Data loss prevention (DLP) policies

This document introduces data loss prevention policies, which help protect your organizational data from being shared with a list of connectors that you define.

What's a data loss prevention policy?

An organization's data is critical to its success. That data needs to be readily available for decision-making, but it also needs to be protected so that it isn't shared with audiences that shouldn't have access to it. To protect it, Microsoft Flow lets you create and enforce policies that define which consumer connectors can access and share business data. These policies, which define how data may be shared, are referred to as data loss prevention (DLP) policies. Note that they operate on connectors rather than on the content of the data: a flow is allowed or blocked according to which connectors it combines.

Why create a DLP policy?

You create a DLP policy to clearly define which consumer connectors may access and share your business data. For example, an organization that uses Microsoft Flow may not want its business data in SharePoint to be automatically published to its Twitter feed. To prevent this, you create a DLP policy that blocks SharePoint data from being used as the source for tweets.

Benefits of a DLP policy

  • Ensures that data is managed in a uniform manner across the organization.
  • Prevents important business data from being accidentally published to connectors such as social media sites.

Managing DLP policies

Prerequisites for managing DLP policies

Create a DLP policy

Prerequisites for creating DLP policies

To create a DLP policy, you must have admin permissions for at least one environment (see DLP policy permissions below).

Follow these steps to create a DLP policy that prevents data in your company's SharePoint site from being published to Twitter:

  1. Sign in to the Microsoft Flow Admin center (Admin center).

  2. Select the Data Policies tab, and then select the New policy link.

  3. In the Data Policy Name field at the top of the page, enter Secure Data Access for Contoso as the name of the DLP policy.

  4. On the Environments tab, select the environment the policy should apply to.

    Note

    As an environment admin, you can create policies that apply to only a single environment. As a tenant admin, you can create policies that apply to any combination of environments.

  5. Select the Data groups tab.

  6. Select the Add link inside the Business data only group box.

  7. On the Add connectors page, select the SharePoint and Salesforce connectors.

  8. Select the Add connectors button to add these connectors to the group that is allowed to share business data.

  9. Select Save Policy in the top right corner of the screen.

  10. After a few moments, your new DLP policy is displayed in the data loss prevention policies list.

  11. (Optional) Send an email or other communication to your team, alerting them that a new DLP policy is now in effect.

Congratulations, you've now created a DLP policy that allows flows to share data between SharePoint and Salesforce and blocks them from sharing that data with any other service. Connectors you did not add to the Business data only group, Twitter included, stay in the No business data allowed group.

Note

Adding a service to one data group automatically removes it from the other data group. For example, if Twitter is currently in the Business data only data group and you don't want business data to be shared with Twitter, simply add the Twitter service to the No business data allowed data group. This removes Twitter from the Business data only data group.

Data sharing violations

Assuming you've created the DLP policy outlined above, if a user creates a flow that shares data between Salesforce (which is in the Business data only data group) and Twitter (which is in the No business data allowed data group), the user is informed that the flow is suspended because it conflicts with the data loss prevention policy you created.

If your users contact you about suspended flows, here are a few things to consider:

  1. In this example, if there's a valid business reason to share business data between Salesforce and Twitter, you can edit the DLP policy.

  2. Ask the user to edit the flow so that it complies with the DLP policy.

  3. Ask the user to leave the flow in the suspended state until a decision is made about sharing data between these two entities.
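To make the evaluation rules concrete, here is an added Python model of the policy built in the walkthrough above and of the violation check just described. It is example code written for this page, not Microsoft's implementation. It assumes that a connector not placed in either group defaults to No business data allowed (consistent with the Twitter example), uses made-up environment and flow names, and uses "*" as a marker for a tenant-wide policy that applies to every environment.

```python
"""Added model of Microsoft Flow DLP policy evaluation (example code for
this page, not Microsoft's implementation). Assumed: two data groups, an
unlisted connector defaults to "No business data allowed", "*" marks a
tenant-wide policy, and a flow is suspended when it mixes both groups."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BUSINESS = "Business data only"
NO_BUSINESS = "No business data allowed"
ALL_ENVIRONMENTS = "*"  # assumed marker for a tenant-wide policy


@dataclass
class DlpPolicy:
    name: str
    environments: Set[str]
    default_group: str = NO_BUSINESS  # assumption: unlisted connectors land here
    groups: Dict[str, Set[str]] = field(
        default_factory=lambda: {BUSINESS: set(), NO_BUSINESS: set()}
    )

    def add_connector(self, group: str, connector: str) -> None:
        """Place a connector in one group and drop it from the other, so a
        connector is never in both (the page's note on data groups)."""
        for other in self.groups:
            if other != group:
                self.groups[other].discard(connector)
        self.groups[group].add(connector)

    def group_of(self, connector: str) -> str:
        for group, members in self.groups.items():
            if connector in members:
                return group
        return self.default_group

    def applies_to(self, environment: str) -> bool:
        return ALL_ENVIRONMENTS in self.environments or environment in self.environments

    def evaluate(self, environment: str,
                 connectors: Set[str]) -> Optional[Tuple[List[str], List[str]]]:
        """Return None when the flow complies; otherwise the offending
        (business connectors, non-business connectors) pair."""
        if not self.applies_to(environment):
            return None
        business = sorted(c for c in connectors if self.group_of(c) == BUSINESS)
        non_business = sorted(c for c in connectors if self.group_of(c) == NO_BUSINESS)
        if business and non_business:
            return (business, non_business)
        return None


def suspended_flows(policies: List[DlpPolicy], environment: str,
                    flows: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map each flow that violates any applicable policy to that policy's
    name. A flow must satisfy every policy covering its environment."""
    result: Dict[str, str] = {}
    for flow_name, connectors in flows.items():
        for policy in policies:
            if policy.evaluate(environment, connectors) is not None:
                result[flow_name] = policy.name
                break
    return result


def build_contoso_policy() -> DlpPolicy:
    """The walkthrough's policy: SharePoint and Salesforce in Business data
    only; everything else, Twitter included, stays in the default group."""
    policy = DlpPolicy(name="Secure Data Access for Contoso",
                       environments={"contoso-prod"})  # assumed environment name
    policy.add_connector(BUSINESS, "SharePoint")
    policy.add_connector(BUSINESS, "Salesforce")
    return policy


if __name__ == "__main__":
    policy = build_contoso_policy()
    # Constructed sample flows: flow name -> connectors the flow uses.
    flows = {
        "sharepoint-to-salesforce": {"SharePoint", "Salesforce"},
        "salesforce-to-twitter": {"Salesforce", "Twitter"},
        "twitter-to-rss": {"Twitter", "RSS"},
    }
    for flow, reason in suspended_flows([policy], "contoso-prod", flows).items():
        print(f"{flow}: suspended by '{reason}'")
    # Moving Twitter into the business group removes it from the other group.
    policy.add_connector(BUSINESS, "Twitter")
    print(sorted(policy.groups[BUSINESS]), sorted(policy.groups[NO_BUSINESS]))
```

Running the script suspends only salesforce-to-twitter: the SharePoint/Salesforce flow stays within the business group, and the Twitter/RSS flow stays within the non-business group, which is why the page treats a violation as a mix of the two groups rather than as use of any particular connector.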

Find a DLP policy

Admins

Admins can use the search feature in the Admin center to find specific DLP policies.

Note

Admins should publish all DLP policies so that users in the organization are aware of them before creating flows.

Makers

If you don't have admin permissions and want to learn more about the DLP policies in your organization, contact your administrator. You can also learn more from the maker environments article.

Note

Only admins can edit or delete DLP policies.

Edit a DLP policy

  1. Launch the Admin center.

  2. In the Admin center, select the Data policies link on the left side.

  3. Search the list of existing DLP policies and select the edit button next to the policy you intend to edit.

  4. Make the necessary changes to the policy. For example, you can modify the environment or the services in the data groups.

  5. Select Save Policy to save your changes.

Note

DLP policies created by tenant admins can be viewed by environment admins but cannot be edited by them.

Delete a DLP policy

  1. Launch the Admin center.

  2. Select the Data policies tab on the left side.

  3. Search the list of existing DLP policies, and then select the delete button next to the policy you intend to delete.

  4. Confirm that you really want to delete the policy by selecting the Delete button.

DLP policy permissions

Only tenant admins and environment admins can create and modify DLP policies. Learn more about permissions in the environments article.

Next steps