Directory Policy Best Practices
- Updated On 19 Oct 2020
Directory Policies allow SecureCircle administrators to create a data access policy based on Active Directory/LDAP groups. A single Directory Policy may be applied to multiple Circles. The following are best practices when creating Directory Policies.
Strategy: Use Existing Active Directory Group Membership to Manage Data Access
Ultimately, a Directory Policy will be applied to one or more Circles, and a Circle will govern access to data. A similar process may already be used to manage access to data in file shares. While it may be tempting to create new Active Directory groups exclusively for managing data access through SecureCircle, it is recommended instead to look at existing access policies (e.g., ACLs on folders/shares) and create a similar Circle/Directory Policy strategy. For example, if an existing corporate file share has the following layout:
/share/
|
|-- /HR/       <-- HR Active Directory group has access to this folder
|-- /IT/       <-- IT Active Directory group has access to this folder
`-- /Finance/  <-- Finance Active Directory group has access to this folder
A similar Circle/Directory Policy strategy could be used:
HR Circle ← Directory Policy with access granted to HR Active Directory group.
IT Circle ← Directory Policy with access granted to IT Active Directory group.
Finance Circle ← Directory Policy with access granted to Finance Active Directory group.
Access to data protected in the above Circles can now be managed in the same way access to data in the file share was managed: by adding/removing users from Active Directory groups. Once the Directory Policies are set, administrators no longer need to manage/interface with the SecureCircle Server.
Login/Logout When Testing Active Directory Group Membership Changes
Group membership reported to the SecureCircle Agent by the OS may not be immediately updated when group membership changes are made in Active Directory. Logging off and logging back in will ensure the OS reports the updated group membership to the SecureCircle Agent.
Note: running gpupdate or gpupdate /force does not update group membership reported to the SecureCircle Agent by the OS.
Start General, Become More Specific if Required
Because data may be protected in more than one Circle simultaneously, it is highly recommended to start with a general protection strategy and move to a more specific strategy over time. Protecting more data earlier may mitigate a large majority of an organization's data risks, but rollout of data protection is sometimes slowed by attempts to develop a very granular data access policy involving many Circles and groups. Instead, create a single, generic Circle (named "Company Files", for example) and apply a Directory Policy to it that allows all Domain Users access to data protected in the Circle. This will immediately give persistent protection, control, and visibility to all of an organization's data. Later, if more granular data access policies are needed, new Circles can be created and Directory Policies applied that further control access to data already protected by the generic Circle. Data protected by multiple Circles is only accessible if the users attempting access are granted access to all Circles in which the data is protected.
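As an added illustration (not SecureCircle's own code or data model), the following Python sketch models the access rule described above: a Circle's Directory Policy grants access through Active Directory group membership, and a file protected by several Circles is readable only when every one of those Circles grants the user access. All users, groups, Circles and paths below are constructed sample data.

```python
from typing import Dict, Set

# Constructed sample data. Real SecureCircle deployments read these from AD/LDAP
# and the SecureCircle Server; nothing here is the product's actual schema.

# Group membership as the OS would report it to the SecureCircle Agent.
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "Finance"},
    "bob":   {"Domain Users", "IT"},
    "carol": {"Domain Users", "HR"},
    "dave":  {"Domain Users", "HR", "Finance"},
}

# Directory Policies: each Circle grants access to members of these AD groups.
DIRECTORY_POLICIES: Dict[str, Set[str]] = {
    "Company Files": {"Domain Users"},  # generic Circle from the "start general" strategy
    "HR":            {"HR"},
    "IT":            {"IT"},
    "Finance":       {"Finance"},
}

# Circles protecting each file. Later, more specific Circles are layered on top
# of the generic one without removing it.
PROTECTED_FILES: Dict[str, Set[str]] = {
    "/share/welcome.docx":         {"Company Files"},
    "/share/Finance/budget.xlsx":  {"Company Files", "Finance"},
    "/share/HR/salaries.xlsx":     {"Company Files", "HR", "Finance"},
}


def circle_grants(circle: str, user: str) -> bool:
    """True if the user belongs to any group named in the Circle's Directory Policy."""
    return bool(AD_GROUPS.get(user, set()) & DIRECTORY_POLICIES.get(circle, set()))


def can_access(user: str, path: str) -> bool:
    """A file in several Circles opens only if EVERY Circle grants the user access.

    Only files listed in PROTECTED_FILES are modelled; unknown paths raise KeyError.
    """
    return all(circle_grants(c, user) for c in PROTECTED_FILES[path])


def users_with_access(path: str) -> Set[str]:
    """Who can open a file right now, derived purely from AD group membership."""
    return {u for u in AD_GROUPS if can_access(u, path)}


if __name__ == "__main__":
    for path in PROTECTED_FILES:
        print(path, "->", sorted(users_with_access(path)))
```

Adding or removing a user from an AD group is the only change needed to alter the result; no Circle or Directory Policy is edited.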