Custom user directory groups

Use the Main > Policy Management > Resources > Custom User Directory Groups page in the Data Security module of the Forcepoint Security Manager to add or manage custom groups derived from existing user directory entries.

Create groups by filtering the user directory with advanced LDAP queries. The group is in effect a view into the user directory; it does not modify the user directory in any way.

This option is useful for targeting precise user directory attributes and compound conditions. For example, you can define a group of all users whose manager’s name starts with the letter A.

If you are using Risk-Adaptive Protection to determine actions permitted according to the user’s risk level, you can see the Risk Level of each user in the list. A value of 1 to 5 is shown only for users that were assigned to Risk-Adaptive Protection. Level 1 is set for users that are considered less risky for the organization; level 5 is for users that are considered to be most risky. The values are determined by Forcepoint Behavioral Analytics and sent to Forcepoint DLP.

To add a custom user directory group to a policy, first add it to a business unit. Then, when configuring rules, select the business unit as a source or destination.

Tip: Administrators can also create groups of Forcepoint DLP resources. These can contain both user directory entries and non-user directory resources, such as URL categories, geo-locations, custom users, and custom computers. These groups are referred to as business units (see the Business Units section for more information).

The group objects are recalculated every time the user directory is synchronized with the system.

To create a custom user directory group:

Steps

  1. Click New.
  2. Enter a Name for the group.
  3. Enter a Description for the group.
  4. If you have more than one User directory configured, select which one to query.
  5. Enter an LDAP Query to search the specified user directory and filter it to create a custom grouping.

    For example, to create a group of objects where the Department, Company, or Description attribute is Sales, enter:

    (|(department=Sales)(company=Sales)(description=Sales))

    The query must use LDAP filter syntax. The filter format uses a prefix notation:

    filter     = "(" filtercomp ")"
    filtercomp = and / or / not / item
    and        = "&" filterlist
    or         = "|" filterlist
    not        = "!" filter
    filterlist = 1*filter
    item       = simple / present / substring / extensible
    simple     = attr filtertype value
    filtertype = equal / approx / greater / less
    equal      = "="
    approx     = "~="
    greater    = ">="
    less       = "<="
    extensible = attr [":dn"] [":" matchingrule] ":=" value
               / [":dn"] ":" matchingrule ":=" value
    present    = attr "=*"
    substring  = attr "=" [initial] any [final]
    initial    = value
    any        = "*" *(value "*")
    final      = value

    Nested operations:

    (|(&(…K1…)(…K2…))(&(…K3…)(…K4…)))

    Note: Not all user directory entries can be retrieved. Only the following are supported: users, groups, and computers.

    Queries are refreshed whenever you re-import the user directory.

  6. Click View Sample Data to view examples of the data in this group, such as entry names, types, and distinguished names (DNs).

    Use this sample to make sure that the correct information is being retrieved.

  7. Click OK.
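The following is an added example, not Forcepoint code: a small evaluator for the filter grammar in step 5 (and, or, not, equality, presence and substring items), run over constructed directory entries so you can check which entries a query would place in a group before entering it in the UI. It assumes well-formed, parenthesized queries with no ")" inside values, and does not implement the approx, greater, less or extensible forms.

```python
import fnmatch

def parse(s, i=0):
    """Parse one "(" filtercomp ")" starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":                       # and / or: a filterlist of nested filters
        kids, i = [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1         # skip the closing ")"
    if op == "!":                        # not: exactly one nested filter
        node, i = parse(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)                # simple / present / substring item
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-case attr -> value)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    actual = entry.get(node[1])
    if actual is None:                   # attribute absent: no item form can match
        return False
    value = node[2]
    if value == "*":                     # present: attr "=*"
        return True
    if "*" in value:                     # substring: "*" is the wildcard ("?" and "["
        return fnmatch.fnmatchcase(actual, value)  # are fnmatch extras, not LDAP syntax)
    return actual == value               # equal: exact comparison, value taken as typed

def select(query, entries):
    node, _ = parse(query)
    return [e["cn"] for e in entries if matches(node, e)]

ENTRIES = [  # Constructed sample entries, not real directory data.
    {"cn": "alice", "department": "Sales", "company": "Acme"},
    {"cn": "bob", "department": "Engineering", "description": "Sales"},
    {"cn": "carol", "department": "Engineering", "manager": "Alan"},
    {"cn": "dave", "department": "Sales", "manager": "Bea"},
]
```

Note that a stray space after "=" becomes part of the value, so `(description= Sales)` matches nothing here; the same applies to the real query.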