
MIP Permissions explained


Article ID: 242625


Updated On:


Data Loss Prevention


What are the main permissions required for MIP and DLP and what does each do? 


Release : 15.8



Four Azure AD permissions are required for Symantec DLP to work with Microsoft Information Protection (MIP). Two are consumed server-side (Detection and Enforce servers) and two by the Endpoint Agent, as listed below.

Detection server permissions:

Content.SuperUser: needed by the Detection server to decrypt any content that was protected (encrypted) in the tenant's context. This is a tenant-wide decryption right, so it should be granted only to the DLP application and the credentials of that application should be protected accordingly.

UnifiedPolicy.Tenant.Read: needed by the Enforce server to sync the tenant's sensitivity labels from Azure.

Endpoint permissions:

user_impersonation: needed by the Endpoint Agent to act on behalf of the logged-in endpoint user so that it can decrypt the content that user is entitled to open.

UnifiedPolicy.User.Read: needed by the Endpoint Agent to fetch the MIP labels the logged-in user has access to. The agent suggests or enforces a label only from the label(s) that are available to that specific user.
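The following PowerShell script is an added example, not part of this article or of the DLP product, that checks whether the Azure AD app registration used by DLP declares the four permissions above and whether the two application permissions have received admin consent. It assumes the Microsoft.Graph PowerShell SDK is installed, that you can sign in with rights to read applications and service principals, and that $DlpAppId is the client (application) ID of your DLP app registration (a placeholder you supply). The two resource application IDs are the well-known first-party IDs for Azure Rights Management Services and the Microsoft Information Protection Sync Service; confirm them against the service principals in your own tenant.

```powershell
# Added example (not from the article): verify the DLP app registration's MIP permissions.
# Assumes Microsoft.Graph PowerShell SDK; $DlpAppId is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$DlpAppId   # client (application) ID of the DLP app registration
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Resource apps that expose the MIP permissions (well-known first-party appIds; verify in your tenant).
$resources = @{
    'Azure Rights Management Services'              = '00000012-0000-0000-c000-000000000000'
    'Microsoft Information Protection Sync Service' = '870c4f2e-85b6-4d43-bdda-6ed9a579b725'
}

# Expected permissions. 'Role' = application permission (Detection/Enforce server),
# 'Scope' = delegated permission (Endpoint Agent).
$expected = @(
    @{ Name = 'Content.SuperUser';         Resource = 'Azure Rights Management Services';              Type = 'Role'  }
    @{ Name = 'UnifiedPolicy.Tenant.Read'; Resource = 'Microsoft Information Protection Sync Service'; Type = 'Role'  }
    @{ Name = 'user_impersonation';        Resource = 'Azure Rights Management Services';              Type = 'Scope' }
    @{ Name = 'UnifiedPolicy.User.Read';   Resource = 'Microsoft Information Protection Sync Service'; Type = 'Scope' }
)

$app = Get-MgApplication -Filter "appId eq '$DlpAppId'"
if (-not $app) { throw "No app registration with appId $DlpAppId" }
$dlpSp = Get-MgServicePrincipal -Filter "appId eq '$DlpAppId'"

# Lookup: resource appId -> @{ permission GUID -> permission name }, read from the
# resource service principals so no permission GUIDs need to be hard-coded here.
$idToName = @{}
foreach ($entry in $resources.GetEnumerator()) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($entry.Value)'"
    if (-not $sp) { Write-Warning "Service principal for $($entry.Key) not found in this tenant"; continue }
    $map = @{}
    foreach ($r in $sp.AppRoles)               { $map[$r.Id] = $r.Value }
    foreach ($s in $sp.Oauth2PermissionScopes) { $map[$s.Id] = $s.Value }
    $idToName[$entry.Value] = $map
}

# Permissions declared on the app registration (the "API permissions" blade).
$declared = @{}
foreach ($rra in $app.RequiredResourceAccess) {
    $map = $idToName[$rra.ResourceAppId]
    if (-not $map) { continue }
    foreach ($ra in $rra.ResourceAccess) {
        $declared["$($map[$ra.Id])|$($ra.Type)"] = $true
    }
}

# Application permissions also need admin consent: look at the app role assignments
# granted to the DLP service principal.
$consentedRoles = @{}
if ($dlpSp) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $dlpSp.Id) {
        $resSp = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $name = ($resSp.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
        if ($name) { $consentedRoles[$name] = $true }
    }
}

foreach ($e in $expected) {
    $isDeclared = $declared.ContainsKey("$($e.Name)|$($e.Type)")
    $status = if ($isDeclared) { 'declared' } else { 'MISSING' }
    if ($e.Type -eq 'Role' -and $isDeclared) {
        $status += if ($consentedRoles.ContainsKey($e.Name)) { ', admin consent granted' } else { ', admin consent NOT granted' }
    }
    '{0,-26} {1,-6} {2}' -f $e.Name, $e.Type, $status
}
```

A row reported as MISSING means the permission was never added to the app registration; "admin consent NOT granted" on Content.SuperUser or UnifiedPolicy.Tenant.Read means the server-side components will fail to decrypt content or sync labels even though the permission is declared. Delegated permissions (user_impersonation, UnifiedPolicy.User.Read) are exercised in the signed-in user's context on the endpoint, so their consent state is not checked by this script.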