Access Policy CASB Tenant Segregation

Customers with multiple CASB tenants can now limit access and visibility to one or more CASB tenants to particular users and groups using an access policy. This is useful when there is a need to segregate management of CASB rules, 3rd party apps and configurations between different groups of administrators.

This feature affects only CASB pages, where the CASB tenant selector is enabled (such as Rule Editor, Connected Apps, Cloud Apps Dashboard). You can create similar data segregation in Analytics by creating complementing custom access policy for analytics. See Custom Access Policies.

To limit the access to a specific CASB tenant you do the following:

  1. Creating a custom access policy to restrict the CASB tenant access. Use CASB Tenants Access Global Restriction. This is a restricting policy. It restricts user access to specific tenants. (See Creating the Custom Access Policy to Restrict the CASB Tenant Access.)

  2. Assign a global CASB access policy that allows access to all CASB tenants (e.g. CASB Application Full Administration, CASB Application View, Cloud Activity View). (See Assigning Access Policies to Apply the CASB Tenant Segregation.)

When CASB tenant segregation is enabled, the user will be only be able to see the CASB tenants selected in the custom access policy (restricting policy).

Creating the Custom Access Policy to Restrict the CASB Tenant Access

Create a custom access policy that will restrict the user’s access to specific CASB tenant(s):

  1. From the Administration app in the Proofpoint Information and Cloud Security Platform, select User ManagementAccess Policies. Click New Custom Access Policy. The General tab of Create Custom Access Policy displays.

     

  2. In the General tab area, complete the Name, Alias fields and optionally the Description field.

     

    Click Next and the Template tab displays.

  3. In the Template tab, define the criteria. Select the Template Type by clicking Select.

    The Select Templates list displays.

  4. Select CASB Tenants Access Global Restriction.

  5. From the list, select the CASB tenants you would like to allow access to, and click Next.

    In the example, the user has access only to ‘ProofpointADlab’ and ‘ProofpointADlab02(US)’ CASB tenants.

  6. Click Save, and verify that your custom access policy was created.

Assigning Access Policies to Apply the CASB Tenant Segregation

The CASB Tenants Access Global Restriction policy you created is a restricting policy. It restricts user access to specific tenants and must be assigned together with a global CASB access policy that allows access to all CASB tenants (e.g. CASB Application Full Administration, CASB Application View, Cloud Activity View).

Access policies can be assigned to users, groups or personas.

  1. From User Management > Users, select the user\group\persona you want.

  2. From Access Policies area, click Edit.

  3. Select a policy that will allow the user access to the CASB app (e.g. CASB Application Full Administration, CASB Application View, Cloud Activity View).

  4. In addition, select the CASB Tenants Access Global Restriction you created. (In the previous example, you created casb-adlab-segregation.)

  5. Click Done, and verify the two policies were assigned.

With the restricting policy, the user can see only the restricted policies. In the example, ProofpointADlab and ProofpointADlab02(US) were included in the restricted policy.

If there was no restricting policy, the user can see all policies, including the restricted policy.