Use case: Limit DLP Incident Manager viewing with redaction permissions

To protect confidential information, and to meet legal demands in some markets, McAfee DLP Endpoint offers a data redaction feature.

When using data redaction, specific fields in the DLP Incident Manager and DLP Operations displays containing confidential information are encrypted to prevent unauthorized viewing, and links to evidence are hidden.

Note: The fields computer name and user name are predefined as private.

This example shows how to set up the DLP Incident Manager permissions for a redaction reviewer — a single administrator who cannot view actual incidents, but can reveal encrypted fields when required for another reviewer viewing the incident.

Task

  1. In McAfee ePO, select Menu → User Management → Permission Sets.
  2. Create permission sets for regular reviewers and for the redaction reviewer.
    1. Click New (or Actions → New).
    2. Enter a name for the group, such as DLPE Incident Reviewer or Redaction Reviewer.
      Note: You can assign different types of incidents to different reviewer groups. You must create the groups in Permission Sets before you can assign incidents to them.
    3. Assign users to the group, either from available McAfee ePO users or by mapping Active Directory users or groups to the permission set. Click Save.
    The group appears in the left panel Permission Sets list.
  3. Select a standard reviewer permission set, then click Edit in the Data Loss Prevention section.
    1. In the left pane, select Incident Management.
    2. In the Incidents Reviewer section, select User can view incidents assigned to the following permission sets, click the choose icon, and select the relevant permission set or sets.
    3. In the Incidents Data Redaction section, deselect the default Supervisor permission, and select the Obfuscate sensitive incidents data option.
      Selecting this option activates the redaction feature. Leaving it deselected displays all data fields in clear text.
    4. In the Incident Tasks section, select or deselect tasks as required.
    5. Click Save.
  4. Select the redaction reviewer permission set, then click Edit in the Data Loss Prevention section.
    1. In the left pane, select Incident Management.
    2. In the Incidents Reviewer section, select User can view all incidents.
      Note: In this example, we assume a single redaction reviewer for all incidents. You can also assign different redaction reviewers for different sets of incidents.
    3. In the Incidents Data Redaction section, select both the Supervisor permission and the Obfuscate sensitive incidents data option.
    4. In the Incident Tasks section, deselect all tasks.
      Note: Redaction reviewers do not normally have other reviewer tasks. This is optional according to your specific requirements.
    5. Click Save.