Content Access Restriction for Tier 2

Introduction

Content Access Restrictions in Enterprise Archive safeguard sensitive information by controlling access to specific Tier 2 data sets. This is achieved by applying restrictions based on metadata attributes associated with the content. This feature operates by establishing rules that define which users can access particular data elements. For example, you might decide that only people in the sales department can see customer contact information. By using roles and specific email x-headers, you can create distinct access levels for your data. This helps ensure that only the right people can see the information they need.

Enterprise Archive employs metadata attributes, specifically the X-Smarsh-Custom-Attrib field, to determine user access to content. To ensure compatibility, various header formats (e.g., X-ZANTAZ-REPOSITORIES) are converted into the standardized X-Smarsh-Custom-Attrib format by the Smarsh Data Migration team. Importantly, these access restrictions remain consistent as content transitions between Search Tiers.

Benefits of Content Access Restriction

  • Enhanced Data Security: Protects sensitive information from unauthorized access.

  • Compliance Adherence: Aids in meeting regulatory requirements for data protection.

  • Improved Data Governance: Facilitates effective management of data access and distribution.

Adding Access Restriction Policy

Case Managers and Archive Administrators can be restricted to only a portion of the content in the archive by setting appropriate permissions.

To restrict access to the entire corpus or allowed groups:

  1. Select the Administration tab.

  2. Click Roles in the workspace for Administration. A list of all existing roles in Enterprise Archive is displayed.

  3. Click the role for which access to the corpus must be restricted.

  4. Click the Restriction Policy option from the Case or Archive Management roles workspace.

  5. Select Custom Attributes from the Type drop-down.

  6. Enter the Attribute Name and Attribute Value that is assigned to the restriction rule.

  7. To add the attributes to the rule, click the Add icon.

  8. Choose between the Include and Exclude options to either include or exclude the selected attributes for the role.

  9. Close the Restriction Policy window.

  10. Click Submit.

Understanding Exclude

When using the "Exclude" option in Content Access Restriction, Enterprise Archive applies a filter that restricts access to content that matches the excluded attributes.

Example:

If a role has the following exclusion rule:

  • Attribute Name: "country"

  • Attribute Value: "Germany"

Users with this role will not be able to access any content where the "country" attribute is set to "Germany."

Scenario: US Data and German Recipient

When a US user sends an email to a German user, a relevant attribute (such as the attribute specifying the recipient's country) might be set to "Germany" in the email metadata. If this attribute is used in an exclusion rule for a role, users with that role cannot access the email, even though it was sent by a US user.

To grant access to all US data, you need to explicitly include all relevant US-related attributes in the "Include" section of the restriction policy. This could involve including attributes like:

  • Country of sender

  • Country of recipient

  • Country of CC recipients

  • Country of BCC recipients

By carefully defining your exclusion and inclusion rules, you can effectively control access to specific data sets based on metadata attributes.
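
The Germany exclusion and the US inclusion described above, as a small Python model for checking a planned rule set against sample metadata. This is an added illustration, not Enterprise Archive code: the attribute names (sender_country, recipient_country, cc_country, bcc_country), the representation of a message as (name, value) pairs, and the rule that an exclude match overrides an include match are assumptions, and the sample messages are constructed.

```python
from dataclasses import dataclass, field

# Assumed attribute names; the page names the concepts, not the keys.
US_EVERYWHERE = {(name, "US") for name in (
    "sender_country", "recipient_country", "cc_country", "bcc_country")}


@dataclass
class RestrictionPolicy:
    include: set = field(default_factory=set)  # (name, value) pairs
    exclude: set = field(default_factory=set)

    def can_access(self, attrs):
        """attrs: set of (name, value) pairs carried by one message."""
        if attrs & self.exclude:   # assumption: an exclude match always wins
            return False
        if self.include:           # assumption: non-empty include is an allowlist
            return bool(attrs & self.include)
        return True


# Constructed sample messages (metadata only).
MESSAGES = {
    "us_to_de": {("sender_country", "US"), ("recipient_country", "Germany")},
    "de_to_us": {("sender_country", "Germany"), ("recipient_country", "US")},
    "fr_cc_us": {("sender_country", "France"), ("recipient_country", "France"),
                 ("cc_country", "US")},
    "fr_to_fr": {("sender_country", "France"), ("recipient_country", "France")},
}


def visible(policy):
    """Return the sorted ids of sample messages the role could open."""
    return sorted(m for m, attrs in MESSAGES.items() if policy.can_access(attrs))


if __name__ == "__main__":
    exclude_de = RestrictionPolicy(exclude={("recipient_country", "Germany")})
    sender_only = RestrictionPolicy(include={("sender_country", "US")})
    all_us = RestrictionPolicy(include=US_EVERYWHERE)
    for label, policy in [("exclude Germany", exclude_de),
                          ("include sender=US", sender_only),
                          ("include US on all fields", all_us)]:
        print(f"{label:26} -> {visible(policy)}")
```

Including only the sender's country leaves out mail where the US party is a recipient or CC, which is why every US-related attribute has to be listed.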


Note

  • These exclusion and inclusion rules apply to both Tier 1 and Tier 2 collections. The same principles apply regardless of whether the restrictions are based on groups or other attributes.