demonstrates that roles R1 and R2 have an indirect relationship with data elements DE1 and DE2. The roles are part of different policies that are deployed to the same data store. As a result, the roles R1 and R2 have inherited the permission of the default role for data elements DE1 and DE2.
Table 1. Use Case 1
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | U |
| P2 | R2 | U2 | DE2 | URP | U2 | DE1 | U |
| DE2 | URP |
| P3 | R3 | ALL USERS | DE1 | U | ALL USERS | DE1 | U |
| DE2 | U | DE2 | U |
The Unprotect permission is highlighted in bold in the Protector side permissions after deploying the policy column. This Unprotect permission indicates that it has been inherited from the role R3, which is applicable to the data elements DE1 and DE2 for all the users.
Use Case 2
The Use Case 2 table demonstrates that if roles R1 and R2 have a direct relationship with data elements DE1 and DE2, then they will not inherit the permissions of the default role.
Table 2. Use Case 2
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | - | DE2 | - |
| R3 | ALL USERS | DE1 | U | U2 | DE1 | - |
| DE2 | U | DE2 | URP |
| P2 | R2 | U2 | DE1 | - | ALL USERS | DE1 | UR |
| DE2 | URP |
| P3 | R4 | ALL USERS | DE1 | R | DE2 | UR |
| DE2 | R |
Use Case 3
The Use Case 3 table demonstrates that if roles R1 and R2 have a direct relationship with data elements DE1 and DE2, then they will not inherit the permissions of the default role.
Table 3. Use Case 3
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | - | DE2 | - |
| R2 | U2 | DE1 | - | U2 | DE1 | - |
| DE2 | URP | DE2 | URP |
| R3 | ALL USERS | DE1 | U | ALL USERS | DE1 | UR |
| DE2 | U |
| R4 | ALL USERS | DE1 | R | DE2 | UR |
| DE2 | R |
Use Case 4
The Use Case 4 table demonstrates that as role R2 has an indirect relationship with data element DE1, it has inherited the permissions of the default role. The role R1 has a direct relationship with data element DE1, and it have not inherited the permissions of the default role.
Table 4. Use Case 4
| P1 | R1 | U1 | DE1 | - | U1 | DE1 | - |
| DE2 | - |
| R3 | ALL USERS | DE1 | U | U2 | DE1 | U |
| DE2 | URP |
| P2 | R2 | U2 | DE2 | URP | ALL USERS | DE1 | U |
| DE2 | - |
The Unprotect permission is highlighted in bold in the Protector side permissions after deploying the policy column. This Unprotect permission indicates that it has been inherited from the role R3, which is applicable to the data element DE1 for all the users.
Use Case 5
The Use Case 5 table demonstrates that Role R1 has inherited the permissions of the default role for the data element DE2.
Table 5. Use Case 5
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | UP |
| P2 | R3 | ALL USERS | DE2 | U | ALL USERS | DE1 | - |
| P3 | R4 | ALL USERS | DE2 | P | DE2 | UP |
The resultant permissions are highlighted in bold in the Protector side permissions after deploying the policy column. These permissions indicate that they have been inherited from the roles R3 and R4, which are applicable to the data element DE2 for all the users.
Use Case 6
The Use Case 6 table demonstrates that role R1 will inherit the permissions of the default role for the data element DE2.
Table 6. Use Case 6
| P1 | R1 | U1 | DE1 | U | U1 | DE1 | UP |
| DE2 | URP |
| P2 | R5 | U1 | DE1 | P | ALL USERS | DE1 | - |
| P3 | R3 | ALL USERS | DE2 | URP | DE2 | URP |
The resultant permissions are highlighted in bold in the Protector side permissions after deploying the policy column. These permissions indicate the permissions that have been inherited from the role R3, which is applicable to the data element DE2 for all the users.
Use Case 7
In Use Case 7 table, role R1 is related to data element DE1 in policy P1 and and role R3 is related to data element DE1 in policy P3. In this case, roles R1 and R3 will not inherit the permissions of the default role.
Table 7. Use Case 7
| P1 | R1 | U1 | DE1 | U | U1 | DE1 | U |
| DE2 | - |
| P2 | R1 | U1 | DE2 | - | ALL USERS | DE1 | URP |
| P3 | R3 | ALL USERS | DE1 | URP | DE2 | - |
5 - Deploying Policies
Making the Policy available to the Protectors.
Policies must be deployed to take effect in the system.
There are two stages of deployment: Ready to Deploy and Deployed. The Ready to Deploy stage signals that the Policy configuration is finalized and the Policy can be deployed. The Deployed stage means that this version of the Policy is actively being made available to the Protectors. If you modify a Policy, then you need to repeat the deployment process.
Note that this behavior only applies to modifying Policies via ESA Web UI. If you are modifying a Policy using the Policy Management API, the deployment happens automatically after every change.
For more information about the Policy Management API, please refer to the section Using the Policy Management REST APIs.
Marking the Policy as Ready to Deploy
To mark the Policy as Ready to Deployment:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click Ready to Deploy.
A message confirming the action appears. The Ready to Deploy is inactive and the Deploy is active. The ESA must be up and running to deploy the package to the protectors.
Deploying a Policy
This section describes how to deploy the policy after it has been marked as Ready to Deploy.
To deploy the policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click Deploy.
A message Policy has been deployed successfully appears.
Note: An error message appears if the deployment of the Policy is not linked to any Data Store.
If you deploy a policy to a data store, which contains additional policies that have already been deployed, then the policy user inherits the permissions from the multiple policies.
For more information about inherting permissions, refer to Inheriting Permissions.
Deploying Data Stores
You can choose to deploy a Policy to a specific Data Store only. That will allow the nodes associated with the Data Store to get the latest Policy. By deploying a Data Store, you deploy the Trusted Applications associated with it.
To deploy a Data Store:
On the ESA Web UI, navigate to Policy Management > Data Stores.
The list of all the data stores appear.
Select the data store.
The screen to edit the data store appears.
Click Deploy.
A message **Data Store has been deployed successfully** appears.
When the Protector pulls the package that contains a policy added to the data store, it connects to ESA to retrieve the necessary policy information. The policy information includes members for each role in the policy, token elements, and so on.
Deploying Trusted Applications
During deployment, the Application Protector validates the Trusted Application. If the validation fails, then the Protector generates an audit entry with the detailed information.
Marking a Trusted Application as Ready to Deploy
To mark a Trusted Application as Ready to Deploy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Trusted Applications.
The list of all the trusted applications appear.
Select the required trusted application.
The screen to edit the trusted application appears.
Click Ready to Deploy.
A message Trusted Application has been marked ready to deploy appears.
The Deploy action is active.
Deploy the Trusted Application
To deploy the trusted application after it has been marked as Ready to Deploy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Trusted Applications.
The list of all the trusted applications appear.
Select the required application that is in the ready to deploy state.
The screen to edit the trusted application appears.
Click Deploy.
A message Trusted application has been successfully deployed appears.
Note: An error message appears if the deployment of the Trusted Application is not linked to any Data Store.
You can also deploy the trusted application by deploying the data store. In this case, all the policies and trusted applications that are linked to the data store are prepared to be distributed to the protection points.
For more information about deploying a data store, refer to Deploying Data Stores to Protectors.