Policy Export and Import functionalities supported in v10.3.2 - Exporting and Importing Policy levels, Classifiers and Resources as part of a policy

Policy levels, Classifiers and Resources now can be created or updated on the target system during policy import - they don’t have to exist on both source and target systems for a successful import.
Note: From v10.3.2, administrator can include or exclude classifiers and resources to the policy export. For more information, see Export Policies.
Policy level support:
  • When exporting a policy, all policy levels of the same data type as the exported policy will also be exported from the source system. During import, these policy levels are brought into the target system. If a policy level doesn't already exist on the target system, it will be created.
  • The policy level unique identifier is the order number shown in the system, if both source and target system have the same order number but a different name or description, they will be updated on the target system.
Supported Classifiers:
  • Supported types: Key phrases, Regular expressions, Dictionaries, File Properties, File Labeling
  • Unique Identifier: Classifier name
  • If a classifier with the same type and name exists on both the source and target systems, it will be updated during import. All other classifier types must already exist on both systems for the policy import to succeed.
Supported Resources:
  • Supported types: Custom users, Custom computers, Networks, Domains, Business units, Action plans, Notifications
  • Unique Identifier: Resource name (for custom users, the email address)
  • If a resource with the same type and name exists on both the source and target systems, it will be updated during import.
  • If a resource from the list above is marked as “deleted” in a policy, it will be removed during export.
  • All other resource types must already exist on both the source and target systems for a successful policy import.
Resources Lists Override During Policy Import:
  • The resources list in a policy rule’s source or destination channel (for example, web, email, or endpoint) will be overwritten during import.
  • Resources lists in nested resources—such as business units (for example, user and computer lists), notifications (for example, administrator lists), and action plans (for example, label lists)—will also be overwritten when the nested resource is updated during import.
Duplicated Resources:
  • Before importing resources, ensure there are no duplicate resources on either the source or target system. If duplicate resources exist, any policies related to those duplicates will be dropped during export or import. Ensure the following resources do not have duplicates in your system:
    • Custom users
    • Custom computers
Action Plan notes:
  • File Labeling - Make sure for both source and target system:
    • The Apply file labels checkbox is enabled on the Settings > General > Services > Decryption and File Labeling tab for the desired labeling system (Microsoft Information Protection or Boldon James)
    • The File labeling checkbox is enabled on the action plan configuration.

    Otherwise the policy export and policy import process will mismatch the file labeling configuration on the target system action plan.

    In addition, only active labels on the source system will be included in the policy export process. Deleted labels will be excluded.

  • Notifications - If the configured recipient is an Administrator, they will be associated with the notification on the target system, only if both the user name and email address are identical to those of the administrator associated on the source system (i.e. Administrators cannot be created or updated during this process). If the details do not match, the recipient will be removed from the notification during the import process.
  • Licensing - Make sure both the source and target systems have the same licenses available; otherwise the following may occur:
    • If the subscription license on the source system does not include all the channels available on the target system, the following applies:

      For example, if the source system has only DLP Endpoint license (i.e. only the endpoint channel can be configured in the action plan) and the target system has DLP Suite license (i.e. network web, network email, and endpoint channels can be configured in the action plan), then the actions on the target system will be set to the default options for the channels that are only available on the target system. (In this example, network web and network email channels will be set to audit in the action plan).

    • If the subscription license on the source system includes all the channels, but the target system does not, the action plan details will be exported and imported to the target system. The missing channel configurations on the target system will appear in the action plan once the relevant license is enabled on the target system.
Risk Adaptive Protection - Make sure both the source and target systems have the Risk Adaptive Protection configuration enabled; otherwise the following may occur:
  • If the Risk Adaptive Protection configuration is disabled on the source system, the action plans related to Risk Adaptive Protection will not be exported from either the policy rule or the exception rule. The action plan on the target system will be set to the default values in the system.
  • If the Risk Adaptive Protection configuration is enabled on the source system but disabled on the target environment, the action plans related to Risk Adaptive Protection will be exported and imported to target. However, they will not be displayed on the target until the configuration is enabled.
    Note: For more information on the configuration, refer Risk Adaptive Protection.