This document will cover the Role-based Access Control (RBAC) feature in McAfee Data Loss Prevention (DLP) Endpoint.
This document will cover:
What is Role-based Access Control, also known as the separation of duties?
The benefits of Role-based Access Control, and how the role based access control can prevent unauthorized viewing of incidents by different user groups.
How to administer Role-based Access Control.
You can also watch the steps described in this document by viewing the video below.
I - What is Role-based Access Control
Role-based Access Control (RBAC) is also known as separation of duties. Role-based Access Control provides granular control over users who view the Data Loss Prevention (DLP) incident manager and operational events data. By assigning incidents to specific administrators or groups and building a permission setting in ePO, users can control which reviewers see which incidents. Data Redaction provides unauthorized viewing of incidents and evidence by encrypting confidential information in the DLP incident manager and Operational Events views.
II - The benefits of Role-based Access Control
There are several benefits that accompany Role-based Access Control and Data Redaction. For example, let’s say your company has worldwide offices headquartered in the U.S. An incident in the UK sales office occurs when an employee tries to email a list of customer personal identifiable information to a competitor. Certain European privacy laws specify that local incidents stay local. By using Role-Based Access Control, administrators can allow the local UK DLP admin to view these incidents while restricting the US global DLP admin from viewing the same incidents. In addition, the use of data redaction disallows the local UK DLP admin from viewing sensitive information such as username and violation while allowing the UK compliance manager to view the same sensitive information. All of this can be easily managed from the McAfee ePO management console.
III - How to administer Role-based Access Control
Let’s now look at how to configure a role-based access in DLP. First, we need to create the proper user accounts and assign them the appropriate permission set. To create user accounts, login to your ePO server and browse to "Menu" > "User Management" > "Users."
Next, we need to create our users. In this instance, we have already created two user accounts, "DLPadmin" and "Compliance."
We now need to create permission sets and configure the appropriate permissions. The "DLPadmin" user should be able to create operational tasks without viewing sensitive information, while the "Compliance" user should be able to view all data within the incident manager without having the rights to create operational tasks. We can assign users to each permission set in ePO. Here, the DLP admin account is assigned to the DLP admin permission set. Also, the compliance user account is assigned to the compliance permission set.
Now, let’s login with each user account.
We can see the "Compliance" user can view all incident data in clear text. Also, this account does not have the ability to create operational tasks based on role-based access rules. As you can see, the "DLPadmin" account can view incident data, but sensitive information such as username and computer name are redacted. Also, using Role-based Access rules, this account the ability to create operational tasks.
Role-based Access Control is now administered via McAfee ePO.