Data loss prevention (DLP) policies

What is a data loss prevention policy?

An organization's data is critical to its success. Its data needs to be readily available for decision-making, but it also needs to be protected so that it isn't shared with audiences that should not have access to it. To protect this data, Microsoft Flow (Flow) provides you with the ability to create and enforce policies that define which consumer services/connectors specific business data can be shared with. These policies that define how data can be shared are referred to as data loss prevention (DLP) policies.

Why create a DLP policy?

You would create a DLP policy to clearly define which consumer services business data may be shared with. For example, an organization that uses Flow may not want its business data that's stored in SharePoint to be automatically published to its Twitter feed. To prevent this, you can create a DLP policy that blocks SharePoint data from being used as the source for tweets.

Benefits of a DLP policy

  • Ensures that data is managed in a uniform manner across the organization.
  • Prevents important business data from being accidentally published to services such as social media sites.

Managing DLP policies

In order to create, edit, or delete DLP policies, the following items are required:

Create a DLP policy

In order to create a DLP policy, you must have permissions to at least one environment.

Follow these steps to create a DLP policy that prevents data that is stored in your company's SharePoint from being published to Twitter:

  1. While on the Data Policies tab, select the New policy link.
  2. Enter the name of the DLP policy as Secure Data Access for Contoso in the Data Policy Name label at the top of the page that opens.
  3. Select the environment on the Applies to tab.
    Note: As an environment admin, you can create policies that apply to only a single environment. As a tenant admin, you can create a policy that applies to all environments, one or more selected environments, or all environments except a selected set.
  4. Select the Data groups tab.
  5. Select the + Add link located inside the Business data only group box.
  6. Select the SharePoint and Salesforce services from the Add services page.
  7. Select the Add services button to add the services that are allowed to share business data.
  8. Select Save Policy.
  9. After a few moments, your new DLP policy will be displayed in the data loss prevention policies list.
  10. (Optional) Send an email or other communication to your team, alerting them that a new DLP policy is now available.

Congratulations, you have now created a DLP policy that allows apps to share data between SharePoint and Salesforce and blocks the sharing of data with any other services.

Note: Adding a service to one data group automatically removes it from the other data group. For example, if Twitter is currently located in the Business data only data group, and you don't want to allow business data to be shared with Twitter, simply add the Twitter service to the No business data allowed data group. This will remove Twitter from the Business data only data group.

Data sharing violations

Assuming you have created the DLP policy outlined above, if a user creates a flow that shares data between Salesforce (which is in the Business data only data group) and Twitter (which is in the No business data allowed data group), the user will be informed that the flow is suspended due to a conflict with the data loss prevention policy you created.
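The suspension rule above, as an added example that is not part of this page or of Microsoft Flow itself: a small Python model of the two data groups, the one-group-per-connector rule from the note, and the cross-group check that suspends a flow. The environment name "Contoso-Prod" and the `build_contoso_policy` helper are constructed for the example.

```python
# Added example (not Microsoft's code); names like "Contoso-Prod" are constructed.
BUSINESS = "Business data only"
NO_BUSINESS = "No business data allowed"


class DlpPolicy:
    """Scoped to environments: None = all (tenant admin), minus an excluded set."""

    def __init__(self, name, environments=None, excluded=()):
        self.name = name
        self.environments = None if environments is None else set(environments)
        self.excluded = set(excluded)
        # Only connectors explicitly placed here; every other connector counts
        # as "No business data allowed", which blocks sharing with other services.
        self.business = set()

    def applies_to(self, environment):
        if environment in self.excluded:
            return False
        return self.environments is None or environment in self.environments

    def add_to_group(self, connector, group):
        # A connector lives in exactly one group, so adding it to one group
        # implicitly removes it from the other.
        if group == BUSINESS:
            self.business.add(connector)
        elif group == NO_BUSINESS:
            self.business.discard(connector)
        else:
            raise ValueError(f"unknown data group: {group}")

    def group_of(self, connector):
        return BUSINESS if connector in self.business else NO_BUSINESS

    def evaluate(self, environment, connectors):
        """Return (suspended, reason); only data crossing the two groups violates."""
        if not self.applies_to(environment):
            return False, "policy does not apply to this environment"
        groups = {c: self.group_of(c) for c in connectors}
        if len(set(groups.values())) > 1:
            detail = ", ".join(f"{c} [{g}]" for c, g in sorted(groups.items()))
            return True, "flow suspended: shares data across data groups: " + detail
        return False, "all connectors are in the same data group"


def build_contoso_policy():
    """The policy from the walkthrough: only SharePoint and Salesforce may share."""
    policy = DlpPolicy("Secure Data Access for Contoso", environments=["Contoso-Prod"])
    policy.add_to_group("SharePoint", BUSINESS)
    policy.add_to_group("Salesforce", BUSINESS)
    return policy
```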

If your users contact you about suspended flows, here are a few things to consider:

  1. In this example, if there is a valid business reason to share business data between SharePoint and Twitter, you can edit the DLP policy.
  2. Ask the user to edit the flow to comply with the DLP policy.
  3. Ask the user to leave the flow in the suspended state until a decision is made regarding the sharing of data between these two entities.

Find a DLP policy


Admins can use the search feature from the Admin center to find specific DLP policies.

Note: Admins should publish all DLP policies so that users in the organization are aware of the policies prior to creating flows.


If you don't have admin permissions and you wish to learn more about the DLP policies in your organization, contact your administrator. You can also learn more from the maker environments topic.

Note: Only admins can edit or delete DLP policies.

Edit a DLP policy

  1. Launch the Admin center by browsing to https://admin.flow.microsoft.com.
  2. In the Admin center that launches, select the Data policies link on the left side.
  3. Search the list of existing DLP policies and select the edit button next to the policy you intend to edit.
  4. Make the changes you wish to make. You can modify the environment or the services in the data groups, for example.
  5. Select Save Policy to save your changes.

Your policy has now been updated. You can confirm that the changes have been made to your policy by finding it in the data loss prevention policies list and reviewing its properties.

Note: DLP policies created by tenant admins can be viewed by environment admins but cannot be edited by environment admins.

Delete a DLP policy

  1. Launch the Admin center by browsing to https://admin.flow.microsoft.com.
  2. In the Admin center that launches, select the Data policies link on the left side.
  3. Search the list of existing DLP policies and select the delete button next to the policy you intend to delete.
  4. Confirm that you really want to delete the policy by selecting the Delete button.

Your policy has now been deleted. You can confirm that the policy is no longer listed in the data loss prevention policies list by selecting the Data Policies link on the left and reviewing the list of policies.

DLP policy permissions

Only tenant and environment admins can create and modify DLP policies. Learn more about permissions in the environments topic.

Next steps