Active Directory Logins - Importing AD Users into User Groups for use in DLP Roles

Article ID: 196171

Products

Data Loss Prevention Enforce

Issue/Introduction

You want to import DLP Users from Active Directory into User Groups and associate them with DLP Roles.

Resolution

The following is a deliberately simple example. It assumes:

  1. Active Directory authentication is already enabled on the Enforce Server (see https://knowledge.broadcom.com/external/article?articleId=171932).
  2. A domain with the following configuration:
    • Domain Name: yeti.local
    • User accounts reside in the default Users container:
      • CN=Users,DC=yeti,DC=local
    • A security group "DLP Admins" exists in AD at the following path:
      • CN=DLP Admins,OU=DLP Groups,OU=User Groups,DC=yeti,DC=local

Steps:

  1. Add a Directory Connection under System -> Settings -> Directory Connections and click Test Connection (be sure to use the correct LDAP port for your AD).
  2. Navigate to System -> Users -> Data Sources.
  3. Click Add -> AD Logins Source, name it "AD User Logins" and click Submit.
  4. Navigate to System -> Users -> User Groups.
  5. Click Create New Group, name it "DLP Admins", set its directory fields so that the group maps, through the directory connection from step 1, to the AD group DN CN=DLP Admins,OU=DLP Groups,OU=User Groups,DC=yeti,DC=local, and click Save.
  6. Navigate to System -> Login Management -> Roles.
  7. Click Add Role, name it DLP Admins and select Server Administration under the User Privileges section.
  8. Move to the Users & Groups tab, select User Groups -> DLP Admins and click Save.
  9. Navigate to System -> Users -> Data Sources.
  10. Select the checkbox next to the AD User Logins data source and click the Import button in the toolbar.
  11. In the Enforce Server manager logs under C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<ver>\logs\tomcat\, in the current localhost.<currentdate>.log file, with FINE level logging enabled, you should see entries similar to the following:

29 Jul 2020 10:09:26,400- Thread: 112 INFO [com.vontu.enforce.domainlayer.datauser.source.SyncStatusEventHandler] Queued user sync task for datauser named:AD User Logins ID:1006

29 Jul 2020 10:09:26,402- Thread: 132 INFO [com.vontu.enforce.domainlayer.datauser.source.SyncStatusEventHandler] Started user sync task for datauser named:AD User Logins ID:1006

29 Jul 2020 10:09:26,409- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieving users from user group DLP Admins

29 Jul 2020 10:09:26,412- Thread: 132 FINE [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieving users from directory dc, DNs=[cn=DLP Admins,ou=DLP Groups,ou=User Groups,dc=yeti,dc=local].

29 Jul 2020 10:09:26,419- Thread: 132 FINE [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieved 2 users from directory dc, DNs=[cn=DLP Admins,ou=DLP Groups,ou=User Groups,dc=yeti,dc=local].

29 Jul 2020 10:09:26,419- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieved 2 users from user group DLP Admins

29 Jul 2020 10:09:26,430- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Created 2 new users.

29 Jul 2020 10:09:26,442- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Deleted 0 users.

29 Jul 2020 10:09:26,442- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Updated 0 users.

29 Jul 2020 10:09:26,443- Thread: 132 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] User saved. The user jsmith was saved by internal system user.

29 Jul 2020 10:09:26,444- Thread: 132 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] User saved. The user kcartwright was saved by internal system user.

29 Jul 2020 10:09:26,450- Thread: 132 INFO [com.vontu.enforce.domainlayer.datauser.source.SyncStatusEventHandler] Completed successfully user sync task for datauser named:AD User Logins ID:1006

29 Jul 2020 10:09:26,452- Thread: 132 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] User import completed successfully.. User import from source AD User Logins completed successfully.

29 Jul 2020 10:09:26,456- Thread: 134 FINE [com.vontu.enforce.domainlayer.datauser.MessageLinkService] Request to link existing messages with latest user update = 2020-07-28 17:10:59.0 and latest linked update = 2020-07-28 17:10:59.0

The imported users are now DLP Users (rows in the ProtectUser table of the Enforce database) and can be viewed in the console at System -> Login Management -> DLP Users. At this point either of these users can log into the console with the Server Administration privilege granted by the DLP Admins role. Note that each import reconciles the DLP user list against the current membership of the AD group (the log reports created, deleted and updated counts), so whoever can modify the "DLP Admins" group in AD effectively controls who holds that role: restrict changes to that group, and re-run the import after membership changes so that DLP reflects them.
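As an added example that is not part of the original article or of the product, the following Python script parses the sync lines quoted above and checks the outcome of an import: that the task for the named data source ran to completion, that members were read from the expected group DN, that the group did not resolve to zero members, and whether the reconciliation deleted any DLP users. ARTICLE_LOG is the excerpt from the log above; DRIFT_LOG is a constructed run in the same format; the regex, function and class names are the example's own; EXPECTED_DN is the group DN from the setup above.

```python
"""Check the outcome of a DLP "AD Logins" import from Enforce's localhost.<date>.log."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: sync lines quoted in the article (source "AD User Logins", ID 1006).
ARTICLE_LOG = """\
29 Jul 2020 10:09:26,402- Thread: 132 INFO [com.vontu.enforce.domainlayer.datauser.source.SyncStatusEventHandler] Started user sync task for datauser named:AD User Logins ID:1006
29 Jul 2020 10:09:26,419- Thread: 132 FINE [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieved 2 users from directory dc, DNs=[cn=DLP Admins,ou=DLP Groups,ou=User Groups,dc=yeti,dc=local].
29 Jul 2020 10:09:26,419- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieved 2 users from user group DLP Admins
29 Jul 2020 10:09:26,430- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Created 2 new users.
29 Jul 2020 10:09:26,442- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Deleted 0 users.
29 Jul 2020 10:09:26,442- Thread: 132 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Updated 0 users.
29 Jul 2020 10:09:26,443- Thread: 132 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] User saved. The user jsmith was saved by internal system user.
29 Jul 2020 10:09:26,444- Thread: 132 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] User saved. The user kcartwright was saved by internal system user.
29 Jul 2020 10:09:26,450- Thread: 132 INFO [com.vontu.enforce.domainlayer.datauser.source.SyncStatusEventHandler] Completed successfully user sync task for datauser named:AD User Logins ID:1006
"""

# Constructed follow-up run (not from the article), same format: one member left the AD group.
DRIFT_LOG = """\
30 Jul 2020 02:00:00,100- Thread: 140 INFO [com.vontu.enforce.domainlayer.datauser.source.SyncStatusEventHandler] Started user sync task for datauser named:AD User Logins ID:1006
30 Jul 2020 02:00:00,110- Thread: 140 FINE [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieved 1 users from directory dc, DNs=[cn=DLP Admins,ou=DLP Groups,ou=User Groups,dc=yeti,dc=local].
30 Jul 2020 02:00:00,111- Thread: 140 INFO [com.vontu.enforce.domainlayer.adroles.DirectoryGroupMemberRetriever] Retrieved 1 users from user group DLP Admins
30 Jul 2020 02:00:00,120- Thread: 140 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Created 0 new users.
30 Jul 2020 02:00:00,121- Thread: 140 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Deleted 1 users.
30 Jul 2020 02:00:00,122- Thread: 140 INFO [com.vontu.enforce.domainlayer.adroles.ReconciledUsersPersister] Updated 0 users.
30 Jul 2020 02:00:00,130- Thread: 140 INFO [com.vontu.enforce.domainlayer.datauser.source.SyncStatusEventHandler] Completed successfully user sync task for datauser named:AD User Logins ID:1006
"""

EXPECTED_DN = "CN=DLP Admins,OU=DLP Groups,OU=User Groups,DC=yeti,DC=local"  # from the article's setup

# One line of the Enforce log format: "<timestamp>- Thread: <n> <LEVEL> [<logger>] <message>".
LINE_RE = re.compile(r"^.+?- Thread: (?P<thread>\d+) [A-Z]+ \[[^\]]+\] (?P<msg>.*)$")
STARTED_RE = re.compile(r"Started user sync task for datauser named:(?P<name>.+?) ID:(?P<id>\d+)")
COMPLETED_RE = re.compile(r"Completed successfully user sync task for datauser named:")
DNS_RE = re.compile(r"DNs=\[(?P<dns>[^\]]*)\]")
RETRIEVED_RE = re.compile(r"Retrieved (?P<n>\d+) users from user group (?P<group>.+)$")
COUNT_RE = re.compile(r"(?P<verb>Created|Deleted|Updated) (?P<n>\d+) (?:new )?users\.")
SAVED_RE = re.compile(r"The user (?P<user>\S+) was saved by")

@dataclass
class SyncSummary:
    source: str
    source_id: str
    thread: str                      # worker thread that ran the task
    group: Optional[str] = None
    dns: str = ""                    # DN list exactly as Enforce printed it (lowercase)
    retrieved: Optional[int] = None
    created: int = 0
    deleted: int = 0
    updated: int = 0
    saved_users: list[str] = field(default_factory=list)
    completed: bool = False

def parse_sync_log(text: str, source_name: str) -> Optional[SyncSummary]:
    """Summarise the most recent sync task for `source_name` in `text`, or None if there is none."""
    summary: Optional[SyncSummary] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, stack traces and other formats are ignored
        thread, msg = m["thread"], m["msg"]
        started = STARTED_RE.search(msg)
        if started and started["name"] == source_name:
            summary = SyncSummary(source_name, started["id"], thread)  # a newer run supersedes
            continue
        # The task runs on a single thread; lines from other threads belong to other work.
        if summary is None or summary.completed or thread != summary.thread:
            continue
        if (r := RETRIEVED_RE.search(msg)):
            summary.retrieved, summary.group = int(r["n"]), r["group"]
        elif (d := DNS_RE.search(msg)):
            summary.dns = d["dns"]
        elif (c := COUNT_RE.search(msg)):
            setattr(summary, c["verb"].lower(), int(c["n"]))
        elif (u := SAVED_RE.search(msg)):
            summary.saved_users.append(u["user"])
        elif COMPLETED_RE.search(msg):
            summary.completed = True
    return summary

def review_sync(summary: Optional[SyncSummary], expected_dn: str) -> list[str]:
    """Return the findings a reviewer should act on; an empty list means the import looks healthy."""
    if summary is None:
        return ["no sync task found for the source"]
    problems: list[str] = []
    if not summary.completed:
        problems.append("sync task did not log successful completion")
    if expected_dn.lower() not in summary.dns.lower():  # Enforce prints the DN in lowercase
        problems.append(f"members were read from {summary.dns!r}, not from the expected group DN")
    if summary.retrieved == 0:
        problems.append("group resolved to zero members: check the DN and the connection's bind account")
    if summary.deleted:
        problems.append(f"{summary.deleted} DLP user(s) removed by reconciliation (no longer in the AD group)")
    return problems

if __name__ == "__main__":
    for label, log in (("article run", ARTICLE_LOG), ("constructed follow-up", DRIFT_LOG)):
        print(label, review_sync(parse_sync_log(log, "AD User Logins"), EXPECTED_DN) or "OK")
```

Run it against a copy of the current localhost.<currentdate>.log after each import. The thread filter matters in a busy log: the queueing and message-linking lines run on other threads, and only the lines from the thread that logged "Started user sync task" describe this task. A non-empty deletion count is worth an alert rather than a log line, since it means the AD group changed and, with it, who holds the DLP role.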