How To Administer Role-based Access Control for McAfee Data Loss Prevention Endpoint

Version 1

    Introduction


    This document will cover the Role-based Access Control (RBAC) feature in McAfee Data Loss Prevention (DLP) Endpoint.


    Overview


    This document will cover:

    1. What is Role-based Access Control, also known as separation of duties?
    2. The benefits of Role-based Access Control, and how it can prevent unauthorized viewing of incidents by different user groups.
    3. How to administer Role-based Access Control.


    Video


    You can also watch the steps described in this document by viewing the video below.


    Procedure


    I - What is Role-based Access Control


    Role-based Access Control (RBAC) is also known as separation of duties. It provides granular control over which users can view the Data Loss Prevention (DLP) Incident Manager and Operational Events data. By assigning incidents to specific administrators or groups and building a permission set in ePO, you control which reviewers see which incidents. Data Redaction prevents unauthorized viewing of incidents and evidence by encrypting confidential information in the DLP Incident Manager and Operational Events views.


    II - The benefits of Role-based Access Control


    There are several benefits that accompany Role-based Access Control and Data Redaction. For example, let’s say your company has worldwide offices headquartered in the U.S. An incident occurs in the UK sales office when an employee tries to email a list of customer personally identifiable information to a competitor. Certain European privacy laws specify that local incidents stay local. By using Role-based Access Control, administrators can allow the local UK DLP admin to view these incidents while restricting the US global DLP admin from viewing the same incidents. In addition, the use of Data Redaction prevents the local UK DLP admin from viewing sensitive information such as username and violation, while allowing the UK compliance manager to view that same sensitive information. All of this can be easily managed from the McAfee ePO management console.


    III - How to administer Role-based Access Control


    Let’s now look at how to configure role-based access in DLP. First, we need to create the proper user accounts and assign them the appropriate permission sets. To create user accounts, log in to your ePO server and browse to "Menu" > "User Management" > "Users."


    Next, we need to create our users. In this instance, we have already created two user accounts, "DLPadmin" and "Compliance."


    We now need to create permission sets and configure the appropriate permissions. The "DLPadmin" user should be able to create operational tasks without viewing sensitive information, while the "Compliance" user should be able to view all data within the Incident Manager without having the rights to create operational tasks. We then assign each user to its permission set in ePO: the "DLPadmin" account is assigned to the DLP admin permission set, and the "Compliance" account is assigned to the compliance permission set.


    Now, let’s log in with each user account.


    We can see that the "Compliance" user can view all incident data in clear text, but, because of the role-based access rules, this account does not have the ability to create operational tasks. The "DLPadmin" account can also view incident data, but sensitive information such as username and computer name is redacted; under the same role-based access rules, this account does have the ability to create operational tasks.
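    To make the separation of duties concrete, the following is an added toy model of the two permission sets configured above (constructed example, not McAfee's API or the ePO configuration itself). The role names, the redacted field list and the sample incident are assumptions chosen to mirror the procedure; the model shows how each role's view and task rights are derived from its permission set, and includes a check that no single role ends up with both capabilities.

```python
"""Toy model of the DLPadmin / Compliance permission sets (constructed example,
not McAfee's API): DLPadmin may create operational tasks but sees redacted
incidents; Compliance sees incidents in clear text but may not create tasks."""
from dataclasses import dataclass

# Fields redacted for roles without sensitive-data rights (assumed set, per the
# article: username and computer name).
SENSITIVE_FIELDS = ("username", "computer_name")


@dataclass(frozen=True)
class PermissionSet:
    name: str
    view_sensitive_data: bool        # may read username/computer name in clear text
    create_operational_tasks: bool   # may create operational tasks


# The two permission sets built in ePO in the procedure above (assumed names).
PERMISSION_SETS = {
    "DLPadmin": PermissionSet("DLPadmin", view_sensitive_data=False, create_operational_tasks=True),
    "Compliance": PermissionSet("Compliance", view_sensitive_data=True, create_operational_tasks=False),
}


def view_incident(role: str, incident: dict) -> dict:
    """Return the incident as the given role sees it in the Incident Manager."""
    perms = PERMISSION_SETS[role]
    if perms.view_sensitive_data:
        return dict(incident)
    # Redaction applies only to sensitive fields; the rest stays usable for triage.
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in incident.items()}


def can_create_operational_task(role: str) -> bool:
    """True if the role's permission set allows creating operational tasks."""
    return PERMISSION_SETS[role].create_operational_tasks


def separation_of_duties_holds() -> bool:
    """Invariant: no single permission set may both read sensitive data and create tasks."""
    return not any(p.view_sensitive_data and p.create_operational_tasks
                   for p in PERMISSION_SETS.values())


# Constructed sample incident, modelled on the UK sales-office example.
SAMPLE_INCIDENT = {"id": 1, "username": "jsmith", "computer_name": "UK-SALES-07",
                   "rule": "Customer PII", "action": "Email blocked"}

if __name__ == "__main__":
    for role in PERMISSION_SETS:
        print(role, view_incident(role, SAMPLE_INCIDENT), "tasks:", can_create_operational_task(role))
    print("separation of duties holds:", separation_of_duties_holds())
```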

    Role-based Access Control is now administered via McAfee ePO.