Learn how to allow users to override selected DLP policies.
Safetica 9.9 and newer offer a policy setting called Override. With its help, the admin can allow certain users to override the blocking by selected DLP policies.
Override is useful in environments where the admin trusts users to override blocking policies only for legitimate reasons. With Override, the admin gives users the power to decide whether a block makes sense, and thus to influence company data security. Since the action is logged, the admin can go back and question the user about it at any time.
Situations where Override can be useful include:
- a salesperson has a legitimate business reason to send a sensitive file to a customer
- sensitive content is incorrectly detected in an ordinary file
- a user needs to circumvent a technical problem or non-standard product behavior
- and many other similar situations
Override works for general and data policies and for all data category types.
To see Override availability for various channels, click here and have a look at Limitations.
In this article, you will learn:
- How to configure Override
- What will the user see
- What can the admin find in logs
- Where to visualize override actions
- How to send alerts when a user uses Override
How to configure Override
To create a policy that can be overridden by users:
- Go to Safetica Management Console > Protection > DLP policies and create a new general or data policy.
- In Policy mode, choose Log and block.
- A new option User override will appear.
- If you select Enabled, all users to whom this policy is applied will be able to override its blocking.
- In the next step, select the users you want to apply this policy to and click Finish.
What will the user see?
When a user tries to perform an action that is blocked by a DLP policy with Override enabled (e.g. uploading data to a network share), a small notification appears.
If the user clicks it, they will see more information about what was blocked. They can then either cancel the action (the operation will be blocked) or override the blocking.
In the bottom part of the Override notification, the user must explain what they are doing and why.
After they click Override, the action will be allowed and logged as an override event.
What can the admin find in logs?
In Safetica Management Console > Protection > DLP logs, the admin can see all the allowed, logged, blocked, and also overridden actions which have happened in their environment.
To filter only overridden actions, click Override in the Top actions chart.
In the Top overriding users chart, you can easily see whether someone is overriding blocking policies too often, so you are better informed about whose logs should be checked.
In the Action context column of the Records table, you can see the pre-defined reason the user selected when overriding a blocked action.
To see even more info and get more context about why an override happened (such as the explanation the user wrote in their own words), click the Details link in the Details column.
Where to visualize override actions
To see information about override actions in the form of charts, go to Protection > DLP logs and, in the upper left part of the screen, select Override actions from the Layout drop-down. You will see who used the Override feature, what was overridden, and when.
How to send alerts when a user uses Override
A real-time notification about the use of Override is sent as part of the DLP policy violation alert. The admin can set it up in Safetica Management Console > Alerts after clicking the New rule button.