One wants to set up the ignore function for data owners in EDM. However, there seems to be a functionality issue with part of the feature. When one chooses to ignore based on recipient, one can select either "All Recipients" or "Any Recipients".
When one selects "Any Recipients" and sends a test message that has multiple recipients, one of whom owns data in the message, DLP ignores the message correctly and does NOT create an incident.
However, if one selects "All Recipients", our expectation is that ALL the recipients must own data in the message; otherwise the ignore does not apply and an incident is created. However, when one sends the same test message through, it does NOT create an incident.
What is the functional difference between the two settings?
For example, let us consider the following sample EDM rows:

| Password | Email1 | Email2 | Domain |
|----------|--------|--------|--------|
| xzy686 | [email protected] | [email protected] | symc.com |
| ghj780 | [email protected] | [email protected] | symc.com |

The following scenarios could occur:
- The first case is when the All Recipients exception is identified on both Email fields.
1. If the email contains the data "xzy686" and has [email protected], [email protected] in the To list, the ignore should work for All Recipients, and an incident should not be created.
2. If the email contains the data "xzy686" and has [email protected], [email protected], [email protected] in the To list, then there is a violation and an incident should be created. Here admin3 does NOT own "xzy686".
3. If the email has all 4 recipients from both rows ([email protected], [email protected], [email protected], [email protected]) and contains the sensitive data from both rows, "xzy686" and "ghj780", then there is also a violation and an incident should be created. In this case admin1 and admin2 do not own the data "ghj780", and admin3 and admin4 do not own the data "xzy686".
With the Any Recipient exception, all three cases above will be ignored without generating incidents.
- The second case is when the data owner exception for All Recipients is created on Domain.
1. In the above sample data, both rows contain the same Domain field. Hence, if every recipient in the email's To list is an address that belongs to symc.com and the email contains the sensitive data "xzy686" and/or "ghj780", the email will be ignored, as the same domain owns the data from both rows.
2. However, if the same email also has one or more recipient addresses that belong to any domain other than symc.com, the email should generate an incident.
Again, both of the cases above will be ignored by the Any Recipient exception without generating incidents.
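The scenarios above can be checked against a small model of the two settings. This is an added example, not Symantec DLP code: the addresses (admin1 to admin4 and partner@example.com) are constructed stand-ins for the redacted sample values, `owns` and `evaluate` are hypothetical names, and the handling of several matched rows under "Any" is an assumption that agrees with the cases listed.

```python
# Model of the page's data owner exception semantics; not Symantec DLP code.
# Addresses are constructed stand-ins for the page's redacted sample values.
EDM_ROWS = [
    {"Password": "xzy686", "Email1": "admin1@symc.com",
     "Email2": "admin2@symc.com", "Domain": "symc.com"},
    {"Password": "ghj780", "Email1": "admin3@symc.com",
     "Email2": "admin4@symc.com", "Domain": "symc.com"},
]
EMAIL_FIELDS = ("Email1", "Email2")   # exception defined on both Email fields
DOMAIN_FIELD = ("Domain",)            # exception defined on the Domain field


def owns(row, recipient, owner_fields):
    """True if the recipient, or its domain, appears in one of the owner fields."""
    recipient = recipient.strip().lower()
    domain = recipient.rpartition("@")[2]
    return any(row[f].lower() in (recipient, domain) for f in owner_fields)


def evaluate(body, recipients, owner_fields, mode):
    """Return 'no match', 'ignored' or 'incident' for one outgoing message."""
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    matched = [row for row in EDM_ROWS if row["Password"] in body]
    if not matched:
        return "no match"
    # "all": every recipient must own the row; "any": one owner is enough.
    quantifier = all if mode == "all" else any
    # Assumption: with several matched rows, each row must pass the test.
    # An empty recipient list can never satisfy the exception.
    ignored = bool(recipients) and all(
        quantifier(owns(row, rcpt, owner_fields) for rcpt in recipients)
        for row in matched
    )
    return "ignored" if ignored else "incident"


if __name__ == "__main__":
    four = ["admin1@symc.com", "admin2@symc.com",
            "admin3@symc.com", "admin4@symc.com"]
    for mode in ("all", "any"):
        print(mode, "case 1:", evaluate("pw xzy686", four[:2], EMAIL_FIELDS, mode))
        print(mode, "case 2:", evaluate("pw xzy686", four[:3], EMAIL_FIELDS, mode))
        print(mode, "case 3:", evaluate("xzy686 ghj780", four, EMAIL_FIELDS, mode))
```

If a test message is ignored under "All Recipients" where this model returns `incident`, the observed behaviour differs from the semantics described above.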