
Administrator guide

Orchestria Active Policy Management Version 6.0

Copyrights
Copyright 2001-2008 Orchestria Limited. All rights reserved. US Patent 7,333,956. Other US and international patents granted or pending. Orchestria and the conductor device are registered trademarks of Orchestria Corporation. Copyright in and ownership of this manual is and shall at all times remain in Orchestria. No part of this manual may be reproduced without the prior written permission of Orchestria and the contents of this manual are and shall remain confidential. The delivery of this manual shall in no circumstances imply that the information contained herein about Orchestria Active Policy Management (APM) is in the public domain. Accordingly, disclosure of the contents of this manual or any part thereof to a third party will constitute a breach of the confidentiality provisions of any agreement for the use of Orchestria APM. Optional Content Search and Agent technology used under license from and Copyright 2007 FAST Search and Transfer International AS. Outside In Content Access Copyright 1991, 2007 Oracle Corporation.

Disclaimer
Every effort has been made to ensure that this document accurately describes the operation of Orchestria APM. However, Orchestria does not accept any responsibility for the consequences of any discrepancies between the description of Orchestria APM contained in this manual and the Orchestria APM system as implemented. Orchestria also reserves the right to make amendments to the contents of this manual from time to time to reflect changes made to the specification of Orchestria APM or for any other reason.

Trademarks
Adobe and FrameMaker are registered trademarks of Adobe Systems Incorporated. Bloomberg is a registered trademark of Bloomberg L.P. ZANTAZ Enterprise Archive Solution and Exchange Archive Solution (EAS) are trademarks of ZANTAZ Inc. Lotus and Notes are trademarks of IBM Corporation. Netscape is a registered trademark of Netscape Communications Corporation. Solaris is a trademark of Sun Microsystems, Inc. Windows, Microsoft, Hotmail, Outlook, and PowerPoint are trademarks or registered trademarks of Microsoft Corporation. WordPerfect is a trademark of Corel Corporation. All other marks are owned by their respective companies.

Contents

Chapter 1

Welcome to Orchestria APM


Background ...... 17
Why choose Orchestria APM? ...... 18
  Intelligent Pre-Review ...... 18
  Panoramic Post-Review ...... 19
Architecture ...... 20
Administrator responsibilities ...... 21
  Real time administration of user policies ...... 21
  User administration ...... 22
  Machine administration ...... 22
  Extracting business intelligence from captured data ...... 23
Before you start ...... 24
  Deployment ...... 24
  Post-deployment tasks ...... 24
  License files ...... 24
Contact us ...... 24

Chapter 2

Administration console
Overview ...... 25
  User Administration screen ...... 26
  Machine Administration screen ...... 27
  User Policy Editor screen ...... 28
  Machine Policy Editor screen ...... 29
  Administration search ...... 30
  Logfiles screen ...... 31
  Statistics screen ...... 32
  Content Agents screen ...... 33
Administration console shortcuts ...... 34


  Find items ...... 34
  Console hyperlinks ...... 35
Administration console tools ...... 36
  Console options ...... 36
  License files ...... 36
  Replicate CMS changes to client machines ...... 36
  Account import wizard ...... 37
  Primary user database credentials ...... 37
  Search user database credentials ...... 37
  Install system definition file ...... 38
  Define a dynamic address list ...... 38

Chapter 3

User administration
Groups ...... 41
  Managing groups ...... 42
  Move groups ...... 42
  Special groups ...... 43
  Group policies ...... 45
  Analyzing group activity ...... 45
Users ...... 46
  New users ...... 46
  New users and Microsoft Windows authentication ...... 46
  Recreate users ...... 47
  Manage user accounts ...... 47
  User policies ...... 48
  User properties ...... 48
Exporting the user hierarchy ...... 52
  Export via the Administration console ...... 52
  Export from a command line ...... 52
  Exporting to XML format ...... 53
  Export issues ...... 53
Importing users ...... 54
  Synchronizing e-mail addresses ...... 54
  Import methods ...... 54
  Import sources ...... 54
Controlling what users can see and do ...... 55
  Ordinary users ...... 55
  Managers and administrators ...... 56
  Administrative privileges ...... 57
  Roles ...... 59


Chapter 4

Machine administration
Overview ...... 61
  Machine hierarchy ...... 61
  Machine icons ...... 62
  Console-only and utility machines ...... 62
Orchestria APM infrastructure ...... 63
  Running the infrastructure as a named user ...... 63
  Stopping and restarting the infrastructure ...... 63
Data replication across the network ...... 64
  Notification periods ...... 64
  Disable replication ...... 65
  Replication failures ...... 65
  Slow network connections ...... 65
CMS ...... 66
  Rename a CMS ...... 66
  Editing the CMS policy ...... 66
  Suspend a CMS ...... 66
  Enable single sign-on ...... 67
  Backing up and restoring the CMS ...... 67
  Connecting to a CMS ...... 67
  Multiple CMSs ...... 68
Gateways ...... 69
  Adding a new gateway ...... 69
  Managing gateways ...... 69
  Common (or default) gateway policies ...... 69
  Rename a gateway ...... 69
Client machines ...... 70
  Adding new client machines ...... 70
  Moving client machines or gateways to a new parent server ...... 70
  Deleting client machines ...... 70
  Editing machine policies ...... 71
  Common (or default) machine policies ...... 71
  Suspend a client machine ...... 71
  Rename a client machine ...... 71
Exporting the machine hierarchy ...... 72
  Export via the Administration console ...... 72
  Export from a command line ...... 72
  Re-importing exported hierarchies ...... 73
Importing machines ...... 73
  Command file format ...... 73


Monitoring free disk space ...... 74
  Disk space policy settings ...... 74
Suspended machines ...... 75
  Manual suspensions ...... 75
  Automatic suspensions ...... 75
  What operations are still available on suspended machines? ...... 76
Disabling e-mail, file and browser integration ...... 76
  Responding to an infrastructure failure ...... 76
  When installing with msiexec.exe ...... 76
Data encryption ...... 77
  Encrypting replicated data ...... 77
  Encrypting stored data ...... 77
Data compression ...... 79
  Compress stored data ...... 79
  Compress transmitted data ...... 79
Event purging ...... 80
  Purging strategies ...... 80
  What data is purged? ...... 80
  Minimum retention period ...... 81
  Purge SPs ...... 81
  Configure purges in the machine policy ...... 81
  Selective trigger-based purging ...... 82
  Turn off event purging ...... 83
  Purge policy settings ...... 83
Machine diagnostics ...... 85
  Diagnostic machine searches ...... 85
  Diagnostics policy settings ...... 85
  Replication checkpoints ...... 87
  Checkpoint policy settings ...... 88
Log files ...... 89
  Types of log file ...... 89
  Configure logfiles ...... 90
  Copy log entries to the Windows event log ...... 91
  View logfiles ...... 91


Chapter 5

Administration searches
Searching for administration data ...... 94
  Run an existing search ...... 94
  Predefined searches ...... 94
  Run a new search ...... 95
  Saved searches ...... 96
  Copy search results to clipboard ...... 96
  Administration search filters ...... 96

Chapter 6

Editing policies
What is a policy? ...... 97
Policy icons and toolbar buttons ...... 98
Editing policies ...... 99
Policy navigation ...... 100
  Hyperlinks ...... 100
  Back and Forward buttons ...... 100
  Find policy folders or settings ...... 100
Controlling policy changes ...... 101
  Policy privileges ...... 101
  Management groups ...... 101
  Disable and enforce attributes ...... 101
Policy list settings ...... 102
  Define a list ...... 102
  Default and custom list items ...... 103
  List item icons ...... 103
  Included, excluded and ignored lists ...... 103
  Searching listed files for key text ...... 105
  Copying and importing list items ...... 105
  Multiple message list settings ...... 107
  Policy lists and wildcards ...... 108
Triggering on e-mail addresses ...... 109
  Spaces in e-mail addresses ...... 109
  Matching all address formats ...... 109
  Internal e-mails ...... 109
  Display names ...... 109
  SMTP ...... 109
  EX ...... 110
  Domino ...... 110
  Bloomberg alias addresses ...... 110
  X.400 ...... 110


Triggering on key words or phrases ...... 111
  Basic rules ...... 111
  Search text wildcards ...... 111
  Subexpressions and OR operators ...... 111
  Search text variables ...... 112
  Detect Far Eastern characters ...... 112
  Punctuation matching ...... 112
  Hyphenated words ...... 113
  Using backslashes to search for special characters ...... 113
  Searching listed files for key text ...... 113
  Searching zip files ...... 115
  Searching embedded e-mails ...... 115
  Searching archive files ...... 115
Folders and settings ...... 116
  Disabled folders and settings ...... 116
  Enforced folders and settings ...... 117
  Hidden folders and settings ...... 118
Policy inheritance ...... 119
  Policy branch inheritance ...... 119
  Parent-child inheritance ...... 119
Policy reports ...... 121
  Generate policy reports ...... 122
  Save policy reports as files ...... 122
  Available actions ...... 123
  Report filters ...... 123
Policy versions ...... 125
  Format ...... 125
  Reported and assigned policy versions ...... 125
  Policy version example ...... 126
Captured passwords and credit card numbers ...... 127
  Which screens display these details? ...... 127
  Obscuring credit card numbers or passwords ...... 127
  Avoiding the capture of credit card numbers or passwords ...... 128
Exporting, importing and copying policies ...... 128
User policy settings ...... 129
  Capture settings ...... 129
  Control settings ...... 133
  Transaction settings ...... 138
  System settings ...... 140
  Extensions ...... 142
  User policy triggers ...... 143


Machine policies ...... 145
  Infrastructure ...... 145
  Policy Engines ...... 149
  Central Management Server ...... 150
  Client File System Agent ...... 151

Chapter 7

Categorizing, tagging and classifying events


Why categorize events? ...... 154
Categorizing e-mails and files ...... 154
  Categorization methods ...... 155
  How does categorization work? ...... 156
  Guidelines for categorization control triggers and actions ...... 159
  Set up new categorization triggers ...... 162
  Add categorization to existing triggers ...... 163
  Syntax for specifying categories ...... 165
  Smart tag category variables ...... 167
Smart tags ...... 170
  Set up a smart tag ...... 170
  Smart tags and file triggers ...... 171
  Example trigger usage ...... 171
  Smart tag names and values ...... 172
  Use variables as smart tag values ...... 172
  X-headers and smart tags ...... 174
Document classifications ...... 176
  When are document classifications used? ...... 176
  Classification in e-mails ...... 176
  Classification types ...... 176
  Set up a document classification ...... 177
  Document Classifier triggers ...... 177
  Parameters for generic classifications ...... 178
  Parameter 6 functions ...... 179
  Wildcards and other special characters ...... 180
  Example document classification ...... 181
    Customer complaint e-mails ...... 181

Chapter 8

Transactions
What data is captured? ...... 183
Manual captures ...... 184
Automatic captures ...... 184
Cancel a transaction ...... 185



Transaction exceptions ...... 186
Transaction icons ...... 186
Spending limits ...... 187
  Set up spending limits ...... 187
  Can I set up period or aggregate spending limits? ...... 187
Transaction detection ...... 188
  Transaction Detector triggers ...... 188
  How do Transaction Detector triggers work? ...... 188
Transaction validation ...... 189
Show Dialog? setting ...... 191
  Show Dialog? Never ...... 191
  Show Dialog? Unless transaction matches ...... 192
  Show Dialog? If necessary ...... 192
  Show Dialog? Always ...... 192
Transaction matching ...... 193
  Matching process ...... 193
Transaction trigger refinements ...... 196
  Unreadable uploaded files or e-mail attachments ...... 196
  Selective trigger-based purging ...... 196

Chapter 9

Capturing data
Capture strategies ...... 197
  Example ...... 197
Capturing Web pages ...... 198
  Manual Web captures ...... 198
  Automatic Web captures ...... 198
  Web page issues ...... 199
Capturing e-mails ...... 201
  Manual e-mail captures ...... 201
  Automatic e-mail captures ...... 201
  Attachments ...... 202
  Importing e-mails ...... 204
  E-mail issues ...... 204
Importing IM conversations ...... 205
Capturing application usage ...... 205
  Capture triggers ...... 205
  Application events ...... 206
  Timeouts for application events ...... 206
  Zero activity events ...... 206



  Turning off application monitoring ...... 206
Capturing files ...... 207
  File triggers ...... 207
  What file information is captured? ...... 207
  File sources ...... 207
  When are files captured? ...... 208
  What do file triggers look for? ...... 208
  How are captured files associated with Orchestria APM users? ...... 209
  Defining the file archive list ...... 209
Capture trigger exemptions and refinements ...... 210
  Data Lookup ...... 210
  Disabling e-mail, file and browser integration ...... 210
  Prevent trigger details being captured ...... 211
  Unreadable uploaded files or e-mail attachments ...... 212
  Encrypted e-mails ...... 212
  Digital signatures ...... 212
  Selective trigger-based purging ...... 213

Chapter 10

Controlling user activity


Planning a control strategy ...... 215
Control procedure ...... 216
Control events ...... 217
  Web, e-mail and application events ...... 217
  File events ...... 217
  Control event icons in the console ...... 218
  What determines the event type? ...... 219
  Authorized and prohibited activity ...... 219
Intervention setting ...... 220
  Intervention options and e-mail server agents ...... 220
  Available intervention options ...... 220
    Option: Block With Notification ...... 222
    Option: Block Quietly ...... 223
    Option: Block - files ...... 223
    Option: Categorize - files ...... 224
    Option: Categorize - single category only ...... 224
    Option: Categorize - multiple categories allowed ...... 225
    Option: Delete Silently ...... 225
    Option: DoD overwrite and delete silently ...... 225
    Option: Inform ...... 225
    Option: No further actions ...... 226
    Option: None ...... 227
    Option: Notify ...... 227
    Option: Quarantine with notification ...... 228
    Option: Quarantine quietly ...... 228



    Option: Replace Silently ...... 229
    Option: DoD overwrite and replace silently ...... 229
    Option: Warn ...... 230
    Option: Warn, but allow users to designate as Personal ...... 231
Control action precedence ...... 232
  Intervention action behavior ...... 232
  Quarantine control actions ...... 232
Controlling Web activity ...... 233
  How control actions operate ...... 233
  Which settings are applicable? ...... 233
  Trigger exemptions and refinements ...... 234
  Browser requirements when exempting secure Web sites ...... 234
  When are users redirected to alternative Web pages? ...... 235
Controlling e-mails ...... 236
  How the control action operates ...... 236
  Which settings are applicable? ...... 237
  Account requirements for recipients of forwarded e-mails ...... 238
  Forwarding e-mails to multiple addresses ...... 239
  Sending forwarded e-mails to someone else ...... 239
  E-mail address matching ...... 239
  Modifying recipient fields ...... 239
  Identifying the e-mail that triggered an automatic reply ...... 240
  Trigger exemptions and refinements ...... 240
  E-mails in Public Folders are excluded from policy ...... 240
  Blocking a Webmail ...... 241
Controlling application usage ...... 242
  How control actions operate ...... 242
  Application Monitor control triggers ...... 243
  What data is captured by Application Monitor triggers? ...... 243
Controlling files ...... 244
  File triggers ...... 244
  When do file triggers activate? ...... 245
  File sources ...... 246
  How are files events associated with Orchestria APM users? ...... 247
  Printed files ...... 247
  Files copied to USB devices ...... 248
  Files entering or leaving your corporate network ...... 249
  Imported files ...... 249
  Scanned files ...... 249

Contents

13

User notifications ... 251
Notification dialogs ... 251
Notification e-mails ... 252
Notification messages in replacement files ... 252
Variables in notification dialogs and e-mails ... 253
User definitions ... 258
Set up a user definition ... 258
Copying text from notification dialogs ... 259
Control trigger exemptions and refinements ... 260
Data Lookup ... 260
Disable integration for specific e-mail triggers ... 260
Unreadable uploaded/imported files or e-mail attachments ... 261
Digital signatures ... 261
Encryption ... 262
Selective trigger-based purging ... 262
Integration with e-mail servers ... 263
Monitoring e-mail activity that would be missed by client agents ... 263
Fewer intervention options for the server agents ... 263
Outgoing e-mail triggers only on Exchange Server and Domino ... 263
Intervention options and e-mail server agents ... 264
Automatic notifications and e-mail server agents ... 265
Interactive warning e-mails and Exchange Server ... 266

Chapter 11 Data lookup
Overview ... 272
Data Lookup commands and True-False tests ... 272
Adding Data Lookup commands to e-mail triggers ... 273
About Data Lookup Failure Mode ... 273
User Attribute lookup syntax and configuration ... 274
Address Book lookup syntax ... 275
Message Attribute lookup syntax ... 275
XML Attribute lookup syntax ... 276
Data lookup variables ... 277
<who> ... 278
<attribvalue> ... 279
labeled <variable> ... 280
<msgvar> ... 282
<msgvalue> ... 283
<numericoperator> ... 283
<stringoperator> ... 284

14

Orchestria Active Policy Management Administrator guide

<text> ... 286
<type> ... 286
<uservar> ... 287
<xpath> ... 290
Advanced Data Lookup Commands ... 291
Command evaluation ... 291
Examples of data lookup syntax ... 291
Complex True-False test ... 293
Composite True-False test ... 294
Complex Composite True-False test ... 296
OR and <fallguy> handling ... 296
User Attribute lookup examples ... 297
Address Book lookup examples ... 298
Message Attribute lookup examples ... 299
XML Attribute lookup examples ... 300
Counting unique domains ... 301
Long domain example ... 301
List of known long domains ... 301
Adding to the list of long domains ... 301
XML metadata example ... 302

Chapter 12 Configuring event audit options
Customizable audit features ... 303
Types of audit status ... 304
Auditing privileges ... 305
Configuring audit buttons and field labels ... 306
Define audit field names (Fields 1,2,3) ... 307
Define list items for audit fields ... 307
Specify mandatory audit changes ... 308
Specify audit field dependencies ... 308
Suppress automatic auditing ... 308
Set up audit e-mail templates ... 309
Set up the iConsole customizable toolbar buttons ... 310
Quarantined e-mails ... 312
Quarantine setup procedure ... 313
Reviewing quarantined events ... 314


Chapter 13 Content agents
Overview ... 315
Why use Content Agent triggers? ... 316
Before you start ... 316
Deployment ... 316
Content agents ... 317
Content agent icons ... 317
Training documents ... 317
Test documents ... 317
Default test documents ... 318
Define content agents ... 318
Managing content agents ... 323

Chapter 14 Troubleshooting
Searching for events ... 325
E-mails ... 326
iConsole ... 330
Web pages ... 331
User Administration ... 333
Policy ... 334
Machine administration ... 335
Replication ... 336
Database problems ... 337
Far Eastern characters ... 338
Dial-up connections ... 338

Index ... 339


1. Welcome to Orchestria APM

Welcome to Orchestria Active Policy Management (APM). This guide shows you how Orchestria APM can enable you to regain control of electronic business communications throughout your organization. This chapter introduces Orchestria APM and briefly describes the business case for choosing it. Orchestria APM lets you manage e-mail, instant messaging, Web and application activity across your organization. It is a policy-based solution that delivers real visibility into corporate e-mail, instant messaging and Web activity. It provides you with unlimited flexibility to capture, control, retrieve, audit and analyze user behavior across your enterprise.

Background
Internet communication has empowered employees as never before. Every day, informal unstructured business communications flood in, out and across organizations. The proliferation of e-mail, instant messaging and Web-based forums has brought new fluidity and flexibility to the workplace, enabling organizations to operate in real time and leverage the business value hidden in these communications. But there is a price to pay. A new regulatory landscape for business communications has emerged, obliging organizations to retain these communications for subsequent auditing by regulators and, equally important, to control the content of these communications to prevent regulatory violations. It is these twin challenges, archiving and content supervision, that must be addressed by organizations wishing to avoid the penalties for non-compliance. Orchestria APM has been explicitly designed to meet these challenges, combining industrial-strength archiving and retrieval capabilities with pioneering real time communication filters.


Why choose Orchestria APM?

Orchestria APM intelligently understands the nature of electronic communications as they occur and lets you manage e-mail, instant messaging, and Web-based correspondence across the global enterprise. Designed for the emerging regulatory landscape, Orchestria APM provides real protection for executives, company reputations, and intellectual property. Specifically, it has been explicitly designed to meet the two critical challenges facing organizations who seek regulatory compliance:

- Intelligent Pre-Review: Preventing communications that violate corporate policy or industry regulations.
- Panoramic Post-Review: Implementing an industrial-strength and legally compliant archiving and auditing solution.

Intelligent Pre-Review
Pre-review is commonly used now to describe the practice of filtering communications at source to detect potential regulatory violations. Organizations need to protect themselves against individual malpractice and the unauthorized exposure of sensitive financial or business data, intellectual property and competitive information. They must ensure that non-compliant communication is detected and blocked before it can be sent and archived. Failure to do so means that the archive becomes, in effect, a repository of regulatory violations waiting to be discovered by scrupulous regulators. However, the unstructured, informal nature of these communications makes them extremely difficult to analyze and control. A preventative solution is needed that can intelligently understand the nature of any correspondence as it occurs, eliminating the risk of regulatory violations but without disrupting workflow. Orchestria APM provides exactly this. Specifically, it:

- Analyzes message content and recipient details, identifying and preventing non-compliant activity (e-mail, instant messaging and Web) in real time.
- Enforces information boundaries by intervening at the desktop, highlighting non-compliant user behavior as it occurs. For example, you can enforce information boundaries by blocking e-mails sent between specific teams and covering particular subjects.
- Educates users to modify their own behavior by recommending or forcing remedial action (in the form of contextualized advisory dialogs).
- Does not disrupt workflow, because it does not interfere with normal routing of e-mail traffic (unless explicitly configured to do so).

Example Orchestria APM intervention: A user attempts to send a non-compliant e-mail. As soon as they click Send, Orchestria APM detects the potential violation, suspends the transmission and displays an advisory dialog.

Chapter 1 Welcome to Orchestria APM

19

Panoramic Post-Review
Post-review refers to the practice of searching for and auditing e-mails and instant messages after they have been sent, and reviewing Web activity after it has been detected and recorded. Organizations need a scalable archiving solution that meets regulatory requirements on the storage, retention and on-demand retrieval of historical communications. Such archiving and data retrieval systems must encompass both internal and external e-mail, personal Web-based e-mail accounts (for example, Hotmail or Yahoo!) and instant messaging. Orchestria APM has been explicitly designed to meet the post-review requirements of large organizations. It provides industrial-strength archiving, retrieval, auditing and reporting features. Easy-to-use, fine granularity search tools enable managers and regulators to zero in on targeted events, and to create event audit trails. Ancillary utilities even enable Orchestria APM to integrate with your existing e-mail archive and emerging next-generation storage devices such as EMC Centera.

Note: The Orchestria APM search and auditing features are demonstrated in chapter 12, Configuring event audit options.

Example e-mail retrieval: You search for, review and audit captured communications in the Orchestria APM Data Management console.
1 You specify which captured events you want to retrieve in the search definition. This example shows the Advanced search definition screen.
2 When you run the search, all events matching the search criteria display in the search results screens. Event icons and titles are hyperlinked to individual event screens (2a).
3 Finally, you can zero in on individual events to see their full details in the event screens. In this example, the Mail tab shows the actual captured e-mail plus its attachment.


Architecture
Orchestria APM deployments can be complex, and vary from one organization to the next. This section shows the architecture for a simple deployment to client machines. This enables you to install Orchestria APM client agents on users' desktops to monitor and control their e-mail and Web activity. Here, Orchestria APM machines are organized into hierarchical branches, with the central management server (CMS) as the top level server. Below the CMS, each branch of the hierarchy is optionally managed by a gateway, and each gateway can serve multiple client machines and/or further gateways. You manage Orchestria APM using consoles. You can deploy consoles on any machine in your Orchestria APM installation. For technical details about Orchestria APM, see the Deployment guide and the Technical and Functional Overview, available from the Orchestria service desk; see page 24.

Orchestria APM example architecture:
1 CMS: This is the central repository for your Orchestria APM installation, holding all policy details and captured data.
2 Gateway: These are data-routing servers, operating between the CMS and client machines. They provide resilience and network load balancing. Each gateway can serve multiple client machines or even child gateways.
3 Client machines: These run Orchestria APM e-mail and Web integration features (the client agents). If required, client machines can connect directly to the CMS (3a) with no intermediate gateway.
4 Console: Any Orchestria APM machine can run any combination of Administration console, Data Management console, and Executive console.
5 Console-only machine: No Orchestria APM server software or client integration features are installed on this machine.


Administrator responsibilities
As an Orchestria APM administrator, your primary responsibility will be to translate real business issues into effective (user) policy. However, your responsibilities will also cover such areas as deployment and user administration. Typically, these responsibilities will include:

- Real time administration of user policies
- User administration
- Machine administration
- Extracting business intelligence from captured data

Real time administration of user policies
You need to roll out policy changes in a controlled and structured manner, ensuring that these changes meet your business needs, minimize business risks, and do not offend your workforce.

To meet changing business needs
As these needs change, you will need to modify policies for individual users or groups. For example, to meet new budgetary goals you may need to adjust the maximum permitted transaction values to eliminate overspending by specific users or groups. Alternatively, your organization may switch to a new supplier, so you need to amend policies to channel users away from your old supplier's Web site and perhaps redirect them to your new supplier's Web site. In both cases, you achieve these aims by editing the associated control trigger settings in the relevant user policies.

To minimize business risks
You must ensure that only authorized personnel can change policies. For example, careful use of the Hide, Disable and Enforce policy attributes enables you to conceal sensitive policy settings from your workforce and prevent deliberate or accidental tampering with key policy settings.

To maintain the trust of your workforce
You will need to ensure that individual users are adequately informed if their Web or e-mail activity contravenes corporate guidelines and triggers a blocking or warning. Specifically, you must ensure that all advisory messages in Blocking, Warning and Inform dialogs are helpful and informative. To achieve this, you must edit the messages associated with a control trigger. You also need to decide what Orchestria APM features are available to ordinary users in the Administration console, and in their browser and e-mail applications. For example, you can choose whether or not to display a 'capture light' in the browser taskbar to alert users when a Web page capture is in progress.

Note: User policies are fully described in chapter 6, Editing policies. This includes a summary of the main policy settings, task descriptions, and an explanation of how policy inheritance works.

To control policy changes
You need to prevent unauthorized or conflicting changes to user and machine policies. This is especially important if you have multiple administrators (that is, Orchestria APM users with administrative authority). You need to control who is able to edit policies, which policies they can manage and, within those policies, which settings they can edit. For full details, see page 101.


User administration
This involves a number of post-deployment tasks, before you deploy Orchestria APM across your organization, and also routine maintenance of your user accounts to reflect changing business needs. Finally, you also need a strategy for creating and managing other administrators, and ensuring that the extent of their administrative authority is sufficient and appropriate.

Post-installation tasks
Before rolling out Orchestria APM across your organization, you must determine how it handles new users: can new users enroll themselves, or are new accounts created solely by administrators? Or do you want to import user details into Orchestria APM from an existing source such as your Microsoft Exchange server? You must also define an appropriate default policy for new users. This policy will be fairly restrictive to ensure that new users adhere to your corporate guidelines governing acceptable Web and e-mail usage.

Note: These issues are fully described in the Deployment guide; see chapter 3, 'Before you start using Orchestria APM'.

Maintaining the user hierarchy
Your hierarchy of users and groups will require routine maintenance. In particular, you may occasionally need to reorganize or create new user groups to cater for users with particular policy requirements. This allows fast and selective rollout of policy changes. For example, you may decide to group together all users who are in constant e-mail contact with customers. This allows you to configure the group policy to capture maximum business intelligence from this e-mail correspondence. For details about managing groups, see page 42.

Managing administrators
To share the administrative workload, you can promote ordinary users into administrators or managers by granting them administrative privileges. You can limit the scope of their administrative authority by withholding specific privileges and controlling which groups they can manage. For full details, see page 56.

Machine administration
As with user administration, machine administration involves a number of post-deployment tasks, before you deploy Orchestria APM across your organization, and also routine maintenance of your machine accounts to reflect changing business needs.

Post-installation tasks
Before rolling out Orchestria APM across your organization, you need to configure your CMS policy, and the common client and gateway policies (these common policies are applied automatically to new machines). Key policy areas that you must consider include database purging and the management of free disk space.

Note: These issues are fully described in the Deployment guide; see chapter 3, 'Before you start using Orchestria APM'.

Routine maintenance
You need to ensure that all Orchestria APM machines are running the current versions of the software and that their individual machine policies are appropriate for your network environment. For example, you will need to ensure that replication, database purging and free disk space settings have sensible values. To optimize data flows across your network, you may also need to occasionally reorganize the allocation of client machines to each gateway.


Data security
You also need to consider data security. This covers encryption, database backups, and database purging.

- Encryption: All user data captured by Orchestria APM (Web pages, e-mails and so on) is replicated across your network and stored on the CMS. You must ensure that these data transfers and the stored data itself are secure. You can do this by configuring the machine policy to encrypt this data. These policy settings are described on page 145.
- Backups: We recommend that you make a full backup of your Orchestria APM database on the CMS at least once per week, and incremental backups on a daily basis. For further details, see page 67.
- Database purging: We also strongly recommend that you turn database purging on in both the common gateway and common client policies to prevent free disk space falling to dangerously low levels on your Orchestria APM machines, with the attendant risk of the infrastructure being suspended. For details, see page 80.

Note: On a suspended client machine, control triggers and actions continue to operate but the resulting control events are not saved. For example, you cannot search for blockings that occurred while a client machine was suspended.

Extracting business intelligence from captured data
It is highly likely that you will need to assist managers in extracting maximum business intelligence from your store of captured data. This may involve configuring key statistics for display in the Executive console. To perform such tasks effectively, you will need to liaise with managers to determine exactly what information they require. You have two main areas of responsibility:

First, you may need to configure the Orchestria APM statistics required by managers and other senior decision makers in your organization. For example, you may need to amend time slot intervals for real time statistics or supply the fixed values used by fixed statistics for budgeting or forecasting purposes.

Note: For full details, see chapter 3 of the Executive Console guide.

Second, you may need to configure the Executive console display for individual managers. The block import/export feature is particularly useful and lets you quickly roll out identical configurations to multiple Executive consoles.

Note: For full details, see chapter 2 of the Executive Console guide.


Before you start

Deployment
You must designate one machine per installation as your CMS. After setting up a CMS, you can install Orchestria APM on as many gateways and client machines as your license agreement permits. Before installing the CMS or a gateway server, you will also need to ensure that your chosen database engine is already installed and correctly configured on the target server. You can find installation procedures for the CMS, gateways and client machines, plus much other useful deployment information, in the Deployment guide.

Post-deployment tasks
After deployment, there are several things you must do before you start using Orchestria APM. These mainly involve changes to the default policies for key user groups and new machines. You also need to edit the account properties of any new administrators and managers. Finally, you may need to amend your browser security settings if you intend using any Web page control triggers. As before, you can find the full range of post-deployment tasks in the Deployment guide.

License files
After installing Orchestria APM, you may need to install a license file before you can start using the product. Your license file unlocks the Orchestria APM policy modules available to your organization. Details about obtaining and installing your license file are given on page 36. Alternatively, you can contact the service desk for advice; see the next section.

Contact us
To contact the service desk, go to:

http://support.orchestria.com

If you do contact the service desk, they may ask you to supply the following log files:

- The infrastructure log file, wgninfra.out.
- Any relevant system log files. These take the format: stderr_200201200945.log.

These are all located in Orchestria's \data\log subfolder of the Windows All Users profile; see page 89.

2. Administration console

This chapter provides an introduction to the Administration console and gives an overview of its main features.

Note: For details about other Orchestria APM consoles, see the following guides:
- Data Management console guide
- Executive Console guide
- iConsole user guide

Overview
You use the Administration console for these tasks:

- User administration: Organize your Orchestria APM users into hierarchical groups to streamline user administration.
- Machine administration: Organize your Orchestria APM machines into a hierarchical tree for optimum network performance and load-balancing.
- Logfiles: You can view log files covering a range of user and machine activity, including logon activity, data replication and infrastructure errors.
- Policy administration: You can define policies for Orchestria APM users and machines. User policies let you capture and control user activity. Machine policies cover such areas as database management, data replication, encryption, and cache management.
- Event auditing setup: Full auditing features are available in the iConsole, but you must first use the Administration console to configure audit status labels and the contents of the auditing dialogs.
- Statistics: You can configure statistics for display in the Executive console. Real time statistical data is compiled for each group and includes event counters based on user activity.
- Content agents: Content agents can detect specific types of document based on their text content (for example, e-mails, Web pages and files). You can train and publish content agents and incorporate them into content agent triggers.
- Administration searches: You can run administration searches to search for users, groups and machines. For example, you can search for user accounts with out-of-date policies or machines that have missed one or more replication checkpoints.

User Administration screen

In the User Administration screen, you can organize users into hierarchical groups, assign administrative privileges, and set user passwords. You can also launch the User Policy Editor directly from this screen. The left pane shows the hierarchy of users and groups. The right pane depends on whether a user or group is selected in the left pane. For individual users, the right pane shows the user's attributes: their parent group, policy version, administrative privileges (if any), and logon sessions (a session opens whenever a user starts up the Orchestria APM console, or uses their Web browser or e-mail application). For user groups, the right pane shows the Detail and List tabs (not shown). The Detail pane shows the group attributes, similar to the user attributes described above. The List tab shows summary details of all users belonging to the current group. For full details about this screen and all associated tasks and features, see chapter 3, User administration.

Screen callouts:
1 User hierarchy: Shows the hierarchy of user groups and individual users. You can right-click or drag-and-drop to quickly reorganize users and groups.
2 User or group details: Shows the properties and attributes of the current user or group. For groups, a List tab also shows summary details for all users in the group.
3 Hyperlinks: Some details shown here are hyperlinks to other console screens. For example, the Policy field is hyperlinked to the current user's policy in the User Policy Editor.
4 Logon Sessions: For users only, this section shows current and historical logon sessions.
5 Parent server, User name: The parent server is either the CMS or a gateway. The user name is the Orchestria APM logon name for the current console user.
6 Policy version numbers: These allow you to track local and inherited policy updates.
7 Hide Sessions: Click to hide logon session details.

Chapter 2 Administration console

27

Machine Administration screen

In the Machine Administration screen, you can manage accounts for the Central Management Server (CMS) and your gateway and client machines. You can also launch the Machine Policy screen directly from this screen. The machine hierarchy (the CMS, gateways, and client machines) displays in the left pane. The right pane depends on whether a client machine or server (CMS or gateway) is selected in the left pane. For client machines, the right-hand pane (not shown) shows attributes for the current machine, including its parent server, its connection status, and which version of policy it is using. For the CMS and gateways, the right pane shows the Detail and List tabs. The Detail pane shows the server attributes, similar to the client machine attributes described above. The List tab shows summary details for all child machines (client machines and gateways) attached to the current server. For full details about this screen and all associated tasks and features, see chapter 4, Machine administration.

Screen callouts:
1 Machine hierarchy: The CMS is at the root, with a gateway optionally serving each branch of client machines. From here, you can add or delete Orchestria APM machines.
2 Detail tab: This shows the properties and attributes of the current machine. The List tab is available for gateways and the CMS only; see 3 for further details.
3 Machine details: This shows summary details for all child machines attached to the gateway or CMS.
4 Parent server: This is either the CMS or a gateway.
5 User name: This is the Orchestria APM logon name for the current console user.


Orchestria Active Policy Management Administrator guide

User Policy Editor screen


The User Policy Editor is where you edit policies for groups and individual users. These policies govern how users access the Web, use e-mail and conduct transactions. They also determine what Orchestria APM functionality is available or visible in a user's browser or e-mail application, and what actions are available to users in the console. Policy folders are listed on the left, with settings and subfolders on the right. Icon variations show the current status of each folder and setting. Double-click a setting to view or edit its values and attributes. You launch the Policy Editor from the Administration console; first select the user or group whose policy you want to view. A full introduction to user policies is given in chapter 6, Editing policies. This includes a summary of the main policy settings, task descriptions, icon summaries, and an explanation of how policy inheritance works.

Note: This screen shares the same features and layout as the Machine Policy Editor; see page 29.

1 Toolbar: Each screen has its own set of tools and features.
2 Policy root: This indicates which user or group the current policy applies to.
3 Policy folders pane: Shows all the folders available for viewing or editing in the current policy. Icon variations show the folder status (disabled, enforced or hidden). You can also double-click a folder to view or edit its attributes.
4 Policy path: Shows the location of the current folder or setting within the policy.
5 Parent server: This is either the CMS or a gateway.
6 User name: This is the Orchestria APM logon name for the current console user.
7 Policy version: Shows the current policy version number. This enables administrators to track policy updates.
8 Policy explanations: Hover your mouse pointer over any folder or setting to see a tooltip explanation. Help is also available when you double-click a policy item.
9 Contents pane: Shows the settings or subfolders in the current policy folder. Icon variations show the status of each setting or subfolder (disabled, enforced or hidden). You can also double-click a setting to view or edit its value.
10 Hyperlink: Many settings are hyperlinked to a dependent setting. Click the hyperlink to jump to the specified setting.


Machine Policy Editor screen


The Machine Policy Editor is where you edit policies for the CMS, gateways, and client machines. These policies govern how Orchestria APM machines manage their databases and how they exchange data with other Orchestria APM machines. Policy folders are shown on the left, and policy settings and subfolders are shown on the right. Icon variations show the current status of each folder and setting. Double-click a setting to view or edit its values and attributes. You launch the Policy Editor from the Administration console; first select the machine whose policy you want to view. An introduction to machine policies is given in chapter 6, Editing policies. This includes a summary of the main policy settings, task descriptions, icon summaries, and an explanation of policy inheritance.

Note: This screen shares the same features and layout as the User Policy Editor; see page 28.

1 Toolbar: Each screen has its own set of tools and features.
2 Policy root: This indicates which machine the current policy applies to.
3 Policy folders pane: Shows all the folders available for viewing or editing in the current policy. Icon variations show the folder status (disabled, enforced or hidden). You can also double-click a folder to view or edit its attributes.
4 Policy path: Shows the location of the current folder or setting within the policy.
5 Parent server: This is either the CMS or a gateway.
6 User name: This is the Orchestria APM logon name for the current console user.
7 Policy version: Shows the current policy version number. This enables administrators to track policy updates.
8 Policy explanations: Hover your mouse pointer over any folder or setting to see a tooltip explanation. Help is also available when you double-click a policy item.
9 Contents pane: Shows the settings or subfolders in the current policy folder. Icon variations show the status of each setting or subfolder (disabled, enforced or hidden). You can also double-click a setting to view or edit its value.


Administration search
Administration searches let you search for user, group and machine accounts. For example, you can search for user accounts with out-of-date policies or machines that have missed one or more replication checkpoints. A range of predefined searches is available. These include information and health searches, for both users and machines. Information searches typically retrieve basic details about existing accounts; health searches identify problematic accounts, or accounts which require your attention, such as machines which cannot be contacted or users with out-of-date policies. You can also define and save your own administration searches, and copy search results to the clipboard. Existing searches (predefined and custom) are listed in the left pane. When you select a search, all users, groups or machines matching the search criteria are shown in the right pane. Administration searches are discussed in chapter 5, Administration searches.

1 Search list: Lists all predefined administrative searches plus any custom searches saved on the current machine.
2 Results list: Displays items matching the search criteria.
3 Search button: Click to define a custom search (4).
4 Administration Search dialog: Use to define your own searches. For details about the available search filters, see the online help.


Logfiles screen
The Logfiles screen displays logs of all significant events on the local machine. The Administration console supports four types of Orchestria APM logfile:

- Activity logs record when users and machines log in or out, and each time policies are created or updated.
- Replication logs record any database changes that were made on a remote machine and copied to the local machine, for example, policy updates.
- System logs record any infrastructure errors that occur while the Orchestria APM service is running.
- Account Import logs record the outcome of any operations using the User Import wizard.

Available log files are listed in the left pane and the logged events are shown in the right pane. Note that log files are saved in Orchestria's \data\log subfolder of the Windows All Users profile; see page 89. Settings in the local machine policy determine the maximum size of each log file and, by implication, how often new log files are created. You can also view the log files on remote machines. To do this, expand the Machine Administration branch and select the machine you want. Then right-click and choose View Logfiles. For further details about Orchestria APM logfiles, see page 87.

1 Machine Administration: To view the log files on a remote machine, expand this branch and select the machine you want. See 4 for further details.
2 Local log files: All available log files on the local machine are listed here. File names show when the log file was created.
3 Log pane: All events in the current log file are listed here. From here, you can copy the contents of any log file into a text editor such as Microsoft Notepad.
4 Logfile viewer for remote log files: This has the same layout as the standard Logfiles screen. To launch the viewer, right-click the machine you want and choose View Logfile. See 2 for details.


Statistics screen
The Statistics screen lets you configure summary statistics for e-mail, Web and transaction activity across your organization. You can view the actual statistics, in graphical or tabular format, in the Executive console. Statistic folders are listed in the left pane and configurable statistics in the right pane. Statistic properties apply globally across your Orchestria APM installation, but statistical data is compiled for each user group. Orchestria APM compiles three main types of statistic: event lists, currency statistics and counter statistics. Event lists are simply lists of events triggered by user activity, such as blocked e-mails. Currency statistics include real-time values based on captured transactions and static values defined by users for, say, forecasting purposes. Counter statistics are similar to currency statistics but relate only to non-transaction data such as e-mail traffic. The Statistics screen and the Executive console, plus all the associated tasks and features, are discussed in the Executive Console guide.

1 Toolbar: Each screen has a unique set of tools and features.
2 Statistics folders: Shows folders containing the available statistics. Select a folder to display its statistics in the Statistics pane.
3 Statistics pane: Shows basic details about each statistic. From this pane, you can configure statistic properties. For static statistics, you can also enter fixed time-series values.
4 Properties dialog: You configure statistic properties in a dialog similar to this one. The available fields depend on the statistic type (such as currency or event list) and whether it is real time or static.


Content Agents screen


Note: The Content Agent features are available only if explicitly included in your license agreement.

The Content Agent screen lets you train and publish content agents. These agents can detect specific types of document based on their text content. A document can be any Web page, e-mail, attachment, or file. After you have trained and published an agent, you can incorporate it into a content agent trigger. These triggers let you capture or control any attempt by users to browse, upload, print, copy to removable drives, send or receive documents that match the specified type. For example, you could train a content agent to recognize the login page of any Web-based e-mail provider. This would allow you to display a warning, or even block the user, if they attempted to send or read a message. Alternatively, you could train an agent to identify customer e-mail enquiries. The Content Agents screen and all associated tasks and features are discussed in chapter 13, Content agents.

1 Toolbar: Each screen has a unique set of tools and features.
2 Published content agents: These agents have been tested and are available for inclusion in content agent triggers.
3 Unpublished content agents: These agents may not have been tested and are not available for inclusion in content agent triggers.
4 Default test documents: A common set of test documents that you can use to calibrate any content agent.
5 Agent Testing dialog: This shows the scores for individual training and test documents. These scores indicate how well individual documents match the document type targeted by the content agent.
6 Example positive training documents: When choosing your training documents, you can add any file types supported by Orchestria APM, including event link files.


Administration console shortcuts


Find items
To quickly find a specific user, group or machine in the Browse tab, use the Find feature. But see the note below.

1 Click the Find toolbar button or press Ctrl+F.
2 Enter the item name in the Find Items dialog. You do not need to enter the whole name. You can search on the first few letters of any word in the name, and you do not need to match the case. For example, type 'schaef' to find the first occurrence of fschaeffer.
3 Specify whether to search up or down from your current location in the Browse tab.

You can quickly search the Browse tree to find other occurrences of this name:

- To find the previous occurrence of this name, click the toolbar button or press F3.
- To find the next occurrence of this name, click the toolbar button or press Shift+F3.

Note: Find can only find items that are currently visible, or that were recently visible. That is, it can look for items in branches that are currently expanded, or that were previously expanded but are now collapsed. It cannot find items in branches that have never been expanded (in the current session). See the examples below.

Examples
These show the outcome if you use Find to locate the user frankschaeffer.

Find fails because frankschaeffer is not visible in the Browse tree:
Users
  Management
  Marketing

Find succeeds because frankschaeffer is visible in the Browse tree:
Users
  Management
    frankschaeffer
    spencerrimmel
  Marketing

Find succeeds because frankschaeffer was previously visible in the Browse tree, even though it is not currently visible. The Management branch was first expanded:
Users
  Management
    frankschaeffer
    spencerrimmel
  Marketing
and then collapsed again:
Users
  Management
  Marketing


Console hyperlinks
In the Administration console, when you select a user, group or machine, their attributes are listed in the right pane. Some attributes are hyperlinked to other console features. For example, if you view a user, you can double-click their Group Name attribute to immediately locate this user group in the left pane. Or you can double-click their Policy attribute to view their current policy.

When you select an item in the Browse tab, the right pane contains these hyperlinked attributes:

For users
Policy: Click to open the current user's policy in the Policy Editor.
Parent Group: Click to highlight the parent group for the current user.
Management Groups: Click to highlight the management groups assigned to the current user.

For groups
Policy: Click to open the current group's policy in the Policy Editor.
Parent Group: Click to highlight the current group's parent group.

For machines
Policy: Click to open the current machine's policy in the Policy Editor.

Console hyperlinks illustration: 1 Left pane. 2 Example hyperlinks. 3 Attributes list.


Administration console tools


Console options
These options let you customize the behavior of certain console features.

1 In the Administration console, choose Tools > Options.
2 In the Options dialog, choose the tab you want. These settings let you:

- General tab: Display the assigned policy version in console screens showing lists of users or machines (see page 125) and request warnings before you replicate CMS changes to client machines (see Replicate CMS changes to client machines, below) or edit user roles.
- User Administration tab: Request warnings before you move users and groups into new parent groups. For details, see page 47.
- User Attributes tab: Define custom attributes for users in your organization. For details, see page 51.
- User Roles tab: Assign default sets of administrative privileges to user roles and create new roles. For details, see page 50.
- Address Lists tab: Define dynamic address lists. These are automatically-generated lists of e-mail addresses.
- Audit tab: Define the settings available to reviewers when updating event audit trails. For details, see page 307.
- Content Proxy tab: Available only if your license agreement includes the Content Services feature. See chapter 13, Content agents. Select a Content Proxy server to use when training content agents or running a content search. For further details, see either the iConsole user guide or the Data Management console guide; search the index for "content searches, before you start".

License files
After installing or upgrading Orchestria APM, you may need to install a license file before you can start using the product. Your license file unlocks the Orchestria APM policy modules available to your organization. Separate license files control access to user policies and machine policies.

Obtain a license file
Contact the Service Desk and quote your installation code. The license file uses this code to authenticate your Orchestria APM installation. To contact the Orchestria service desk, see page 24. To find your installation code, choose Tools > Install license file in the Administration console. The Install License File dialog shows your installation code.

Install a license file
1 In the Administration console, choose Tools > Install license file.
2 Select your license file and click Install. As soon as your Orchestria APM installation is authenticated, your licensed policy modules are unlocked and available to use.

Replicate CMS changes to client machines
Database changes on the CMS are replicated automatically to client machines. These include changes to policies and accounts, for both users and machines. The replication frequency is determined by the CMS machine policy, but you can request immediate replication. This is useful where Orchestria APM runs on networks using a slow CMS-to-clients replication interval. This is described in chapter 4, Machine administration. For details, see page 66.


Account import wizard


The Account Import wizard enables you to import user accounts into the Administration console, either from an external LDAP directory or from a tailored CSV file. The wizard is described in chapter 3, User administration. For details, see page 54.

Primary user database credentials
Orchestria APM uses a primary logon account to access the CMS database. You supply the logon credentials (user name and password) when you install the CMS or a gateway. But if you change the password (say, for security reasons), you must supply Orchestria APM with the new values. You can do this directly from the Administration console:

1 Choose Tools > Set Database Primary User Password.
Note: To continue beyond this point, your Orchestria APM user account must have the Admin: Change database credentials privilege. See page 57.
2 In the Set Database Primary User Password dialog, enter the new password.

Warning: You must change the password on your database server before setting the new password in the Administration console. See also page 337.

Set Database Primary User Password dialog

Search user database credentials
Warning: If you do not set up the search user, then reviewers will be unable to retrieve any events.

When running event searches, the Data Management console must connect to your database using its own search user account, not the account used by the Orchestria APM infrastructure. This ensures that reviewers cannot see events associated with users outside of their management groups. You create this account when you deploy the CMS; search the index for Search User database account. To change the user name or password for the search user account:

1 Choose Tools > Set Database Search User Credentials.
Note: Your Orchestria APM user account must have the Admin: Change database credentials privilege to continue beyond this point.
2 In the Set Database Search Database Credentials dialog, enter the new user name and password for the Orchestria APM database search user account.

Set Database Search User Credentials dialog


Install system definition file
To detect social security numbers using the %SSN% variable, Orchestria APM needs to refer to a specific system definition file. That is, the US Social Security High Group file. A version of this file is provided with Orchestria APM, but to ensure the data remains accurate, we recommend that you update the file regularly (for example, on a monthly basis). To do this:

1 Browse to the following Web site: http://www.socialsecurity.gov/employer/ssnvhighgroup.htm
2 Right-click on the US Social Security High Group file that you want and choose Save Target As to save the information as a .txt file on your local machine.
3 In the Administration console, choose Tools > Install System Definition File.
4 From the File Type list box, choose US Social Security High Group file.
5 Browse to where you saved the text file and click Install. The file is installed to the CMS where it can be referenced for %SSN% confirmation.

Install System File Definition dialog

Define a dynamic address list
Orchestria APM lets you define dynamic address lists. A dynamic address list is an SQL query designed to generate a list of e-mail addresses. These address lists are available to users sending e-mails from the iConsole. They are primarily used to generate lists of recipients when an administrator sends a legal hold notification.

1 In the Administration console, choose Tools > Options then go to the Address Lists tab.
2 Click the Add button to display the Address List dialog (the screenshot is on page 39):
2.1 Type a descriptive name for the new address list. This name will be listed in the iConsole when an administrator composes an e-mail (for example, a legal hold notification).
2.2 Enter the SQL query to retrieve the users you want. For query guidelines and advice on sample queries, see page 39.
2.3 You can iteratively test the SQL query to ensure that it retrieves users as intended. Click Test to test your query. Any users found by the test are appended to the Address List dialog.

Options dialog, Address Lists tab


Guidelines and sample SQL queries
When writing SQL queries for dynamic address lists, be aware that queries are case sensitive on Oracle CMSs. Also, we recommend you always use a database view to access database tables (this ensures that dynamic address lists can always be generated, even if row level security is enabled). For full guidelines, plus sample queries specifically written for Oracle CMSs that specify case-insensitive string values, see the Legal Hold guide, available from the Orchestria service desk; see page 24.

Note: Row level security (RLS) is implemented by default when you install a CMS database. RLS ensures that reviewers can only see captured events associated with users in their management groups when searching the CMS database.

Address List dialog
1 Define your database SQL query to identify the recipients for a legal hold notification (or a notification follow-up).
2 Click Test to test the query.
3 Users retrieved by the query test are appended to the dialog here.
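As an added illustration of the two guidelines above (not taken from the Legal Hold guide, and not the Orchestria database schema, whose table and column names this page does not give), the following assumes a hypothetical view APM_USER_ADDRESSES over hypothetical APM_USERS and APM_GROUPS tables. It shows a view a database administrator would create once, and an address list query that compares group names case-insensitively so it returns the same recipients on an Oracle CMS.

```sql
-- Added example; every object and column name below is hypothetical.
-- Step 1 (run once by the database administrator, not in the Address List
-- dialog): expose the user table through a view, as the guidelines recommend,
-- so the address list can still be generated when row level security is on.
CREATE VIEW APM_USER_ADDRESSES AS
  SELECT u.USER_NAME,
         u.EMAIL_ADDRESS,
         g.GROUP_NAME
    FROM APM_USERS  u
    JOIN APM_GROUPS g ON g.GROUP_ID = u.GROUP_ID;

-- Step 2 (the query entered in the Address List dialog): UPPER() on both sides
-- makes the comparison case insensitive, which matters on Oracle where
-- 'Finance' and 'finance' would otherwise not match. The NULL filter keeps
-- accounts without an e-mail address out of the legal hold recipient list.
SELECT EMAIL_ADDRESS
  FROM APM_USER_ADDRESSES
 WHERE UPPER(GROUP_NAME) IN (UPPER('Finance'), UPPER('Legal'))
   AND EMAIL_ADDRESS IS NOT NULL
 ORDER BY EMAIL_ADDRESS;
```

Click Test in the Address List dialog after pasting the second statement; any rows it returns are appended to the dialog as described above.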

When is the new address list available?


Although these changes are saved immediately on the CMS, the latest range of address lists may not be immediately available to iConsole users. Specifically, any users logged on to the iConsole at the time when you add, remove or modify an address list will need to restart their iConsole session (that is, they must log off then log back on).


3. User administration

The task of managing e-mail and Web activity for a diverse, ever-changing user base is a major challenge. You need user administration with unlimited scalability and flexibility. Orchestria APM provides a streamlined solution based on hierarchical user groups. You manage users and groups in the User Administration screen. This chapter introduces the main tasks and features associated with this screen.

You manage users and groups in the User Administration screen. This screen uses the standard tree layout, and its hierarchical structure also enables you to control your administrators by restricting their management authority to specific branches of this tree:
Users
  Management
  Directors
  Finance
  Legal
  Marketing
  Sales
    Asia
    Europe
    N America

User Administration screen: User groups are organized using the familiar tree layout. Individual users shown in the illustration include Omar Abassi, Spencer Rimmel, Frank Schaefer, Lynda Steel and Qi Xaopeng.

Groups
A user group is a collection of associated users that share a common policy (though customized policies are permitted). You can create as many groups as you need and arrange them in any way you want. For example, you can organize users into groups based on location, job, or purchasing permissions. Most importantly, user groups provide a vehicle for quickly rolling out policy changes to control Web and e-mail activity across your organization. Each group has its own customizable policy, providing you with a centralized but highly flexible method of user administration.


Managing groups
In the Administration console, you must first expand the User Administration branch. You can then perform these actions.

Note: You can also right-click any group to perform the actions.

Create new groups
Click the New Group toolbar button or choose Edit > New Group.

Rename groups
Select a group and choose Edit > Rename.

Delete groups
Select a group and click Delete. Or choose Edit > Delete. When you delete a group, any users in the group are also deleted.

Move groups
To move groups you need to enable the Allow Groups to be Moved policy setting; see page 150. You can easily rearrange groups by moving them into different parent groups. Simply drag-and-drop a group onto a new parent. Or select a group and choose Edit > Move To.

Warning: You need to be aware that moving groups can cause row level security issues and unintended changes to policy; see the following sections.

Choose the default group
Select any group and choose Edit > Set As Default. Orchestria APM adds all self-enrolled new users to this group. See the next section for details.

Edit a group policy
This is described on page 45.

Moving a group can cause unintended changes to their policy!
Although groups normally retain any customized policy settings or attributes when they are moved to a new parent group, it is possible that these will be overwritten if the corresponding settings or attributes inherited from the new parent group are already enforced. To avoid unintended policy changes, you can configure the Administration console to display a warning before you confirm a move. To do this, choose Tools > Options, then go to the User Administration tab. See page 36.

Moving a group can cause unintended row level security issues!
If a group (and therefore its users) is moved from one parent group to another, the events associated with those users are also moved. Reviewers with rights to the first group lose access to those events, but reviewers with rights to the second group gain access to those events. This means that reviewers in the second group can view events associated with users that were not in their management group at the time the event was captured. If this is likely to cause a problem, we recommend you leave the Allow Groups to be Moved policy setting at its default setting of False and move users between groups by creating new target groups and moving users as required. This reduces the row level security risk.


Special groups

Users group
This is the top-level group in the User Administration tree (see the illustration on the previous page). You cannot move or delete this group, though you can rename it. Directly or indirectly, all user groups derive their policy from the Users group. Changes to a single group policy are automatically inherited by all its child groups, and by all users in these child groups. So you need only make a policy change in one place, and Orchestria APM automatically applies this change to affected users.

Default group
Warning: When you use Orchestria APM for the first time after installation, we strongly recommend you edit the default group policy. See page 45.

You can make any group the default group. When new users add themselves to Orchestria APM (page 46), they are automatically assigned to this group. The default group is shown in bold in the User Administration screen:
Users
  New Users (default group)
  Management
  Directors
  Finance
  Legal

Default group: All self-enrolled new users are added to this group.

Note: If an administrator creates an account for a new user, they can assign the user to any existing group.

Parent and child groups
In Orchestria APM, parent and child groups provide a hierarchical system of policy inheritance:

Parent group: This is any group that contains another group. Each new group inherits the policy defined for its parent.
Child group: This is any group contained within a parent group. By default, a child group inherits its parent group policy. Of course, a child group can also be a parent if it contains other groups.

Users (Users group)
  Management
  Directors
  Finance
  Legal
  Marketing
  Sales (parent)
    Asia (child)
    Europe (child)
    N America (child)

Parent and child groups: For example, changes to the policy of the Sales group are copied automatically to all users in the Asia, Europe and N America groups.

Note: Policy inheritance, and how to enforce or override it, is discussed in chapter 6, Editing policies.

Management groups
The management group is the name given to the highest level group in any branch of the user hierarchy that an administrator is permitted to manage. If required, an administrator can have multiple management groups. In effect, management groups limit the administrator's authority to the management groups themselves, plus any groups that they contain. You can assign any existing group as a management group for a particular administrator. Assigning multiple management groups enables an administrator to manage separate branches of the user hierarchy.


Each management group represents a management branch of the user hierarchy. Within each management branch, an administrator can manage user accounts, edit policies, view captured data and so on. Any groups that lie outside this branch are hidden in the console, and cannot be managed by the administrator. In the example below, if group 3 is assigned as a management group, the administrator can only view data captured on behalf of users belonging to groups in branch B.

Management groups illustration: If a management group is 1, 2 or 3, the administrator can manage:
1 Any group in the organization.
2 Groups in branch A, incorporating branch B.
3 Groups in branch B only.

Note: You specify the management group when setting user properties. For details, see page 48.

Overriding management group constraints
Orchestria APM's inbuilt security ensures that reviewers can only ever see the events they are allowed to. That is, they cannot see events associated with users outside their management group(s). To allow administrators to bypass these security measures and search for events throughout the entire Orchestria APM enterprise, they must have the Admin: Disable management group filtering privilege. To assign administrative privileges, see page 50. For the full range of privileges, see page 57.


Group policies
Group policies are one of the most powerful features of Orchestria APM, and provide the basis for centralized highly-flexible user administration. Settings in a group policy are inherited by all users (and all subgroups) in the group. In effect, the group policy is a default policy for all users added to the group. This policy inheritance is the vehicle for fast and flexible policy rollout across your organization. By customizing key policy settings for targeted groups, you can quickly and selectively enforce preferred Web and e-mail behavior across your organization. i Policy inheritance is discussed on pages 119 to 120. Why is this necessary? The default group is effectively a holding group until you can move new users into more appropriate groups. But when you use Orchestria APM for the first time, there is only one existing group. This is the 'Users' group and so it is automatically set to be the default group. Of necessity, 'Users' hasand must have a non-restrictive policy: no settings are disabled, enforced or hidden. This means any new user who inherits this policy has complete freedom to change any setting in their policy. In other words, they could potentially define their own policy to dodge the rules in your organization governing acceptable Web and e-mail usage. But you can easily prevent this by choosing or creating a default group that does have a restrictive policy. That is, key settings in the policy for the default group are enforced, hidden or disabled. This ensures that new users adhere to the rules governing acceptable Web and e-mail usage. For details about policy settings, see page 100.

Editing a group policy

In the Administration console, select the group, then either:

- Click Edit Policy, or
- Right-click and choose Edit Policy, or
- Click the policy hyperlink in the right pane. See page 34 for details.

This opens the User Editor. This is discussed in detail in chapter 6, Editing policies.

Warning: After editing a group policy, click Save to save any policy changes. This displays a summary dialog listing all the policy items that you have modified. The summary dialog allows you to confirm, cancel or modify the changes.

Editing the default group policy

Warning: When you use Orchestria APM for the first time after installation, we strongly recommend you choose a new default group and define a restrictive policy for this group.

Analyzing group activity

Orchestria APM allows you to focus on Web and e-mail activity for specific groups. In the iConsole and Data Management console, you can quickly search for all captured e-mails, Web pages or transactions associated with a particular group. Full details are given in the iConsole user guide and Data Management console user guide, respectively.

Orchestria APM also compiles statistics for each group. For example, you can analyze spending figures for any group in your organization and display these figures in a chart in the Executive console. Full details are given in the Executive Console guide.

46

Orchestria Active Policy Management Administrator guide

Users

This section describes how to add new users, manage user accounts, edit user policies, and control what users can see and do.

New users

There are three ways to add users:

Import users from an external source

You can import user details from an external data source. This is the method typically used by customers. See Importing users on page 54.

Administrators add new users

1 In the User Administration screen, select the group you want to add the user to.
2 Click Create New User, or choose Edit > New User.
3 Enter a name and specify a role for the new account.

- Note the special requirements for administrator-created new accounts; see Implications for manually created accounts, below.
- Roles are described on page 49.

New users add themselves

After you have installed the Orchestria APM Client Integration software on a user's machine, the user can create their own Orchestria APM account. First, you must configure the CMS machine policy to automatically create accounts for unrecognized users. Then, when the user next runs their e-mail or browser application, Orchestria APM adds them automatically to the default group (see page 43). User names for the new accounts are generated automatically based on Microsoft Windows authentication (see the next section).

New users and Microsoft Windows authentication

By default, Microsoft Windows user authentication is used to automatically generate new user accounts. When the user next starts up their browser or e-mail application after the Orchestria APM Client Integration software has been installed on their machine, Orchestria APM will create an account name for them that includes their domain, for example, Unipraxis\frankschaeffer.

Implications for manually created accounts

This means that if an administrator wants to create a new account for a specific user, the administrator must enter an account name that matches the automatic name that would normally be created for the user when they start up their browser, e-mail application or the Administration console. Typically, this means the administrator must include the domain prefix in the user's account name.

If the administrator omits the domain prefix (for example, frankschaeffer), Orchestria APM will be unable to resolve the new user against the existing accounts when the user next starts up their browser, e-mail application or the Administration console. As a result, Orchestria APM will create a duplicate account name for the user that includes their domain (Unipraxis\frankschaeffer), and all captured data will be associated with this account and not the administrator-created account (frankschaeffer).


Manage user accounts

In the Administration console, browse the User Administration branch to find the user you want. You can then perform the following actions.

Note: You can also right-click any user to perform these actions.

Rename a user

Right-click a user and choose Rename. Be aware that renaming individual users can be complicated, and depends entirely on how your CMS policy handles new users. You must be especially careful if your Orchestria APM uses Microsoft Windows user authentication to automatically generate new user accounts. For a full description of user renaming, see page 333.

Move a user

Warning: Moving a user can cause unintended changes to their policy!

To move a user to a different group, right-click the user and choose Move Item. Although users normally retain any customized policy settings or attributes when they are moved to a new parent group, it is possible that these will be overwritten if the corresponding settings or attributes inherited from the new parent group are already enforced. To avoid unintended policy changes, you can configure the Administration console to display a warning before you confirm a move. To do this, choose Tools > Options, then go to the User Administration tab. See page 36.

Delete a user

Select a user and click Delete, or choose Edit > Delete. This removes the user account from the User Administration screen. The CMS database is updated to show the account is no longer active, but the account itself is not deleted from the database. This enables you to search for any deleted user accounts using the Administration Search feature (see page 93). It also allows you to recreate the user at a later date; see Recreate users, below.

Recreate users

Sometimes it is necessary to re-create a user that was previously deleted. For example, an employee may have left the company and then rejoined at a later date. When a user account is deleted, Orchestria APM marks that user as deleted, but does not remove their user account from the Orchestria APM enterprise. In practice, this means that the user is no longer visible, and no new events can be associated with them.

If a user is then created with a user name that matches a single deleted user account, Orchestria APM automatically recreates that deleted user and adds an entry to the Activity log. For this to happen, you must configure the CMS machine policy to allow user accounts to be undeleted; see page 150.

When a user is recreated, all user attributes and e-mail addresses are set to their previous values, and links to associated events are restored. All privileges, passwords and management groups are set to the default values for a new user.

Note: Users can be recreated in any of the ways described on page 46.
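The following is an added example, not Orchestria code, that models the account-resolution rules stated in the Windows authentication, Implications for manually created accounts and Recreate users sections above. It shows why an administrator-created account without the domain prefix ends up as an orphaned duplicate once the user logs on, and how a deleted account is recreated (events restored, privileges reset) when the CMS policy allows undeleting. The account names, the Unipraxis domain and the event labels are constructed sample data; case-insensitive matching of account names is an assumption the guide does not state.

```python
# Added example (not Orchestria code): a model of the account-resolution rules the
# guide describes. Names, domain and event labels are constructed sample data;
# case-insensitive name matching is an assumption, not something the guide states.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str                                      # e.g. "Unipraxis\\frankschaeffer"
    deleted: bool = False
    events: list = field(default_factory=list)     # captured data linked to this account
    addresses: list = field(default_factory=list)
    privileges: set = field(default_factory=set)   # reset on recreation, per the guide


class Directory:
    def __init__(self, allow_undelete: bool = False):
        self.accounts: list[Account] = []
        self.activity_log: list[str] = []
        # CMS machine policy setting that permits undeleting accounts (guide, page 150).
        self.allow_undelete = allow_undelete

    @staticmethod
    def windows_name(domain: str, user: str) -> str:
        """The auto-generated name form: DOMAIN\\user."""
        return f"{domain}\\{user}"

    def _matching(self, name: str, deleted: bool) -> list:
        key = name.casefold()   # assumption: Windows account names compare case-insensitively
        return [a for a in self.accounts
                if a.deleted == deleted and a.name.casefold() == key]

    def create(self, name: str) -> Account:
        """Create an account by name, as an administrator or auto-enrolment would."""
        if self._matching(name, deleted=False):
            raise ValueError(f"account {name!r} already exists")
        if self.allow_undelete:
            gone = self._matching(name, deleted=True)
            if len(gone) == 1:   # guide: exactly one matching deleted account is recreated
                acct = gone[0]
                acct.deleted = False
                acct.privileges = set()    # privileges, password, management groups reset
                self.activity_log.append(f"recreated {acct.name}")
                return acct
        acct = Account(name)
        self.accounts.append(acct)
        return acct

    def delete(self, name: str) -> None:
        """Mark as deleted; the row stays in the database so it can be searched or recreated."""
        for acct in self._matching(name, deleted=False):
            acct.deleted = True

    def resolve_on_logon(self, domain: str, user: str, auto_create: bool = True):
        """What happens when a client application starts under Windows authentication."""
        name = self.windows_name(domain, user)
        live = self._matching(name, deleted=False)
        if live:
            return live[0]
        return self.create(name) if auto_create else None


def duplicate_account_demo():
    """Administrator omits the domain prefix, then the user logs on."""
    d = Directory()
    manual = d.create("frankschaeffer")                       # no domain prefix
    auto = d.resolve_on_logon("Unipraxis", "frankschaeffer")  # no match -> duplicate account
    auto.events.append("mail-0001")                           # captured data lands here
    return manual is not auto, manual.events, auto.name


def correct_account_demo():
    """Administrator enters the full DOMAIN\\user name; the logon resolves to it."""
    d = Directory()
    manual = d.create("Unipraxis\\frankschaeffer")
    return d.resolve_on_logon("UNIPRAXIS", "frankschaeffer") is manual


def recreate_demo():
    """Delete, then create the same name: recreated with events restored, privileges reset."""
    d = Directory(allow_undelete=True)
    a = d.create("Unipraxis\\frankschaeffer")
    a.events.append("mail-0001")
    a.privileges.add("Events: Allow event searches")
    d.delete("Unipraxis\\frankschaeffer")
    b = d.create("Unipraxis\\frankschaeffer")
    return b is a, b.events, b.privileges, d.activity_log
```

The practical check this encodes: before creating an account by hand, confirm the name you type equals the DOMAIN\user form the client software will generate, otherwise captured events will never attach to the account you created.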


User policies

This section describes the basic policy tasks. For full details, refer to chapter 6, Editing policies.

Edit a user policy

In the Administration console, select the user, then either:

- Click Edit Policy, or
- Right-click and choose Edit Policy, or
- Click the policy hyperlink in the right pane. See page 35 for details.

Warning: After editing a policy, click Save to save any policy changes. This displays a summary dialog listing all the policy items that you have modified. The summary dialog allows you to confirm, cancel or modify the changes.

Edit the default user policy

By definition, a default user policy is a group policy. So to edit the default user policy, you must edit the relevant group policy.

- Policy for the default group: By default, new self-enrolled users are added to the default group and inherit its policy. Therefore, changes to this policy affect only these users. If you later move these users to a different group, they will inherit the policy for that group.

  Note: You must define a suitably restrictive policy for the default group. For details, see page 45.

- Group policies: Any group policy is a default user policy, since changes to it affect the individual policies of all users in the group. If you edit the policy of a higher-level group, the changes cascade down to each child group and to all users in these child groups. This mechanism is called parent-child inheritance. See page 119 for details.

User properties

Together, these properties define the scope of a user's administrative authority (if any). They also include a user's attributes.

Note: You can find full details about creating managers and administrators, and restricting the scope of their authority, on page 56.

Account history

Sometimes, an administrator will need to change the name or group of a user, for example, if that user gets married, or moves to a different department within the company. To view a user's name or group history:

1 Right-click a user and choose Properties.
2 In the Properties dialog, click the Details tab.
3 Click the Name History or the Group History button to display the date and details of any name or group changes for the current user.

Passwords

You need to supply a password to run some Orchestria APM utilities and the consoles. As a security precaution to prevent unauthorized access to data on the CMS, you cannot set blank passwords.

Change your own password

In the Administration console or Data Management console, choose File > Change Password.

Change the password for another user

1 In the Administration console, expand the User Administration branch.
2 Select the user and click Properties, or choose Edit > Properties.
3 In the Properties dialog, go to the Details tab and click Set Password.
4 There will be a short delay before the user can log in using the new password. This is because the new password must first be replicated to the user's console machine.


Roles

Each user in Orchestria APM is assigned a role, for example, Administrator, Manager, or User. Roles determine the default privileges assigned to a user.

Define the privileges assigned to a role

You can only change the privileges assigned to a role if you have been granted the Admin: Edit user roles privilege. In the Administration console:

1 Choose Tools > Options and select the User Roles tab. This shows the available roles for your organization and all the available privileges.
2 Select the role you want to edit.
3 In the privilege list, select a check box to assign a privilege to the current role; clear the check box to revoke the privilege.

Note the following:

- If you change the default set of privileges assigned to a role, Orchestria APM automatically updates the privileges of all users with that role assigned. For example, if you add a privilege to the Manager role, all users with the Manager role are automatically granted the new privilege.
- If future versions of Orchestria APM introduce new privileges to a default role, these will be granted automatically to all users with that role when you run the upgrade.

Assign a role to a user

1 In the Administration console, right-click a user and choose Properties.
2 In the Properties dialog, go to the Details tab and click Change Role to display the Select Role dialog.
3 From the Select a new role list, choose the role you want. For details, see page 59.

Note the following:

- You can rename a role using the User Roles tab in the Options dialog.
- After assigning a role to a user, if you then change the privileges granted to that user, Orchestria APM changes the user's role to Custom. For example, if you grant a Manager the complete set of privileges, that user's role changes from Manager to Custom because their privileges no longer match those associated with the Manager role.

[Figure: User Properties, Details tab. 1 Set Password: click to change the password for another user. 2 Name History: click to display the current user's name history. 3 Change Role: click to change the role for the current user. 4 Group History: click to display the current user's group history.]

Management groups

These define which branches of the user hierarchy an administrator is permitted to manage; see page 56.

Note: You cannot set or change the management group of a user who has the 'Admin: Disable management group filtering' privilege.

Assign management groups

1 Right-click a user and choose Properties.
2 In the Properties dialog, click the Details tab.
3 Click the Browse button and choose the group(s) you want to add as management groups.

Note: A management group only takes effect if the user has the administrative privileges Users: View the user hierarchy or Users: Edit the user hierarchy.

Create a new role

You can create as many roles as you like and assign default privileges to them. In the Administration console:

1 Choose Tools > Options and select the User Roles tab. This shows the available roles for your organization and all the available privileges.
2 Select a role to base the new role on and click New to display the Create new role dialog.
3 Type a new name for the role you are creating.
4 If necessary, you can change the role to base the new role on using the Copy from existing role list.

Note: You can create as many roles as required, but once created, roles cannot be deleted.

[Figure: Creating a new user role. 1 New role name: type a name for the role you are creating. 2 Copy from existing role: select a suitable role from this list to base the new role on. 3 New: click to create a new role based on the one currently selected.]

Administrative privileges

Users are granted a default set of privileges based on their role (see above). After assigning a role to a user, if you then change the privileges granted to that user, Orchestria APM changes the user's role to Custom, because their privileges no longer match those associated with the assigned role.

Assign administrative privileges

1 Right-click a user and choose Properties.
2 In the Properties dialog, click the Privileges tab.
3 Select the required privileges; see page 57.

In the User Properties dialog, Privileges tab, some privileges may be grayed out because:

- You do not have these privileges yourself. You cannot grant privileges to other users unless you have the privilege yourself.
- You are viewing your own privileges. You cannot change your own privileges.
- You are reviewing the primary administrator's privileges. The primary administrator has full administrative privileges, and it is not possible to withdraw a privilege from this account (see page 56).

Note: The role associated with the primary administrator is Custom, as the privileges do not match those associated with any default role.
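The following is an added example, not Orchestria code, that models the role and privilege rules stated in the Roles and Administrative privileges sections above: a user keeps a named role only while their privileges equal that role's defaults and otherwise becomes Custom; editing a role's defaults re-applies them to every user still on that role; you cannot grant a privilege you do not hold, change your own privileges, or withdraw anything from the primary administrator. The privilege names are taken from this guide; the default privilege set assigned to each role, and the user names, are constructed sample data, not the product's actual defaults.

```python
# Added example (not Orchestria code): a model of the role and privilege rules on
# this page. Privilege names are the guide's; the per-role default sets and the
# user names are constructed sample data, not the product's defaults.
PRIMARY_ADMIN = "primary"   # the Primary Administrator account created at CMS install
ALL_PRIVILEGES = {
    "Events: Allow event searches",
    "Users: View the user hierarchy",
    "Users: Edit the user hierarchy",
    "Admin: Allow administration searches",
    "Admin: Edit user roles",
    "Admin: Disable management group filtering",
    "Admin: Allow unrestricted SQL searches",
}


class Enterprise:
    def __init__(self):
        # role name -> default privilege set (constructed sample)
        self.role_defaults = {
            "User": set(),
            "Manager": {"Events: Allow event searches", "Users: View the user hierarchy"},
            "Administrator": ALL_PRIVILEGES - {"Admin: Allow unrestricted SQL searches"},
        }
        # user name -> {"role": str, "privileges": set}; primary admin holds everything
        self.users = {PRIMARY_ADMIN: {"role": "Custom", "privileges": set(ALL_PRIVILEGES)}}

    def effective_role(self, privileges: set) -> str:
        """A user keeps a named role only while their privileges equal its defaults."""
        for role, defaults in self.role_defaults.items():
            if privileges == defaults:
                return role
        return "Custom"

    def add_user(self, name: str, role: str) -> None:
        self.users[name] = {"role": role, "privileges": set(self.role_defaults[role])}

    def _check_can_edit(self, actor: str, target: str, privilege: str) -> None:
        if actor == target:
            raise PermissionError("you cannot change your own privileges")
        if target == PRIMARY_ADMIN:
            raise PermissionError("the primary administrator's privileges cannot be changed")
        if privilege not in self.users[actor]["privileges"]:
            raise PermissionError(f"{actor} does not hold {privilege!r} and cannot grant it")

    def grant(self, actor: str, target: str, privilege: str) -> str:
        """Grant one privilege; returns the target's role afterwards (may become Custom)."""
        self._check_can_edit(actor, target, privilege)
        user = self.users[target]
        user["privileges"].add(privilege)
        user["role"] = self.effective_role(user["privileges"])
        return user["role"]

    def revoke(self, actor: str, target: str, privilege: str) -> str:
        self._check_can_edit(actor, target, privilege)
        user = self.users[target]
        user["privileges"].discard(privilege)
        user["role"] = self.effective_role(user["privileges"])
        return user["role"]

    def set_role_defaults(self, actor: str, role: str, privileges: set) -> list:
        """Edit a role's defaults (needs Admin: Edit user roles). Every user still on that
        role receives the new set; users already marked Custom are left alone."""
        if "Admin: Edit user roles" not in self.users[actor]["privileges"]:
            raise PermissionError("Admin: Edit user roles is required")
        self.role_defaults[role] = set(privileges)
        updated = []
        for name, user in self.users.items():
            if user["role"] == role:
                user["privileges"] = set(privileges)
                updated.append(name)
        return updated

    def create_role(self, name: str, copy_from: str) -> None:
        """New roles start as a copy of an existing one; the guide says roles cannot be deleted."""
        self.role_defaults[name] = set(self.role_defaults[copy_from])


def demo():
    e = Enterprise()
    e.add_user("alice", "Administrator")
    e.add_user("bob", "Manager")
    e.add_user("carol", "Manager")
    after_grant = e.grant("alice", "bob", "Users: Edit the user hierarchy")   # bob -> Custom
    e.set_role_defaults("alice", "Manager",
                        e.role_defaults["Manager"] | {"Admin: Allow administration searches"})
    return (after_grant,
            sorted(e.users["carol"]["privileges"]),   # still Manager: gets the new default
            sorted(e.users["bob"]["privileges"]))     # Custom: untouched by the role edit
```

The point worth noticing is the last two return values: once a user is Custom, later changes to the role they started from no longer reach them, so per-user privilege edits silently detach that user from role-based administration.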


E-mail addresses

Warning: It is critical that user e-mail addresses are kept up to date. This is because key Orchestria APM features (Event Import, policy engines and User Attribute lookup) rely on e-mail address mapping to associate e-mails with specific Orchestria APM users. For details on synchronizing user e-mail addresses in the CMS database with addresses in an external source (for example, Active Directory), see the Deployment guide; search the index for Account Import.

You can associate multiple e-mail addresses with a single Orchestria APM user. The Addresses tab of the User Properties dialog enables you to add or modify e-mail addresses for the current user. It is important to keep these addresses up to date, as many Orchestria APM features reference them.

Update user e-mail addresses

1 Right-click a user and choose Properties.
2 In the Properties dialog, click the Addresses tab.
3 Use the Add, Remove and Modify buttons to update the address list for the current user.

Customized user attributes

Orchestria APM lets you define custom attributes. For example, you can create an Employee ID attribute and assign a unique ID to each user in your organization.

Create user attributes for your organization

To do this, you rename the default attributes.

1 In the Administration console, choose Tools > Options and select the User Attributes tab.
2 Select an attribute and click Modify.
3 Enter its new name, for example, Employee ID. This name is added to the Attributes tab of the User Properties dialog.

Assign attribute values to individual users

To do this, you must edit the user's properties.

1 Right-click a user and choose Properties.
2 Select the Attributes tab.
3 Select the attribute whose value you want to change (for example, Employee ID), then click Modify.
4 In the Modify Value dialog, type the new attribute value (for example, 131206).

[Figure: Assigning customized user attributes. 1 Options dialog, User Attributes tab: this is where you name the attribute. 2 Example customized attribute. 3 User Properties dialog, Attributes tab: this is where you assign attribute values to the user.]


Exporting the user hierarchy

You can export any branch of the user hierarchy to a specified file type. You can do this using the Administration console, or from a command line. For full details, see the online help.

Export via the Administration console

1 In the Administration console, expand the User Administration branch.
2 Right-click a group and choose Export Hierarchy to File.
3 In the resulting Export Hierarchy to File dialog, specify:

- File name and location: You do not need to provide a filename extension; this is set automatically.
- File format: Choose from the following:
  Command File exports to a file compatible with Account Import.
  XML Data File exports to an XML file that can be edited and re-imported using Account Import. For details, see page 53.
  Spreadsheet Data File exports to a file that can be opened in applications such as Microsoft Excel.
  Note: To preserve non-ASCII names (such as names with Japanese characters) in the exported file, select the Unicode check box.
- User details: Choose which user details you want to export. You can export user roles, management groups, attributes and e-mail addresses.
  Note: You cannot export e-mail address details if you choose to export to a Spreadsheet Data File.

Export from a command line

You can only run a command line export on the CMS.

Command line syntax

The command line syntax for exporting user details to a specified file type is:

wgninfra -exec wigan/infrastruct/directory/DirectoryExport Users> <filename> <parameters>

Where:

<filename> defines a name for the destination file.
<parameters> defines the export parameters. Available parameters and parameter rules are described in the next section.


Export parameters

Note: You must enclose the entire parameter value in "double quotes" if that value contains a space.

Use these parameters to:

-g Export group names, with groups organized hierarchically in the exported file.
-u Export user names.
-a Export the attributes assigned to each user. These correspond to the attributes listed in the User Properties dialog.
-r Export the role assigned to each user.
-m Export the management group assigned to each user.
-e Export the e-mail addresses assigned to each user.
-p Specifies that the full group path is preserved in the exported file.
-n Writes the export file using Unicode character sets. Any non-ASCII names (such as names with Japanese characters) are then preserved in the exported file.
-b Defines the base group path. That is, the starting point for the export process.
-s Specifies Spreadsheet Data File as the destination file type. This can be opened in applications such as Microsoft Excel.
-x Specifies XML Data File as the destination file type. This XML file can be edited and re-imported using Account Import. For details, see page 53.

Note: If you do not specify the -s or -x parameter, Orchestria APM exports the data to a command file. This file is compatible with Account Import.

Exporting to XML format

Exporting to an XML file allows you to:

- Create an accessible backup of your user hierarchy. You can roll back your user hierarchy by re-importing the hierarchy backup file using Account Import.
- Make changes to the user hierarchy quickly and efficiently using an XML editor. The updated user hierarchy can then simply be re-imported using Account Import.

Note: For details on importing users, see page 54.

Export issues

When you export a user hierarchy, you need to be aware of the following issues.

Re-importing exported hierarchies

If you export to a file compatible with Account Import, we recommend that you do not re-import the exported hierarchy back onto your working CMS. This is because each line in the exported file is a command (for example, newutility, newuser or newgroup) to add data to the database, and that data already exists. If you re-import an exported hierarchy back onto your working CMS, such commands are logged as warnings.

Spreadsheet column layout

When you export the user hierarchy (or a branch of the hierarchy) to a spreadsheet, there are no column headings. For details about what information appears in each column, see the Administration console online help: search the index for columns.

Warning: This format will fail to export the hierarchy if users have over 10 attributes defined. We recommend instead that you export to an XML Data File.
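The following is an added example, not Orchestria code, that assembles a DirectoryExport command line from the parameters listed above and applies the constraints this page states before anything runs on the CMS: e-mail addresses cannot go to a Spreadsheet Data File, spreadsheet export fails with more than 10 user attributes, and any value containing a space must be double-quoted. The leading tokens of the command are copied as printed in the syntax line above and should be checked against the online help on your CMS; that only -b takes a value, and the attribute count passed by the caller, are assumptions of this example.

```python
# Added example (not Orchestria code): build the DirectoryExport argument list from
# this page's parameters and reject combinations the guide says will fail.
# EXPORT_PREFIX copies the syntax line as printed on this page; verify it on your CMS.
# Assumption: -b is the only parameter that takes a value.
import subprocess

EXPORT_PREFIX = ["wgninfra", "-exec", "wigan/infrastruct/directory/DirectoryExport", "Users>"]
FORMAT_FLAGS = {"command": [], "xml": ["-x"], "spreadsheet": ["-s"]}
DETAIL_FLAGS = {"groups": "-g", "users": "-u", "attributes": "-a", "roles": "-r",
                "management_groups": "-m", "addresses": "-e", "full_path": "-p"}


def build_export_args(filename, fmt="command", base_group=None, details=(),
                      unicode=False, attribute_count=0):
    """Return the argument list for one export, or raise ValueError when the
    guide says that combination will fail. attribute_count is how many user
    attributes are defined on the CMS (supplied by the caller)."""
    if fmt not in FORMAT_FLAGS:
        raise ValueError(f"unknown format {fmt!r}; choose command, xml or spreadsheet")
    unknown = set(details) - DETAIL_FLAGS.keys()
    if unknown:
        raise ValueError(f"unknown detail(s): {sorted(unknown)}")
    if fmt == "spreadsheet":
        if "addresses" in details:
            raise ValueError("e-mail addresses cannot be exported to a Spreadsheet Data File")
        if attribute_count > 10:
            raise ValueError("spreadsheet export fails with more than 10 user attributes; use xml")
    args = EXPORT_PREFIX + [filename]
    if base_group is not None:
        args += ["-b", base_group]           # the starting point of the export
    for detail, flag in DETAIL_FLAGS.items():
        if detail in details:
            args.append(flag)
    args += FORMAT_FLAGS[fmt]                # no -s/-x means a command file
    if unicode:
        args.append("-n")                    # preserve non-ASCII names
    return args


def quote_for_shell(args):
    """Render the list as one command line, double-quoting any value that contains a space,
    as the parameter rule on this page requires."""
    return " ".join(f'"{a}"' if " " in a else a for a in args)


def run_export(args):
    """Run on the CMS only. subprocess receives the list directly, so no quoting is needed."""
    return subprocess.run(args, check=True)


if __name__ == "__main__":
    argv = build_export_args("sales-backup", fmt="xml", base_group="Users\\Sales Team",
                             details=("groups", "users", "attributes", "roles",
                                      "management_groups", "addresses"), unicode=True)
    print(quote_for_shell(argv))   # paste into a command prompt on the CMS, or run_export(argv)
```

For a hierarchy backup that you intend to re-import, use fmt="xml" rather than the default command file, for the reason given under Re-importing exported hierarchies above.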


Importing users

To simplify mass deployments, you can use the Account Import feature to import user details into Orchestria APM from an external Lightweight Directory Access Protocol (LDAP) directory or a source file. Account Import can:

- Import new users and groups into the existing Orchestria APM user hierarchy.
- Reorganize existing Orchestria APM users to synchronize them with an external user hierarchy, for example, an LDAP directory structure.
- Create new Orchestria APM accounts for unknown users. These are imported users who have no corresponding account in Orchestria APM.
- Add a domain as a prefix to all imported user account names, such as UNIPRAXIS\frankschaeffer.
- Update Orchestria APM user accounts with imported attributes such as e-mail addresses and employee IDs.

Note: For full details about user import operations, please refer to the Deployment guide; search the index for user import operations.

Import methods

You can import user details by running:

- Account Import wizard: This is the simplest method of importing user details. The wizard can import data from any supported source; see Import sources, below. Launch the wizard from the Administration console.
- Command line import operations: These enable you to schedule regular import operations, for example, to ensure that your LDAP directory and Orchestria APM user hierarchy stay synchronized. From a command line, you can import data from any supported source; see the next section.

Import sources

Account Import can import user information directly from an LDAP directory, data file or command file:

LDAP directory: The Lightweight Directory Access Protocol (LDAP) enables directory services to manage directory objects. Objects and attributes in an LDAP directory are exposed to any other application that uses the LDAP protocol. Orchestria APM can import user details from the following LDAP directories:

- Microsoft Active Directory
- Novell eDirectory (NDS)
- Netscape/Sun ONE Directory Server
- Domino Server

Data files: These are structured files of user data, in XML or spreadsheet-compatible format. Data files contain encoded versions of an external user hierarchy and include the user details necessary for Orchestria APM to create, or re-create, this external hierarchy on the CMS.

Command files: These are import configuration files containing Orchestria APM user and machine import commands (for example, create new user or set user attribute). Typically, you use import command files to make specific changes to your existing Orchestria APM user hierarchy.

Synchronizing e-mail addresses

Warning: It is essential that your e-mail addresses on the CMS remain synchronized with, for example, Active Directory. However, be aware that non-matching e-mail addresses may be deleted during synchronization.

One of the most important uses for Account Import is to synchronize users' e-mail addresses in the CMS database with addresses in an external source, typically an LDAP directory such as Active Directory. Such synchronization is essential for Orchestria APM features that rely on e-mail address mapping (that is, policy engines, user attribute data lookup and Event Import). During synchronization, any addresses in the CMS database that are not present in the LDAP database are deleted from the CMS. That is, if you have manually added an e-mail address to a user in the CMS database, or if an e-mail address has been removed from the LDAP source since the last synchronization, it will be deleted.


Controlling what users can see and do

Ordinary users

As an administrator, you can restrict the Orchestria APM features available to other users in the Administration console and in their browser and e-mail application. For example, if you prefer a low-profile management style, Orchestria APM can run silently on a user's machine with no on-screen evidence of its presence.

In their browser

If you install the Orchestria APM browser integration software on a client machine, you can configure a user's policy to display an acceptable usage message when the user starts up their browser and a set of Orchestria APM capture lights in the browser taskbar. The purpose of the acceptable usage message is to remind the user that their Web activity may be monitored; you can configure both the content of the message and how often it is shown.

In the browser, the taskbar capture lights come on to indicate when page captures are in progress. They also give users access to other Orchestria APM features. For example, these capture lights allow users to manually capture pages or transactions. But you can prevent these capture lights from displaying, so that users are unaware when Orchestria APM is monitoring their Web activity.

[Figure: Orchestria APM capture lights. 1 Capture in progress. 2 Transaction detected. 3 XML detected.]

To configure the warning message and hide the taskbar capture lights, you must edit the Extensions settings in the user's policy.

In their e-mail application

If you install the Orchestria APM e-mail integration software on a client machine, you can configure a user's policy to display an acceptable usage message when the user starts up their e-mail application and a capture button in the toolbar of their e-mail message windows. The purpose of the acceptable usage message is to remind users that their e-mails may be monitored; you define both the content of the message and how often it is shown. The capture button enables users to manually capture e-mails, but you can remove this button from the toolbar so that users are unaware that Orchestria APM is monitoring their e-mails. To configure the warning message and hide the Capture button, you must edit the Extensions settings in the user's policy.


Managers and administrators


You can promote ordinary users into administrators or managers by granting them administrative privileges. You can limit the scope of their administrative authority by withholding specific privileges and controlling which groups they can manage. You can also control their personal Web and e-mail activity, just as you can for ordinary users.

Note: Orchestria APM creates a primary administrator when installing the CMS; see Primary administrator, below.

To prevent administrators and managers from editing their own policies and reversing these settings, you must enforce the relevant settings in their parent policy, and ensure that the parent policy falls outside the scope of their management groups. For details about enforcing policy settings, see page 117.

Controlling which groups they can manage


A management group represents the top level user group that an administrator is permitted to manage. It limits an administrator's authority to the management group itself, plus any groups that it contains. Specifically, the administrator is permitted to manage user accounts, edit group and user policies, and manage captured data associated with these groups. Groups that lie outside the management group are hidden from the administrator in the console. This lets you restrict the administrative authority of junior administrators or managers to specific groups of users.

Note: For further details about management groups, see page 43. Instructions for assigning management groups are on page 49.
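The following is an added example, not Orchestria code, that models the management-group scoping described above and at the start of this chapter: an administrator sees, and can search events for, only the management group and the groups beneath it; the Admin: Disable management group filtering privilege bypasses that filter entirely; a management group has no effect unless the user also holds Users: View the user hierarchy or Users: Edit the user hierarchy; and a management group cannot be set on a user who holds the bypass privilege. The group tree, the user-to-group mapping and the events are constructed sample data; the privilege names are the guide's.

```python
# Added example (not Orchestria code): a model of management-group scoping as this
# chapter describes it. Group tree, users and events are constructed sample data;
# the privilege names are the guide's.
BYPASS = "Admin: Disable management group filtering"
HIERARCHY_PRIVS = {"Users: View the user hierarchy", "Users: Edit the user hierarchy"}

# child group -> parent group; "Users" is the root.
PARENT = {"Users": None, "Sales": "Users", "Sales EMEA": "Sales",
          "Sales APAC": "Sales", "Finance": "Users"}
USER_GROUP = {"fschaeffer": "Sales EMEA", "jlee": "Sales APAC",
              "mrossi": "Finance", "hwong": "Users"}
# (event id, owning account): the filter only needs the owner of each event.
EVENTS = [("e1", "fschaeffer"), ("e2", "jlee"), ("e3", "mrossi"), ("e4", "hwong")]


def ancestry(group):
    """The group itself, then each parent up to the root."""
    while group is not None:
        yield group
        group = PARENT[group]


def in_scope(group, management_groups):
    """True when group is one of the management groups or lies beneath one of them."""
    return any(g in management_groups for g in ancestry(group))


def visible_groups(admin):
    """Groups shown to this administrator in the console."""
    if BYPASS in admin["privileges"]:
        return set(PARENT)
    if not (admin["privileges"] & HIERARCHY_PRIVS):
        return set()   # a management group has no effect without a hierarchy privilege
    return {g for g in PARENT if in_scope(g, admin["management_groups"])}


def filter_events(admin, events=EVENTS):
    """Event ids this reviewer may see: only events of users inside their management
    groups, unless they hold the bypass privilege."""
    if BYPASS in admin["privileges"]:
        return [eid for eid, _ in events]
    return [eid for eid, owner in events
            if in_scope(USER_GROUP[owner], admin["management_groups"])]


def assign_management_groups(admin, groups):
    """Guide: you cannot set a management group on a user who holds the bypass privilege."""
    if BYPASS in admin["privileges"]:
        raise ValueError("management groups cannot be set for a user with " + BYPASS)
    unknown = set(groups) - set(PARENT)
    if unknown:
        raise ValueError(f"unknown group(s): {sorted(unknown)}")
    admin["management_groups"] = set(groups)


def demo():
    sales_manager = {"privileges": {"Users: View the user hierarchy"}, "management_groups": set()}
    assign_management_groups(sales_manager, {"Sales"})
    full_admin = {"privileges": {BYPASS}, "management_groups": set()}
    return (sorted(visible_groups(sales_manager)),   # Sales and its children only
            filter_events(sales_manager),             # e1, e2: Finance and root users hidden
            filter_events(full_admin))                # everything
```

Two things the model makes visible: a management group placed at the root ("Users") gives a reviewer every event, so scope should be set at the lowest group that still covers the people they are responsible for; and the bypass privilege removes the filter on events as well as on the hierarchy view, which is why the guide recommends granting it only when absolutely necessary.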

Primary administrator
Orchestria APM creates a Primary Administrator account when you install a CMS. The primary administrator has full administrative privileges and full management group coverage. Furthermore, the administrative privileges and management groups assigned to the primary administrator can never be changed. This means it is not possible to withdraw a privilege from this account, or to assign a management group that excludes some groups or users.

Note: You must use this account to configure Orchestria APM after deployment. For further details, see the Deployment guide.

Controlling Web and e-mail activity


As with ordinary users, you can conceal the presence of Orchestria APM when an administrator or manager opens their browser or e-mail application. To do this, you simply edit the Extensions settings in their user policy, as described in the previous sections. This prevents the acceptable usage message and the capture lights (see page 55) from displaying. You may want to do this if, for example, your organization has universal guidelines governing personal Web and e-mail usage, applicable equally to all staff in your organization.


Administrative privileges

For individual administrators and managers, you can assign administrative privileges. These control which features are available to users in the iConsole, Administration console and Data Management console. For example, you can grant or withhold privileges to edit the user hierarchy. Choose from:

Admin: Allow administration searches: Allows a user to search for user, group or machine accounts in the Administration console.

Admin: Allow unrestricted SQL searches: Allows a user to edit the raw SQL search expression generated in the SQL tab when they define a search. Without this privilege, users can view but cannot edit the SQL tab.

Warning: Only the primary administrator is granted this privilege by default. Because this privilege permits users to write unrestricted SQL queries, we strongly recommend that it is granted to other users only when absolutely necessary.

Admin: Assign Undefined Privileges: Allows a user to acquire any new privilege added to Orchestria APM after an upgrade.

Warning: Only the primary administrator and users with the administrator role are granted this privilege by default. Because this privilege assigns potentially unknown privileges, we strongly recommend that it is granted to other users only when absolutely necessary.

Admin: Change database credentials: Allows a user to reset the credentials for the database accounts (primary user and search user) that Orchestria APM uses to access the CMS database. For details, see the Database guide; search the index for primary user and schema owner.

Note: This privilege is not connected to the Users: Reset user passwords privilege.

Admin: Disable management group filtering: Allows a user to bypass inbuilt security measures and search for events outside of their management group.

Warning: Only users with the administrator role are granted this privilege by default. Because this privilege permits users to bypass security measures, we strongly recommend that it is granted to users only when absolutely necessary.

Admin: Edit customizable console text: Allows a user to define audit status descriptions and customized user attributes.

Admin: Edit user roles: Allows a user to edit the default set of administrative privileges assigned to each role.

Admin: Install license file: Allows a user to install a license file on the CMS. The license file determines which policy modules are available in your Orchestria APM installation.

Admin: Install System Definition Files: Allows a user to install a System Definition file on the CMS.

Note: In the current version of Orchestria APM, you can only install a definition file for social security numbers. That is, the US Social Security High Group File.

Admin: Manage iConsole: Allows a user to access the Manage Searches section in the iConsole, and install and publish search definition files.

Note: This privilege was previously known as Admin: Manage iConsole searches.

Admin: Use single sign-on: Allows a user to log on with Single Sign-on (see page 67), even if the CMS machine policy setting Allow single sign-on? is set to False.

Agents: Edit content agents: Allows a user to create and edit content agents. If a user has neither this privilege nor View content agents (see below), the Content Agents branch is hidden from the user in the Administration console.

Note: This privilege does not affect a user's ability to configure Content Agent triggers.

58

Orchestria Active Policy Management Administrator guide

Agents: View content agents: Allows a user to view content agent details. i This privilege does not affect a users ability to
configure content agent triggers.

Events: Allow download in original message format: Allows a user to download an e-mail event in its original message format (MSG). Events: Allow event import: Allows a user to run the Event Import utility. For details, see page 204. Events: Allow event searches: Allows a user to search for captured Web, e-mail and application data in the iConsole and Data Management console. Events: Allow export: Allows a user to export search results to a self-contained Web site, a Microsoft Personal Folder (PST file), or a Notes Database (NSF file). Events: Allow searches of unlimited size: Allows an iConsole reviewer to run unlimited event searches. That is, the iConsole will return all events that match the search criteria, disregarding any result limits defined in the registry. i For this privilege to take effect, the iConsole
must be configured for unlimited searches. For details, see the Deployment guide; search the index for iConsole: search results, configuring.

Audit: Allow auditing without viewing the event: Allows a user to change the audit status of and event without needing to view it. This also makes it possible to change the audit status of multiple events in a single operation. Audit: Always suppress automatic auditing: Allows a user to view events without adding a Viewed Event entry to the audit trail. Other audit activities, such as changing an event status or forwarding a copy of the event via e-mail will create an audit entry. Audit: Always suppress automatic export logging: Allows a user to export events (to either a self-contained Web site, or a Microsoft Personal Folder) without adding a Exported Event entry to the audit trail. Audit: Choose to suppress automatic auditing: Allows a user to choose whether to view events without adding a Viewed Event entry to the audit trail. See page 308 for details. i For full access to auditing features in the Audit tab, the user also needs the Audit: Update audit trail privilegesee below.

Events: Change expiry dates: Allows a reviewer to edit the expiry date and 'do not delete' flag for an event. Events: Control quarantined events: Allows a reviewer to either release or reject an e-mail from quarantine. Events: View captured data: Allows a user to view captured data associated with any user in any of their management groups. This privilege also allows users to use the Content Indexer utility (a necessary task before using content agents or running content searches). Events: View expiry dates: Allows a user to view the expiry date and 'do not delete' flag for an event. Machines: Edit the machine hierarchy: Allows a user to access the Machine Administration screen and manage accounts for any Orchestria APM machine. This privilege also permits users to suspend and resume machines. Machines: View log files: Allows a user to access the Log Files screen.

Audit: Update audit trail: Allows a user to update the audit trail for an individual event. Audit: View audit trail: Allows a user to view, but not update, the audit trail for an individual event. Events: Allow bulk session management: Allows a user to access multiple user accounts. i This privilege must be granted to the user
account the policy engine hub uses to log on to the CMS.

Events: Allow content searches: Allows a user to search for captured events based on their text content. Content searches are available in the iConsole and Data Management console.

Chapter 3 User administration

59

Machines: View the machine hierarchy: Allows a user to access the Machine Administration screen and view accounts for any Orchestria APM machine. Policies: Edit policy: Allows a user to view and edit any machine policy and any user policy that falls within any of their management groups. Policies: Edit the CMS policy: Allows a user to edit the machine policy for the CMS. If you clear this check box, access to the CMS policy is denied but users can still edit other machine policies. Policies: Replicate changes to clients: Allows a user to replicate any policy changes down to client machines immediately. If a user does not have this privilege, any changes they make will replicate automatically at intervals defined in the CMS policy. Policies: View policy: Allows a user to view any machine policy and any user policy that falls within any of their management groups. Stats: Access statistics: Allows a user to view statistics in the Executive console. Stats: Administer statistics: Allows a user to access the Statistics screen of the Administration console. Stats: Disable statistics: Allows a user to disable individual statistics in the Statistics screen of the Administration console. Users: Edit the user hierarchy: Allows a user to access the User Administration screen and manage accounts for any user in their management groups. Users: Reset user passwords: Allows a user to set a new Orchestria APM password for another user without knowing their existing password. i This privilege does not apply to database logon
passwords. These are governed by the Change database credentials privilege.

Roles
Roles provide a quick method of assigning administrative privileges. Each Orchestria APM user is assigned a role, which in turn defines a default set of privileges. To assign roles to users, see page 49. After assigning a role, you can still grant any combination of privileges to an individual user. If you do change the privileges granted to a user, Orchestria APM changes that users role to Custom. For example, if you grant a Manager the complete set of privileges, that users role changes from Manager to Custom because their privileges no longer match those associated with the Manager role.

Default roles
These roles are provided by default. You can choose from:

Administrator: These administer Orchestria APM. By default, these have the full range of privileges. i If future versions of Orchestria APM introduce
new privileges, these will be granted automatically to all users with an Administrator role when you run the upgrade.

Manager: These manage your organization. Their privileges focus on searching for captured data. Policy administrator: These are permitted to view and edit policies, but not to manage user or machine accounts or search for captured data. Reviewer: These have the same privileges as Managers but can also view and edit the audit status of captured events. User: These are ordinary Orchestria APM users with no administrative privileges. UserRole1 and UserRole2: These are existing custom roles (see below) that you can customize to suit the needs of your organization.

i If you change the default privileges assigned to


a role, Orchestria APM automatically updates the privileges of all users who have that role.

Users: View the user hierarchy: Allows a user to access the User Administration screen and view accounts for any user in their management groups.

i Instructions for assigning administrative privileges are on page 50. Also, roles provide a shortcut method
for assigning privilegessee below.

Custom roles
You can create custom roles and assign default privileges to them. For details, see page 50.
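The role semantics described above (a role supplies a default privilege set; an individual grant or revoke turns the user's role into Custom; editing a role's defaults updates every user still on that role; Admin: Assign Undefined Privileges picks up privileges introduced by an upgrade), as an added worked model. This is example code written for this page, not Orchestria code: only the role names and privilege strings come from the guide, while the Directory class, its method names and the privilege set given to each role are assumptions. The review_sensitive check is the least-privilege review a practitioner would run against the warnings in the privilege list.

```python
"""Constructed model of Orchestria APM-style roles and administrative privileges.

Added example for this section of the guide; it is not product code. The
privilege and role names are taken from the guide, but the Directory class,
its methods and the privilege set given to each role are assumptions made
for illustration (only "Administrator has everything" is stated by the guide).
"""

KNOWN_PRIVILEGES = {
    "Admin: Allow unrestricted SQL searches",
    "Admin: Assign Undefined Privileges",
    "Admin: Disable management group filtering",
    "Audit: Update audit trail",
    "Events: Allow event searches",
    "Events: Allow export",
    "Events: View captured data",
    "Policies: Edit policy",
    "Policies: View policy",
    "Users: Edit the user hierarchy",
}

# Privileges the guide says to grant "only when absolutely necessary".
SENSITIVE = {
    "Admin: Allow unrestricted SQL searches",
    "Admin: Assign Undefined Privileges",
    "Admin: Disable management group filtering",
}

ASSIGN_UNDEFINED = "Admin: Assign Undefined Privileges"


class Directory:
    def __init__(self):
        # Default privilege set per role (assumed for illustration).
        self.roles = {
            "Administrator": set(KNOWN_PRIVILEGES),
            "Manager": {"Events: Allow event searches", "Events: View captured data"},
            "Reviewer": {"Events: Allow event searches", "Events: View captured data",
                         "Audit: Update audit trail"},
            "Policy administrator": {"Policies: View policy", "Policies: Edit policy"},
            "User": set(),
        }
        self.users = {}  # name -> {"role": str, "privileges": set}

    def add_user(self, name, role):
        self.users[name] = {"role": role, "privileges": set(self.roles[role])}

    def _adjust(self, name, privilege, add):
        if privilege not in KNOWN_PRIVILEGES:
            raise KeyError("unknown privilege: " + privilege)
        user = self.users[name]
        if add:
            user["privileges"].add(privilege)
        else:
            user["privileges"].discard(privilege)
        # Any individual change that leaves the set different from the role's
        # defaults turns the user's role into Custom. A Custom user stays Custom.
        if user["privileges"] != self.roles.get(user["role"]):
            user["role"] = "Custom"

    def grant(self, name, privilege):
        self._adjust(name, privilege, True)

    def revoke(self, name, privilege):
        self._adjust(name, privilege, False)

    def edit_role(self, role, privileges):
        """Changing a role's defaults updates every user still on that role.
        Custom users keep their individually assigned set."""
        self.roles[role] = set(privileges)
        for user in self.users.values():
            if user["role"] == role:
                user["privileges"] = set(privileges)

    def upgrade(self, new_privileges):
        """Model of an upgrade that introduces privileges: the Administrator role
        gains them, and any user holding Assign Undefined Privileges acquires them."""
        KNOWN_PRIVILEGES.update(new_privileges)
        self.edit_role("Administrator", self.roles["Administrator"] | set(new_privileges))
        for user in self.users.values():
            if ASSIGN_UNDEFINED in user["privileges"]:
                user["privileges"].update(new_privileges)

    def has(self, name, privilege):
        return privilege in self.users[name]["privileges"]

    def review_sensitive(self):
        """Least-privilege check: who outside the Administrator role holds a
        privilege the guide flags as dangerous? Returns sorted (user, privilege)."""
        return sorted(
            (name, p)
            for name, user in self.users.items()
            if user["role"] != "Administrator"
            for p in user["privileges"] & SENSITIVE
        )
```

Granting alice one extra privilege moves her to Custom, so a later edit_role("Manager", ...) no longer touches her; bob, still on Manager, picks the change up. After an upgrade only holders of Admin: Assign Undefined Privileges (here the Administrator) gain the new privilege, and review_sensitive lists any non-administrator who has been handed one of the flagged privileges.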

60

Orchestria Active Policy Management Administrator guide

4. Machine administration
This chapter introduces the Orchestria APM central management server (CMS), gateways and client machines. It describes the principal functions of these machines, and explains how to administer machine accounts.
Note: Installation, upgrade and uninstallation procedures are described in the Deployment guide.

Machine hierarchy
Orchestria APM machines are organized into hierarchical branches, with the CMS as the top level server. Below the CMS, each branch of the hierarchy is managed by a gateway. Each gateway serves multiple client machines. This type of distributed deployment provides resilience and network load balancing.

Overview
Orchestria APM installations comprise three main types of machine: a CMS, gateways and client machines.

CMS: The CMS is the central database for your Orchestria APM installation. This database contains the policies for all your users and machines, plus all the captured transactions, Web pages and e-mails.
Gateways: Gateways are intermediate servers, providing resilience and data-routing services between the CMS and client machines. Each gateway can serve multiple client machines or even child gateways.
Client machines: Client machines are computers used by Orchestria APM users. Each has its own machine policy held in a local database. This database also contains policy details and captured data associated with the current user (this captured data is periodically replicated up to the parent server).

[Figure: example machine hierarchy. 1: CMS. 2: Gateways. 3: Client machines.]
Note: Your Orchestria APM machines are organized in a virtual hierarchy. This does not necessarily relate to your actual network topology or to the hierarchy of users and groups.


Machine icons
A single Administration console can connect to multiple CMSs. The CMS tree view and the Machine Administration screen use these icons:

CMS tree icons
CMS group. By default, the top level CMS group is called My Servers.
CMS - disconnected. The Orchestria APM user account currently logged on to the Administration console is not logged on to the CMS.
CMS - connected.
CMS - suspended.

Machine Administration icons
CMS - active.
CMS - suspended. See page 75.
Gateway - active.
Gateway - suspended.
Gateway - disconnected. *
Client machine.
Client machine - suspended.
Client machine - disconnected. *
Utility machine.
Utility machine - suspended.
Utility machine - disconnected. *
* The CMS is unable to connect to this machine, for example, because it is switched off.

Console-only and utility machines
In addition to conventional gateways and client machines, Orchestria APM also supports these machine types:

Console-only machines: You manage your Orchestria APM installation using an Administration console. Normally, you would install the console at the same time as you install the Orchestria APM infrastructure. But if required, you can install a console on any computer that can communicate with the CMS, even if that computer is not running the Orchestria APM infrastructure. Console-only installations are described in the Deployment guide; search the index for console-only installations.
Utility machines: These are host machines for the Orchestria APM Content Proxy server and iConsole application servers. Utility machines enable you to run these components without overloading your existing Orchestria APM servers. They inherit the common client machine policy.
Note: The Content Proxy server is part of the Orchestria APM content services. These services provide access to the content search and content agent features; see chapter 13, Content agents.
Note: The iConsole application server (sometimes referred to as the back-end server) provides the Web service that connects to the CMS. It enables all event search and auditing activity conducted in the iConsole to be written to the CMS. That is, it allows iConsole users to search for, retrieve and audit events stored on the CMS.


Orchestria APM infrastructure
Each Orchestria APM machine has an infrastructure (a collection of software components) that enables it to operate, communicate with other Orchestria APM machines, and protect confidential data. Settings in the local machine policy control the infrastructure:

Security settings control whether Orchestria APM encrypts network data transfers and records in the local database, and whether login credentials for Orchestria APM users are cached.
Data Management settings cover data compression, data file block sizes, event purging, and free disk space handling.
Note: When free disk space falls to critical levels, the infrastructure is suspended. For details, see page 74.
Note: We strongly recommend that you set up a purging strategy as soon as possible after installation. For details, see page 80.
Replication settings determine how often the local machine notifies its parent server of newly captured data or local infrastructure changes. These notifications act as triggers for data replication.
Logging settings control which infrastructure operations are logged. You specify which operations are logged and the maximum size of log files.
Note: For further details about Infrastructure settings in the machine policy, see page 145.

Stopping and restarting the infrastructure
You can manually stop and restart the infrastructure (see previous section) on any Orchestria APM machine.

Windows machines
You can stop or restart the infrastructure using the wgninfra service. Run the following commands:
Stop infrastructure: net stop wgninfra
Restart infrastructure: net start wgninfra

Solaris servers
You can stop, start or restart the infrastructure using the wgninfra script. Find this at /etc. The syntax is:
Stop infrastructure: /etc/wgninfra stop
Start infrastructure: /etc/wgninfra start
Restart infrastructure: /etc/wgninfra restart

Running the infrastructure as a named user
When installing an Orchestria APM server or client machine, you must specify a logon account for the infrastructure. This defaults to LocalSystem, but if required you can specify a named user account. There are various conditions when you may need to do this. Specifically, when installing the following:

A CMS or gateway: If you specify a remote \Data folder, the local infrastructure must log on as a domain user with administrative rights to read and write to the remote folder.
The Remote Data Manager (RDM): The infrastructure must log on as a named user account. This account must also have the Log on as a service security privilege and permissions to retrieve data from a third-party archive. See the Deployment guide for details; search the index for RDM.

Note: You can find other hardware-related issues in the Technical Information chapter of the Deployment guide.


Data replication across the network
Each Orchestria APM machine replicates data across the network:

From the CMS to client machines: The CMS database holds policy and administration details for each Orchestria APM user, group and machine. Database changes (for example, policy or account updates) are copied automatically from the CMS, via the gateway servers, to local databases on the client machines.
From client machines to the CMS: Each client machine manages a database of locally captured e-mails and Web pages, plus copies of its own machine policy and the user policy for the current user. The local machine policy determines how often captured data and local policy changes are replicated up to the CMS via gateways.
Note: Replication failures are described on page 65.

Data transfers from the CMS: Data transfers such as policy changes pass from the CMS database (1) to the gateway databases (2) and finally to databases on client machines (3).
Data transfers from client machines to the CMS: Data transfers can include captured Web pages and e-mails, and locally-generated policy changes. This data passes from the client machines (1) via gateways (2) to the CMS database (3).

Notification periods
All data replication across an Orchestria APM installation is driven by notification messages:

Captured data: Newly captured events are replicated as soon as possible from client machines to the CMS. The Captured Data Notification Period in the machine policy determines how often a client machine sends notification that it has captured new data. When the CMS receives this notification, it transfers the captured data from the client to the CMS and the client stops sending notifications.
Infrastructure data: The Infrastructure Notification Period in the machine policy determines how often client machines and the CMS notify each other of new infrastructure changes such as policy edits or user account updates. When the recipient machine receives this notification, it determines if it needs the update; if so, it requests the details. As soon as the recipient machine has processed the notification, the sender machine stops sending notifications.

If required, you can also encrypt and compress replicated data: data encryption is described on page 77; data compression is described on page 79.


Disable replication
If required, you can disable replication to and from individual machines. For example, you may want to temporarily stop the CMS sending policy change notifications to all Orchestria APM machines. To disable replication, you can either suspend a machine or server, or you can set the replication period to zero.

Suspend a machine
When an Orchestria APM machine is manually suspended, it can neither send nor receive replicated data. For client machines, this means they can neither replicate captured data to their parent server nor receive policy changes from the CMS. For details about suspending a machine, see page 75.
Note: If a machine is suspended automatically (for example, because of a critical shortage of free disk space), under certain circumstances events captured locally before the suspension are still replicated up to the parent server.

Set the notification period to zero
You need to edit the policy for the machine that you want to stop replicating data. In the Replication folder of the machine policy, set the Captured Data Notification Period and Infrastructure Notification Period settings to zero in order to separately disable the outward replication of captured data and infrastructure changes. Note that the machine will still be able to receive replicated data.
This approach is also the quickest way to turn off all replication across the Orchestria APM enterprise. First, set the notification periods to zero for the common gateway policy and the common client policy. Then do the same for the CMS machine policy. The order matters: once the Infrastructure Notification Period of the CMS is zero, the CMS no longer notifies its child machines of policy changes, so edits made after that point do not propagate. Be aware that this approach will generate extra network traffic as the policy changes need to be transmitted around the enterprise.
Note: The common gateway and client policies are described on page 69.

Slow network connections
If there is a very slow connection between a client machine and its parent server, for example over a WAN or dial-up connection, you can turn off replication. This primarily affects laptop users. To turn off replication:
1 In the Machine Policy Editor, browse to the Replication folder.
2 Set the Replicate Captured Data on Slow Links setting to False (clear the check box).
Remember, you will still need to periodically replicate any captured data that accumulates on the laptop. This will require regular (albeit temporary) policy changes to ensure that replication occurs. Alternatively, the laptop will need to make regular connections to its parent server over a LAN. For example, this could happen whenever the laptop user visits the office.
Note: If you are unable to turn off replication, see Troubleshooting on page 335.

Replication failures
If a parent server is unable to store a replicated event for any reason, it reports the failure back to the child machine, which writes an entry for the failed event to the replication holding cache. For details, see the Deployment guide; search the index for holding cache.
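The notification-driven replication described under Notification periods, together with the ordering advice for setting the periods to zero and the effect of suspending a machine, as an added constructed model. This is example code written for this page, not Orchestria code: the Machine and Enterprise classes, the CMS / one gateway / two clients topology, and the rule that a machine decides whether to notify its children from the period it held when a cycle began are all assumptions; only the setting names and the down-then-up direction of the two data flows come from the guide.

```python
"""Constructed model of notification-driven replication in a CMS/gateway/client tree.

Added example for the Notification periods and Disable replication sections; it
is not Orchestria code. The class and method names, the topology and the rule
that a period change takes effect from the next cycle are assumptions made so
the ordering advice in the guide can be exercised.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Machine:
    name: str
    kind: str                      # "cms", "gateway" or "client"
    infra_period: int = 60         # Infrastructure Notification Period; 0 = never notify
    data_period: int = 60          # Captured Data Notification Period; 0 = never notify
    suspended: bool = False        # a suspended machine neither sends nor receives
    applied: int = 0               # number of CMS policy edits this machine has received
    captured: list = field(default_factory=list)
    parent: Optional["Machine"] = None
    children: list = field(default_factory=list)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child


class Enterprise:
    def __init__(self):
        self.cms = Machine("cms", "cms")
        self.edits = []            # (policy kind, settings), in the order made on the CMS

    def machines(self):
        """Breadth-first list: CMS first, then gateways, then clients."""
        out, todo = [], [self.cms]
        while todo:
            m = todo.pop(0)
            out.append(m)
            todo.extend(m.children)
        return out

    def edit_policy(self, kind, **settings):
        """Edit the CMS machine policy or the common gateway/client policy. The CMS
        applies its own settings at once (the edit is made in its own database);
        gateway and client settings only arrive through replication."""
        self.edits.append((kind, settings))
        self.cms.applied = len(self.edits)
        if kind == "cms":
            for key, value in settings.items():
                setattr(self.cms, key, value)

    def replicate(self):
        """One replication cycle: policy edits flow down, captured data flows up.
        A sender whose period is zero, or a suspended machine at either end,
        stops the transfer. Whether a machine notifies its children is decided
        from the period it held when the cycle began (assumption)."""
        period_at_start = {m.name: m.infra_period for m in self.machines()}

        def down(m):
            for c in m.children:
                if period_at_start[m.name] > 0 and not (m.suspended or c.suspended):
                    for kind, settings in self.edits[c.applied:m.applied]:
                        if kind == c.kind:
                            for key, value in settings.items():
                                setattr(c, key, value)
                    c.applied = m.applied
                down(c)

        def up(m):
            for c in m.children:
                up(c)
                if c.data_period > 0 and not (c.suspended or m.suspended):
                    m.captured.extend(c.captured)
                    c.captured.clear()

        down(self.cms)
        up(self.cms)


def build_enterprise():
    """CMS -> one gateway -> two clients (constructed topology)."""
    ent = Enterprise()
    gw = ent.cms.add(Machine("gw1", "gateway"))
    gw.add(Machine("pc1", "client"))
    gw.add(Machine("pc2", "client"))
    return ent


def disable_replication_everywhere(ent):
    """The order the guide gives: common gateway and client policies first, let
    that change replicate, then the CMS policy. Doing the CMS first would stop
    it notifying before the other two edits had left it."""
    ent.edit_policy("gateway", infra_period=0, data_period=0)
    ent.edit_policy("client", infra_period=0, data_period=0)
    ent.replicate()            # the extra traffic the guide warns about
    ent.edit_policy("cms", infra_period=0, data_period=0)


def periods(ent):
    """Infrastructure Notification Period currently held by every machine."""
    return {m.name: m.infra_period for m in ent.machines()}
```

Run disable_replication_everywhere on a fresh tree and every machine ends on zero, after which an event captured on pc1 stays on pc1. Reverse the order (CMS first) and the gateway and clients keep their original periods, and, as the guide notes, the CMS still receives the captured data they send up. Suspending pc2 blocks both directions for that machine only: pc1 still receives a client policy edit and pc2's captured event stays local.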


CMS
The CMS maintains the central database for all your Orchestria APM client machines, and has its own unique machine policy. This policy includes the standard settings common to all Orchestria APM machine policies, but it also determines how the CMS handles new user and machine accounts, and how it manages multiple concurrent client connections.

Before you start using Orchestria APM
Before you use Orchestria APM for the first time after installation, you must edit the CMS policy to determine how it handles new machine accounts. It can either create new accounts automatically, or it can require an administrator to manually add new machines in the Administration console. See the Deployment guide for details; search the index for post-deployment tasks.

Editing the CMS policy
The machine policy for the CMS incorporates the standard policy settings plus settings that refer exclusively to operations on the CMS. These cover account handling for unknown users or machines, and database management (see page 150).

Edit the CMS policy
Expand the Machine Administration branch and select the CMS. Then:
Right-click and choose Edit Policy, or
Click Edit Policy, or
Click the policy hyperlink in the right pane. See page 34 for details.
Warning: After editing a policy, click Save to save any policy changes. This displays a summary dialog listing all the policy items that you have modified. The summary dialog allows you to confirm, cancel or modify the changes.

Replicate CMS changes to client machines immediately
Any changes to the CMS database are replicated automatically to client machines. The frequency is determined by the replication settings in the CMS machine policy. But you can request immediate replication. This is useful if your Orchestria APM installation uses a slow CMS-to-clients replication interval. In the Administration console, choose Tools > Replicate Changes to Clients.
Note: You can also request a warning before you replicate these changes. To do this, choose Tools > Options and go to the General tab. Then, when you next replicate changes, Orchestria APM asks you to confirm the replication.

Rename a CMS
Warning: We strongly recommend that you do not rename your CMS. For details, see page 335.

Suspend a CMS
If necessary, you can manually suspend a CMS. You may want to do this because, for example, you want to run a cold backup of your Oracle database. Note also that scheduled backups will complete faster on a suspended CMS. You can also manually resume a suspended CMS. See page 76 for further details.
Note: A CMS may be suspended automatically if free disk space falls to dangerously low levels, if database problems arise, or if a disk failure occurs. For details, see page 74.


Enable single sign-on
If required, you can configure Orchestria APM so that users skip the logon dialog when they start up an Orchestria APM console. Instead of the user supplying their own credentials to access the console, Orchestria APM automatically supplies the native Windows account of the current user. In all other respects, the authentication process is identical to using a logon dialog. To configure Orchestria APM to use single sign-on, you must edit the CMS machine policy. In the Central Management Server policy folder, set Allow Single Sign-on? to True.
Note: This functionality requires that users wanting to run consoles have Orchestria APM account names prefixed with their domain, for example, UNIPRAXIS\lyndasteel.
Note: The administrative privilege Admin: Use single sign-on allows a user to log on with single sign-on, even if single sign-on is disabled on the CMS; see page 57.

Connecting to a CMS
Icons in the CMS tree indicate the status of each CMS:
1 My Servers icon.
2 Disconnected CMS.
3 Connected CMS.
4 Suspended CMS; see the next section.

Connect to a CMS
1 In the CMS tree, select a disconnected CMS.
2 Right-click the CMS and choose Connect.
3 Supply your logon user name and password.

Disconnect from a CMS
1 In the CMS tree, select a connected CMS.
2 Right-click the CMS and choose Disconnect.

Connect to a CMS as a different user
If necessary, you can disconnect from and reconnect to a CMS in one easy step. You may want to log on as a different user for reasons of security.
1 In the CMS tree, select the CMS you want to connect to.
2 Right-click the CMS and choose Connect As.
3 Supply the logon user name and password you want to use.

Backing up and restoring the CMS
We recommend that you make a full backup of your Orchestria APM database on the CMS at least once per week, and incremental backups on a daily basis. You can find an overview of CMS backup and restore procedures, for both Microsoft SQL Server and Oracle database engines, in the Database guide.


Multiple CMSs
If necessary, you can deploy multiple CMSs, each serving a separate cluster of Orchestria APM machines. You can even connect to any CMS from the Administration console on any client machine, for example, to browse captured data or edit user policies. CMSs are organized in a tree view in the Browse screen of the Administration console.
[Figure: CMS tree. 1: CMS. 2: CMS group. The example tree shows group and CMS entries labelled Orchestria Active Policy Management, London, Midlands, South East, East Reach Trading Ltd, Monitrax Limited and Unipraxis plc.]

Managing multiple CMSs

Add a new CMS group
You can organize CMSs into groups to simplify your administration routine. Choose File > Add CMS Group or click the corresponding button in the toolbar.

Add a CMS
Choose File > Add CMS or click the corresponding button in the toolbar. Then specify the server you want in the Connect to CMS dialog.

One CMS per client machine
Even in a multiple-CMS environment, be aware that the Orchestria APM database on a client machine is permanently associated with a single CMS. You must specify this CMS when you install the Orchestria APM Client Integration software on the client machine. The only way you can instruct a client machine to copy captured data to a different CMS is to reinstall the Orchestria APM Client Integration software.


Gateways
Gateways are data-routing servers, operating between the CMS and client machines. Each gateway serves multiple client machines and is connected to a single parent server, either the CMS or another gateway. This hierarchical, distributed deployment provides resilience and network load balancing.

Managing gateways
In most cases, the procedures for managing gateway servers (editing policies, suspending, moving to a different parent server, and so on) are identical to those for managing client machines:
Edit a gateway policy: see page 71.
Move a gateway to a different parent: see page 70.
Delete a machine: see page 70.
Suspend a gateway: see page 76.
Warning: If you delete a gateway, all client machines connected to the gateway are also deleted.

Adding a new gateway
Before a new machine can function as a gateway, you must install the Enterprise Server software using the installation wizard. When you run the wizard, you specify Gateway as the server type. The new gateway is added to the Machine Administration screen as soon as it connects to the CMS. But administrators can also add new gateways manually, before the Enterprise Server software has been installed. In both cases, the new machine inherits the common gateway policy (see below).

Administrators add a new gateway
1 Expand the Machine Administration branch.
2 Click the New Machine toolbar button or choose Edit > New Machine.
3 In the New Machine dialog, enter the computer name (or click Browse to search your network) and choose Gateway.
4 Click OK to create a new account and add the gateway to the Machine Administration screen.
Note: You can edit the gateway's machine policy immediately, but the new account is not activated until you install the Enterprise Server software on the gateway computer.

Common (or default) gateway policies
New gateways do not inherit the CMS policy. Policy inheritance for new gateways does not operate in the same way as the hierarchical policy inheritance for new users and groups. Instead, new gateways inherit a common gateway policy. To edit this policy, expand the Machine Administration branch. Then:
Choose Edit > Edit Common Gateway Policy, or
Right-click any gateway and choose Edit Common Gateway Policy.
Note: In the common gateway policy, database purging is turned off. It is essential that you turn this setting on for each new gateway. See page 80 for details.

Rename a gateway
Warning: We strongly recommend that you do not rename gateways. For details, see page 335.


Client machines
Each client machine manages a database of locally captured e-mails and Web pages, plus copies of its own machine policy and the user policy for the current user. Settings in the machine policy determine how often captured data and local policy changes are replicated to the CMS via gateways, and how often redundant database information is purged.

In addition to acting as a local agent for capturing or controlling user activity, you can use client machines to manage every aspect of your Orchestria APM installation. To do this, you need to install the Administration, Data Management or Executive console on the relevant client machines (but see also Console-only and utility machines on page 62). For information about installing consoles, see the Deployment guide.

Adding new client machines

Normally, a new machine account is created automatically when you install the Orchestria APM infrastructure on a client. The new machine is added to the Machine Administration screen as soon as the client connects to the CMS. But administrators can also add new client machines manually, before the Client Integration software has been installed on the client. It is unlikely you would need to do this, but it may be necessary if you want to apply a custom machine policy to a new machine as soon as it connects to the CMS. In both cases, the new machine inherits the common client policy (page 71).

Administrators add a new client machine

1 Expand the Machine Administration branch.
2 Click the toolbar button or choose Edit > New Machine.
3 In the New Machine dialog, enter the computer name (or click Browse to search your network) and choose Client.
4 Click OK to create a new account and add the client machine to the Machine Administration screen.

Note: You can edit the client's machine policy immediately, but the new account is not activated until you install the Orchestria APM infrastructure on the client machine.

Moving client machines or gateways to a new parent server

If necessary, you can reorganize the machine hierarchy. For example, for load-balancing purposes you may want to move a client machine to a different gateway (you can also move gateways to a different parent gateway).

Manually move a machine

1 Right-click a client machine and choose Move Item. Or choose Edit > Move Item.
2 In the Move Item dialog, select the target parent server (either the CMS or a gateway).

Reparent multiple machines simultaneously

To do this, use the Account Import wizard. You specify the individual moves in a CSV file. See page 73 for details.

Deleting client machines

Select a client machine and click the toolbar button or choose Edit > Delete. This removes the machine account from the User Administration screen and the CMS database is updated to show the account is no longer active. But the account itself is not deleted from the database. This enables you to search for any deleted machine accounts using the Administration Search feature (see page 93).

Important: If you delete a gateway, all client machines connected to the gateway are also deleted.

Chapter 4 Machine administration

71

Editing machine policies


When new machine accounts are added to the CMS they automatically inherit the default client policy. You can edit this policy, but you can also create customized policies for specific machines. Settings in the machine policy determine how often captured data and local policy changes are copied to the parent server. Other settings determine how often local database records are deleted, whether data transfers to the parent server are encrypted, and so on. You use the Machine Administration screen to launch the Machine Policy Editor. See chapter 6, Editing policies, for full details about editing policies.

Common (or default) machine policies


New client machines do not inherit the CMS policy. Policy inheritance for new client machines does not operate in the same way as the hierarchical policy inheritance for new users and groups. Instead, all new client machines inherit a common client policy.

Edit the default policy for new clients

Expand the Machine Administration branch. Then:

- Choose Edit > Edit Common Client Policy, or
- Right-click any client machine and choose Edit Common Client Policy.

Note: In the common client policy, database purging is turned off. It is essential that you turn this setting on for each new machine. See page 80 for an explanation.

Edit a machine policy

In the Administration console, select the client machine, then:

- Click Edit Policy, or
- Right-click and choose Edit Policy, or
- Click the policy hyperlink in the right pane. See page 34 for details.

Important: After editing a policy, click Save to save any policy changes. This displays a summary dialog listing all the policy items that you have modified. The summary dialog allows you to confirm, cancel or modify the changes.

Suspend a client machine


If necessary, you can manually suspend or resume a client machine. For example, you may want to suspend the Orchestria APM infrastructure to carry out routine maintenance. See page 76 for details.

Rename a client machine


If necessary, you can rename client machines without losing any captured data. However, you may need to reconfigure any customized settings in the local machine policy. See page 335 for details.

Reset a machine policy


In the Machine Policy Editor, choose Edit > Reset. This removes any custom settings in a machine policy and restores the default values (that is, values inherited from the common client policy).

72

Orchestria Active Policy Management Administrator guide

Exporting the machine hierarchy


You can export any branch of the machine hierarchy to a command file compatible with the Account Import utility. You can do this using the Administration console, or from a command line.

Export via the Administration console

1 Expand the Machine Administration branch in the Administration console.
2 Right-click the CMS or a gateway and choose Export Hierarchy to File.
3 In the resulting dialog, specify:

- File name and location: we recommend that you give the file a .acc extension.
- Machine type: Choose to export gateways, client machines or both. For full details, see the online help.

[Figure: Export Hierarchy to File dialog]

Export from a command line

You can only run a command line on the CMS. The command line syntax for exporting machine details to a specified file type is:

wgninfra -exec wigan/infrastruct/directory/DirectoryExport Machines <filename> <parameters>

Where:

<filename> defines a name for the destination file.
<parameters> defines the export parameters. Available parameters and parameter rules are described in the next section.

Export parameters

Use these parameters to control what is exported:

-b Defines the base machine. That is, the starting point for the export process.
-g Export gateways, organized hierarchically in the command file.
-u Export client and utility machines.
-n Writes the export file using Unicode character sets. Any non-ASCII names (such as names with Japanese characters) are then preserved in the exported file.

Note: You must enclose the entire parameter value in "double quotes" if that value contains a space.

Note: If you only export client and utility machines, then the command file is organized in a flat, non-hierarchical structure.


73

Importing machines

To simplify mass deployments, you can bulk create new machine accounts and pre-assign client machines to parent servers in advance of the Orchestria APM rollout. This enables you to deploy multiple client machines using a single source image (which identifies a single parent server) whilst ensuring that each client machine automatically connects to its 'correct' parent server immediately after installation. You can also bulk move (or reparent) existing client machines and gateways to new parent servers.

To bulk create new accounts, you import the gateway and client machine details from a command file. You can do this using the Account Import wizard (launched from the Administration console) or you can run a command line import operation. Command files for machine import operations are briefly described in the next section.

Note: For full details about machine import operations, please refer to the Deployment guide; search the index for Account Import.

Command file format

When you import a command file containing machine details, each record in the file must conform to the format required by Account Import. Each machine record must begin on a new line with a variable that defines the type of operation. For example, the commands below create a new gateway, GW-MILAN, parented to CMS-HARDY, and a new client machine, UNI-TAYLOR, parented to GW-MILAN. The final command moves an existing client machine, UNI-ROBSON, to the new gateway.

newgateway,GW-MILAN,CMS-HARDY
newclient,UNI-TAYLOR,GW-MILAN
moveclient,UNI-ROBSON,GW-MILAN

Re-importing exported hierarchies

We recommend that you do not re-import the exported hierarchy back onto your working CMS. This is because each line in the exported file begins with the variables newutility, newgateway or newclient. If you re-import an exported hierarchy back onto your working CMS, these re-imported machines will be logged as duplicates of existing accounts.
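The record format is simple enough to check before an import is run. The following Python script is an added example, not part of the guide or of the Account Import utility: it replays a command file against a snapshot of the existing machine hierarchy and reports the problems the text warns about, namely re-imported accounts that would be logged as duplicates, and records whose parent is not an existing CMS or gateway. The operation names are those shown on this page; the snapshot of existing machines (GW-TURIN and the placement of UNI-ROBSON) and the fourth command line are constructed, and the rule that a parent must already exist by the time a record is reached is the script's own assumption.

```python
"""Pre-flight check for an Orchestria APM Account Import command file.

Added example; not part of the Orchestria documentation or product.  The
record layout (operation,machine,parent) and the operation names newutility,
newgateway, newclient and moveclient come from the guide.  The consistency
rules applied here (a parent must already exist and be a CMS or gateway, and
a new* record must not name an existing account) are this script's own
assumptions about what is worth catching before the wizard logs duplicates.
"""
import csv
import io

NEW_OPS = {"newutility": "utility", "newgateway": "gateway", "newclient": "client"}
MOVE_OPS = {"moveclient": "client"}
PARENT_TYPES = {"cms", "gateway"}   # machine types that can act as a parent server


def validate_command_file(text, existing):
    """Replay a command file against a snapshot of the machine hierarchy.

    existing maps machine name -> (type, parent name or None) for accounts that
    are already on the CMS.  Returns (issues, hierarchy): issues is a list of
    (line number, message) and hierarchy is the state after every accepted
    record.  Names compare case-insensitively, as Windows computer names do.
    """
    hierarchy = {name.upper(): (kind, parent.upper() if parent else None)
                 for name, (kind, parent) in existing.items()}
    issues = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(field.strip() for field in row):
            continue                                    # blank line
        if len(row) != 3:
            issues.append((lineno, "expected exactly 3 fields: operation,machine,parent"))
            continue
        op, name, parent = (field.strip() for field in row)
        op, name, parent = op.lower(), name.upper(), parent.upper()

        if op in NEW_OPS:
            if name in hierarchy:
                issues.append((lineno, f"{name} already exists; importing it again "
                                       "would be logged as a duplicate account"))
                continue
            kind = NEW_OPS[op]
        elif op in MOVE_OPS:
            if name not in hierarchy:
                issues.append((lineno, f"cannot move {name}: no such account"))
                continue
            kind = hierarchy[name][0]
            if kind != MOVE_OPS[op]:
                issues.append((lineno, f"{op} applied to a {kind}, not a client"))
                continue
        else:
            issues.append((lineno, f"unknown operation {op!r}"))
            continue

        # A child can only hang off the CMS or a gateway that exists by this point
        # in the file (new gateways must be declared before their clients).
        if hierarchy.get(parent, ("missing",))[0] not in PARENT_TYPES:
            issues.append((lineno, f"parent {parent} is not an existing CMS or gateway"))
            continue
        hierarchy[name] = (kind, parent)
    return issues, hierarchy


# Constructed snapshot of a small hierarchy.  CMS-HARDY and UNI-ROBSON appear in
# the guide's example; GW-TURIN, and UNI-ROBSON's placement under it, are made up.
EXISTING = {
    "CMS-HARDY": ("cms", None),
    "GW-TURIN": ("gateway", "CMS-HARDY"),
    "UNI-ROBSON": ("client", "GW-TURIN"),
}

# The guide's three example records, plus a constructed fourth line that
# re-imports an account which already exists.
SAMPLE_COMMANDS = """\
newgateway,GW-MILAN,CMS-HARDY
newclient,UNI-TAYLOR,GW-MILAN
moveclient,UNI-ROBSON,GW-MILAN
newclient,UNI-ROBSON,GW-TURIN
"""

if __name__ == "__main__":
    problems, result = validate_command_file(SAMPLE_COMMANDS, EXISTING)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    for machine, (kind, parent) in sorted(result.items()):
        print(f"{machine:<12} {kind:<8} parent={parent}")
```

Run against the sample, the first three records are accepted and the fourth is reported as a duplicate of UNI-ROBSON, which is exactly the situation the re-import warning describes. Because the check replays records in file order, a client declared before its gateway is also flagged, which is worth knowing when hand-editing an exported hierarchy.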

74


Monitoring free disk space


Settings in the machine policy can monitor levels of free disk space and suspend the Orchestria APM infrastructure when free disk space falls below a critical level. You can find these settings in the Data Management folder:

[Figure: Machine Policy [CMS-HARDY] tree: Infrastructure > Security, Data Management, Replication, Logging, Policy Engine, Central Management Server]
Machine Policy: Data Management

For each Orchestria APM machine, these policy settings monitor free disk space on the drive hosting the Data folder (this folder, which may be remote, contains configuration data and captured data for the local Orchestria APM installation). You can specify disk space warning and error levels, and how often free disk space is checked. If free space falls below the warning level, warnings are written to the Audit log file. If it then falls below the error level, the Orchestria APM infrastructure is suspended. Note that the infrastructure restarts automatically when free disk space recovers to the warning level.

[Figure: Changing levels of free disk space; callouts 1 Warning level, 3 Error level]
1 Free disk space falls below the Warning level.
2 During this period, warnings are added to the log file.
3 Free disk space falls below the Error level.
4 During this period, the Orchestria APM infrastructure is suspended.
5 Free disk space recovers above the Warning level and the Orchestria APM infrastructure resumes automatically.

Disk space policy settings

You need to consider the following machine policy settings when monitoring levels of free disk space.

Disk space check interval

You must determine how often free disk space is checked. If you set this interval to zero minutes, free disk space is never checked.

Note: On the CMS and gateway servers, we strongly recommend you set this frequency to one minute.

Disk space warning level

When free disk space falls below this level, Orchestria APM adds a warning to the Audit log file. The default warning level is 25MB. If free disk space continues to fall, further warnings are added to the log file until eventually free space falls to the error level and the Orchestria APM infrastructure is suspended. Up to 10 warnings are issued, with a minimum fall in free disk space of 1MB between each warning. The warning level (not the error level) also represents the 'safe' level at which the infrastructure automatically restarts following a suspension and subsequent recovery in free disk space.

Note: For the CMS and gateway servers, we strongly recommend you set this level to 250MB.

Disk space error level

When free disk space falls below this level, the Orchestria APM infrastructure is suspended. The default value is 5MB. Following a suspension, the infrastructure automatically restarts when free disk space recovers to the warning level (not the error level).

Note: For the CMS and gateway servers, we strongly recommend you set this level to 50MB.
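The warning, error and restart behaviour described above is a small state machine, and writing it out makes the hysteresis explicit: suspension is triggered at the error level but only cleared at the warning level. The following Python class is an added example, not Orchestria code. It applies the default 25MB and 5MB levels, the cap of 10 warnings with at least 1MB fall between them, suspension below the error level and automatic resumption once free space is back at the warning level. The sequence of readings is constructed; resetting the warning count once free space is back at or above the warning level, and reading "falls below" as strictly less than the level, are the model's assumptions.

```python
"""Model of the free-disk-space monitoring described above.

Added example, not Orchestria code.  The thresholds, the 10-warning cap, the
1MB minimum fall between warnings and the resume-at-warning-level rule come
from the guide; two details are this model's assumptions: the warning counter
is reset once free space is back at or above the warning level, and "falls
below" is read as strictly less than the level.
"""


class DiskSpaceMonitor:
    MAX_WARNINGS = 10      # at most 10 warnings per excursion below the warning level
    MIN_FALL_MB = 1.0      # a further warning needs at least 1MB less free space

    def __init__(self, warning_mb=25, error_mb=5, check_interval_min=1):
        if error_mb >= warning_mb:
            raise ValueError("error level must be below the warning level")
        self.warning_mb = warning_mb
        self.error_mb = error_mb
        self.check_interval_min = check_interval_min
        self.suspended = False
        self.audit_log = []            # stands in for the Audit log file
        self._reset_warnings()

    def _reset_warnings(self):
        self.warnings_issued = 0
        self.free_at_last_warning = None

    def check(self, free_mb):
        """Evaluate one disk space check and return the action taken."""
        if self.check_interval_min == 0:
            return "disabled"          # an interval of zero minutes means never check

        if self.suspended:
            if free_mb >= self.warning_mb:   # recovery is judged against the warning level
                self.suspended = False
                self._reset_warnings()
                self.audit_log.append(f"resumed: {free_mb}MB free")
                return "resume"
            return "suspended"

        if free_mb < self.error_mb:
            self.suspended = True
            self.audit_log.append(
                f"suspended: {free_mb}MB free, below error level {self.error_mb}MB")
            return "suspend"

        if free_mb < self.warning_mb:
            dropped_enough = (self.free_at_last_warning is None
                              or self.free_at_last_warning - free_mb >= self.MIN_FALL_MB)
            if self.warnings_issued < self.MAX_WARNINGS and dropped_enough:
                self.warnings_issued += 1
                self.free_at_last_warning = free_mb
                self.audit_log.append(f"warning {self.warnings_issued}: {free_mb}MB free")
                return "warn"
            return "none"

        self._reset_warnings()          # back in the safe zone (assumption, see above)
        return "none"


def simulate(readings, **policy):
    """Feed a sequence of free-space readings (one per check interval) through the monitor."""
    monitor = DiskSpaceMonitor(**policy)
    return [monitor.check(free_mb) for free_mb in readings]


# Constructed sequence of readings, in MB, for the default 25MB/5MB levels.
SAMPLE_READINGS = [30, 24, 23.5, 22, 20, 4, 3, 10, 26, 20]

if __name__ == "__main__":
    for free_mb, action in zip(SAMPLE_READINGS, simulate(SAMPLE_READINGS)):
        print(f"{free_mb:>6}MB -> {action}")
```

Note how the reading of 10MB, although well above the 5MB error level, leaves the machine suspended: nothing short of the warning level brings it back. That is why the recommended 250MB/50MB levels for the CMS and gateways leave a generous gap between the two thresholds.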


75

Suspended machines
When a CMS, gateway or client machine is suspended, all notification activity ceases. That is, the machine is unable to receive data such as policy updates or (for the CMS and gateways) newly captured data. For details about which operations are still available on suspended machines, see page 76.

[Figure: Machine Administration tree]
1 Machine Administration icon.
2 Active CMS.
3 Suspended CMS.
4 Gateway server.
5 Client machine.

Automatic suspensions

The infrastructure on Orchestria APM machines is suspended automatically if:

- Free disk space falls below the Error Level. This level is defined in the Infrastructure > Data Management folder of the machine policy. See page 145 for details.
- Database problems arise. For example, Orchestria APM suspends a machine if there is a communication failure with the local database, or if the local database becomes full (that is, it fills its allocated space quota).
- A disk failure occurs. If a parent server is unable to replicate data because of a disk failure on a child machine, Orchestria APM suspends the child machine.
- The replication holding cache becomes full. Events that fail to replicate successfully are stored in a holding cache. If the cache's maximum event limit is exceeded, Orchestria APM suspends the child machine. For details, see the Deployment guide; search the index for holding cache.

Manual suspensions

If necessary, you can manually suspend Orchestria APM machines. For example, you may do this to carry out machine maintenance. Similarly, a scheduled backup will complete faster on a suspended CMS because data transfers to the CMS are discontinued until it resumes data processing.

Suspend or resume a machine

Expand the Machine Administration tree and right-click the machine you want. Then choose Suspend, Resume or Machine State, as required.

Note: To suspend or resume Orchestria APM machines, you must have the Edit Machine Hierarchy administrative privilege; see page 58.

76


What operations are still available on suspended machines?


Certain Orchestria APM operations continue or remain available on a suspended client machine:

Replication: If a client machine is suspended automatically due to a lack of free disk space or because the local database is full, data captured on the client machine before the suspension occurred is still replicated up to the parent server.

Note: If a client machine is suspended for other reasons (for example, a manual suspension), captured data is not replicated up to the parent server until the client machine resumes.

Policy: If the machine was suspended manually, you can still edit user and machine policies on suspended machines. For example, even if you suspended the CMS you can still amend the policy of any machine or any user in your management groups.

Note: These policy changes are not replicated to the relevant client machine until the CMS resumes.

Control triggers and actions: On a suspended client machine, control triggers and actions continue to operate but the resulting control events are not saved. For example, you cannot search for blockings or warnings that occurred on suspended machines.

Note: Capture and transaction triggers do not operate on a suspended machine.

Disabling e-mail, file and browser integration

If required, you can disable e-mail, file and browser integration when you install Orchestria APM. You can also specify that integration is disabled if, for any reason, the Orchestria APM infrastructure fails to start.

Note: Other methods for disabling e-mail and browser integration for individual users (by editing their user policy) are described on page 210.

Responding to an infrastructure failure

The Infrastructure Failure setting in the user policy System Settings folder controls how Orchestria APM responds if the infrastructure fails to start. In particular, you can use this setting to disable Orchestria APM integration with all browser and e-mail applications. For more information on this and other system settings, see page 140.

When installing with msiexec.exe

When installing Orchestria APM using deployment methods based on msiexec.exe, you can disable browser integration for Windows Explorer and Outlook. In practical terms, this means that if a user surfs the Web using Windows Explorer or Outlook as a browser, Orchestria APM does not monitor this activity. For more information on msiexec.exe parameters supported by Orchestria APM, please refer to the Deployment guide; search the index for Msiexec.exe.

Note: Integration with Internet Explorer and e-mail integration with Microsoft Outlook are not affected; Web activity in Internet Explorer and e-mail activity in Outlook continue to be monitored as normal.


77

Data encryption
You can optionally encrypt data stored on Orchestria APM machines plus data transfers between these machines. Encryption is controlled by settings in the machine policy. There is also a command line method for manually changing the master encryption key on each machine.

Encrypting replicated data

If required, you can encrypt all data sent across the network (page 145). To do this:

1 In the Machine Policy Editor, browse to the Security folder.
2 Edit the Communications Encryption setting. You can choose from low, medium or high encryption.

Encrypting stored data

Encrypting your stored data prevents intruders from accessing sensitive information by reading the blob (Binary Large Object) files directly. This is especially important on the CMS where the blob files contain captured e-mail and Web data for the whole enterprise. The data store on each Orchestria APM machine incorporates blob files, containing policy data and, on the CMS and gateways, captured Web and e-mail data. Machine policy settings enable you to optionally encrypt these blob files with a local encryption key. You can also manually change the master key used to encrypt the local encryption keys.

Note: On client machines, blob files containing captured data are not encrypted.

Encryption keys

Each Orchestria APM machine has a unique encryption key that is used when writing blob files to disk. Further settings in the machine policy determine how often the local key is changed. By default, regular key changes occur automatically to reduce your exposure to security risk. Limiting the volume of data encrypted with a single key means it is harder for an intruder to crack the key. It also means that in the unlikely event they succeed, they will only gain access to a small part of your total data store. Note that superseded keys are retained so that older files can still be read.

In normal situations, it is not necessary to edit these policy settings because the default values have been carefully chosen. But if you need to strengthen security on the CMS (or a gateway), you can modify two key replacement thresholds:

- Time interval: The key is changed after the specified number of days. For example, you can specify a key change every seven days.
- Volume of data: The key is changed after it has encrypted the specified volume of data. For example, you can specify a key change after every 1GB of captured data. (On the CMS, this threshold measures how much data has been captured and encrypted across your entire Orchestria APM installation.)

These thresholds operate in parallel. The encryption key is changed as soon as either threshold is exceeded, and both threshold counters are immediately reset to zero.

Set the key change thresholds

To set the key change thresholds on your CMS or a gateway server:

1 Expand the Machine Administration branch.
2 Right-click the machine you want and choose Edit Policy.
3 In the Machine Policy Editor, browse to the Security folder.

[Figure: Machine Policy [CMS-HARDY] tree: Infrastructure > Security, Data Management, Replication, Logging, Data Lookup, Central Management Server]
Machine Policy, Security folder

4 Edit the two Data Store Encryption Key Change settings. The Volume threshold is defined in megabytes; the Interval threshold is defined in days.
5 Save the machine policy.

Note: It is unlikely you will need to edit these settings on your client machines. Encrypted blob files on these machines only contain policy data.

Changing the master encryption key

On each Orchestria APM machine, the keys used to encrypt stored data (the blob file keys) are themselves encrypted with a master key. For maximum data security, Orchestria APM allows you to manually change this master key. Clearly, changing the master encryption key, especially on the CMS, is an extremely sensitive task. For this reason, the key change process has been rigorously engineered to eliminate the risk of data loss arising from an unrecoverable blob file encryption key. In particular, Orchestria APM:

- Prevents the automatic creation of new blob file encryption keys while the master key change is underway or when a machine is starting up.
- Scrupulously records each stage of the process in key change recovery files to enable automatic rollback if the key change fails.

Orchestria APM provides a command line method for manually changing the master encryption key. The command syntax is:

wgninfra -exec wigan/infrastruct/database/KeyServices ManageKeys -m

Where:

wigan/infrastruct/database/KeyServices is the Java Class path. You must type this path exactly as shown here.
ManageKeys identifies the command as an encryption key operation.
-m specifies that the operation applies to the local master key.
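The interplay of the two key replacement thresholds is easier to follow in code. The following Python model is an added example, not Orchestria code: it issues a new blob-file key when either the interval or the volume threshold is reached, restarts both counters at that point, and keeps every superseded key so that blobs written under it can still be read, as the text above describes. Key material is random bytes and nothing is actually encrypted; the write sequence in demo_ring is constructed, and treating the thresholds as "at least N days in service" and "at least N MB written" is the model's interpretation of "exceeded".

```python
"""Model of the blob-file key replacement thresholds described above.

Added example, not Orchestria code.  It shows why the two thresholds are said
to operate in parallel: whichever is exceeded first triggers a new key, and
both counters restart from that moment.  Key material is random bytes and no
data is actually encrypted; the point is the rotation bookkeeping and the
retention of superseded keys so older blobs stay readable.  Reading the
thresholds as 'at least N days in service' and 'at least N MB written' is
this model's interpretation.
"""
from dataclasses import dataclass
import secrets


@dataclass
class BlobKey:
    key_id: int
    created_day: int
    material: bytes
    volume_mb: float = 0.0     # data encrypted under this key so far


class BlobKeyRing:
    def __init__(self, interval_days=7, volume_mb=1024, start_day=0):
        self.interval_days = interval_days
        self.volume_mb = volume_mb
        self.keys = []             # every key ever issued, oldest first; none are discarded
        self.blobs = {}            # blob name -> key_id used to encrypt it
        self._issue_key(start_day)

    def _issue_key(self, day):
        key = BlobKey(key_id=len(self.keys) + 1, created_day=day,
                      material=secrets.token_bytes(32))
        self.keys.append(key)
        return key

    @property
    def current(self):
        return self.keys[-1]

    def write_blob(self, name, day, size_mb):
        """Record a blob written on `day`; return the id of the key that encrypted it."""
        # Time threshold: the key has been in service for the full interval, so it
        # is replaced before any more data is written under it.
        if day - self.current.created_day >= self.interval_days:
            self._issue_key(day)
        key = self.current
        key.volume_mb += size_mb
        self.blobs[name] = key.key_id
        # Volume threshold: this write pushed the key over its quota, so a fresh
        # key is issued at once.  Its created_day restarts the interval clock too.
        if key.volume_mb >= self.volume_mb:
            self._issue_key(day)
        return key.key_id

    def key_for(self, name):
        """Look up the (possibly superseded) key needed to read an existing blob."""
        return next(k for k in self.keys if k.key_id == self.blobs[name])


def demo_ring():
    """Constructed write sequence against a 7-day / 1024MB policy."""
    ring = BlobKeyRing(interval_days=7, volume_mb=1024)
    ring.write_blob("a", day=0, size_mb=300)    # key 1
    ring.write_blob("b", day=3, size_mb=300)    # key 1, 600MB so far
    ring.write_blob("c", day=5, size_mb=500)    # key 1 reaches 1100MB -> key 2 issued on day 5
    ring.write_blob("d", day=6, size_mb=100)    # key 2 (interval clock restarted on day 5)
    ring.write_blob("e", day=12, size_mb=100)   # day 12 - 5 = 7 days -> key 3
    return ring


if __name__ == "__main__":
    ring = demo_ring()
    for name, key_id in ring.blobs.items():
        print(f"blob {name}: key {key_id} (created day {ring.key_for(name).created_day})")
```

The volume-triggered change on day 5 is what makes the interval counter reset matter: without it, the seven-day clock started on day 0 would force a second change on day 7, two days after the volume change. Lowering either threshold on the CMS shortens the lifetime of each key but lengthens the list of retained keys that the master key must protect.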


79

Data compression
Machine policy settings allow you to compress data stored on the local server and data replicated between Orchestria APM machines.

Compress stored data

To minimize the use of disk space, you can compress stored data on Orchestria APM servers and client machines. Specifically, you can compress the blobs (Binary Large Object files). These contain policy data and, on the CMS and gateways, captured Web, e-mail and application data. On the CMS or a gateway, both the captured data blobs and policy blobs are compressed. On client machines, only the policy blobs are compressed. To turn on compression of stored data for a specific machine:

1 In the Machine Policy Editor, browse to the Data Management folder.
2 Set the Compress Stored Data? setting to True.

Compress transmitted data

To reduce network traffic, you can compress data before transmitting it across the network between Orchestria APM machines. Specifically, you can compress the policy blobs and captured data blobs (see the previous section). To turn on compression for data transmitted from a specific machine:

1 In the Machine Policy Editor, browse to the Replication folder.
2 Set the Compress Transmitted Data? setting to True.

Note: When a server receives data that is already compressed, it does not uncompress then re-compress the data before replicating it up to a parent server or (for the CMS) storing it.

When is transmitted data not compressed?

Under certain conditions, transmitted data is not compressed, even if the local machine has Compress Transmitted Data? set to True. This happens when the sending and receiving machines have incompatible machine policy settings. Specifically, transmitted data is not compressed if:

- The receiving machine is not configured to store compressed data (that is, its Compress Stored Data? setting is set to False), or
- The sending and receiving machines use differing block sizes (that is, the Data File Block Size settings on the two machines are set to different values).

Note: You can find these settings in the Data Management folder of the machine policy.

80


Event purging
Settings in the machine policy control how often events are purged. By default, purging is turned off on Orchestria APM machines, but we recommend that you enable purging, especially on your gateways and client machines.

Note: For details about what data is purged, see below.

The simplest strategy is to implement purging after replication. Under this strategy, individual items of captured data are automatically excluded from purges until they have been replicated to the parent server. Only items that have already been replicated can become eligible for purging. To roll out a purging strategy across all of your gateways and client machines, simply edit the Common Gateway Policy and Common Client Policy. If required, you can still specify a custom purge strategy for individual machines by editing their machine policy directly.

Purging strategies

You need a separate purging strategy for your CMS, which holds captured data for your entire organization, and one or more strategies for your gateways and client machines. To implement these strategies, you need to configure the CMS, common gateway and common client machine policies. Instructions are given on page 81.

CMS purges

Compliance-seeking organizations need to implement an event purging strategy that meets regulatory requirements on the storage and retention of historical communications. Typically, this strategy requires scheduled purges. These run at regular intervals and are configurable in the CMS machine policy. If you set up scheduled purging, you must also specify the minimum retention period for captured items before they become eligible for purging. For example, you may be required to retain e-mails for a minimum of three years. For details about the minimum retention period, see page 81.

Gateway and client machine purges

Events stored in the local database of a gateway or client machine are eventually replicated up to the parent server and ultimately to the CMS. The main reason for event purging on gateways and client machines is to prevent free disk space falling to dangerously low levels on these machines (with the attendant risk of the Orchestria APM infrastructure being suspended; see Automatic suspensions on page 75).

Partition-based purges

Applicable to Oracle databases only. The Orchestria APM database schema includes support for Oracle database partitioning based on event time stamps, and for partition-based purging. For full details, see the Database guide; search the index for partition-based purging.

What data is purged?

Each purge removes eligible database records plus any corresponding blob (Binary Large Object) files, if the blob files are stored in the \Data folder or EMC Centera. This is because each Orchestria APM event comprises metadata, written to the local Orchestria APM database, and a blob file, saved on physical media:

- A database entry contains the event metadata. For example, database fields specify an e-mail's delivery date, 'envelope' details, what policy triggers were applied, and so on. Later sections in this chapter focus on purging these database entries.
- A blob file contains the e-mail content and any attachments, or the Web page plus any uploaded files, stored in Orchestria APM format. The blob file is written to disk and saved in the \Data folder (or migrated to EMC Centera, if required).


81

Minimum retention period


Orchestria APM events become eligible for purging from the CMS when their minimum retention period expires. The retention period is measured in whole days, from midnight to midnight. For example, a 1000 day retention period implies that captured events must be retained in the Orchestria APM database for at least one thousand whole days before they can be purged. An event's eligibility for purging therefore depends on its age. For:

- A captured event, that is, an e-mail or Web page captured by an Orchestria APM client or server agent, its age is calculated from the time the trigger activated.
- Imported e-mails, the age is determined by the EMail.EventDateFromEMail parameter. This specifies whether the e-mail's capture date is set from the date in the e-mail itself or the date when it was imported. This parameter is described in the Deployment guide; search the index for parameters: Event Import.

Note: The default retention period can be overwritten by reviewers and policy administrators; see below.

Override the default retention period

Orchestria APM permits reviewers and policy administrators to override the default minimum retention period. For example:

- A reviewer may need to put an unauthorized e-mail on litigation hold. They can do this in the Review dialog of the Data Management console by overriding the expiry date of that e-mail's retention period. For example, they can specify that the retention period never expires. See page 303.
- Policy administrators can set a custom retention period for all events captured by a specific trigger. For example, they may want to retain events captured by an Application Monitor trigger for one month only, but retain events captured by an e-mail trigger for three years. For details, see page 82.

Purge SPs

For both SQL Server and Oracle databases, Orchestria APM supports stored procedures (SPs). Public SPs, supplied with Orchestria APM, provide default purging functionality and can be overridden by your own custom SPs, if required. When the Orchestria APM infrastructure runs a database purge, it invokes the required public or custom purge SPs. Before a purge runs, the infrastructure also checks for any pre-purge SPs; when the purge completes or terminates, it checks for any post-purge SPs. For full details, see the Database guide; search the index for SPs.

Configure purges in the machine policy

1 Expand the Machine Administration branch.
2 To configure event purging for:

- The CMS, right-click the CMS and choose Edit Policy.
- All gateways, right-click the CMS and choose Edit Common Gateway Policy.
- All client machines, right-click the CMS and choose Edit Common Client Policy.
- A specific machine, right-click the machine and choose Edit Policy.

3 In the Machine Policy Editor, browse to the Data Management folder.

[Figure: Machine Policy [MachineCommonClient] tree: Infrastructure > Security, Data Management, Replication, Logging]
Machine Policy: Data Management folder

82


4 Set the purge frequency: You can configure purges to run immediately after the data has been replicated, or you can schedule purges to run at regular intervals.

- Scheduled purges: To schedule regular purges, set Purge Events on Replication? to False (clear the check box). Then configure the policy settings for the minimum retention period and purge frequency and time. For details, see page 83.
- Purging after replication: Set Purge Events on Replication? to True (select the check box). This purges your database as soon as captured or imported data has been replicated to the parent server. No further policy changes are required. This setting is ignored on CMSs; it is intended for use only with gateways and client machines.

5 Configure purge performance: Other settings in the Data Management folder provide further control over purge operations. For example, you can choose to suspend the Orchestria APM infrastructure during purge operations or you can specify a purging timeout. For details, see page 84.
6 Save the policy. Database purging is turned on as soon as the new settings replicate to the target Orchestria APM machines.

Selective trigger-based purging

Each trigger in the user policy has its own Minimum Retention setting. This permits you to set a custom retention period for all events captured by a specific trigger. For example, you may want to retain events captured by an Application Monitor trigger for one month only, but retain events captured by an e-mail trigger for three years. To set per-trigger minimum retention periods:

1 Expand the User Administration branch.
2 Choose the user or group whose policy you want to edit.
3 Click the toolbar button or right-click and choose Edit Policy.
4 In the User Policy Editor, browse to the trigger you want and display the trigger settings.
5 For any Capture or Transaction trigger, edit the Minimum Retention Period (Days) setting as required.

- For any Control trigger, two separate Minimum Retention Period (Days) settings are available. The first refers to authorized activity (disregarded warnings, plus inform, notify and silent events). The second refers to prohibited activity (that is, blockings and heeded warnings). (For more details, see page 217.) In both cases, the retention period determines how long the respective events are retained in the local database before they are eligible for purging. Edit these settings as required.
- For all triggers, you can permanently exclude events from purges by selecting the Unlimited check box in the Policy Setting Properties dialog.

6 Save the policy. The new retention period becomes effective as soon as the new settings replicate to the target Orchestria APM machines.

Note: Trigger-based minimum retention periods override the default retention period for the local machine, defined in the machine policy; see step 4 on page 82.


83

Turn off event purging

By default, event purging is turned off. If, after installation, you turned on database purging but subsequently need to turn it off, you must edit the machine policy.

1 Expand the Machine Administration branch.
2 Edit the policy for the machine or machines on which you want to turn off purging. For example, to turn off purging on all gateways, right-click the CMS and choose Edit Common Gateway Policy.
3 In the Machine Policy Editor, browse to the Data Management folder.
4 Set Purge Events on Replication? to False (clear the check box).
5 Set Event Purge Frequency (Days) to 0 (zero) days.
6 Save the policy. Event purging is turned off as soon as the new settings replicate to the target Orchestria APM machines.

Purge policy settings

To set up event purging for Orchestria APM machines, you must edit settings in the relevant machine policy (see step 2 on page 81).

Scheduled purges
To schedule regular purges, edit these settings in the Data Management folder of the local machine policy.

Minimum Retention (Days) Confirm or reset this setting. It defaults to 1,095 days, ensuring that the next purge removes all items more than three years old (see Minimum retention period on page 81).

i You can override this default minimum retention period; see page 81 for details.

Event Purge Frequency (Days) By default, this is set to zero. Reset this to one day to schedule daily purges.

Event Purge Time (Minutes) Specify at what time the purge runs. Particularly for gateways, you may want to run purges when there is little or no user activity to minimize the impact on machine performance. To specify the purge time, enter the number of minutes after midnight (local time). For example, enter 180 to specify a 03.00 am purge. By default, this setting corresponds to 01.00 am.

i If you are editing the Common Client or the Common Gateway policies, you can enforce a setting for all client machines and gateways by clicking Enforce Items.

i Reviewers can also specify that individual events never become eligible for purging, while policy administrators can configure any trigger to ensure that any events captured by that trigger never become eligible for purging; see page 81 for details.

i To avoid blob files remaining on the CMS after a scheduled purge, we recommend that you set the Remote Data Cache Timeout to synchronize with the scheduled purge frequency. For details, see the Deployment guide.
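The retention rules above (a machine-wide Minimum Retention default, per-trigger overrides split into authorized and prohibited activity, the Unlimited check box, and reviewer holds on individual events) decide which rows a purge may touch; the Event Purge Batch Size then splits the deletions into batches. The following Python is an added illustration of that decision logic and is not Orchestria's purge code; the Event class, the action labels, the trigger names and the sample events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Actions the guide classes as prohibited activity (blockings and heeded
# warnings). Everything else (inform, notify, silent, disregarded warnings)
# counts as authorized activity. The action labels are constructed.
PROHIBITED = {"block", "warn_heeded"}

# Per-trigger override: (authorized days, prohibited days); None stands for
# the Unlimited check box, which excludes those events from purges for good.
TriggerRetention = Dict[str, Tuple[Optional[int], Optional[int]]]


@dataclass
class Event:
    event_id: int
    captured: datetime
    trigger: str
    action: str
    never_purge: bool = False   # a reviewer marked this event as never eligible


def retention_days(ev: Event, default_days: int,
                   overrides: TriggerRetention) -> Optional[int]:
    """Minimum retention period that applies to ev, or None if it is never purged.

    A trigger-based minimum retention period overrides the machine policy
    default; within the trigger, the prohibited or authorized value applies
    depending on the event's action.
    """
    if ev.trigger not in overrides:
        return default_days
    authorized, prohibited = overrides[ev.trigger]
    return prohibited if ev.action in PROHIBITED else authorized


def purge_candidates(events: List[Event], now: datetime, default_days: int,
                     overrides: TriggerRetention) -> List[int]:
    """IDs of events that are older than their minimum retention period."""
    ids = []
    for ev in events:
        if ev.never_purge:
            continue
        days = retention_days(ev, default_days, overrides)
        if days is None:
            continue
        if now - ev.captured > timedelta(days=days):
            ids.append(ev.event_id)
    return ids


def delete_batches(ids: List[int], batch_size: int) -> List[List[int]]:
    """Split one purge into batch deletions of at most batch_size rows each."""
    if batch_size < 1:
        raise ValueError("batch size must be at least 1")
    return [ids[i:i + batch_size] for i in range(0, len(ids), batch_size)]


# Constructed sample data: a machine using the 1,095-day default, with
# trigger-level overrides for the Mail and IM triggers.
NOW = datetime(2008, 6, 1)
OVERRIDES: TriggerRetention = {"Mail": (30, 90), "IM": (None, None)}
SAMPLE = [
    Event(1, NOW - timedelta(days=1200), "Web", "silent"),       # default: purge
    Event(2, NOW - timedelta(days=400), "Web", "silent"),        # default: keep
    Event(3, NOW - timedelta(days=40), "Mail", "inform"),        # authorized, 30 days: purge
    Event(4, NOW - timedelta(days=40), "Mail", "block"),         # prohibited, 90 days: keep
    Event(5, NOW - timedelta(days=2000), "Mail", "block", never_purge=True),  # reviewer hold
    Event(6, NOW - timedelta(days=3000), "IM", "warn_heeded"),   # Unlimited: keep
]

if __name__ == "__main__":
    ids = purge_candidates(SAMPLE, NOW, 1095, OVERRIDES)
    print("eligible:", ids, "batches:", delete_batches(ids, 1))
```

Running the sample leaves only events 1 and 3 eligible: the reviewer hold and the Unlimited trigger win over age, and the prohibited Mail event is still inside its longer 90-day period.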

84

Orchestria Active Policy Management Administrator guide

Purge performance
The following settings provide further control over purge operations:

Event Purge Temporary Storage Size You can specify the maximum number of database rows that can be stored in a temporary table at one time. For efficient purge processing, Orchestria APM retrieves events flagged for purging and stores them in a temporary database table. When the temporary table has been fully purged, Orchestria APM refills it with the next batch of events flagged for purging. This process repeats until the purge completes or times out. This setting prevents the temporary table from becoming too large and adversely affecting performance.

i This setting applies only to the default purge process. It may not apply to custom purge processes.

Suspend Infrastructure During Purge? You can choose whether to suspend the infrastructure during scheduled purges. Select this setting (set it to True) to automatically suspend the infrastructure while the scheduled purge runs (unless the infrastructure is already suspended). Typically, you may want to suspend the infrastructure while performing other purge-related database activity or for performance reasons. For example, purging may be faster with foreign key constraints removed from certain tables. In this situation, we recommend that you pause replication activity while the purge runs to prevent new data being written to the database while these constraints are removed; suspending the infrastructure guarantees that all replication activity is paused for the duration of the purge.

Event Purge Timeout (Minutes) In addition to specifying when a purge starts, you can also specify the maximum time (in minutes) that a database purge can run for. You may want to limit the purge duration so that, for example, it does not coincide with replication or import operations. When the timeout expires, the purge is terminated.

Event Purge Batch Size When purging a database, Orchestria APM can delete a batch of rows in a single operation. You can specify how many rows are included in each batch deletion. Larger batch sizes mean bigger database transactions and more DBMS locks. Note that a single purge operation typically includes multiple batch deletions.


Machine diagnostics
The CMS collects machine diagnostic data from all Orchestria APM servers and client machines in the machine hierarchy. This data underlies the diagnostic machine and user searches available in the Administration console. To minimize network impact, you can configure when and how this diagnostic data is collected.

Diagnostics policy settings

You can configure the CMS to control when it collects diagnostic data. You can also control the network impact by changing the number of collection threads and specifying how long it spends collecting this data. Finally, you can update the account login status for any anomalies identified in the diagnostic data. To configure the collection of diagnostic data, you edit settings in the CMS or gateway machine policy. Browse to the Diagnostics policy folder:

Collection Time: Defaults to 720 (12 hours or 12.00 pm). This setting specifies when, or how often, diagnostic data is collected. This is dependent on the Collection Frequency setting (see below). If the Collection Frequency is:

` Set to zero, the Collection Time setting specifies the number of minutes between each collection run. If the Collection Time and Collection Frequency are both zero, automatic scheduled collections are disabled.

` Set to one or more days, the Collection Time setting specifies the number of minutes past midnight when data collection begins.

Collection Frequency: Defaults to 1. This setting indicates how often (in days) diagnostic data is collected. If the Collection Frequency is zero, data is collected more frequently than once a day; this depends on the Collection Time setting; see above. If the Collection Frequency and Collection Time are both zero, automatic scheduled collections are disabled.

Collection Period: Defaults to zero. This setting determines how long (in minutes) the CMS or gateway spends collecting diagnostic data. For example, if the Collection Frequency is 1 and the Collection Period is 120, then diagnostics will be collected daily over a two-hour period. If the Collection Period is zero, the server automatically calculates an appropriate collection period.

Session Record Expiry Period: Defaults to seven days. This setting is used to rectify inaccurate session records identified when processing the diagnostic data. That is, a user account is logged out of Orchestria APM, but the session record on the parent server indicates the user is still logged in. For example, this may happen if problems occur when uninstalling a client machine. How does this setting work? If diagnostic data from a child machine indicates the machine has not been running for longer than this expiry period, all open machine and user sessions for this machine are updated to the Logged Out state. If the Session Record Expiry Period is zero, session records are never cleared by this method.

Number of Collection Threads: This setting is only invoked if there has been no communication between the parent and child machine. To minimize network impact, diagnostic data is collected as part of the normal communications between a parent and its child machines. But if there has been no communication between these machines during the collection period, additional threads are created specifically to actively collect this diagnostic data. This Collection Threads setting specifies the maximum number of additional threads used simultaneously to collect and process diagnostic data from child machines. It defaults to 10. You can increase concurrency by raising the number of collection threads. This reduces the time needed to collect the data but also has a greater impact on your network. Alternatively, you may choose to reduce the number of collection threads so that data trickles back to the parent server, lengthening the collection time but reducing network load.

Diagnostic machine searches

The Administration console includes a wide range of diagnostic machine searches. Typically, these are searches to identify machines that require your attention. For example, you can search for machines that are suspended or which cannot be contacted, or which are running out-of-date software. For details about these diagnostic searches, see page 94. In addition, Orchestria APM includes specific diagnostic support for replication problems in the form of checkpoints. These are replication markers sent to all Orchestria APM machines and which require an acknowledgment from each recipient. They enable administrators to check child machines are up-to-date in terms of policy updates and other infrastructure data. The Administration console includes several checkpoint-based machine searches. For full details about checkpoints, see page 87.


Replication checkpoints
Checkpoints enable administrators to check child machines are up-to-date in terms of policy updates and other infrastructure data (that is, user and machine details). The CMS generates a checkpoint record and adds this to the replication queue, from where it is subsequently sent to all child machines. Each child machine then returns a checkpoint acknowledgment. This is a confirmation that the child machine has received all infrastructure updates sent prior to this latest checkpoint. Note that acknowledgments are fast-tracked back to the CMS to allow rapid diagnosis of your Orchestria APM deployment. Checkpoints can be generated automatically, for example, at 01.00 am every day or after every 1,000 infrastructure updates. You can also manually generate checkpoints and configure how long checkpoints and their acknowledgment are retained in the CMS database.

Manual checkpoints
If required, you can manually set checkpoints. For example, you may want to send a custom checkpoint after making changes to your user hierarchy or after running a major Account Import job. To set a manual checkpoint:

1 In the Administration console, choose Tools > Generate Checkpoint. In the resulting dialog, specify a description of the checkpoint and click Generate. A checkpoint ID appears in the dialog.

i The checkpoint ID can be copied to the Windows clipboard for use when running a custom administration search for machines; see page 95.

i The description, along with the checkpoint ID, is stored in the Wgn3Checkpoint database table.

2 Close the dialog.

How long are checkpoints retained?

By default, checkpoints and acknowledgments are retained in the CMS database for 60 days, but you can configure this. For details, see page 88.

Diagnosing missed checkpoints

The Administration console provides a number of predefined searches based on missed checkpoints. For example, you can search for machines that have failed to acknowledge the latest checkpoint, or machines which have not acknowledged a checkpoint for three days. After identifying these machines, we suggest that you analyze the Orchestria APM log files on these machines and their parent servers to determine the cause of the missed checkpoints. Under normal conditions, after the problem has been fixed any outstanding infrastructure updates, including missed checkpoints, are then automatically replicated to those child machines when they signal to their parent server that they are ready to start receiving updates again. For details about running these missed checkpoint searches, see page 94.

Automatic checkpoints
You can configure the CMS to generate checkpoints automatically, at regular intervals or after a specified number of infrastructure updates. To do this, or to disable automatic checkpoints, you edit the CMS machine policy. For details, see page 88. Automatic checkpoints are assigned a checkpoint ID and description, both of which can be used when running a custom administration search for machines; see page 95. Automatic checkpoints are assigned one of two checkpoint descriptions:

Scheduled: Specifies a regular checkpoint generated using the Checkpoint Time and Checkpoint Frequency machine policy settings.

Triggered by update count threshold: Specifies a checkpoint generated by the Update Count Threshold machine policy setting.


Checkpoint policy settings

To configure automatic checkpoints and to specify the checkpoint retention period, you edit settings in the CMS machine policy. Browse to the Checkpoints policy folder:

Update Count Threshold: Defaults to zero. This setting specifies the number of infrastructure updates that trigger a new checkpoint. If this setting is zero, the update count threshold is disabled and checkpoints are not generated. What is a suitable value for this setting? Unfortunately, we cannot give precise guidelines. A simple policy update, perhaps affecting a dozen trigger settings, may only comprise two infrastructure updates (to the policy and blob database tables). Conversely, a major restructuring of a typical user hierarchy, with its attendant impact on policy tables, the group hierarchy, e-mail address tables and so on, can easily comprise tens of thousands of infrastructure updates. We recommend that you leave this threshold set to zero and only change this under the guidance of Orchestria technical staff.

Checkpoint Time: Defaults to 1140 (19 hours or 7.00 pm). This setting specifies when checkpoints are generated, or how often they are generated. This is dependent on the Checkpoint Frequency setting. If the Checkpoint Frequency setting is:

` Set to zero, the Checkpoint Time setting specifies the number of minutes between each generated checkpoint. If the Checkpoint Time setting is also set to zero, scheduled checkpoints are disabled.

` Set to one or more days, the Checkpoint Time setting specifies the number of minutes past midnight when each checkpoint is generated.

i If a new checkpoint is scheduled but there have been no infrastructure changes since the last checkpoint, a new checkpoint is not generated.

Checkpoint Frequency: Defaults to 1. This setting indicates how often (in days) checkpoints are generated. If the Checkpoint Frequency is zero, then scheduled checkpoints are either disabled or generated more frequently than once a day; this depends on the Checkpoint Time setting; see above.

Checkpoint Retention (days): Defaults to 60. This setting specifies how many days checkpoints and their acknowledgments are retained on the CMS. Set this value to zero to permanently retain checkpoints and acknowledgments.

Disabling automatic checkpoints

To fully disable automatic checkpoints, set the following three policy settings to zero: Checkpoint Time, Checkpoint Frequency and Update Count Threshold.
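The Checkpoint Time and Checkpoint Frequency pair above follows the same rule as the Collection Time and Collection Frequency pair in the Diagnostics folder (and Event Purge Time uses the same minutes-past-midnight convention): a frequency of zero turns the time value into an interval in minutes, a frequency of one or more days turns it into a time of day, and zero for both disables the schedule. The Python below is an added example of that rule, written for this page rather than taken from Orchestria; it assumes, for the day-based case, that the repeat cycle is anchored on the current day, and the parse_local helper is a convenience constructed for the example.

```python
from datetime import datetime, timedelta
from typing import List, Optional


def parse_local(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (constructed convenience for the examples)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def next_run(now: datetime, time_setting: int, frequency_days: int) -> Optional[datetime]:
    """Next run under the Time/Frequency rules, or None if the schedule is disabled.

    frequency_days == 0: time_setting is the number of minutes between runs;
        if time_setting is also zero the schedule is disabled.
    frequency_days >= 1: time_setting is minutes past midnight (local time) at
        which the run starts, repeating every frequency_days days. Assumption:
        the repeat cycle is anchored on the current day.
    """
    if time_setting < 0 or frequency_days < 0:
        raise ValueError("settings must not be negative")
    if frequency_days == 0:
        if time_setting == 0:
            return None
        return now + timedelta(minutes=time_setting)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    candidate = midnight + timedelta(minutes=time_setting)
    if candidate <= now:                       # today's run has already passed
        candidate += timedelta(days=frequency_days)
    return candidate


def upcoming(now: datetime, time_setting: int, frequency_days: int,
             count: int = 3) -> List[datetime]:
    """The next count runs, so an administrator can sanity-check a setting."""
    runs: List[datetime] = []
    cursor = now
    for _ in range(count):
        nxt = next_run(cursor, time_setting, frequency_days)
        if nxt is None:
            break
        runs.append(nxt)
        cursor = nxt
    return runs


def clock_time(minutes_past_midnight: int) -> str:
    """Render a minutes-past-midnight value as the guide does, e.g. 1140 -> '19.00'."""
    hours, minutes = divmod(minutes_past_midnight % 1440, 60)
    return f"{hours:02d}.{minutes:02d}"


if __name__ == "__main__":
    start = parse_local("2008-06-01 08:00")
    print("Collection defaults (720, 1):", upcoming(start, 720, 1))
    print("Checkpoint defaults (1140, 1):", upcoming(start, 1140, 1))
    print("Every 90 minutes (90, 0):", upcoming(start, 90, 0))
    print("Disabled (0, 0):", upcoming(start, 0, 0))
```

Note that the real checkpoint scheduler also skips a scheduled checkpoint when nothing has changed since the last one; this example only computes when the schedule fires.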


Log files
Orchestria APM keeps a log of all significant activity and replication events, for example, when a new user account is created or when a user policy is edited. Event logs are saved in .log files. You can print the contents of any logfile using a text editor such as Microsoft Notepad. Log files are typically saved locally in Orchestria's \data\log subfolder of the Windows All Users profile. The example below shows this location within a typical folder structure:

[Figure: Data folder structure. All Users > Application Data > Orchestria > Active Policy Management > data > log, with a sibling cache folder; the other profile folders shown are Default User, srimmel, lsteele and fschaeffer.]

Log entries are not replicated up to the CMS. Logfile names indicate the type of log, and incorporate the date and time when the file was created. For example, activity_200201200945.log is an Activity log created on 20 January 2002 09:45. You use the Administration console to view logs on any machine in your Orchestria APM enterprise; see page 91.

Types of log file

Activity logs These record general activity by all machines. For example, each time users or machines log in or out, and each time policies are created or updated. They are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: activity_200201200945.log. You can configure this log file to also record user administration changes using a machine policy setting; see page 90.

Replication logs These record any database changes that were made on a remote machine and copied to the local machine. These typically include changes to a machine or user policy, and changes to user accounts and user groups. These changes are recorded in the replication log on each machine. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: repl_200201200945.log. You can configure this log file using machine policy settings; see page 90.

System logs These record any infrastructure errors that occur while the Orchestria APM service is running. Under normal conditions, this logfile is empty. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: stderr_200201200945.log. You can configure this log file using machine policy settings; see page 90.

i Any errors detected when the Orchestria APM service starts up are written to the file wgninfra.out. Find this file in the \data\log subfolder in the Orchestria APM installation folder.

User Administration logs These record any changes made to user accounts or groups. These typically include changes to user accounts and user groups. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: useradmin_20050120945.log. You can configure this log file using machine policy settings; see page 90.

Event Import logs These record the outcome of Event Import operations, including details of all successful and unsuccessful events, plus details of any system errors (for example, when a user cannot be created). An Event Import parameter determines the level of logging detail. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: evtimport_20050120945.log.

iConsole logs These record the outcome of iConsole operations, including details of any errors incurred performing iConsole operations. iConsole logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: iconsole_2005120945.log.

Content indexer logs These record the outcome of content indexer operations, including all significant connection and job events. Content indexer log files are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: index_job001_200501241500.log.

i Content indexer log files are not listed in the Administration console.

Account Import logs These record the outcome of any operations using Account Import (see pages 54 and 73). Log entries typically include changes to the user or machine hierarchy, such as the addition of new users, groups or client machines. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: ldap_200201200945.log.

i Event Import and the content indexer are described in the Deployment guide; search the index for Event Import and Content Indexer.

Configure logfiles
You configure logfiles in the machine policy. In the Machine Policy Editor screen, go to the Infrastructure > Logging folder; see page 147. Settings in this folder determine:

` Which events are recorded in the logfile, for example, policy changes and logins.

` The maximum size for a logfile. New logs are created when the current log exceeds its maximum size.

` The maximum number of logfiles. When this number is exceeded, the oldest logfile is deleted.

` Whether user administration entries in Orchestria APM logfiles are: diverted from the Activity logfile to the User Administration logfile; recorded in both logfiles; or not recorded in either logfile. For example, to log administration entries:

` Only in the User Administration logfile, configure the User Administration Changes setting in the Activity folder to False and the same setting in the User Administration folder to True.

` In the Activity and User Administration logfiles, configure the User Administration Changes setting in the Activity folder to True and the same setting in the User Administration folder to True.

` In neither logfile, configure the User Administration Changes setting in the Activity folder to False and the same setting in the User Administration folder to False.

` Whether entries in Orchestria APM logfiles are also copied to the NT Event Log. You can specify which categories of message are copied; see page 91.
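Because the logfile names carry both the log type and the creation timestamp, a monitoring script can take an inventory of the \data\log folder without opening any file. The Python below is an added example for this page, not an Orchestria tool: it parses the name formats listed above, rejects names whose timestamp is not a full 12 digits or not a valid date rather than guessing, and groups the rest by type, newest first. The directory listing is constructed, and treating the newest file of a type as the current one is this example's assumption.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Logfile prefix -> log type, from the name formats listed above.
LOG_TYPES = {
    "activity": "Activity",
    "repl": "Replication",
    "stderr": "System",
    "useradmin": "User Administration",
    "evtimport": "Event Import",
    "iconsole": "iConsole",
    "index": "Content indexer",
    "ldap": "Account Import",
}

# <prefix>[_jobNNN]_YYYYMMDDHHMM.log; the 12-digit timestamp is the creation time.
_NAME_RE = re.compile(r"^(?P<prefix>[a-z]+)(?:_(?P<job>job\d+))?_(?P<ts>\d{12})\.log$")


def parse_log_name(name: str) -> Optional[Tuple[str, Optional[str], datetime]]:
    """(log type, job id or None, creation time), or None if the name is not recognised.

    Names with a truncated or impossible timestamp are rejected rather than
    guessed at, so a monitoring script never mis-dates a file.
    """
    m = _NAME_RE.match(name)
    if not m or m.group("prefix") not in LOG_TYPES:
        return None
    try:
        created = datetime.strptime(m.group("ts"), "%Y%m%d%H%M")
    except ValueError:
        return None
    return LOG_TYPES[m.group("prefix")], m.group("job"), created


def inventory(names: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group recognised logfiles by type, newest first; return unrecognised names separately."""
    by_type: Dict[str, List[Tuple[datetime, str]]] = {}
    unrecognised: List[str] = []
    for name in names:
        parsed = parse_log_name(name)
        if parsed is None:
            unrecognised.append(name)
            continue
        by_type.setdefault(parsed[0], []).append((parsed[2], name))
    ordered = {t: [n for _, n in sorted(v, reverse=True)] for t, v in by_type.items()}
    return ordered, unrecognised


def newest_logfile(names: List[str], log_type: str) -> Optional[str]:
    """The most recently created logfile of a type; assumed to be the current one."""
    files = inventory(names)[0].get(log_type, [])
    return files[0] if files else None


# Constructed directory listing, including one truncated name and a stray file.
SAMPLE_NAMES = [
    "activity_200201200945.log",
    "activity_200201211030.log",
    "repl_200201200945.log",
    "stderr_200201200945.log",
    "index_job001_200501241500.log",
    "useradmin_20050120945.log",     # 11-digit timestamp: rejected
    "wgninfra.out",                  # start-up errors, not a dated logfile
]

if __name__ == "__main__":
    grouped, unknown = inventory(SAMPLE_NAMES)
    for log_type, files in grouped.items():
        print(f"{log_type}: {files}")
    print("unrecognised:", unknown)
```

A non-empty System log or a growing count of unrecognised files in the folder is the kind of condition worth raising through the Windows event log route described on the next page.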


Copy log entries to the Windows event log

You can specify that entries in Orchestria APM logfiles are also copied to the Windows event log. This enables you to use third party monitoring and alerting software such as Microsoft Operations Manager (MOM) to notify your administrators when an Orchestria APM error occurs. You can also specify which categories of message are copied.

1 In the Machine Administration screen of the Administration console, select the machine you want and open the Machine Policy Editor.
2 Browse to the Infrastructure > Logging policy folder.
3 Edit the Write to Windows Event Log setting. For example, you can choose to only copy Errors.
4 Save your policy changes.

View logfiles
By default, the Administration console lists logfiles on the local machine. But you can also view logfiles on remote machines.

X View local logfiles

1 Choose Manage > Logfiles or click the Logfiles toolbar button.
2 Browse the available logfiles and choose the one you want to view. One icon indicates a closed logfile; another indicates the current logfile.

i You can only view logfiles if you have been granted the Machine: View Logfile privilege.

X View remote logfiles

1 Choose Manage > Machine Administration.
2 Expand the machine hierarchy and select the machine you want.
3 Right-click and choose View Logfile.


5. Administration searches

This chapter focuses on administration searches for user, group and machine accounts. For example, you can search for user accounts with out-of-date policies or machines that have missed one or more replication checkpoints. A range of predefined searches are available in the Administration console. These include information and health searches, for both users and machines. Information searches typically retrieve basic details about existing accounts; health searches identify problematic accounts, or accounts which require your attention, such as machines which cannot be contacted or users with out-of-date policies. You can also define and save your own administration searches, and copy search results to the clipboard. In all cases, Orchestria APM generates a SQL search expression. If required, experienced users can edit this expression directly.

Searching for users and machines: From the Administration console (1), the Administration Search feature (2) lets you search for user (3) and machine (4) accounts. All searches for user accounts are limited in scope by your management groups (5); you cannot search for users associated with groups outside your management groups.


Searching for administration data

Administration data refers to user, group and machine account details. To search the CMS database for administration data, you use the Administration Search feature in the Administration console. This lets you construct complex search expressions without needing any knowledge of SQL syntax.

i You can only search for administration data if you have the administrative privilege Admin: Allow administration searches. See page 57.

Predefined searches
The Searches screen in the Administration console includes a wide range of predefined searches:

User Information: These focus on user accounts that are active or currently logged in, or which have had policy changes since the account was created.

User Health: These searches focus on:

` User accounts with out-of-date policies. That is, the child machine is not using the latest policy version held on the CMS.

` Unused user accounts. These are accounts that exist on the CMS but which have never logged on.

` User accounts with no parent group, and user or group policies with no parent policy. Both situations can potentially arise if the user hierarchy becomes corrupted in the CMS database.

Machine Information: These searches identify current machine accounts (separate searches are available for each machine type) and machines currently connected to the CMS.

Machine Health: A wide range of diagnostic searches are available. For example, you can search for:

` Suspended machines, machines that cannot be contacted, or Orchestria APM machines on which the infrastructure has stopped.

` Machines that need a complete infrastructure synchronization with their parent server.

` Machines running the latest version of Orchestria APM, or machines running an out-of-date version.

` Machines that have missed one or more replication checkpoints.

` Machines with a replication backlog: either infrastructure updates waiting to be sent down to child machines, or captured events waiting to be sent up to the parent server.

i For details about these predefined searches, see the Administration console online help.

[Figure: Administration console, Searches branch. Active Policy Management > My Servers > CMS-HARDY > User Administration, Machine Administration, Logfiles, Statistics, Content Agents, Searches (User Information, User Health, Machine Information, Machine Health, Custom Searches).]

Run an existing search

In the Administration console, expand the Searches branch in the left-hand pane and select the search you want. The search runs automatically. When the search completes, all matching user or machine accounts are listed in the right-hand pane. For user searches only, you can double-click any user listed in the right-hand pane to view their full account properties. If you need to cancel the search (for example, because it is taking a long time to complete), click the Stop Search button.


Run a new search

1 In the Administration console:

` To define a new administration search, choose Tools > Administration Search or click the Administration Search toolbar button.

` To edit an existing search, expand the Searches branch in the left-hand pane (see page 94). Right-click the search you want and choose Edit.

2 Fill in the fields in the Administration Search dialog:

2.1 CMS: If your console is linked to multiple CMSs, choose the CMS whose database you want to search.

2.2 Look For: Choose your search items. These are the items you want to look for: Users, User Groups or Machines.

2.3 View: Only available for machine searches. The view determines which data is returned by a database query. In effect, it determines which columns are shown in the right-hand pane. Choose:

` Generic View to include basic machine details. These include the machine role (for example, a client machine or gateway), its policy versions, its parent server, the number of children (child machines parented to the current server) and the Orchestria APM software version.

` Diagnostics View to include various status columns, in addition to the usual machine details. For example, these indicate the connection status, replication status (including missed checkpoints), and whether a machine needs resynchronizing. You use this data to identify machines that require your attention.

2.4 Search filters: Define your search using the search filters. For example, if looking for users you can search by user group or last logon date. Search filters are displayed on search tabs. The range of available filters depends on what items you are looking for. See page 96 for filter details.

3 As you define your search filters, Orchestria APM generates a SQL search expression. If you have the Events: Allow unrestricted SQL searches administrative privilege (see page 57), you can click the SQL tab to edit this expression directly.

i If you do write your own search expression, see the SQL requirements in the Data Management Console guide; search the index for SQL search expressions. Also, the handling for wildcards and other special characters, plus the requirements when specifying user or group names, are the same as for event searches. These are also described in the Data Management Console guide; search the index for searches, wildcards.

4 If required, you can save your search definition; see page 96. Saved searches are listed under the Custom Searches folder in the Administration console. Click Search Now to run the search. Or choose Search > Search Now. Items matching the search criteria are shown in the Search tab.

[Figure: Administration Search dialog. 1 CMS list. 2 Look for options. 3 Database view. 4 Search description. 5 Search Now button. 6 Search filters.]


Saved searches
You can save searches for users, groups or machines as .QDF files. This allows you to run repeat searches and share search expressions with your colleagues.

X Save a search
In the Administration Search dialog, define your search as normal. Then choose Search > Save or Save As.

i These menu items are not available in the main console menu bar!

X Open a saved search

In the Administration Search dialog, choose Search > Open and select a saved search.

i This menu item is not available in the main console menu bar!

Copy search results to clipboard

You can easily export the results of any administration search. For example, you can add them to a spreadsheet or a Word document. To do this, you copy the selected search results to the clipboard; from there, you can paste them into the target application.

1 After running an administration search, select the results you want in the right-hand pane of the Administration console. You can drag the mouse to quickly select multiple rows.
2 Right-click any selected results and choose Copy to Clipboard.

Administration search filters

You can look for users, user groups and machines. Your choice of search item determines the range of available search filters. These are summarized below, and full details are given in the online help; search the help index for search filters.

i You can use wildcards for all these filters. These are described in the Data Management Console guide.

Look for: Users

You can filter the search by a user's account details such as:

` User account name or user full name
` Parent group name
` User role
` Active or deleted user accounts
` When the account was created
` Last connection date and time

For example, you can search for users in a specific group or who have not logged in for more than seven days.

i Be aware of the limitations when filtering searches by user group; see the Data Management Console guide for details; search the index for user groups.

Look for: User groups

You can filter the search by group details, such as:

` Group name
` Active or deleted group accounts
` Groups containing users with a specific name
` Groups containing users with a specific role

For example, you can search by group for groups containing administrators or groups containing managers.

Look for: Machines

You can filter the search by machine attributes, account details and diagnostic status, including:

` When the account was created
` Last connection date and time
` Parent server name
` Current logon state
` Date and time of last connection
` Active or deleted accounts
` Diagnostic status. These filters include time of last replication, outstanding replication updates, time of latest checkpoint acknowledgment, checkpoint description and so on.

For example, you can find all the Orchestria APM machines connected to a specific gateway, or you can identify all machines that have failed to acknowledge the last five checkpoints.

6. Editing policies

This chapter examines machine policies and user policies. Orchestria APM uses these policies to manage machine and user behavior. Both types of policy work in the same way. The chapter describes how to edit policies, introduces the concept of policy inheritance, and summarizes the main policy settings.

What is a policy?
A policy is simply a collection of settings applied to a user, a group of users, or a machine.

A user policy controls Web, IM, and e-mail activity, and monitors application usage for an individual user or a group of users. User policies are also used to monitor specified files (typically text-based documents). Users inherit their policies from the group they belong to. In turn, the group inherits its policy from its parent group. A machine policy determines how an Orchestria APM computer manages its database of captured data and communicates with other Orchestria APM computers. By default, new client machines inherit the common client policy and new gateways inherit the common gateway policy.

[Figure: Policy types. User policies apply to: 1 User. 2 User groups. Machine policies apply to: 3 Client machines. 4 Gateways. 5 CMS.]

Each setting controls a specific aspect of user or machine behavior, and each setting has a value. For example, some settings have numeric values; for others, the value is actually a list of items such as URLs or credit card numbers; other settings may have a simple true-false value; finally, some settings take a user-selected menu item as their value. Related settings are grouped into policy folders. Each folder can have attributes such as Hidden, Disabled, or Enforced. Settings within the folder inherit these attributes. These attributes let you tailor the scope of any custom policies that may be needed lower down your hierarchy of user groups or machines. In all cases, an administrator can override the default settings to create custom policies for a specific user, group, client machine, gateway or CMS.

98

Orchestria Active Policy Management Administrator guide

Policy icons and toolbar buttons

Administration console toolbar
Edit policy: Opens the policy editor for the current user, group, or machine.

Policy Editor toolbar
Save: Saves the latest policy changes. Important: You must do this after making any changes to values or attributes!
Properties: Edits the values or attributes of the current folder or setting.
Disable Items: Disables the current folder (and its subfolders).
Enforce Items: Enforces the current setting or folder. Note that this does not enforce subfolders.
Hide Items: Hides the current setting or folder (and its subfolders).
Refresh: Updates the screen display to include recent changes made in the parent policy.
Policy Report: Generates a report for the entire policy or the currently selected folder.
Find: Finds a named policy item.
Find Previous: Finds the previous occurrence.
Find Next: Finds the next occurrence.
Back: Returns to the previously selected item.
Forward: Returns to the policy item you selected before you clicked Back.

Policy Editor icons
The Policy Editor shows a distinct icon for each of the following items:
- Policy root
- Policy folder
- Policy folder - disabled
- Policy folder - enforced
- Policy folder - disabled, enforced
- Policy folder - hidden
- Policy folder - hidden, disabled
- Policy folder - hidden, enforced
- Policy folder - hidden, disabled, enforced
- Policy setting
- Policy setting - disabled
- Policy setting - enforced
- Policy setting - disabled, enforced
- Policy setting - hidden
- Policy setting - hidden, disabled
- Policy setting - hidden, enforced
- Policy setting - hidden, disabled, enforced

Chapter 6 Editing policies

99

Editing policies
By default, users inherit the policy defined for the group they belong to. But you can create a custom policy for an individual user. For example, if user policies throughout your organization block certain Web pages, you can exempt a user from these restrictions by redefining the blocking triggers in their policy. Orchestria APM provides shortcuts for fast editing of user and machine policies:

View a policy in read-only mode
If required, you can view a policy in read-only mode to prevent accidental changes to settings or folder attributes.
1. Expand the User Administration or Machine Administration branches. Then select a user, group or machine.
2. Right-click and choose View Policy.

Edit a policy
- For user policies, see page 48.
- For group policies, see page 45.
- For CMS policies, see page 69.
- For gateway policies, see page 69.
- For client machine policies, see page 71.

Edit a folder or setting
1. Expand the User Administration or Machine Administration branches. Then select a user, group or machine and:
   - Click Edit Policy, or
   - Right-click and choose Edit Policy, or
   - Click the policy hyperlink in the right pane. See page 34 for details.
2. In the Policy Editor, browse the policy folders to find the setting you want.
3. Double-click the setting to edit its value or attributes.
   Note: When editing list settings, you can import existing lists of e-mail addresses or Web sites. See page 121 for details.
4. Click Save to save the updated policy. A summary dialog lists all policy items that you have modified. This dialog allows you to confirm, cancel or modify the changes.

Disable folders
This is described on page 116.

Enforce folders or settings
This is described on page 117.

Hide folders or settings
This is described on page 116.

Finding policy folders or settings
To quickly find a specific folder or setting, you can use the Find feature. This is described on page 100.

Reset a policy
This restores the inherited default values for all settings in the policy and the inherited attributes for all folders in the policy. In a Policy Editor screen, choose Edit > Reset.


Policy navigation
In the User Policy Editor, you can quickly navigate around a policy using hyperlinks, the Back and Forward buttons, and the Find feature.

Hyperlinks
Many settings are hyperlinked to a dependent setting or folder. For example, each capture trigger has a setting that specifies the capture action; click the hyperlink to jump to the specified action.

[Figure: Hyperlinks in the User Policy Editor. 1 Example hyperlinks to dependent settings.]

Back and Forward buttons
Use these buttons to jump back to previously selected policy items. Click Back to go back to the policy setting or folder that you previously selected. Click Forward to return to the policy item you selected before you clicked Back.

Find policy folders or settings
To quickly find a specific folder or setting, you can use the Find feature.
1. In the Policy Editor screen, click Find or press Ctrl+F.
2. Enter the setting or folder name in the Find dialog. You do not need to enter the whole name. You can search on the first few letters of any name, and you do not need to match the case. For example, type 'use' to find the first 'Message To Users' setting.

You can quickly search the policy tree to find other occurrences of this name:
- To find the previous occurrence of this name, click Find Previous or press F3.
- To find the next occurrence of this name, click Find Next or press Shift+F3.

Note: For more complex searches, use the Policy Report tool. See page 121 for details.


Controlling policy changes

You need to prevent unauthorized or conflicting changes to user and machine policies. This is especially important if you have multiple administrators (that is, Orchestria APM users with administrative authority).

First, you must decide who is permitted to edit (or even view) policies. You create policy administrators by the prudent allocation of administrative privileges.

Second, you need to specify which users, groups or machines can be managed by each of your policy administrators. For example, you may want to restrict an administrator's authority to a specific department or office. To do this, make sure an appropriate management group is assigned to each of your policy administrators.

Finally, after identifying which policies an administrator is permitted to manage, you need to control which settings and folders within those policies they are permitted to edit. To do this, you apply the Disable, Enforce and Hide attributes.

Policy privileges
Certain administrative privileges permit users to view and edit policies, and to replicate policy changes to client machines. These are:

- Policies: Edit policy
- Policies: Edit the CMS policy
- Policies: Replicate changes to clients
- Policies: View policy

See page 59 for further details.

Management groups
After assigning the appropriate privileges to your policy administrators, you need to set their management groups to control which user policies they can manage. Administrators cannot view or edit user policies that fall outside their management groups. See page 43.

Disable and enforce attributes
Any folder and setting can be enforced. This means nobody can edit it in a child policy (see page 119). Similarly, in the user policy, any Capture, Control and Transaction folder or subfolder can be disabled. This means Orchestria APM ignores all settings in the folder itself and its subfolders.

By using combinations of the Enforce and Disable attributes, you can restrict the folders and settings that an administrator can edit in a child policy. For example, to set up an enterprise-wide Web usage advisory, the primary administrator can enforce the Warning Message folder in the user policy (see the Extensions folder on page 142) for the top-level Users group. This means nobody can change the message in any child policy throughout the enterprise.

Likewise, the primary administrator may choose to disable certain folders in the policy for the top-level Users group, for example, some unused capture triggers. If they also enforce these disabled folders, this ensures that nobody can re-enable these triggers in any child policy throughout the enterprise.

Note: The Disable and Enforce attributes are fully described on pages 116 to 117.


Policy list settings

All triggers in the user policy (except for manual captures) are conditionally dependent on lists of trigger items. If detected, these items can trigger a capture, blocking or a warning. Examples include lists of key words or phrases, credit card numbers, Web site URLs, e-mail addresses, file names, window titles, and executable paths. Support for policy list settings includes:

- Copying and importing: When editing these list settings, you can copy and paste items from other lists, and import items from other files or applications. For example, you can import URLs from a table in Microsoft Word. See page 105.
- Wildcards: You can also use * and ? wildcards to define list items.
- Included and Excluded lists: For each policy list setting, you can specify an Included list of items or an Excluded list. You specify which list is checked for matching items. You can even set up trigger exemptions for specific URLs or e-mail addresses by specifying combination list checking. See page 103.
- E-mail address formats: When defining lists of e-mail addresses, you can search for display names or you can define addresses based on the protocols used by your e-mail server. See page 109.

To edit the list so it only includes inherited (default) items or custom items added by the current user, see page 103.

Note the following:
- In lists of e-mail addresses, spaces are interpreted as AND operators. See page 109.
- You cannot add multiple items into a single row of the list box. You must add items to separate rows. For example, you cannot add this as a single entry: file1.txt;file2.txt;file3.txt

Define a list
To define a list of trigger items, you edit the associated policy list setting. These settings use a special version of the Policy Setting Properties dialog; see the figure callouts below.
1. Open the User Policy Editor and locate the trigger with the list setting you want to change. Example list settings include Excluded Addresses and Included Search Text.
2. Double-click the list setting or right-click and choose Properties. This opens the Properties dialog.
3. Use the Add, Exclude and Remove buttons to define your list.

[Figure: Policy Setting Properties dialog: list settings. 1 List source options: Use inherited value and Override inherited value. 2 Default list items, inherited from the parent policy. 3 Custom list items, added to the current policy. 4 List box. Right-click here to copy, paste or import list items. 5 Dashed line. Separates default items from custom items. 6 Add button. 7 Include or Exclude button. Available only when you select a default item. 8 Remove button. Available only when you select a custom item. 9 Edit button. 10 Enforce button.]


Default and custom list items

A list setting can include both inherited default items and custom items added by the current user. But you can edit the list properties to only include items from one of these sources. The following actions are available in the Policy Setting Properties dialog for list settings.

Revert to the inherited list
If you want to revert the list back to its original state, containing only those items inherited from the parent policy, select the Use inherited value option. This removes all custom list items and reinstates any excluded default list items.

Remove all inherited list items
If you want the list to only include custom items, select the Override inherited value option and the Remove inherited items check box. This removes all list items inherited from the parent policy.

List item icons
When you edit a list setting, icons in the Policy Setting Properties dialog show the status of individual items. Policy list items:
- Default item, inherited from the parent policy.
- Enforced default item. These cannot be deleted or unenforced.
- Custom item. These are added by the current user.
- Enforced custom item. These cannot be deleted or unenforced in child policies.

Included, excluded and ignored lists

For each policy list setting, you can specify an Included list of items or an Excluded list. You specify which list is checked for matching items. You can even set up trigger exemptions for specific URLs or e-mail addresses by specifying combination list checking. The Which List? policy settings determine which list is used to detect matching URLs, e-mail addresses, search text, and so on.

Included lists
In effect, included items are 'forbidden' items. If a trigger uses an Included list, any single item in the list can activate the trigger. If a trigger fails to detect any items in the Included list, the trigger does not activate. For example, if a Web page capture trigger uses an Included URL list, any URL on this list will trigger a capture when the user browses to it.

Excluded lists
In effect, excluded items are 'allowed' items. If a trigger uses an Excluded list, any items can activate the trigger except items in this list. If a trigger fails to detect any items in the Excluded list, the trigger always activates. For example, a control trigger for incoming e-mails uses an Excluded Address list. The trigger always activates when it detects an incoming e-mail unless the e-mail is from a sender on the Excluded list. If it is from an Excluded sender, the trigger does not activate.

Multiple items in Excluded list
Important: Excluded lists containing multiple items require special attention. For these lists, Web pages or e-mails are only exempted if all listed items are detected. For example:
- An outgoing e-mail sent to multiple recipients is only exempted if all recipients are on the Excluded address list. If any recipient is absent from the Excluded address list, the trigger will activate as normal!
- A Content Search Text trigger for Web pages that specifies multiple excluded words will always activate unless every word on the Excluded text list is detected on the Web page. If any listed words are missing, the trigger activates as normal. If all listed words are detected, the trigger will not activate.

Combination list checking

Available only for URL and e-mail address lists.

This allows you to set up general capture, control or transaction triggers, but exempt specific URLs or e-mail addresses. For example, combination list checking allows you to block e-mails sent between the Research and Sales departments unless a copy has also been sent to a particular manager (for example, your regulatory compliance officer).

How does this work? First, the detected URL or address is compared against the Included list. If a match is confirmed, the URL or address is then compared against the Excluded list. If it also appears in the Excluded list, the URL or address is exempted and the trigger does not activate.

To illustrate the required policy settings in the earlier example, the group policy for the Sales department could include a control trigger for outgoing e-mails with the following list settings:

Policy setting         Value / list items
Which address list?    Use Included list, but exempt if recipient in Excluded list
Included list          research.unipraxis.com
Excluded list          compliance.officer@unipraxis.com

In this situation, Orchestria APM would detect an e-mail sent to, say, frankschaeffer@research.unipraxis.com and trigger a control event (for example, to block the e-mail) unless the recipients also included compliance.officer@unipraxis.com.

Ignored lists

Available only for e-mail address and top level file name lists.

If a trigger has e-mail addresses or top level file names in an Ignored list, these addresses and files are ignored by the trigger and cannot cause the trigger to activate. In effect, Ignored Addresses and Top Level File Names lists enable you to exempt specific e-mail addresses and files from normal control trigger operations.

Note: For details on Top Level File Names, see page 245.

For example, a control trigger for outgoing e-mails blocks e-mails sent between the Research and Sales teams, but the Research manager is exempted from this rule and so added to the Ignored Addresses list. When the trigger detects e-mails sent by any member of the Sales team to the Research manager, the trigger infers that it must ignore the e-mail and does not activate.
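The Included, Excluded, combination and Ignored list rules described above, modelled in Python as an added example; this is not Orchestria's own policy engine, and the function names, the per-recipient evaluation and the wildcard rules (case-insensitive, * and ? wildcards, an item may occur anywhere in the detected value) are assumptions inferred from the examples in the text.

```python
"""Model of trigger list checking: Included lists, Excluded lists,
combination list checking and Ignored Addresses (illustration only)."""
import re
from typing import Iterable, Sequence


def item_matches(item: str, value: str) -> bool:
    """True if one list item (with optional * and ? wildcards) is found in value.
    Assumption: case-insensitive, and the item may match anywhere in the value
    (the manual says * is implicitly added to both ends of URL items)."""
    pattern = re.escape(item).replace(r"\*", ".*").replace(r"\?", ".")
    return re.search(pattern, value, re.IGNORECASE) is not None


def on_list(value: str, items: Iterable[str]) -> bool:
    """True if any item in the list matches the value."""
    return any(item_matches(item, value) for item in items)


def address_trigger_activates(
    which_list: str,
    recipients: Sequence[str],
    included: Sequence[str] = (),
    excluded: Sequence[str] = (),
    ignored: Sequence[str] = (),
) -> bool:
    """Decide whether a control trigger for outgoing e-mail activates.

    which_list models the 'Which address list?' setting:
      'included'    any recipient on the Included list activates the trigger
      'excluded'    the trigger activates unless ALL recipients are on the
                    Excluded list (the multiple-item rule)
      'combination' 'Use Included list, but exempt if recipient in Excluded
                    list': an Included hit is exempted when any recipient is
                    also on the Excluded list
    Recipients on the Ignored Addresses list are dropped before checking.
    """
    considered = [r for r in recipients if not on_list(r, ignored)]
    if not considered:
        return False  # e.g. an e-mail sent only to the ignored Research manager
    if which_list == "included":
        return any(on_list(r, included) for r in considered)
    if which_list == "excluded":
        return not all(on_list(r, excluded) for r in considered)
    if which_list == "combination":
        hit = any(on_list(r, included) for r in considered)
        exempt = any(on_list(r, excluded) for r in considered)
        return hit and not exempt
    raise ValueError(f"unknown list mode: {which_list}")


def excluded_text_trigger_activates(content: str, excluded_words: Sequence[str]) -> bool:
    """Content Search Text trigger with an Excluded list: the page or e-mail is
    exempted only if EVERY listed word or phrase is detected in the content."""
    return not all(item_matches(word, content) for word in excluded_words)


if __name__ == "__main__":
    # Constructed sample reproducing the manual's Sales/Research example.
    included = ["research.unipraxis.com"]
    excluded = ["compliance.officer@unipraxis.com"]
    to_research = ["frankschaeffer@research.unipraxis.com"]
    print(address_trigger_activates("combination", to_research, included, excluded))  # True
    print(address_trigger_activates("combination", to_research + excluded, included, excluded))  # False
```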


Searching listed files for key text

Some triggers can search the text content of a file for key words or phrases. These files can either be imported files, e-mail attachments, or files uploaded to a Web site. If Orchestria APM detects this text, the trigger activates. List settings in these triggers define which files are searched; see page 111.

Setting a file size limit
You can specify a limit on the maximum size of files to be searched. To do this, you edit the Maximum Size of Files setting in the user policy System Settings folder.

Note: To ensure that files of any size are searched, set Maximum Size of Files to a value of zero.

Copying and importing list items

When defining your policy list settings, you can copy items from other list settings or external documents. You can import items from external applications or files. For example, you can quickly copy lists of e-mail addresses, Web sites, file names, or key words and phrases to other settings within a policy or even to other policies.

Supported list formats
You can copy and paste delimited lists from any text editor or text file. Orchestria APM recognizes the following separators between items: commas, tabs, semi-colons, and line breaks. You can also copy items from a table or spreadsheet. In all cases, simply copy the items you want to the Clipboard then paste them directly into the target policy list. Below are some examples that can be pasted directly into a list setting:

Format                 Example
Comma (1)              *.bmp,*.gif,*.jpg,*.png
                       *.bmp, *.gif, *.jpg, *.png
Semi-colon (1)         *.bmp;*.gif;*.jpg;*.png
                       *.bmp; *.gif; *.jpg; *.png
Tab (1)                *.bmp <tab> *.gif <tab> *.jpg <tab> *.png
New line               *.bmp
                       *.gif
                       *.jpg
                       *.png
Spreadsheet or word processor table

(1) Trailing spaces are optional. See also the next section.

Commas and semi-colons
These are recognized by Orchestria APM as list separators. To import list items that contain a literal comma or semi-colon, replace the comma or semi-colon with \, or \; instead. For example, change this:

Do not disclose the content or take, retain or redistribute copies of this e-mail.

To this:

Do not disclose the content or take\, retain or redistribute copies of this e-mail.

Copying a list
This section describes how to copy list items from various sources.

Copy from another policy list setting
1. In the User Policy Editor, right-click the list setting with the items you want to copy. Then choose Properties.
2. In the resulting dialog, select the items that you want to copy then right-click and choose Copy. To select multiple items, hold down the Ctrl key and left-click the items you want.
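A parser for the supported list formats and the comma and semi-colon escaping described above, written as an added example (not Orchestria's own importer); the function names are assumptions, and the handling of surrounding whitespace goes slightly beyond the text, which only says trailing spaces are optional.

```python
"""Split pasted or imported text into policy list items: commas,
semi-colons, tabs and line breaks separate items, and a backslash before
a comma or semi-colon keeps it as a literal character (illustration only)."""
from typing import List

SEPARATORS = {",", ";", "\t", "\n", "\r"}
ESCAPABLE = {",", ";"}


def parse_list_items(text: str) -> List[str]:
    """Return the list items found in text, in order."""
    items: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in ESCAPABLE:
            current.append(text[i + 1])  # \, and \; stand for literal characters
            i += 2
            continue
        if ch in SEPARATORS:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    items.append("".join(current))
    # Surrounding spaces are optional; blank entries (e.g. from \r\n) are dropped.
    return [item.strip() for item in items if item.strip()]


def escape_for_import(item: str) -> str:
    """Prepare one item that contains commas or semi-colons for import, as the
    'Commas and semi-colons' section instructs."""
    return item.replace(",", "\\,").replace(";", "\\;")


if __name__ == "__main__":
    # Constructed sample input: the manual's comma-separated file name list.
    print(parse_list_items("*.bmp, *.gif, *.jpg, *.png"))  # ['*.bmp', '*.gif', '*.jpg', '*.png']
```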


Copy from an external application
Open the external application and simply select and copy the items you want. This can be any application that allows you to copy delimited lists to the Clipboard (see the previous section about supported list formats). For example, you can export from a Lotus 1-2-3 spreadsheet or a Microsoft Word document.

Copy from your Favorites folder
Open your Favorites folder and view the Properties of any Web site shortcut. You can then copy the URL directly to the Clipboard.

Copy from e-mail messages
Open an e-mail and copy the addresses from the To:, Cc:, Bcc: or From: fields.

Pasting a list
To paste copied items into a list setting, open the User Policy Editor. Right-click the target list setting and choose Properties. Right-click the list box and choose Paste. This adds the copied items to the target list.

Importing a list
This section describes how to import list items from various sources.

Import from a delimited text file
You can import any text file that uses appropriate list formats (that is, comma separators, tabs, semi-colons, and new lines; see page 105 for examples).
1. In the User Policy Editor, right-click the target list setting and choose Properties.
2. Right-click the list box and choose Import, then select the file you want.

Import an Outlook address book
In Microsoft Outlook, you can export address books to a CSV file and then import the CSV file into a list setting.
1. Run the Import and Export Wizard to export a Contacts folder to a CSV file.
2. Remember to use the Map Custom Fields feature to remove unwanted data fields. See the Outlook help for details.
3. The wizard encloses each CSV value in double quotes. Remove these quotes before you import the CSV file into the list setting.
4. In the User Policy Editor, right-click the target list setting and choose Properties.
5. Right-click the list box and choose Import. Then select the CSV file.

Import a Lotus Notes address book
In Lotus Notes you can export address books to a text file and then import the text file into a list setting.
1. In Notes, open the address book and select the contacts you want to export.
2. Run the Export feature to export the contact details to a text file.
3. The resulting text file includes all the available details for each contact. But you only need the e-mail addresses, so you must delete all the other details before importing the file into a list setting.
   Important: The file may require extensive editing in order to remove all unwanted data. If you are only importing a small number of contacts, this may not be a practical solution.
4. In the User Policy Editor, right-click the target list setting and choose Properties.
5. Right-click the list box and choose Import.


Multiple message list settings

Most policy list settings comprise a single series of key items, for example, a list of URLs. But some control triggers allow you to define separate messages for each item in a list of key words or phrases. For these multiple message list settings, each list item comprises two values: a key word or phrase, and a notification message. When Orchestria APM detects that word or phrase, it displays the corresponding message to the user. This allows you to tailor the message to give as much detail as possible using a single control trigger.

Note: Notification messages to users (displayed when a control trigger generates a blocking, warning or inform event) are discussed on page 251.

Example messages
For example, a single trigger may include the following items of key text with separate messages defined for each item:

Key text     Example message
Company X    This e-mail has been blocked. Corporate guidelines do not permit you to send e-mails to Company X.
Company Y    This e-mail has been blocked. We no longer have a contractual agreement to support Company Y.
Company Z    This e-mail has been blocked. Company Z are currently renegotiating their license agreement with us.

Which control triggers?
Multiple messages are available for the Included Search Text or Agent settings in the following control triggers:
- Submitted Search Text (Web pages only)
- Content Search Text (Web pages only)
- Search Text (e-mails only)
- Attachments (e-mails only)
- Content Agent (Web pages and e-mails)

For each trigger, multiple messages are supported only for the Included Search Text setting. For obvious reasons, you cannot define multiple messages for the Excluded Search Text setting (that is, a list of absent words and phrases).

Note: Content agent triggers are available only if explicitly included in your license agreement. See chapter 13, Content agents.


Policy lists and wildcards

You can use wildcard characters * and ? when you define a list of trigger items. See the examples below.

Note: Orchestria APM interprets a space between keywords as a literal character except in e-mail address and credit card number lists.

Text wildcards
Trigger text can apply to the content of a Web page, e-mail, e-mail attachment, imported file, uploaded file or data submitted to a Web site using an HTML form.

unipr* or ref???    If part of an Included list, the trigger activates whenever Orchestria APM detects words such as Unipraxis or ref328.
holiday req*        If part of an Excluded list for an e-mail content trigger, the trigger activates for all e-mails except those that contain phrases such as 'holiday request'.
photocop*           If part of an Excluded list for a submitted data trigger, the trigger activates for all data submissions except when, say, a user selects 'Photocopier paper' from a form menu.

URL wildcards
Note that * characters are added automatically to the start and end of these items. For example:

unipraxis           Interpreted to be the same as *unipraxis*. The trigger detects sites such as unipraxis.com, unipraxis.co.uk or even sales.unipraxis.com.
sales.*.com         Detects Web sites such as sales.unipraxis.com.

E-mail address wildcards
E-mail address matching is not case-sensitive. Also, Orchestria APM interprets a space between address components as an AND operator.

*@unipraxis.com     Detects e-mails sent to or from this domain only.
*@unipraxis*        Detects e-mails sent to or from domains such as unipraxis.com or unipraxis.co.uk.
unipraxis.com       Detects any e-mail addresses ending in 'unipraxis.com'. In effect, this is the same as specifying *@unipraxis.com.
frank unipr*        Detects all e-mails sent to or from, say, frank.schaeffer@unipraxis.com.

Note: For further details about e-mail address matching, see page 109.

File name wildcards
These include e-mail attachments, imported files and files uploaded to Web sites.

plan??? or *.xls    If part of an Included list, the trigger activates whenever Orchestria APM detects a file such as plan_13.xls.
*.jpg               If part of an Excluded list, all imported files, uploaded files, or attachments activate the trigger unless they involve files such as cute_kittens.jpg.

Note: Most triggers that use file lists are activated when a listed file is detected; you can specify any file types in these list settings. But other triggers attempt to search the content of the listed files; for these triggers, only certain file types are supported in the file list. See page 113 for details.


Triggering on e-mail addresses

Many e-mail triggers in the user policy allow you to define lists of included or excluded e-mail addresses. When you define these lists, be aware of the different e-mail address formats. The main protocols are discussed below. For example, if your organization uses Microsoft Outlook, you can define lists of EX addresses to capture e-mails sent internally. Alternatively, you can define universal list items to match against all e-mail address formats. Or you can base your address lists on display names (that is, the names that appear in the From:, To:, Cc: or Bcc: fields) in an e-mail.

Internal e-mails
Orchestria APM uses the same methods of address matching for internal and external e-mails. That is, the guidelines below also apply when you define internal address patterns in the user policy. See the Data Management Console guide for details; search the index for e-mails, internal.

Spaces in e-mail addresses
For Included or Excluded lists of e-mail addresses, Orchestria APM interprets spaces between keywords as an AND operator. But for other policy lists such as lists of key phrases, window titles or URLs, spaces are interpreted as literal characters, not as AND operators.

Display names
Orchestria APM automatically searches for e-mail display names, so you can add items such as these to your list of included or excluded addresses:

To match against                                   Add this list item
A specific person, for example, Spencer Rimmel     Spencer Rimmel, or rimmel, or *rimm*

Matching all address formats
With careful planning, you can define lists of included or excluded e-mail addresses that match against any targeted address, regardless of the e-mail address format. To define a 'universal' e-mail address, simply enter the basic keywords such as a person's name and the Internet domain, separated by spaces and omitting any protocol-specific elements such as @, ex: or p=. The example below matches against SMTP, EX and X.400 formats because both keywords are present in each format.

To match against                                      Add this list item
Any e-mails sent to Spencer Rimmel of Unipraxis plc   rimmel unipraxis

SMTP
Arguably the most commonly used protocol for sending and receiving e-mail, SMTP addresses take this form:

spencer.rimmel@unipraxis.com

To match against             Add this list item
A specific organization      *unipraxis.com
A specific person            spencer.rimmel*

For incoming e-mails in Microsoft Outlook, SMTP addresses may be converted to EX addresses (see the next section) if the sender's address already exists in an Outlook address book. In this situation, to ensure that policy triggers activate as expected, you may need to include both SMTP and EX versions in your list of included or excluded addresses, or define a list that matches all e-mail address formats; see Matching all address formats above.


EX
This protocol is used internally by Microsoft Outlook. You may need to specifically include EX addresses when defining e-mail triggers, for example, to capture e-mails sent internally within your organization. EX addresses use this format:

/o=unipraxis/ou=uk/cn=spencer/cn=rimmel

To include EX addresses in a policy list, you need to amend this format by inserting spaces between each address element (spaces are interpreted as AND operators). This ensures the policy trigger will always activate, regardless of how the e-mail address elements are ordered. For example:

To match against             Add this list item
A specific organization      /o=unipraxis
A specific person            /cn=spencer /cn=rimmel

Domino
This protocol is used internally by Domino. You may need to specifically include Domino addresses when defining e-mail triggers, for example, to capture e-mails sent internally within your organization. Domino addresses use this format:

/o=unipraxis/ou=uk/cn=spencer/cn=rimmel

To include Domino addresses in a policy list, you need to amend this format by inserting spaces between each address element (spaces are interpreted as AND operators). This ensures the policy trigger will always activate, regardless of how the e-mail address elements are ordered. For example:

To match against             Add this list item
A specific organization      /o=unipraxis
A specific person            /cn=spencer /cn=rimmel

X.400
This is a widely-used protocol in Europe and Canada and an international standard. X.400 addresses take the following format:

c=uk;a= ;p=Unipraxis;o=Exchange; s=rimmel;g=spencer

To explicitly include X.400 addresses in a policy list, you will need to amend the above format by inserting spaces between each address element (Orchestria APM interprets spaces as AND operators). This will ensure that the policy trigger always activates, regardless of how the e-mail address elements are ordered. For example:

To match against             Add this list item
A specific organization      p=unipraxis
A specific person            s=rimmel; g=spencer

Bloomberg alias addresses
These are alias addresses for participants in Bloomberg IM conversations or Bloomberg messages embedded in EML e-mails generated by the Orchestria APM utilities Cnv2email.exe or BB2email.exe. These alias addresses are stored as x-headers in the e-mail and can be analyzed by Orchestria APM policy engines. Bloomberg alias addresses use this format:

BLP:/CN=99775533/O=222555

where CN= identifies an individual user, and O= is the Firm ID. To explicitly include Bloomberg alias addresses in a policy list, you need to add the relevant identifiers. For example:

To match against             Add this list item
A specific organization      BLP: O=222555
A specific person            BLP: CN=99775533

Chapter 6 Editing policies

111

Triggering on key words or phrases


Some policy triggers let you search e-mails, Web pages, data submitted in forms to Web sites, and files for key words or phrases.

Note: Orchestria APM uses the term "search text" to mean the key words and phrases that you want a trigger to detect.

Search text wildcards

You can use the wildcard characters % * ? and _ when you define a list of trigger words or phrases. You can substitute % or * for zero or more characters, and ? or _ for a single character. See page 108 for examples.

Note: To search explicitly for % * ? or _ characters, prefix them with a backslash. For example, use spencer\_rimmel to match any occurrence of spencer_rimmel.

Basic rules
When a trigger detects key words or phrases:

- It matches only whole words. So unipr will not match Unipraxis.
- Matching is not case-sensitive. So unipraxis will match Unipraxis.
- Spaces between words create a single, composite search term. So if the search text is unipraxis solutions, the trigger confirms a match if it detects the phrase Unipraxis solutions. Any differences in punctuation or capitalization are ignored.
- By default, a trigger ignores the hyphen in hyphenated words. So e-mail will match e-mail and email.
- By default, a trigger matches punctuation but ignores spacing (including tabs and line breaks). For details on punctuation matching, see page 112.
- Some characters and symbols require special handling, for example: _ * % ?. See page 113.

Subexpressions and OR operators

You can associate multiple words or phrases with individual messages, using the | { } characters as list separators. The | character is an OR operator and { } brackets let you define subexpressions:

Key text                       Trigger activates when Orchestria APM detects
recruitment|{job offer}        'recruitment' or 'job offer'
sales {forecast|projection}    'sales forecast' or 'sales projection'
Company {X|Y|Z}                'Company X' or 'Company Y' or 'Company Z'

Note: When defining the list items, Orchestria APM interprets a space between keywords as a literal character.


Search text variables


When defining the key words or phrases that you want a trigger to detect, you can use variables to represent certain types of information. For example, you can use the %DIGITS% variable to detect any sequence of digits, such as a credit card number or telephone number. Other variables force the trigger to consider the context in which an item of text occurs. For example, you can set up the trigger to detect 'Unipraxis' only when it occurs in the context of an e-mail address. A wide range of variables is available, providing great flexibility when defining your search text. These include variables for representing words, numbers, monetary amounts, URLs, e-mail addresses and punctuation. Details are in the technical note Search text variables, available from the Orchestria service desk (see page 24).

Note: You can also use search text variables when defining Parameter 7 in a document classification. For details, see page 178.

Punctuation matching
By default, Orchestria APM matches punctuation when searching for key words or phrases. However, you may want to disable punctuation matching if you require more flexible matching. This can be necessary if your key words or phrases are frequently used with incorrect or inconsistent punctuation.

Example
For example, consider an e-mail control trigger that detects all references to the 'security: breach'. However, some e-mails omit the colon and refer to the 'security breach'. To detect both variations, use the punctuation variable %-matchPunct% to specify the search text:

%-matchPunct%Security: Breach

Note that this variable returns 'Security: Breach' even if it detects 'security breach'. This ensures that Orchestria APM triggers ignore all punctuation characters when looking for references to security breaches. For full details about punctuation matching and using variables to qualify your search text, search the Administration console online help for 'punctuation variables'.

Note: Orchestria APM ignores the hyphen in hyphenated words when searching for key words or phrases. See the next section.
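The search text rules set out above (Basic rules, Search text wildcards, Subexpressions and OR operators, and Punctuation matching) translated into a regular expression, as an added example that is not Orchestria code. compile_search_text and trigger_matches are this example's own names; it implements only the %-matchPunct% variable and no other search text variables.

```python
"""Compile Orchestria-style search text into a regex (added example, not
Orchestria code). Rules taken from this chapter: whole-word, case-insensitive
matching; a space in the search text matches any run of spacing; % and *
match zero or more characters, ? and _ exactly one; a backslash escapes a
special character; | is OR and { } groups a subexpression; the hyphen in a
hyphenated word is optional; punctuation is matched literally unless the
text starts with %-matchPunct%. Other %...% variables are not supported."""
import re

MATCH_PUNCT_OFF = "%-matchPunct%"


def _literal(chunk: str, match_punct: bool) -> str:
    """Translate one literal run (no | or { }) into regex source."""
    out, i = [], 0
    while i < len(chunk):
        ch = chunk[i]
        prev_word = i > 0 and chunk[i - 1].isalnum()
        next_word = i + 1 < len(chunk) and chunk[i + 1].isalnum()
        if ch == "\\" and i + 1 < len(chunk):
            i += 1                            # \x means a literal x
            out.append(re.escape(chunk[i]))
        elif ch in "%*":
            out.append(r"\S*")                # zero or more characters
        elif ch in "?_":
            out.append(r"\S")                 # exactly one character
        elif ch.isspace():
            # composite term: any spacing, plus punctuation if matchPunct is off
            out.append(r"\s+" if match_punct else r"\W+")
            while i + 1 < len(chunk) and chunk[i + 1].isspace():
                i += 1
        elif ch == "-" and prev_word and next_word:
            out.append("-?")                  # hyphenated word: optional
        elif not ch.isalnum():
            out.append(re.escape(ch) if match_punct else r"[^\w\s]*")
        else:
            out.append(re.escape(ch))
            if next_word:
                out.append("-?")              # so "email" matches "e-mail"
        i += 1
    return "".join(out)


def _split_alternatives(expr: str) -> list:
    """Split on | characters that are neither escaped nor inside { }."""
    parts, cur, depth, i = [], [], 0, 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):  # keep escape pairs together
            cur.append(expr[i:i + 2])
            i += 2
            continue
        depth += (ch == "{") - (ch == "}")
        if ch == "|" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _parse(expr: str, match_punct: bool) -> str:
    """Recursively translate alternatives, { } groups and literal runs."""
    parts = _split_alternatives(expr)
    if len(parts) > 1:
        return "(?:" + "|".join(_parse(p, match_punct) for p in parts) + ")"
    out, i = [], 0
    while i < len(expr):
        if expr[i] == "{":                    # group: find the matching }
            depth, j = 1, i + 1
            while j < len(expr) and depth:
                if expr[j] == "\\":
                    j += 2
                    continue
                depth += (expr[j] == "{") - (expr[j] == "}")
                j += 1
            out.append(_parse(expr[i + 1:j - 1], match_punct))
            i = j
        else:                                 # literal run up to the next {
            j = i
            while j < len(expr) and expr[j] != "{":
                j += 2 if expr[j] == "\\" else 1
            out.append(_literal(expr[i:j], match_punct))
            i = j
    return "".join(out)


def compile_search_text(search_text: str):
    """Whole-word, case-insensitive pattern for one search text list item."""
    match_punct = not search_text.startswith(MATCH_PUNCT_OFF)
    if not match_punct:
        search_text = search_text[len(MATCH_PUNCT_OFF):]
    body = _parse(search_text.strip(), match_punct)
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)


def trigger_matches(search_text: str, content: str) -> bool:
    return compile_search_text(search_text).search(content) is not None
```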

Detect Far Eastern characters


Orchestria APM supports Unicode character sets. For example, you can set up policy triggers to search the contents of a file for Japanese words or phrases. For details about setting up Unicode support, see the Deployment guide; search the index for 'unicode characters, general configuration'.


Hyphenated words
By default, Orchestria APM ignores the hyphen in hyphenated words when searching for key words or phrases. This provides built-in flexibility to detect variations of words that are inconsistently hyphenated. For example:

This search text:    Matches:
e-mail               e-mail or email
email                email or e-mail

Orchestria APM does not ignore other occurrences of hyphens. For example, the search text Recruitment - May 2003 only detects an exact match of this phrase, that is, "Recruitment - May 2003".

In some cases, normally hyphenated words or phrases can occur as two separate words. But Orchestria APM does not treat hyphenated words and space-separated words as synonymous. You must be aware of this distinction when defining trigger search text, and you may need to use the | operator (logical OR) to detect both hyphenated and space-separated occurrences of your key words or phrases. For example:

This search text:          Matches:                              But does not match:
long-term                  long-term or longterm                 long term
longterm                   long-term or longterm                 long term
long term                  long term                             long-term or longterm
{long term}|{long-term}    long term or long-term or longterm

Using backslashes to search for special characters

The following characters have special meaning: { } | [ ] % ? * \

For example, to search for literal occurrences of * and ? characters, you need to prefix them with a \ backslash. To search for literal occurrences of backslash characters, you must prefix them with a further backslash (for example, type \\Sales to detect '\Sales'). Full details are in the technical note 'Search text variables', available from the service desk (see page 24).

Searching listed files for key text

Some Capture, Control and Transaction triggers let you search the contents of a file for key words or phrases. If Orchestria APM detects this text, the trigger activates. List settings in these triggers define which files are searched. The triggers which support file content searching are:

- Attachments (e-mails only)
- File Upload (Web pages only)
- Document Classifier (Web pages and e-mails)
- Content Agent (Web pages and e-mails)
- File (files only)

For more details about these triggers, see page 143.

File formats
Orchestria APM can search these files:

FrameMaker MIF files: Maker Interchange Format files are created from Adobe FrameMaker documents. They have a .MIF extension. Orchestria APM can only search the text content of these files.

HTML files: These are documents that can be viewed on the Web. They typically have an .HTM extension. Orchestria APM supports HTML 3.0 or earlier.


Lotus 1-2-3 files: These typically have a .WKS extension, or a variation such as .WK4. Orchestria APM can search spreadsheets created with Lotus 1-2-3 up to version 5.0, and Lotus 1-2-3 for SmartSuite up to edition 9.6.

Microsoft Office documents: These include Word, Excel and PowerPoint files:

- Microsoft Word documents: These are typically .DOC or .DOT files. Orchestria APM can search files created with Word 97 or later, including .WBK backup files. Files must be unencrypted (that is, not password-protected) and uncompressed.
- Microsoft Excel spreadsheets: These are typically .XLS or .XLW files. Orchestria APM can search spreadsheets created with Excel 97 or later. Orchestria APM can search workbooks, worksheets and charts; it does not search other spreadsheet elements such as macros or lookup tables. Files must be unencrypted (that is, not password-protected) and uncompressed.
- Microsoft PowerPoint presentations: These typically have a .PPT extension. Orchestria APM can search presentations created with PowerPoint 97 or later. Files must be unencrypted (that is, not password-protected) and uncompressed.

Microsoft Project 98 documents: These typically have an .MPP extension. Orchestria APM can only search the text content of these files.

Microsoft Works documents: These typically have a .WPS extension. Orchestria APM can search files created with Works up to version 4.0.

MP3 files: These typically have a .MP3 extension. Orchestria APM can extract and search the properties and metadata of MP3 files.

PDF files: These typically have a .PDF extension. Orchestria APM can search documents created with Acrobat 4.0 or later. It cannot search PDF files that have document security turned on (typically, this applies to files that are password-protected).

Rich text format files: These typically have an .RTF extension, but Orchestria APM can search text files with any file name or extension.

Text files: These are typically .TXT files, but Orchestria APM can search text files with any file name or extension.

vCards: These are electronic business cards, used for sending contact information over the Internet. They have a .VCF extension.

WordPerfect files: Orchestria APM can search files created with WordPerfect 2002 or later.

XML files: These typically have a .XML extension. Orchestria APM can search text between XML tags, not XML tags themselves.

Zip files: These typically have a .ZIP extension, but can include any archive of one or more compressed files. These include files created with compression tools such as WinZip and gzip. Policy settings let you specify a maximum depth of zip file nesting and a maximum size for decompressed zip files (see the next section for details).


Searching zip files


Orchestria APM can search the text content of documents archived inside a zip file. However, the compressed and recursive nature of zip files requires special handling in order to alleviate processing delays. You can optimize zip file handling by editing settings in the user policy.

Note: A zip file is any archive of one or more compressed files. These include files created with compression tools such as WinZip(R) and gzip.

Nested zip files

Zip files can contain nested zip files, and can even contain nested zip files which themselves contain further nested zip files! Recursively decompressing, extracting and searching the content of documents archived inside these nested zip files can cause a performance slowdown. To alleviate this problem, you can specify the maximum depth of nesting supported by Orchestria APM. To do this, you edit the Maximum Depth of Nested Zip Files and E-mails setting in the user policy System Settings folder.

For example, if you set a maximum depth of 2, then Orchestria APM will drill down two levels of nesting to analyze archived documents. In practice, this means it will search the text content of documents archived inside a zip file that is itself included in a master zip file. If Orchestria APM detects a further level of nesting, it does not search the documents archived inside this further zip file.

Note: This policy setting also covers e-mails embedded inside a master e-mail.

Maximum size for decompressed zip files

When you decompress a zip file, the total size of all its archived documents can be very large. To prevent excessive processing delays and memory usage, you can define a maximum size for decompressed zip files. Orchestria APM can search the text content of documents in the zip file until it detects a document that would, when decompressed, take the cumulative total size of the decompressed zip file above this maximum size. To set this maximum size, you edit the Maximum Size of Decompressed Zip Files setting in the user policy System Settings folder.

For example, if you set a maximum size of 1,000 KB, Orchestria APM can search the text content of documents inside a zip file until it detects a document that would, when decompressed, take the cumulative total decompressed size of the zip file over 1,000 KB. Orchestria APM then disregards that document, plus any other archived documents not yet searched.

Searching embedded e-mails

E-mails can contain embedded message attachments, and can even contain embedded messages which themselves contain further embedded messages! Recursively decompressing, extracting and searching the text content of these embedded e-mails can cause a performance slowdown. To alleviate this problem, you can specify the maximum depth of nesting supported by Orchestria APM. To do this, edit the Maximum Depth of Nested Zip Files and E-mails setting in the user policy System Settings folder (see the previous section for an example).

Searching archive files

Orchestria APM can search the text content of documents inside an archive file. Such files are defined in the Archive File Extension system policy setting (see page 141).
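The two limits described in this section, a maximum nesting depth and a maximum cumulative decompressed size, applied to an in-memory zip, as an added example that is not Orchestria code. search_zip and build_sample are this example's own, the archive contents are constructed, and a member is treated as a nested zip by its .zip extension (an assumption; the product uses the Archive File Extension setting).

```python
"""Search documents inside a zip file with the two limits this section
describes (added example, not Orchestria code): a maximum nesting depth
for zip files, and a maximum cumulative decompressed size after which the
offending document and all later documents are disregarded."""
import io
import zipfile


def search_zip(data: bytes, search_text: str, max_depth: int,
               max_total_bytes: int) -> dict:
    """Return the member paths searched, matched and skipped."""
    result = {"searched": [], "matched": [], "skipped": []}
    remaining = max_total_bytes            # budget shared across all nesting
    stopped = False                        # set once the budget is exceeded

    def walk(blob: bytes, prefix: str, depth: int) -> None:
        nonlocal remaining, stopped
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = prefix + info.filename
                # nested archives recognised by extension (assumption; the
                # product uses the Archive File Extension policy setting)
                nested = info.filename.lower().endswith(".zip")
                if nested and depth >= max_depth:
                    result["skipped"].append(path)       # one level too deep
                    continue
                if stopped or info.file_size > remaining:
                    # this document would take the cumulative decompressed
                    # size over the maximum: it and every document not yet
                    # searched are disregarded
                    stopped = True
                    result["skipped"].append(path)
                    continue
                remaining -= info.file_size   # nested archives count too
                content = zf.read(info)
                if nested:
                    walk(content, path + "/", depth + 1)
                    continue
                result["searched"].append(path)
                text = content.decode("utf-8", "replace").lower()
                if search_text.lower() in text:
                    result["matched"].append(path)

    walk(data, "", 1)                      # the master zip is level 1
    return result


def _make_zip(files) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in files:
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed test data: master zip -> inner.zip -> deeper.zip."""
    deeper = _make_zip([("c.txt", b"Unipraxis sales forecast")])
    inner = _make_zip([("b.txt", b"sales projection for Unipraxis"),
                       ("deeper.zip", deeper)])
    return _make_zip([("a.txt", b"hello world"),
                      ("inner.zip", inner),
                      ("report.txt", b"x" * 4000 + b" Unipraxis"),
                      ("z.txt", b"Unipraxis")])


if __name__ == "__main__":
    # depth 2 reaches inner.zip but not deeper.zip; a 2,000 byte maximum
    # stops the search at report.txt, so z.txt is never searched either
    print(search_zip(build_sample(), "unipraxis", 2, 2000))
```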


Folders and settings


Each policy folder and setting can have any combination of three attributes: disabled, enforced and hidden. These attributes, in combination with policy inheritance (described on page 119), let you tailor the scope of any custom policies that may be needed lower down your hierarchy of machines or users. Icons representing the current status of each folder and setting are listed on page 121.

Disabled folders and settings

When you disable a folder, Orchestria APM ignores all settings in the folder itself and its subfolders. For example, if you disable the URL capture triggers for Web pages, a URL alone cannot trigger a capture. You cannot disable individual settings, but settings become disabled when their parent folder is disabled.

A folder may have been disabled directly. More commonly, a folder is disabled because its parent folder has been disabled. Alternatively, the equivalent folder may have been disabled in the parent policy. In this last case, you can only re-enable the folder by re-enabling the equivalent folder in the parent policy.

Note: Certain essential policy folders can never be disabled. For example, this applies to all settings in the machine policy.

Disabling a folder
When you disable a folder in a parent policy, this attribute is fixed in any child policies and can only be undone in the parent policy.

1 Select a folder and click the Disabled button. Or right-click and choose Disabled. Folder and setting icons change to show their disabled status.

Re-enabling a disabled folder

To re-enable a disabled folder, click the Disabled button again.

Note: You cannot re-enable a folder if:
- Its parent folder in the same policy is still disabled.
- The equivalent folder is disabled and also enforced in the parent policy. The Enforce attribute, when applied to a folder, prevents anyone re-enabling the folder in a child policy.

Concealing disabled items

If you disable folders in a policy, it can be hard to focus on the effective policy areas. To focus solely on those folders that remain enabled, you can configure the Policy Editor so it does not display disabled folders.

Conceal disabled items: By default, disabled folders are shown in the Policy Editor. Choose View > Show Disabled Items to conceal these folders. Or press Ctrl+D.

Show disabled items: If disabled folders are concealed in the Policy Editor, you can undo this by choosing View > Show Disabled Items. Or press Ctrl+D.

Figure: Disabled policy items. 1 Disabled items shown. 2 Disabled items concealed.


Enforced folders and settings


Enforced items are an ideal method for selectively preventing policy changes. When you enforce an individual setting, its value cannot be changed in a child policy. When you enforce an individual folder, all settings in the folder are fixed and cannot be edited in a child policy. Subfolders are not enforced automatically (see below). Also, if you enforce a disabled folder, it cannot be re-enabled in a child policy. Equally, if you enforce an enabled folder, it cannot be disabled in a child policy.

Enforcing items
1 Select a single folder or setting, then click the Enforced button. Or right-click and choose Enforced.

To enforce subfolders, right-click a folder and choose Enforce Branch. This has the same effect as enforcing an individual folder, except it applies to all subfolders in the policy branch (see page 119). Folder and setting icons change to show their enforced status.

Unenforcing items
Naturally, you cannot unenforce folders or settings in a child policy. You can only unenforce items by editing the policy in which the attribute was set. To unenforce:

- A folder, select an enforced folder and click the Enforced button again.
- An entire branch, right-click a folder and choose Unenforce Branch.

Note: If a folder is enforced, you cannot unenforce individual settings within the folder. Also, you cannot unenforce folders in a child policy if the equivalent folder is enforced in the parent policy.

Enforced folders and policy inheritance

The Enforce attribute is exempt from automatic policy branch inheritance (see page 119). When you enforce a folder, this only enforces settings within the current folder and within the equivalent folder in any child policies. To enforce settings within all subfolders, you must use the Enforce Branch command. Likewise, to unenforce an entire branch, use the Unenforce Branch command. See above for instructions.


Hidden folders and settings


Because the user policy is so extensive, it can be hard to focus on the areas you want to review or edit. To simplify the information displayed in the Policy Editor, you can mark individual folders or settings as 'hidden'. You can then choose to show or conceal these hidden items in the Policy Editor.

Hiding items
If you hide a folder, its subfolders and settings are also hidden. Likewise, if you hide a folder in a parent policy, the equivalent folder in any child policies is also hidden.

1 In the Policy Editor, select a folder or setting, then click the Hidden button. Or right-click and choose Hidden. Folder and setting icons change to show their hidden status. You can now choose to show or conceal these hidden items (see the following section).

Unhiding items
To unhide a folder or setting, click the Hidden button again.

Note: You cannot unhide individual settings within a hidden folder. Also, you cannot unhide folders in a child policy if they have inherited this attribute from a parent policy.

Concealing hidden items

If you hide folders or settings in a policy, you can conceal hidden items. That is, you can configure the Policy Editor so it does not display hidden folders or settings.

Conceal hidden items: By default, hidden items are shown in the Policy Editor. To conceal these items, choose View > Show Hidden Items. Or press Ctrl+H.

Show hidden items: To show (that is, unconceal) hidden items in the Policy Editor, choose View > Show Hidden Items. Or press Ctrl+H.

Figure: Hidden policy items. 1 Hidden items shown. 2 Hidden items concealed.


Policy inheritance
You will probably need many different policies to support the diverse needs of your users. For example, different departments and various levels of management may each require their own, customized policy. To streamline policy administration, Orchestria APM uses automatic policy inheritance.

Policy inheritance is the mechanism by which attributes and values cascade down the policy tree and from one policy to another. It provides a fast, flexible means of updating policies for large numbers of users or machines. It operates in two dimensions. First, attributes are inherited within a policy branch. Second, there is inheritance from parent to child policies.

Policy branch inheritance

This is the simplest form of policy inheritance. A policy branch refers to all policy folders and settings contained within the current folder. Within a policy branch, the Hide and Disable attributes (not Enforce; see the note below) automatically cascade down from a parent folder to all its settings and subfolders.

Note that an inherited attribute is not the same as an attribute that is explicitly set. For example, unhiding a parent folder will not unhide a setting in that parent folder which has been hidden directly. For any setting that has been hidden directly, the Hide from users check box is selected in the Properties dialog. Conversely, for settings that are hidden simply because their parent folder is hidden, the Hide from users check box is clear in the Properties dialog.

Note: The Enforce attribute is exempt from automatic policy branch inheritance. When you enforce a folder, this only enforces settings within the current folder and within the equivalent folder in any child policies. See page 117.

Figure: Policy branch inheritance. If you hide (1) a folder (2), all subfolders and settings in its policy branch are also hidden (3).

Parent-child inheritance
This means that a child policy inherits its values and attributes from a parent policy. That is, the value for any setting passes automatically from a parent policy to the equivalent setting in a child policy. Likewise, the attributes defined for any folder are inherited automatically by the equivalent folder in a child policy.

Figure: Custom policies and parent-child policy inheritance. 1 All settings in the parent policy use default values. 2 In the first-level child policy, one setting has a custom value. Other settings use inherited (default) values. 3 In the second-level child policy, one setting has a custom value. Other settings (one default and one custom) are inherited from policy 2.


This allows you to quickly administer large numbers of users and machines. For example, changes to a group policy are copied automatically to all lower-level groups, and to all users in these groups. So you need only make a policy change in one place, and Orchestria APM applies this change automatically to all affected users. Parent-child inheritance also lets you quickly roll out custom policies. All you do is specify those settings that differentiate a child policy; all other settings are inherited, unchanged, from the parent policy. For example, a user regularly purchases items from a Japanese Web site. To create a custom policy to capture these Yen transactions, the only setting you need to change is the Default Currency.

Machine policies
Policy inheritance for new gateways and client machines does not operate in the same way as the hierarchical policy inheritance for new users and groups. Instead, new machines inherit a common gateway policy or a common client policy. For all gateways, there is a single parent policy (the common gateway policy) inherited by all gateways. Likewise, there is a single parent policy for all client machines (the common client policy). Of course, you can customize these common policies to suit your network conditions, and you can also customize the policies for individual gateways and client machines. Note that the CMS has a unique policy. New gateways and client machines do not inherit this policy.

Figure: Parent-child inheritance for machine policies. 1 CMS policy. This is not inherited by any other Orchestria APM machine. 2 Common gateway policy, inherited by all gateways. 3 Common client policy, inherited by all client machines.

User policies
For users and groups, parent and child policies derive from the hierarchy of user groups defined in the User Administration screen. A separate policy is attached to each user and each group. A master policy is attached to the top-level Users group. Settings in the master policy cascade down to group policies, and group policy settings cascade down to user policies. Of course, at any level in this hierarchy you can create a customized policy for any individual user or group.

Figure: Parent-child inheritance for user policies. 1 Master policy for Users group. 2 Policy changes are applied to this group. 3 These users each inherit the changes to their group policy.
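A small model of how the Disabled, Enforced and Hidden attributes combine with branch inheritance and parent-child inheritance, as described in the Folders and settings and Policy inheritance sections above. This is an added example, not Orchestria code: the Policy class, its methods and the policy paths used in demo() are constructed for illustration and are not the product's real setting names.

```python
"""Model of the Disabled, Enforced and Hidden attributes and of policy
inheritance as this chapter describes them (added example, not Orchestria
code). Policies form a parent-child chain and items are slash-separated
paths; a folder is simply a prefix of other paths. Disable and Hide cascade
down a policy branch and from parent to child policy; Enforce is inherited
only by the equivalent item in a child policy, never by subfolders."""
from typing import Optional


def _folder_of(path: str) -> Optional[str]:
    return path.rsplit("/", 1)[0] if "/" in path else None


class Policy:
    def __init__(self, name: str, parent: Optional["Policy"] = None):
        self.name, self.parent = name, parent
        self.values = {}   # path -> explicitly set (customised) value
        self.attrs = {}    # path -> set of attributes set directly here

    def has_attr(self, path: str, attr: str) -> bool:
        """Effective attribute: set directly here, inherited from an ancestor
        folder in this branch (not for Enforce), or from the parent policy."""
        if attr in self.attrs.get(path, set()):
            return True
        folder = _folder_of(path)
        if attr != "enforced" and folder and self.has_attr(folder, attr):
            return True
        return self.parent is not None and self.parent.has_attr(path, attr)

    def effective_value(self, path: str):
        if path in self.values:
            return self.values[path]
        return self.parent.effective_value(path) if self.parent else None

    def set_value(self, path: str, value) -> None:
        """A setting is fixed if it, or its folder, is enforced above."""
        p, folder = self.parent, _folder_of(path)
        if p and (p.has_attr(path, "enforced")
                  or (folder and p.has_attr(folder, "enforced"))):
            raise PermissionError(f"{path} is enforced in policy {p.name}")
        self.values[path] = value

    def set_attr(self, path: str, attr: str, on: bool = True) -> None:
        """Apply or clear Disabled/Enforced/Hidden, with the chapter's limits."""
        p, folder = self.parent, _folder_of(path)
        if attr == "enforced":
            if not on and p and p.has_attr(path, "enforced"):
                raise PermissionError(f"{path} is enforced in {p.name}")
        else:
            if p and p.has_attr(path, "enforced"):
                raise PermissionError(f"{path} is enforced in {p.name}; "
                                      f"its {attr} state cannot change here")
            if not on and p and p.has_attr(path, attr):
                raise PermissionError(f"{path} is {attr} in {p.name}; "
                                      "clear it in the parent policy")
            if not on and folder and self.has_attr(folder, attr):
                raise PermissionError(f"parent folder {folder} is still {attr}")
        if on:
            self.attrs.setdefault(path, set()).add(attr)
        else:
            self.attrs.get(path, set()).discard(attr)

    def enforce_branch(self, folder: str, paths, on: bool = True) -> None:
        """Enforce Branch / Unenforce Branch: the folder and everything below."""
        for path in paths:
            if path == folder or path.startswith(folder + "/"):
                self.set_attr(path, "enforced", on)


def demo() -> dict:
    """Constructed three-level hierarchy (not real Orchestria policy paths)."""
    master = Policy("Users")
    master.values["System Settings/Default Currency"] = "GBP"
    master.set_attr("Web", "disabled")        # cascades to the whole branch
    master.set_attr("Web", "enforced")        # this folder only
    sales = Policy("Sales", master)
    sales.set_value("System Settings/Default Currency", "JPY")
    user = Policy("spencer.rimmel", sales)
    out = {
        "user_currency": user.effective_value("System Settings/Default Currency"),
        "url_triggers_disabled": user.has_attr("Web/URL Triggers", "disabled"),
        "url_triggers_enforced": user.has_attr("Web/URL Triggers", "enforced"),
    }
    try:
        sales.set_attr("Web", "disabled", on=False)   # re-enable in a child
        out["reenable_in_child"] = "allowed"
    except PermissionError:
        out["reenable_in_child"] = "refused"
    return out
```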


Policy reports
Editing policies can involve extensive changes to similar-sounding settings. For example, you may want to quickly compare the Search Text words and phrases used by your Web and e-mail capture triggers. Or you may want to re-enable various triggers but you cannot remember which ones are explicitly disabled. These are typical problems facing policy administrators, especially where policy editing privileges have been granted to multiple administrators.

Policy reports eliminate these problems and allow you to keep track of changes to individual policies. Policy reports gather the settings or folders that interest you into a single list and let you make instant changes to values and attributes. You can even copy report items into external documents or spreadsheets. This can be useful, for example, if you want to compare settings in different policies.

Policy reports are available for both user and machine policies. The scope of each report is shaped by the report filters. For example, you can quickly pinpoint items that have been edited in the current session or which do not use default (inherited) values or attributes. You can further refine the report to include only particular types of settings (for example, list settings or True/False settings) or policy items with specific names. Finally, you can choose which parts of the policy to report on; you can generate a report for the entire policy, or you can limit it to a specific branch.

So, with reference to the earlier examples, if a policy report reveals that your e-mail triggers are using different Search Text values from your Web triggers, you can immediately edit your e-mail settings in situ without returning to the Policy Editor screen. Likewise, you can run a single report to identify all explicitly disabled triggers and instantly re-enable them (this feature is exclusive to policy reports; you cannot do this in the Policy Editor itself; for example, if you re-enable a parent folder in the Policy Editor this does not re-enable any subfolders which have been disabled directly).

Figure: Policy Report dialog.
1 Report filters. Pinpoint the policy items you want using the report fields: Select, Show, From, and Where name contains. These filters are described in full on page 123.
2 Report items. Right-click items to edit values, change attributes, locate or copy.
3 Type column. Icons identify settings and folders and also indicate the item status (hidden, enforced or disabled).
4 Item name. Shows the full name and policy path of the setting or folder.
5 Setting value. Shows the current value of each setting.
6 Attributes. Shows the current attribute status (Disabled, Enforced, Hidden) of each setting and folder.
7 Using Inherited Value. A No value indicates that the value has been customized and differs from the value that the setting inherited.
8 Find Now button. Click to generate a policy report based on the current report filters.
9 Customized setting or attribute. Highlights identify items that have been customized. That is, the current value or attribute differs from the inherited value or attribute.
10 Parent server and User name. The user name is the Orchestria APM logon name for the current console user.

Generate policy reports

1 Open the policy you want from the console.

2 In the Policy Editor, choose the scope of the policy report. To report on:
- The whole policy, click the Report button or right-click the policy root and choose Report.
- A policy branch, right-click the policy folder you want and choose Report. The resulting report only covers items in the current folder and its subfolders.

Note: You can easily change the report scope by re-selecting the From filter. See step 3.

3 In the Policy Report dialog, select the report filters to retrieve the folders and settings that you want. Report filters are described on page 123.

4 Click Find Now to run the report.

5 You can right-click report items to edit their values, change their attributes (Hide, Enforce, or Disable), locate them in the Policy Editor, copy them to the clipboard, or even save them as spreadsheet-compatible files. See the next section for details. To select multiple items, hold down the Ctrl key while clicking with the mouse to select the items you want. For example, you can hide or reset multiple items in one go.

Save policy reports as files

You can save policy reports as text files with an easy-to-read layout, or you can save them in a spreadsheet-compatible format such as CSV.

1 To save the policy report, right-click any report item and choose Save As.

2 In the Save As dialog:
- Enter a name for the report file.
- Specify the report layout, that is, plain, comma-separated or tab-separated. These last two formats can be easily parsed into a spreadsheet.
- Specify which information is saved in the file. See the online help for full details.

Figure: Policy report file, plain layout. 1 Report header. 2 Table sections correspond to individual folders and settings in the policy report.


Available actions
When you generate a report, various actions are available. For example, you can change the attributes of a folder or setting, or locate the actual item in the Policy Editor. The available actions are listed below, but note that some actions are only available for specific types of report item. Right-click any report items, then:

Choose               To do this
Edit                 Open the Properties dialog and directly edit the folder or setting. You can also double-click a report item to edit it.
Disable              Disable or re-enable the selected folders.
Enforce              Enforce or unenforce the selected items.
Hide                 Hide or unhide the selected items.
Use Inherited Value  Restore the selected setting to use the value inherited from its parent policy.
Reset Item           Restore the values and attributes inherited from the parent policy.
Locate               Locate and display the selected item in the Policy Editor screen. This helps you to understand the general context of a folder or setting.
Copy                 Copy the selected items into text files or spreadsheets. This can be useful, for example, if you want to compare settings in different policies. To select multiple items, see step 5 on page 122.
Select All           Select all items in the report.
Save As              Save the report as a text file. See page 122 for details.

Report filters
Report filters determine the scope of the policy report. You can filter the reports by item status, item type, policy branch and search text.

Note: Search the index of the online help for 'policy reports' to find full details about the available filters.

By item status
These correspond to the Select filters in the Policy report dialog. The following filters are available:

All items: Extends the report scope to include all folders and settings.

Items modified since the policy editor was opened: Limits the report to folders or settings that you have edited in the current session of the Policy Editor.

Items with a non-inherited state or value: Limits the report to settings and folders whose values or attributes have been edited directly and which no longer match those in the parent policy. It excludes items that use values or attributes inherited, unchanged, from the parent policy.

Folders that are explicitly disabled: Limits the report to folders that have been disabled directly. For these folders, the Disable check box is selected in the Properties dialog. This filter excludes folders that are disabled simply because their parent folder is disabled; for folders which inherited their disabled attribute, the Disable check box is clear in the Properties dialog.

Items that are explicitly hidden: Limits the report to folders or settings that have been hidden directly. For these items, the Hide From Users check box is selected in the Properties dialog. This filter excludes items that are hidden simply because their parent folder is hidden; for items which inherited their hidden attribute, the Hide from users check box is clear in the Properties dialog.

124

Orchestria Active Policy Management Administrator guide

Items that are enforced Limits the report to all folders and settings that Enforce check box is have been enforcedthe selected in the Properties dialog. i The Enforce attribute is exempt from
automatic policy branch inheritance. Subfolders and settings do not automatically inherit this attribute from a parent folder. See page 117.

List settings Limits the report to settings that require a list of trigger items. For example, the Included Card Numbers setting takes a list of credit card numbers. Other list settings require lists of key words and phrases, Web site URLs or e-mail addresses.

By policy branch
This corresponds to the From filter in the Policy report dialog. This filter enables you to fix the root level for the policy report; you can generate a report for the entire policy of the selected user, group or machine, or you can limit the report to a specific policy branch (page 119). Expand the policy tree and select the folder you want. The resulting report only covers settings in this folder and its subfolders. i You can also determine the root level for the
report while still in the Policy Editor, before you open the Policy report dialog. See Save policy reports as

By item type
These correspond to the Show filters in the Policy report dialog. The following filters are available:

All folders and settings Extends the report scope to include all folders and settings.

All folders Limits the report to policy folders, excluding all policy settings.

files, step 2.

All settings Limits the report to policy settings, excluding all policy folders.

By name
This corresponds to the Where name contains filter in the Policy report dialog. This filter enables you to limit the report to items with specific names or, more usefully, items whose name contains specific words or phrases. Enter the name of the settings or folders that you want. You do not need to enter the whole name. You can enter the first few letters of any word in the name, and you do not need to match the case. For example, type mess to find all folders and settings with 'Message in their name. i
Explicit wildcards * and ? are not supported.

True/False settings Limits the report to settings that take a True or False value. For example, if the Capture Mail Detail? setting is set to False, this ensures that an e-mails content and attachments are not captured.

Numeric settings Limits the report to settings that take a numeric value. For example, the Maximum Transaction Value setting takes a value such as 99.99.

Menu-Item settings Limits the report to settings that offer a menu of possible values. For example, in each control action the Intervention setting offers a menu of items such as Block Quietly, Warn and so on.

Also, this filter applies to the entire name and policy path. For example, Control Triggers would return all control trigger folders and settings, for both e-mails and Web pages.

Text settings Limits the report to settings that require a text value. For example, all Trigger Name settings fall into this category. Similarly, the Message To Users settings require a brief text message that will seen by users when a control trigger activates.
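The filter semantics above (a Where name contains match that is case-insensitive, matches the start of any word in the name or policy path and treats * and ? literally; and status filters that look at an item's own Disable, Hide From Users or Enforce check box rather than the state inherited from a parent folder) are shown in the following added example. It is illustrative code written for this section, not Orchestria APM's own implementation; the class, function and sample folder names are assumptions.

```python
"""Policy report filter semantics, shown as an added example.

This is illustrative code written for this section, not Orchestria APM's own
implementation. It models a small policy folder tree and applies the filters
described above: the "Where name contains" match (case-insensitive, matches
the start of any word in the item's name or policy path, no wildcards), and
the "explicitly disabled", "explicitly hidden" and "enforced" status filters,
which look at an item's own check box rather than the state it inherits from
a parent folder. Class, function and folder names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class PolicyItem:
    name: str
    is_folder: bool
    parent: Optional["PolicyItem"] = None
    disabled: bool = False   # the item's own Disable check box
    hidden: bool = False     # the item's own Hide From Users check box
    enforced: bool = False   # Enforce is never inherited from a parent
    children: List["PolicyItem"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def path(self) -> str:
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return " > ".join(reversed(parts))

    def effective_disabled(self) -> bool:
        """Disabled in effect: either directly, or because an ancestor is."""
        return self.disabled or (self.parent is not None and self.parent.effective_disabled())

    def effective_hidden(self) -> bool:
        return self.hidden or (self.parent is not None and self.parent.effective_hidden())


def walk(root: PolicyItem):
    yield root
    for child in root.children:
        yield from walk(child)


def name_contains(item: PolicyItem, text: str) -> bool:
    """'Where name contains' filter: the typed text must match, ignoring case,
    at the start of a word anywhere in the item's name or policy path.
    '*' and '?' are compared literally, not treated as wildcards."""
    hay, needle = item.path().lower(), text.lower()
    pos = hay.find(needle)
    while pos != -1:
        if pos == 0 or not hay[pos - 1].isalnum():
            return True
        pos = hay.find(needle, pos + 1)
    return False


# Status filters: "explicit" means the item's own check box, not inheritance
def explicitly_disabled(item: PolicyItem) -> bool:
    return item.is_folder and item.disabled


def explicitly_hidden(item: PolicyItem) -> bool:
    return item.hidden


def enforced(item: PolicyItem) -> bool:
    return item.enforced


def run_report(root: PolicyItem, status: Optional[Callable[[PolicyItem], bool]] = None,
               name_text: str = "", show: str = "all") -> List[str]:
    """Return the policy paths of items matching the Select (status), Show
    (item type) and Where name contains filters."""
    results = []
    for item in walk(root):
        if show == "folders" and not item.is_folder:
            continue
        if show == "settings" and item.is_folder:
            continue
        if status is not None and not status(item):
            continue
        if name_text and not name_contains(item, name_text):
            continue
        results.append(item.path())
    return results


# Constructed sample tree; only the folder names are taken from this guide.
ROOT = PolicyItem("User Policy", True)
CONTROL = PolicyItem("Control", True, ROOT)
OUTGOING = PolicyItem("Outgoing e-mails", True, CONTROL, disabled=True)
OUT_TRIGGERS = PolicyItem("Control Triggers", True, OUTGOING)  # disabled by inheritance only
MESSAGE = PolicyItem("Message To Users", False, OUT_TRIGGERS, hidden=True, enforced=True)
WEB = PolicyItem("Web Pages", True, CONTROL)
WEB_TRIGGERS = PolicyItem("Control Triggers", True, WEB, disabled=True)
```

With this tree, the explicitly-disabled filter reports Outgoing e-mails and the Web Pages Control Triggers folder but not the Outgoing e-mails Control Triggers folder, which is disabled only because its parent is; typing mess returns the Message To Users setting, and typing Control Triggers returns both trigger folders plus the setting beneath one of them, because the match runs over the whole policy path.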

Chapter 6 Editing policies

125

Policy versions
Policy version numbers allow administrators to track local and inherited policy updates. Each time a policy is edited, the relevant value in its version number increments by 1. See the example on page 126.

Format
When you select a user, group or machine in the console, the attributes in the right-hand pane show the policy version. Version numbers contain a series of dot-separated values, for example 1.2.5.3. Each value represents the policy version at a specific level in the user or machine tree.

1st value: This shows the version of the policy licensed for your organization. When you install a new license file, this value increments by 1 (1.2.5.3 to 2.2.5.3).
2nd value: This shows the version of the master policy for your organization. When you upgrade Orchestria APM, this value increments by 1 (1.2.5.3 to 1.3.5.3).
3rd value: For user groups, this shows the policy version for the top-level 'Users' group. For machines, it shows the policy version for the CMS. Edits to these policies increment the value by 1 (1.2.5.3 to 1.2.6.3).
4th and subsequent values: For users and groups, these show the policy version of a next-level user group or user. For machines, they show the policy version of a next-level gateway or client machine. Edits to these policies increment the value by 1 (1.2.5.3 to 1.2.5.4).

Reported and assigned policy versions
These are shown in the User Administration and Machine Administration screens.

Reported policy version: This is the version of a user or machine policy reported by a client machine to the CMS when it logs on to Orchestria APM.
Assigned policy version: This is the latest policy version held on the CMS. This version is automatically replicated to the relevant client machine at intervals determined in the CMS policy.

Why do reported and assigned versions differ?
This can happen if an administrator updates a user's policy while the user is not logged on to Orchestria APM. This primarily affects laptop users. In this situation, the updated (or assigned) policy is held on the CMS but the old policy remains on the client machine. When the user next logs on to Orchestria APM, their client machine reports that it is using the old policy. The discrepancy is eliminated when the assigned version of the policy replicates down from the CMS to the client machine; until then, the client machine continues to enforce the old policy. Policy version mismatches can also occur if two people are logged on to separate client machines as the same user. In the Administration console, the policy versions shown for that user account are those of the person who connected most recently to the CMS. If an administrator then updates that user's policy, the assigned policy is replicated down to the client machines. There may be a delay of a few seconds before the policy versions shown in an Administration console update to the latest version.
i You can view the reported and assigned policy versions for individual users in the Administration console. If a user is logged on to Orchestria APM, you can select the user and view their Open Session details in the right-hand pane. These include both policy versions.

Policy version example
In this user policy example, numbers in brackets (for example, (4)) indicate the policy version values at that level in the user tree:

Licensed policy for your organization (1)
  My Servers
    CMS-HARDY (2)*
      User Administration
        Users (4)
          Directors (1)
            frankschaeffer (1)
            spencerrimmel (3)

* Corresponds to the master policy for your organization.

Initially, this gives the following policy versions:
Group: Users            1.2.4
Group: Directors        1.2.4.1
User: frankschaeffer    1.2.4.1.1
User: spencerrimmel     1.2.4.1.3

If you then edit only the Directors group policy, the version numbers are:
Group: Users            1.2.4 (no change)
Group: Directors        1.2.4.2
User: frankschaeffer    1.2.4.2.1
User: spencerrimmel     1.2.4.2.3

Finally, if you then edit the policy for spencerrimmel, the version numbers are:
Group: Users            1.2.4 (no change)
Group: Directors        1.2.4.2 (no change)
User: frankschaeffer    1.2.4.2.1 (no change)
User: spencerrimmel     1.2.4.2.4
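The numbering scheme and the example above can be reproduced with the following added code, which is not Orchestria APM's own implementation. Each level of the tree keeps its own edit counter, a node's version is the chain of counters from the licensed policy down to that node, and an edit increments only the counter of the level edited. The block also includes the reported-versus-assigned comparison an operator would make when a client checks in; class and function names are assumptions, while the tree and version numbers are the guide's example.

```python
"""Policy version numbering, as an added example (not Orchestria APM code).

Models the dot-separated scheme described above: every level of the user (or
machine) tree keeps its own edit counter, a node's version is the chain of
counters from the licensed policy down to that node, and editing a node
increments only that node's counter, so the change shows up in the versions
of everything beneath it. Class and function names are assumptions for this
example; the tree and the numbers are the guide's own example.
"""
from typing import Dict, Optional


class PolicyNode:
    def __init__(self, name: str, counter: int = 1, parent: Optional["PolicyNode"] = None):
        self.name = name
        self.counter = counter          # number of edits recorded at this level
        self.parent = parent
        self.children: Dict[str, "PolicyNode"] = {}
        if parent is not None:
            parent.children[name] = self

    def edit(self) -> None:
        """A policy edit at this level increments only this level's counter."""
        self.counter += 1

    def version(self) -> str:
        parts, node = [], self
        while node is not None:
            parts.append(str(node.counter))
            node = node.parent
        return ".".join(reversed(parts))


def build_example_tree() -> PolicyNode:
    """The guide's example: licence (1) > master policy CMS-HARDY (2) >
    Users (4) > Directors (1) > frankschaeffer (1), spencerrimmel (3).
    Returns the Users group node."""
    licence = PolicyNode("Licensed policy", 1)
    master = PolicyNode("CMS-HARDY", 2, licence)
    users = PolicyNode("Users", 4, master)
    directors = PolicyNode("Directors", 1, users)
    PolicyNode("frankschaeffer", 1, directors)
    PolicyNode("spencerrimmel", 3, directors)
    return users


def versions(users: PolicyNode) -> Dict[str, str]:
    directors = users.children["Directors"]
    return {
        "Users": users.version(),
        "Directors": directors.version(),
        "frankschaeffer": directors.children["frankschaeffer"].version(),
        "spencerrimmel": directors.children["spencerrimmel"].version(),
    }


def compare_versions(reported: str, assigned: str) -> str:
    """Classify what a client reported against what the CMS has assigned.
    'stale' means the client is still enforcing an older policy until
    replication catches up; 'ahead' cannot arise from normal replication
    and is worth investigating."""
    r = [int(x) for x in reported.split(".")]
    a = [int(x) for x in assigned.split(".")]
    if r == a:
        return "current"
    return "stale" if r < a else "ahead"


if __name__ == "__main__":
    tree = build_example_tree()
    print(versions(tree))                          # initial versions
    tree.children["Directors"].edit()              # edit only the Directors policy
    print(versions(tree))
    tree.children["Directors"].children["spencerrimmel"].edit()
    print(versions(tree))
```

Running the block walks through the three states in the example: editing Directors changes every version beneath it while Users stays at 1.2.4, and a later edit to spencerrimmel changes only that user's last value. The compare_versions helper is the check behind the "Why do reported and assigned versions differ?" discussion: a laptop that reports 1.2.4.1.3 after Directors has been edited is stale until the assigned 1.2.4.2.3 replicates down.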

Chapter 6 Editing policies

127

Captured passwords and credit card numbers
Orchestria APM can detect when a user submits a password or credit card number to a Web site. It can also detect credit card numbers in an e-mail. You can decide how to handle these details if they are captured by a capture trigger or control trigger.
i For details about where these details are shown, see the following section.

To respect your users' privacy, you can choose not to capture these details at all. However, this can only be achieved through a blanket exclusion on capturing e-mail content or data submitted to a Web site. A more satisfactory approach is to capture the entire content of targeted e-mails or all data submitted to specified Web sites, but then to obscure passwords and credit card numbers so they are not readable when shown in the Data Management console.

Obscuring credit card numbers or passwords
If you choose to obscure these details in the Data Management console, they are replaced in the relevant screens by a string of asterisks. For credit card numbers, you can also choose to partially obscure the number so that all except the last four digits are replaced with asterisks (for example, **** **** **** 7639). Settings in the user policy control the handling of passwords and credit card numbers. To obscure these details in the Data Management console:
1 In the User Policy, go to the System Settings > Sensitive Information Handling folder.
Figure: User Policy: Sensitive Information Handling (policy tree: User Policy [UNIPRAXIS\Spencer Rimmel] > System Settings > Sensitive Information Handling, alongside the Capture, Control, Transactions, Document Classifications and Extensions folders).
2 Edit the Credit Card Numbers and Passwords settings as required. You can choose whether or not Orchestria APM stores these details.
3 Save the policy changes.

Which screens display these details?
If a trigger causes a password or credit card number to be captured, these details can appear in various screens in the Data Management console.

Credit card numbers: For a credit card number captured in an e-mail, the number is shown in the Match field of the Summary tab and, if the capture action is set to capture full e-mail details, in the Mail tab. For a credit card number submitted to a Web site, the number is shown in the Match field of the Summary tab, in the Form Data tab and, if the capture action is set to capture full Web page details, in the Page tab.
Passwords: For passwords submitted to a Web site, the password is shown in the Form Data tab. Note that the password is never shown in the Page tab (because it is obscured automatically when the user types it in).

! When viewing captured events in the Data Management console, be aware that:
` Orchestria APM cannot obscure passwords when displaying captured e-mails in the Mail tab.
` Orchestria APM may, in rare situations, inadvertently expose submitted passwords in the Form Data tab. For details, see the Troubleshooting section on page 326.
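The display-time masking described above (a string of asterisks, or for card numbers a partial mask that leaves only the last four digits readable) is shown in the following added example. It is not Orchestria APM code: the setting values, the way form fields are classified as passwords or card numbers, and the sample Form Data record are all assumptions constructed for the example.

```python
"""Obscuring captured passwords and credit card numbers for display.

Added example, not Orchestria APM code. It shows the display-time masking the
guide describes (a string of asterisks, or for card numbers a partial mask
that leaves only the last four digits, such as **** **** **** 7639) applied
to a captured Form Data record, while leaving the stored record itself
unchanged. The setting values, the field classification and the sample form
are assumptions constructed for this example.
"""
from typing import Dict, Iterable

# Assumed values for the Credit Card Numbers and Passwords settings
OBSCURE, PARTIAL, STORE = "obscure", "partial", "store"


def mask_card_number(number: str, mode: str = PARTIAL) -> str:
    """Replace digits with asterisks, keeping separators so the displayed
    grouping matches the captured value. PARTIAL keeps the last four digits
    readable (never more than that, and nothing at all for short values);
    OBSCURE masks every digit."""
    if mode == STORE:
        return number
    digits = sum(c.isdigit() for c in number)
    keep_from = digits - 4 if mode == PARTIAL and digits > 4 else digits
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            out.append(c if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_password(_value: str) -> str:
    """Fixed-length mask: echoing the real length would leak it."""
    return "********"


def obscure_form_data(form: Dict[str, str], password_fields: Iterable[str],
                      card_fields: Iterable[str], card_mode: str = PARTIAL,
                      password_mode: str = OBSCURE) -> Dict[str, str]:
    """Return a display copy of a captured form with sensitive fields
    obscured. The original captured record is not modified."""
    shown = dict(form)
    for name in password_fields:
        if name in shown and password_mode != STORE:
            shown[name] = mask_password(shown[name])
    for name in card_fields:
        if name in shown:
            shown[name] = mask_card_number(shown[name], card_mode)
    return shown


# Constructed sample Form Data record from a Web submission
SAMPLE_FORM = {
    "user": "srimmel",
    "pwd": "p@ssw0rd",
    "card": "4111 1111 1111 7639",
    "amount": "99.99",
}
```

The partial mask keeps the separators of the captured value, so a number captured as four groups is displayed as four groups, and it never reveals more than the last four digits: a value with four or fewer digits is masked completely. The password mask is a fixed eight asterisks regardless of the real password, since even its length is information a reviewer does not need.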


Avoiding the capture of credit card numbers or passwords
The only way to avoid capturing credit card numbers or passwords is to completely exclude all e-mail content and all data submitted to Web sites. While such a blanket approach may be unacceptable for e-mails, it may be a practical solution in the case of passwords submitted to Web sites. To implement this, you must edit the relevant capture actions in the user policy:
1 In the User Policy, go to the relevant e-mail or Web capture action.
i Note that both capture triggers and control triggers can invoke a capture action.
2 For e-mails: The Mail Details subfolder determines whether to capture the e-mail body text and attachments. Set Capture Body? to False. For Web pages: The Page Details subfolder determines whether to capture details submitted in HTML forms. Set Capture Submitted Form Data? to False.
3 Save the policy changes.
i The triggers listed below do not determine whether or not credit card numbers and passwords are captured. Instead, they actively look for credit card numbers and passwords and activate only when a matching number or a password submission is detected (n is the number of the trigger version):
` Submitted Credit Card n
` HTML Password n
` Credit Card n

Exporting, importing and copying policies
Orchestria APM provides the polimex.exe and wgnpol.exe utilities for exporting and importing policies to and from files, for copying a policy from one account to another, for exporting multiple policy files for the groups and users in a selected group, and for checking policy versions. These operations are equally applicable to user policies, group policies and machine policies. For example, you can copy a customized policy from one user group to other same-level groups in your user hierarchy (by contrast, automatic policy inheritance only flows from parent groups to child groups and users). Likewise, you may want to export a machine policy to a file for archiving purposes. The ability to re-import the saved policy at a later date gives you basic policy rollback functionality. Treat exported policy files as sensitive: they describe exactly what is monitored and blocked, so store them with the same access controls as the CMS itself.
i For both polimex.exe and wgnpol.exe, policy names correspond to Orchestria APM account names for users, groups or machines.
i For more information on polimex.exe and wgnpol.exe, see wgnpol.htm in the \Software\Win32\Support folder on your Orchestria APM distribution media.


User policy settings
A user policy contains settings that govern how a user accesses the Web and uses e-mail. Specifically, the policy determines when to capture or control user activity, and how to organize captured data in the console. The policy also determines how much direct interaction a user has with Orchestria APM.
i Orchestria APM support for Data At Rest triggers is available only if their functionality is explicitly included in your license agreement.

Capture settings
Capture triggers determine when Orchestria APM captures Web pages, e-mails, application metrics and files; capture actions determine what data is captured.

Figure: User Policy: Capture Settings (policy tree: User Policy [UNIPRAXIS\Spencer Rimmel] > Capture > Web Pages, Incoming e-mails, Outgoing e-mails, Application Monitor, Data At Rest and Data In Motion, each with Capture Triggers and Capture Actions subfolders).

For help on individual settings, right-click the setting in the Policy Editor and choose Edit. This displays a dialog containing an explanation of the setting.

Capture Triggers
You define the triggers that kick off a capture. You define separate sets of triggers for Web pages, incoming e-mails, outgoing e-mails, applications and files. For example, triggers can be content-based, such as a word or phrase in the subject of an e-mail, or navigation-based, such as a Web site URL. Each trigger includes these features:

Multiple versions: There are multiple numbered versions of each capture trigger (for example, URL 1, URL 2 and so on). This allows you maximum flexibility to configure your triggers and target the Web pages, e-mails, applications and files that you want to capture.
Unique trigger name: You can give a unique name to each capture trigger. Trigger names enable you to quickly recognize the reason for the capture. These names appear in the Summary tab.
Policy class: You can associate each capture trigger with a policy class. When a trigger activates, the policy class is saved in the trigger record attached to the resulting event. Reviewers can then search for events by their policy class in the iConsole.
Smart tags: These settings enable you to categorize captured events. You can assign smart tags such as Privileged content or Employment solicitation to all triggers. When the trigger activates, the assigned tag is saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole by reviewers.
Minimum retention period: You can set a unique minimum retention period for each capture trigger. This determines how long captured events are retained in the local database before they are eligible for purging.

The key characteristics of Web, e-mail, Application Monitor, Data At Rest and Data In Motion capture triggers are summarized on pages 130 to 131. The complete range of individual triggers is on page 143.

Web page capture triggers
Some triggers activate when a user browses to a specified Web page. Other triggers activate when a user tries to upload a file or submit data (for example, a password or credit card number) to a Web site.

E-mail capture triggers
E-mail triggers can activate when a user tries to open or send an e-mail that contains prohibited or sensitive information. Others can activate because the e-mail contains an unauthorized attachment, or because it appears to be transaction-related. Each trigger includes:

Encryption exemptions: The Encryption Filter setting lets you exempt encrypted or non-encrypted e-mails. For example, you can capture non-encrypted e-mails but ignore encrypted e-mails.
Digital signature exemptions: The Digital Signature Filter setting lets you exempt signed or unsigned e-mails. For example, you can capture unsigned e-mails but ignore signed e-mails.
Disable integration with specific e-mail sources: The Which E-mail Source? setting lets you disable Orchestria APM integration with specific e-mail applications or import sources. That is, Orchestria APM ignores e-mails sent or opened using specific applications or imported from specific sources.
Data Lookup exemptions: The Data Lookup Command setting lets you target e-mails with particular characteristics. This setting supports three types of data lookup:
` User Attribute lookup: Triggers can selectively capture e-mails based on the account attributes of the Orchestria APM sender or recipients (for example, a Department attribute; see page 51).
` Address Book lookup: These lookups examine the Outlook Address Book properties of the recipients or sender. For example, they can capture e-mails sent to users in a particular office.
` Message Attribute lookup: These lookups assess each e-mail for its potential impact on network traffic. For example, they can capture e-mails if the number of recipients is excessive.

Application Monitor capture triggers
Application Monitor triggers are a special category. They can capture application metrics (key presses and mouse clicks for targeted applications over specific time periods). These triggers are based on two criteria, both of which must be confirmed for the trigger to activate:

Application: You can define applications by the executable name and path or by executable properties such as Version Information or Product Name. This lets you identify applications by their familiar name rather than their less familiar executable name (such as Netscape rather than netscp.exe).
Window title: Triggers can detect when the application window uses a specific window title, indicating that a specific document or screen has been opened. For example, you can specify Hotmail - Compose to detect whenever a user writes a message on the Hotmail web site.

Data At Rest capture triggers
These triggers are used to capture files scanned by the File Scanning Agent (FSA) or imported onto the CMS by an Import Policy job. The triggers activate if a file has a specific format (for example, a Microsoft Word document) or file name, or because its text content matches the specified trigger criteria. Each trigger includes:

Document Classification: The Use Document Classification? and Which Document Classifier? settings let you make the trigger dependent on a specific document classification.
Search Text: The Search Files? setting determines whether Orchestria APM searches the text of the file.
File lists, for top-level files and embedded files: The Which Top Level File List? setting lets you check for names of normal files or zip files. The Which Individual or Embedded File List? setting lets you check for named files contained within a zip file or embedded in a master file.
Unreadable Text: The Activate Trigger if Text Content Unreadable? setting lets you configure Orchestria APM to detect files with unreadable text (for example, because the file is encrypted or password-protected).
File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:
` File Scanning Agent: The File Scanning Agent (FSA) can scan designated folders (including Microsoft Exchange Public Folders) and allows policy engines to apply Data At Rest triggers to files in those folders.
` File Importer: You can import files into the CMS using Event Import or Import Policy.
` External Agent API for File: You can use the External Agent API to extract files from third party archives and import them into the CMS via Event Import.
Data Lookup exemptions: The Data Lookup Command setting supports XML Attribute data lookup and lets you target files with particular attributes:
` XML Attribute lookup: Triggers can examine and capture files based on their metadata attributes (this metadata is stored in XML format). For example, file metadata includes details about the file creation and modified dates, and its name, path and title.

Data In Motion capture triggers
These triggers are used to capture files being printed or copied to a USB device (removable device), and files entering or leaving the corporate network. Specifically, these triggers are used by the Client Print System Agent (CPSA), Client File System Agent (CFSA), and the Network Boundary Agent (NBA). For the CPSA and CFSA, the triggers can activate if the user tries to use a specific printer or USB device. Other trigger criteria can check the file name and analyze its text content. Each trigger includes the same Document Classification, Search Text, file list, Unreadable Text and Data Lookup (XML Attribute lookup) settings as Data At Rest triggers, together with:

File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:
` Network Boundary Agent For File: The Network Boundary Agent (NBA) monitors files leaving your corporate network or arriving from the Internet.
` Client File System Agent: This agent detects files or documents being copied to USB devices (removable drives).
` Client Print System Agent: This agent detects files or documents sent to a local or network printer.
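The e-mail trigger filters described above for capture triggers (Encryption Filter, Digital Signature Filter, Which E-mail Source? and the Message Attribute data lookup), which reappear with the same meaning on e-mail control triggers on page 134, are shown in the following added example. It is not Orchestria APM code: the field names, the filter values and the sample messages are constructed for the example. The point it demonstrates is that an exemption decides before the content criteria do; an exempted message cannot activate the trigger whatever its content matches.

```python
"""E-mail trigger exemption filters, as an added example (not Orchestria APM code).

Models the per-trigger filters the guide lists for e-mail capture triggers
and e-mail control triggers: the Encryption Filter and Digital Signature
Filter exempt encrypted/non-encrypted or signed/unsigned mail, Which E-mail
Source? stops the trigger activating for mail from a given application or
import source, and a Message Attribute lookup targets mail whose recipient
count or size is excessive. An exemption wins over the content criteria.
Field names, filter values and the sample messages are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ANY, ENCRYPTED_ONLY, UNENCRYPTED_ONLY = "any", "encrypted", "non-encrypted"
SIGNED_ONLY, UNSIGNED_ONLY = "signed", "unsigned"


@dataclass
class Email:
    subject: str
    source: str          # application or import source, e.g. "Outlook"
    encrypted: bool
    signed: bool
    recipients: int
    size_bytes: int


@dataclass
class EmailTrigger:
    name: str
    keywords: List[str]                        # content criterion (subject)
    encryption_filter: str = ANY
    signature_filter: str = ANY
    excluded_sources: Set[str] = field(default_factory=set)
    max_recipients: Optional[int] = None       # Message Attribute lookup
    max_size_bytes: Optional[int] = None

    def exemption(self, mail: Email) -> Optional[str]:
        """Why the trigger cannot activate for this mail, or None."""
        if self.encryption_filter == ENCRYPTED_ONLY and not mail.encrypted:
            return "encryption filter"
        if self.encryption_filter == UNENCRYPTED_ONLY and mail.encrypted:
            return "encryption filter"
        if self.signature_filter == SIGNED_ONLY and not mail.signed:
            return "signature filter"
        if self.signature_filter == UNSIGNED_ONLY and mail.signed:
            return "signature filter"
        if mail.source in self.excluded_sources:
            return "e-mail source"
        return None

    def activates(self, mail: Email) -> bool:
        if self.exemption(mail) is not None:
            return False
        content_hit = any(k.lower() in mail.subject.lower() for k in self.keywords)
        too_many = self.max_recipients is not None and mail.recipients > self.max_recipients
        too_big = self.max_size_bytes is not None and mail.size_bytes > self.max_size_bytes
        return content_hit or too_many or too_big


def matching_subjects(trigger: EmailTrigger, mails: List[Email]) -> List[str]:
    return [m.subject for m in mails if trigger.activates(m)]


# Constructed sample traffic
MAILS = [
    Email("Q3 forecast - confidential", "Outlook", encrypted=False, signed=False, recipients=2, size_bytes=20_000),
    Email("Q3 forecast - confidential", "Outlook", encrypted=True, signed=True, recipients=2, size_bytes=20_000),
    Email("Lunch on Friday", "Outlook", encrypted=False, signed=False, recipients=150, size_bytes=5_000),
    Email("Archived: confidential memo", "Import", encrypted=False, signed=False, recipients=1, size_bytes=1_000),
]

# Capture non-encrypted mail mentioning "confidential", ignore mail imported
# from an archive, and also capture any mail sent to more than 100 recipients.
TRIGGER = EmailTrigger("Confidential outbound", ["confidential"],
                       encryption_filter=UNENCRYPTED_ONLY,
                       excluded_sources={"Import"}, max_recipients=100)
```

Against the sample traffic the trigger activates for the plain-text forecast and for the 150-recipient message, while the encrypted copy of the forecast and the imported memo are exempted before their content is considered. Note the practical consequence of an encryption exemption: a trigger configured this way is blind to anything sent encrypted, which is usually intended, but it is worth pairing with a trigger that targets encrypted mail if that traffic also needs review.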


Capture Actions
Capture actions determine how much data is captured when a capture trigger fires. For example, you can choose whether to capture Web page images or e-mail attachments. There are multiple capture actions, allowing you maximum flexibility to configure the actions associated with any capture. You can also give unique names to capture actions, enabling you to quickly recognize the nature of the capture event when viewing events in the iConsole or Data Management console.

Web page capture actions
Each capture action can be specified by any capture trigger and, in addition to capturing Web data, also covers the following areas:

Browser Light: You can switch on or off the Orchestria APM capture light in the taskbar of the user's browser. This indicates to users when a Web page has been captured.
Capture Page Detail?: You can specify how much page detail is captured. For example, you can capture or ignore images and uploaded files.

E-mail capture actions
Actions listed here can be specified separately for both incoming and outgoing e-mail capture triggers. In addition to capturing e-mail data, each action also includes the following setting:

Capture Mail Detail?: You can specify how much e-mail detail is captured. The To, From, Cc and Subject fields are always captured, as are details such as the capture date and user name. But you can also capture the e-mail content, attachments, and Internet Mail Header.

Application Monitor capture actions
Each capture action covers the following areas:

Event timeout: This determines how often events are closed if an application is continuously active.
Key presses: You can record how many key presses a user makes while running the specified executable in the specified window.
Mouse clicks: You can record how many mouse clicks a user makes while running the specified executable in the specified window.

Data At Rest capture actions
Each capture action can be specified by any capture trigger and can capture:

Capture File Details?: You can specify how much file detail is captured. For example, you can capture the file itself, or just its metadata (file attributes), or both.

Data In Motion capture actions
Each capture action can be specified by any capture trigger and can capture:

Capture File Details?: You can specify how much file detail is captured. For example, you can capture the file itself, or just its metadata (file attributes), or both.


Control settings
Control triggers define when e-mail, file, Web or application activity causes a control event to be generated; control actions determine the nature of the control event (for example, a block or a warning) plus any associated event handling (for example, automatic replies to incoming e-mails or redirecting Web users to alternative URLs).

Figure: User Policy: Control Settings (policy tree: User Policy [Spencer Rimmel] > Control > Web Pages, Incoming e-mails, Outgoing e-mails, Application Monitor, Data At Rest and Data In Motion, each with Control Triggers and Control Actions subfolders).

Control triggers
The range of possible control triggers is the same as the range of capture triggers. You can define triggers that cause Orchestria APM to block an e-mail, Web page, uploaded file or data submission, remove a file, warn or inform the user, or even silently record the user's behavior. Each trigger includes:

Unique trigger name: You can give a unique name to each control trigger. This lets you quickly recognize the nature of any control events listed in the iConsole or Data Management console.
Multiple versions: There are multiple numbered versions of each control trigger (for example, URL 1, URL 2 and so on). This allows you maximum flexibility to configure your triggers and target the Web pages, e-mails, applications and files that you want to control.
Policy class: You can associate each control trigger with a policy class. When a trigger activates, the policy class is saved in the trigger record attached to the resulting event. Reviewers can then search for events by their policy class in the iConsole.
Smart tags: These enable you to categorize control events. You can assign smart tags such as Privileged content or Employment solicitation to a trigger. When the trigger activates, the tag is saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole or Data Management console.
Severity: Severity scores enable you to group policy triggers into bands. By default, the severity bands are Low, Medium or High. For example, you may want to assign a high severity score to a trigger that detects serious violations of corporate rules. When the trigger activates, the severity score is saved with the resulting event. You can then search for events by severity in the iConsole or Data Management console.
Sampling Rate: Only available for e-mails. This enables you to capture a sample of events. For example, you may want to know how often a user sends an e-mail to an external e-mail address, such as 'hotmail'. To do this, you do not need to capture every single e-mail, but perhaps just 1 in 10. You will then know that for each captured event, the user has actually sent 10 e-mails. This saves valuable space on the CMS and ensures that reviewers' time is used efficiently. Because only the sampled e-mails produce events, use a sampling rate to measure how often something happens, not for a control that must act on every occurrence.
i Do not confuse this setting with the Sampling Rate setting in the iConsole, which simply enables you to show a sample of all search results.
Minimum retention period: You can set minimum retention periods for each control trigger. This retention period determines how long the respective events are retained in the local database before they are eligible for purging.
Advisory message to users: For each control trigger, you can define a unique message that appears in the Blocking, Warning or Inform dialog or, for Data At Rest triggers, in replacement stub files. For example, this message can explain to users why a particular application or e-mail triggered a warning.

The key characteristics of Web, e-mail, Application Monitor, Data At Rest and Data In Motion control triggers are summarized on pages 134 to 135. The complete range of triggers is summarized on page 143.

Web page control triggers
Some triggers activate when a user browses to a specified Web page. Other triggers activate when a user tries to upload a file or submit data (for example, a password or credit card number) to a Web site. Each trigger also includes:

Keystrength exemptions: The Keystrength Exemptions setting lets you block users from accessing insecure Web sites. If you set a keystrength exemption for a control trigger, Web sites or data submissions are blocked only if they use a key strength lower than the minimum value specified by this setting.

E-mail control triggers
Some triggers activate when a user tries to open or send an e-mail that contains prohibited or sensitive information. Others activate because the e-mail contains an unauthorized attachment, or because it appears to be transaction-related. Each trigger also includes:

Data Lookup exemptions: Each e-mail control trigger includes a Data Lookup Command setting. This lets you target e-mails with particular characteristics. This setting supports the following types of data lookup:
` User Attribute lookup: Triggers can selectively detect e-mails based on the account attributes of the Orchestria APM sender or recipients (for example, a Department attribute; see page 51).
` Address Book lookup: These examine the Outlook Address Book properties of the recipients or the sender. For example, they can block e-mails sent to users in a particular office.
` Message Attribute lookup: These lookups assess each e-mail for its potential impact on network traffic. For example, they can block e-mails if they are too big.
Encryption exemptions: The Encryption Filter setting lets you exempt encrypted or non-encrypted e-mails. For example, you can use this filter to block non-encrypted e-mails but ignore encrypted e-mails.
Digital signature exemptions: The Digital Signature Filter setting lets you exempt signed or unsigned e-mails. For example, you can use this filter to block unsigned e-mails but ignore signed e-mails.
Disable integration with specific e-mail sources: The Which E-mail Source? setting lets you disable Orchestria APM integration with specific e-mail applications or import sources. If Orchestria APM detects e-mails sent or opened using the specified application or imported from the specified source, the trigger cannot activate.
Categorization: You can configure the Message To Users setting to specify one or more categories. If the trigger activates and invokes a categorize control action, the categories are stored with the e-mail on the CMS.

Application Monitor control triggers
Application Monitor triggers activate when Orchestria APM detects that a user is running a particular application. You can define applications by their executable name and path or by the Version Information in the executable properties (this lets you identify applications by their familiar product name rather than their less familiar executable name, for example Netscape rather than netscp.exe).

Data At Rest control triggers
These triggers analyze files scanned by the File Scanning Agent (FSA) or imported onto the CMS by an Import Policy job. The triggers activate if a file has a specific format (for example, a Microsoft Word document) or file name, or because its text content matches the specified trigger criteria. Each trigger includes:

Data Lookup exemptions: The Data Lookup Command setting supports XML Attribute data lookup and lets you target files with particular attributes:

` XML Attribute lookup: Triggers can examine and capture files based on their metadata attributes (this metadata is stored in XML format). For example, file metadata includes details about the file creation and modified dates, and its name, path and title.

Replacement stub files: You can configure triggers to replace deleted files with an explanatory stub file. This stub file contains an explanatory message, specified in the Message To Users setting. Categorization: You can also configure the Message To Users setting to specify one or more categories. If a trigger activates and invokes a categorize control action, the categories are stored with file event on the CMS.

Search Text: The Search Files? setting determines whether to search the text content of the file. Document Classification: The Use Document Classification? and Which Document Classifier? settings let you make the trigger dependent on a specific document classification. Files lists, for top level files and embedded files: The Which Top Level File List? setting lets you check for names of normal files or zip files. The Which Individual or Embedded File List? setting lets you check for named files contained within a zip file or embedded in a master file. Unreadable Text: The Activate Trigger if Text Content Unreadable? setting lets you configure Orchestria APM to detect files with unreadable text (for example, because the file is encrypted or password-protected). File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:

Data In Motion control triggers These triggers can detect files being printed or copied to a USB device (removable drive), and files entering or leaving the corporate network. Specifically, these triggers are used by the Client Print System Agent (CPSA), Client File System Agent (CFSA), and the Network Boundary Agent (NBA). For the CPSA and CFSA, the triggers can activate if the user tries to use a specific printer or USB device. Other trigger criteria can check the file name and analyze its text content. Each trigger includes:

` File Scanning Agent: The File Scanning Agent (FSA) can scan designated folders (including Microsoft Exchange Public Folders) and allows policy engines to apply Data At Rest triggers to files in those folders. ` File Importer: You can import files into the CMS using Event Import or Import Policy. ` External Agent API for File: You can use the External Agent API to extract files from third party archives and import them into the CMS via Event Import.

Document Classification: The Use Document Classification? and Which Document Classifier? settings let you make the trigger dependant on a specific document classification. Search Text: The Search Files? setting determines whether to search the text content of the file. Files lists, for top level files and embedded files: The Which Top Level File List? setting lets you check for names of normal files or zip files. The Which Individual or Embedded File List? setting lets you check for named files contained within a zip file or embedded in a master file.

136

Orchestria Active Policy Management Administrator guide

Unreadable Text: The Activate Trigger if Text Content Unreadable? setting lets you configure Orchestria APM to detect files with unreadable text (for example, because the file is encrypted or password-protected). File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:

A control action can be invoked by any control trigger. There are multiple control actions, allowing you maximum flexibility to configure the actions associated with any blocking or warning. You can also give a unique name to each action, enabling you to quickly recognize the nature of the control event in the iConsole or Data Management console. Each control action automatically captures basic details such as the type of control event (for example, a blocking), when the event was captured and the user associated with the event. But you can also specify simultaneous capture actions to fully capture the associated e-mail, file, or Web page, or to record application usage details. i Control events are described in full on page 217. Web Page control actions Web page control actions determine how Orchestria APM handles attempts to browse particular Web pages, upload specific files, or submit data to a Web site. In addition to the Intervention setting, each Web page control action can:

` Network Boundary Agent For File: The Network


Boundary Agent (NBA) monitors files leaving your corporate network or arriving from the Internet.

` Client File System Agent: This agent detects files


being copied to USB devices.

` Client Print System Agent: This agent detects files or documents sent to a local or network printer.

Data Lookup exemptions: The Data Lookup Command setting supports XML Attribute data lookup and lets you target files with particular attributes:

` XML Attribute lookup: Triggers can examine and capture files based on their metadata attributes (this metadata is stored in XML format). For example, file metadata includes details about the file creation and modified dates, and its name, path and title.

Categorization: You can also configure the Message To Users setting to specify one or more categories. If a trigger activates and invokes a categorize control action, the categories are stored with file event on the CMS.

Redirect users: If a control action results in a blocking or heeded warning, any user trying to browse an unauthorized Web page is automatically sent to an alternative URL such as your intranet. Capture Web activity: When a control trigger activates, Orchestria APM automatically records the basic event details, but you can specify a capture action to capture the Web page content, images, uploaded files or submitted form data.

Control actions
Settings in the control action determine what type of control event is generated. Specifically, the Intervention setting determines whether to: block an instance of e-mail, file, Web or application activity; simply warn or inform the user; silently record the users behavior; categorize e-mails or files; or in the case of Data At Rest file events, silently remove or replace the users files. The Intervention setting is the pivotal determinant in the control action. For full details, see page 220.

E-mail control actions E-mail control actions determine how Orchestria APM handles e-mails and attachments. Separate actions are available for incoming and outgoing e-mails. In addition to the Intervention setting, each control action covers:

Forwarding e-mails: If required, you can forward any e-mail that activates a control trigger to another address. For example, you can forward copies of inappropriate e-mails to a manager. The alternative recipient receives a standard notification with the original e-mail included as an attachment.

Chapter 6 Editing policies

137

Capturing e-mails and attachments: When a control trigger activates, Orchestria APM automatically records the basic event details (the user name, the time of the blocking, and so on). But you can also specify a capture action to capture the e-mail body text and any attachments plus, for incoming e-mails, the Internet mail header. Deleting or replacing e-mails: For incoming e-mails only. If an e-mail is blocked or canceled by the user (by clicking Cancel in a warning dialog), you can delete the e-mail from the recipients Inbox. Or you can keep the e-mail in the recipients Inbox, but replace its body text with a standard notification. Automatic replies: For incoming e-mails only. If an e-mail is blocked or canceled by the user (by clicking Cancel in a warning dialog), you can send an automatic reply to the sender, using a customizable explanatory message. Address Modification of Authorized E-mails: For
outgoing e-mails only. If required, you can move all

Data At Rest control actions Data At Rest control actions use the Intervention setting to silently remove, replace, or categorize targeted files. Each control action also covers:

Copying files: When a control trigger activates, you can configure Orchestria APM to save a copy of the file in another location. i If a file with the same name already exists in
the given location, Orchestria APM takes the action specified below.

` Copy Conflict Resolution: This defines what action Orchestria APM takes if a file with the same name already exists in the location where the file will be copied to. Orchestria APM can discard the new file and retain the existing file, or overwrite the existing file with the new file, or create an additional copy of the new file but with a numeric suffix in the file name.
Data In Motion control actions These control actions apply to files being printed or copied to a USB device (removable drive), and files entering or leaving the corporate network. They use the Intervention setting to block or categorize targeted files, or (if a user tries to print a file or copy it to a USB device) inform or warn the user.

recipients (or even just the external recipients) to the Bcc field of an outgoing e-mail before it is sent, to ensure it complies with your organization's regulations. i If you move recipients to the Bcc field, the
e-mail is flagged accordingly and this information can be seen when reviewing the event in the iConsole, or Data Management console.

Application Monitor control actions Application Monitor control actions determine how Orchestria APM handles attempts to start up particular applications. In addition to the Intervention setting (which determines whether to block the application, or warn or inform the user), each control action also contains a setting that lets you capture application usage details (key presses, mouse clicks, and so on).


Transaction settings

Triggers determine when Orchestria APM captures a transaction. The sole action determines how Orchestria APM handles any captured transactions.

[Figure: User Policy: Transaction Settings. The policy tree shows User Policy [Spencer Rimmel] with the folders Capture, Control and Transactions; the Transactions folder contains Web Page Triggers, Incoming e-mail Triggers, Outgoing e-mail Triggers and Transaction Action.]

Transaction Triggers

You define the triggers that kick off a transaction capture, based on Web page or e-mail characteristics. For example, you can base triggers on automatic analysis of Web page content or automatic detection of credit card numbers. Each trigger includes:

Unique trigger name: You can give a unique name to each Transaction trigger. Trigger names let you quickly recognize the reason for the capture.

Policy class: You can associate each Transaction trigger with a policy class. When a trigger activates, the policy class is saved in the trigger record attached to the resulting event. Reviewers can then search for events by their policy class in the iConsole.

Smart tags: These settings enable you to categorize transactions. You can assign smart tags such as Personal shopping or IT purchase to all triggers. When the trigger activates, the tag is saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole.

Minimum retention period: You can set a unique minimum retention period for each Transaction trigger. This determines how long captured events are retained in the local database before they are eligible for purging.

Typically, these triggers display a Confirm Transaction dialog. This dialog prompts users to supply the relevant details, but one trigger type, Transaction Detector, explicitly identifies transactions in progress and can extract data such as the transaction total and supplier reference.

Warning: If the Transaction Detector trigger is disabled, you cannot automatically capture transaction details.

The complete range of triggers is summarized on page 143.

Web page transaction triggers

Some triggers activate when a user browses to a specified Web page. Other triggers activate when a user tries to upload a file or submit data (for example, a password or credit card number) to a Web site.

E-mail transaction triggers

Some triggers activate when a user tries to open or send an e-mail that contains prohibited or sensitive information. Others activate because the e-mail contains an unauthorized attachment, or because it appears to be transaction-related. Each trigger includes:

Encryption and trigger exemptions: The Encryption Filter setting lets you exempt encrypted or non-encrypted e-mails. For example, you can use this filter to block non-encrypted e-mails but ignore encrypted e-mails.

Digital signatures and trigger exemptions: The Digital Signature Filter setting lets you exempt signed or unsigned e-mails. For example, you can use this filter to block unsigned e-mails.

Note: These triggers capture transaction data (the amount, sales tax, supplier reference, and so on). They do not capture the associated Web page or e-mail. However, it is very easy to capture this information at the same time as the transaction data; simply configure a policy so that a transaction trigger and an equivalent capture trigger use the same detection criteria and activate simultaneously.


Transaction Action

There is a single transaction action that determines how Orchestria APM handles captured transactions. It covers the following areas:

Name: You can give a unique name to this action. This name enables you to quickly recognize the nature of the transaction event. It appears in the Summary tab.

User input: You can make the capture process wholly automatic or you can allow users to manually change or confirm transaction details that were captured automatically.

Cancelations and exceptions: You can allow or prevent users from canceling captured transactions. Or you can allow users to mark a captured transaction as an exception. If marked as an exception, its details are captured but the transaction is excluded from all statistical analysis in the Executive console.

Transaction items: You can configure how Orchestria APM handles individual items of captured transaction data (see below). For each item, you can:

- Set the required confidence in its accuracy (transaction validation is discussed on page 187).
- Allow or prevent users from changing values captured automatically.
- Specify whether the item is needed at all.

Note: To configure the sensitivity of the transaction matching process, you need to edit the transaction settings in the System Settings folder. See page 140.

Note: You can define maximum transaction values when you configure the control triggers for Web pages and outgoing e-mails. See pages 143 and 144.

Transaction items

The full range of transaction items supported by Orchestria APM is shown below.

Total: The total value of the transaction, including any taxes and applicable shipping costs.

Currency: The currency in which the transaction was conducted.

Shipping: The shipping amount (included in the Total).

Tax: The tax amount (included in the Total).

Payment type: The method of payment. Examples include credit card, bank transfer, and so on.

Payment data: Supplementary payment details such as a credit card number or a bank account number.

Supplier reference: The transaction reference code provided by the supplier, such as an order number or invoice number.

Buyer reference: Your own reference code for the transaction.

Description: A brief, user-supplied description of the transaction.

Comments: Additional, user-supplied comments about the transaction.


System settings

This policy folder contains various settings that control how Orchestria APM operates.

[Figure: User Policy: System Settings. The policy tree shows User Policy [Spencer Rimmel] with the folders Capture, Control, Transactions, System Settings and Extensions.]

System settings include:

Application Monitor: This controls the timeout for application events, which in turn determines the interval at which application usage details (mouse clicks and key presses) are recorded.

Initialization: These settings control initialization of Orchestria APM when users log on. In particular, the Infrastructure Failure setting controls how Orchestria APM responds when the infrastructure fails to start. You can specify that only Orchestria APM is disabled (for example, capture and control triggers stop working) or you can disable Orchestria APM plus all browser and e-mail applications integrated into Orchestria APM (this prevents users running their browser or e-mail applications until the infrastructure restarts).

User Notifications: These settings determine the titles for notification dialogs, for example, when user activity triggers a blocking, warning or inform event, or when Orchestria APM detects a transaction. They also determine the subject and body text for notification e-mails containing a forwarded e-mail.

Definitions: These settings enable you to specify the following definitions:

- Internal E-mails: When Orchestria APM detects an internal e-mail, the associated capture or control event is flagged accordingly. You can then explicitly search for internal e-mails in the Data Management console. For details about searching for internal events, see the Data Management Console guide; search the index for e-mails, internal.
- Intranet Sites: When Orchestria APM detects an intranet visit, the associated capture or control event is flagged accordingly. You can then explicitly search for intranet hits in the Data Management console. For details about searching for internal events, see the Data Management Console guide; search the index for e-mails, internal.
- Additional Long Domain Endings: Orchestria APM uses e-mail address patterns to identify 'long domains' when extracting the domain element from an SMTP address. Long domains are defined as comprising three segments after the @ symbol, for example, lsteel@unipraxis.co.uk. You can also supplement this list in the user policy; to do this, edit the Additional Long Domain Endings setting in the Definitions folder.
- Archive File Extensions: Files whose names match any of the values in this list are recognized by Orchestria APM as archive files and therefore included in the %allarchives% variable, if used. For example, the file Sales Figures.zip matches a value of *.zip in this setting.
- User Definitions: Orchestria APM enables you to set up custom variables. Also known as replaceable strings, user definitions are variables that can be referenced by any settings in the current user policy that have a text value (for example, trigger names, address lists, search text lists, messages to users). For example, you can define a 'Version' user definition and reference this as %Version% in any Trigger Name setting.

Document Classifications: These settings enable Orchestria APM to detect specific types of document, for example, sales proposals, contract agreements, or airline Web sites. Generic classifications use parameter settings to identify document types defined by you. For full details, see chapter 7, Categorizing, tagging and classifying events.

Sensitive Information Handling: These enable you to conceal captured passwords and credit card numbers so they are not readable in the Data Management console.

Transactions: These settings enable Orchestria APM to identify and group together all e-mails or Web pages that collectively make up the full context of a single transaction. For example, a single transaction may include catalog and checkout Web pages, plus a subsequent e-mail receipt. Policy settings cover the following areas:

- The sensitivity of analysis used by Orchestria APM to detect transactions. See step 3 on page 188.
- A transaction activity timeout. This determines when Orchestria APM deems a transaction complete and closes it.
- The sensitivity of the automatic transaction matching. Orchestria APM looks for common details in existing transaction items and in the newly captured item. For details, see page 193.

Decompressed zip files: This setting can alleviate performance slowdowns when searching the text content of zipped files. It specifies the maximum total size for decompressed zip files. Orchestria APM does not analyze files that would, if decompressed, take the cumulative total size of the decompressed zip file above this limit.

E-mail distribution lists: This setting can alleviate processing delays when sending e-mails to very large distribution lists or large numbers of recipients. It can limit the volume and type of recipient information retrieved from the e-mail server. For details, see page 329.

File size: This setting can alleviate processing delays when processing files. It can specify the maximum size of files to be processed.

Process e-mails on arrival: This setting can alleviate operating delays when new e-mails arrive. It can prevent Orchestria APM from processing incoming e-mails until the user tries to open them.

Retrieve full sender and recipient details: These settings can alleviate processing delays when receiving and reading e-mails, or when sending e-mails to large numbers of recipients. They can specify that Orchestria APM only retrieves basic information for each sender or recipient from the user directory and does not retrieve other details such as e-mail address aliases.

Note: The term user directory is used to mean directories such as Active Directory and Domino Server. These directories hold e-mail address information for the organization.
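The Additional Long Domain Endings and Archive File Extensions definitions above describe two small matching rules. The following is an added example, not Orchestria APM code, showing how such rules behave on sample addresses and file names; the default ending list, the `domain_element` and `is_archive_file` helper names, and the treatment of ordinary domains as their last two labels are assumptions made for illustration.

```python
import fnmatch
from typing import Iterable, Optional

# Assumed sample of long domain endings (three segments after the @ symbol).
# The product's built-in pattern list is not given on this page, so this list
# is an illustrative assumption; policy-supplied endings are passed separately.
DEFAULT_LONG_DOMAIN_ENDINGS = ("co.uk", "org.uk", "ac.uk", "com.au", "co.jp")


def _normalize_ending(ending: str) -> str:
    # Accept either "co.uk" or a wildcard-style "*.co.uk" and compare lower-case.
    return ending.strip().lower().lstrip("*.")


def domain_element(address: str, additional_endings: Iterable[str] = ()) -> Optional[str]:
    """Return the domain element of an SMTP address, or None if it has none.

    Ordinary domains yield their last two labels (mail.unipraxis.com -> unipraxis.com).
    When the domain ends with a long domain ending, the last three labels are kept
    (unipraxis.co.uk stays unipraxis.co.uk). Without that rule every UK company
    would collapse to the same "co.uk" element, so lookups keyed on the domain
    element (internal e-mail flagging, address lists) would become meaningless.
    """
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    labels = [label for label in domain.split(".") if label]
    if not labels:
        return None

    endings = {_normalize_ending(e) for e in DEFAULT_LONG_DOMAIN_ENDINGS}
    endings.update(_normalize_ending(e) for e in additional_endings)

    last_two = ".".join(labels[-2:])
    if last_two in endings and len(labels) >= 3:
        return ".".join(labels[-3:])
    return last_two


def is_archive_file(file_name: str, patterns: Iterable[str] = ("*.zip",)) -> bool:
    """True if the file name matches any Archive File Extensions pattern.

    Matching is case-insensitive so that "Report.ZIP" is treated like "report.zip";
    fnmatchcase is used after lower-casing both sides to keep behaviour identical
    on every platform.
    """
    name = file_name.lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in patterns)


if __name__ == "__main__":
    # Constructed sample values, not data from the manual or a real policy.
    for addr in ("lsteel@unipraxis.co.uk", "JDoe@mail.Unipraxis.com", "not-an-address"):
        print(f"{addr:28} -> {domain_element(addr)}")
    print(is_archive_file("Sales Figures.zip"))  # True: matches *.zip
```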

Enable application integration: This setting can enable or disable integration with specific applications. If integration is disabled, Orchestria APM does not monitor that application and the associated capture and control triggers will never activate. For example, if you disable integration with Microsoft Outlook in the policy for a specific user group, Orchestria APM does not monitor Outlook inboxes or outboxes for members of that group.

Web page buffer size: This setting can prevent a performance slowdown when capturing Web pages. It specifies a maximum buffer size for each user. See page 200.

Nested zip files and embedded e-mails: These settings can alleviate performance slowdowns when searching the text content of zipped files or e-mails embedded inside another e-mail. They specify the maximum depth of nesting; Orchestria APM does not analyze nested files or embedded e-mails beyond this depth.

Store e-mail class: This setting specifies whether Orchestria APM extracts and stores the message class of captured e-mails. Doing so enables reviewers to search for or, more importantly, exclude from searches specific categories of e-mail such as delivery receipts or meeting requests.

Data lookup command time-outs: To ensure that e-mails are not delayed unnecessarily, you can specify lookup time-outs for e-mail control triggers that use User Attribute lookup commands.
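The Decompressed zip files and Nested zip files settings above are the two limits that keep a content scanner from being exhausted by a deeply nested or highly compressible archive. The following added example, which is not Orchestria APM code, walks an in-memory zip while enforcing a cumulative decompressed-size budget and a nesting-depth limit; the limit values, the `scan_archive` helper and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Constructed sample limits standing in for the policy's nesting-depth and
# cumulative decompressed-size settings (not the product's default values).
MAX_NESTING_DEPTH = 1
MAX_DECOMPRESSED_BYTES = 4096


def _make_zip(entries):
    """Build a zip in memory from (name, bytes) pairs; used only for sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real file):

    outer.zip
      report.txt   200 bytes
      inner.zip    nested at depth 1
        notes.txt  300 bytes
        deep.zip   nested at depth 2
          secret.txt 100 bytes
      big.txt      8000 bytes, more than the whole budget on its own
    """
    deep = _make_zip([("secret.txt", b"s" * 100)])
    inner = _make_zip([("notes.txt", b"n" * 300), ("deep.zip", deep)])
    return _make_zip([
        ("report.txt", b"r" * 200),
        ("inner.zip", inner),
        ("big.txt", b"b" * 8000),
    ])


def scan_archive(data: bytes, max_depth: int, size_limit: int):
    """Walk a zip and return (analyzed, skipped) lists of entry paths.

    The decompressed size is taken from the central directory (ZipInfo.file_size)
    and charged against the budget *before* any bytes are inflated, so an entry
    that would push the cumulative total over the limit is never expanded.
    Nested zips beyond max_depth are skipped whole rather than opened.
    """
    analyzed, skipped = [], []
    budget = [size_limit]  # one shared budget across all nesting levels

    def walk(blob: bytes, prefix: str, depth: int) -> None:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = prefix + info.filename
                is_zip = info.filename.lower().endswith(".zip")
                if is_zip and depth + 1 > max_depth:
                    skipped.append(path)          # nested deeper than allowed
                    continue
                if info.file_size > budget[0]:
                    skipped.append(path)          # would exceed the cumulative limit
                    continue
                budget[0] -= info.file_size       # charge the declared size first
                payload = zf.read(info)           # CRC-checked by zipfile
                if is_zip:
                    walk(payload, path + "/", depth + 1)
                else:
                    analyzed.append(path)

    walk(data, "", 0)
    return analyzed, skipped


def run_sample():
    """Scan the constructed archive with the sample limits."""
    return scan_archive(build_sample_archive(), MAX_NESTING_DEPTH, MAX_DECOMPRESSED_BYTES)


if __name__ == "__main__":
    analyzed, skipped = run_sample()
    print("analyzed:", analyzed)   # report.txt and inner.zip/notes.txt
    print("skipped:", skipped)     # inner.zip/deep.zip (depth) and big.txt (size)
```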


Extensions

These settings determine what Orchestria APM functionality is available or visible in a user's browser or e-mail application.

[Figure: User Policy: Extensions. The policy tree shows User Policy [Spencer Rimmel] with the folders Capture, Control, Transactions, System Settings and Extensions.]

Extensions settings include:

Browser: You can show or hide the Orchestria APM capture lights in the status bar. These indicate to users when, for example, a capture is in progress. They also allow access to a context menu that permits users to manually capture Web pages. You can also choose when to warn users that their Web activity may be monitored.

[Figure: Orchestria APM capture lights. These light up to indicate: 1 Capture in progress. 2 Transaction detected. 3 XML detected. 4 Right-click to view the Orchestria APM context menu.]

E-mail: You can show or hide the capture button in the toolbar of a Microsoft Outlook message window. In effect, this allows or prevents users from manually capturing e-mails. You can also choose when to warn users that their e-mail activity may be monitored.

Note: Manual e-mail captures are only available to Microsoft Outlook users. They are not available in other e-mail applications.


User policy triggers

Trigger settings account for a substantial part of the user policy. There is much repetition though, with similar triggers available in the Capture, Control and Transaction folders. For this reason, we strongly recommend that you give meaningful names to each trigger. These names appear in the Summary tab (see the Data Management Console guide; search the index for event tabs, Summary) and enable you to quickly recognize the nature of a captured event. This section summarizes the full range of triggers supported by Orchestria APM.

Web page triggers

This section lists the full range of Web page triggers. Unless stated otherwise, all are available in the Capture, Control and Transactions policy folders.

URL: These triggers activate if a user browses to a specified URL (these include trigger URLs based on wildcards; see page 108).

Secure Sites: These triggers activate if a user browses to a secure Web page, that is, a page that uses HTTPS.

Submitted Credit Card: These triggers activate if a user submits a specified card number to a specified Web page.

Submitted Search Text: These triggers activate if a user submits specified text to a specified Web page. This includes text that a user types in an HTML form, items selected in a form menu, or any text associated with a form control.

HTML Password: These triggers activate if a user submits a password in an HTML form.

File Upload: These triggers activate if a user uploads a file containing specified text to a specified Web site. You specify which file types are checked. These triggers can also be configured to activate automatically if the uploaded file is encrypted or password-protected.

Content Search Text: These triggers activate when key words or phrases are detected on a specified Web page.

Document Classifier: These triggers capture Web pages and uploaded files if they match a particular document classification. You select the classification, and you specify which Web sites and uploaded files are checked against this classification.

Content Agent: These triggers activate when a content agent identifies a specific type of document based on its text content. Specifically, they activate if the agent detects a Web page or uploaded file whose text content matches a predefined categorization.

Note: Content agent triggers are available only if explicitly included in your license agreement. For details, see chapter 13, Content agents.

Transaction Detector: These triggers are activated by automatic analysis of the page content to detect possible transactions. You define which Web sites are analyzed. You can also restrict the trigger so it activates only if the Web page matches a specified document classification.

- In the Control folder, you can also specify maximum transaction values for these triggers. If a detected transaction exceeds this value, a blocking or warning is triggered.
- In the Transaction folder, these triggers can automatically extract items of transaction data, such as the transaction total or the supplier reference.

Manual: This is a Capture trigger only. It activates when a user manually captures a Web page.

E-mail triggers

This section lists the full range of triggers for both incoming and outgoing e-mails. Unless stated otherwise, all are available in the Capture, Control and Transactions policy folders.

Sender: Incoming e-mails only. These triggers activate if an incoming e-mail is sent from a specified address. If required, you can filter the triggers for encrypted or digitally signed e-mails.

Recipient: Outgoing e-mails only. These triggers activate if an outgoing e-mail is sent to a specified address. If required, you can filter these triggers for e-mails that are encrypted or digitally signed.

Credit Card: These triggers activate if an e-mail contains specified credit card numbers. You specify which sender or recipient addresses trigger a check for these numbers.

Search Text: These triggers activate if an e-mail contains specified text or omits specified text (for example, a disclaimer omitted from an outgoing e-mail). You specify which sender or recipient addresses trigger a check for this text.

Attachments: These triggers detect e-mail attachments. The trigger can look for attachments with specific file names, or which contain specific words or phrases. You specify which sender or recipient addresses trigger a check for attachments. Triggers can also be set to fire automatically if an attachment is encrypted or password-protected.

Content Agent: These triggers activate when a content agent identifies a specific type of document based on its text content. Specifically, they activate if the agent detects an e-mail or attachment whose text content matches a predefined categorization.

Note: Content agent triggers are available only if explicitly included in your license agreement. For details, see chapter 13, Content agents.

Document Classifier: These triggers activate if an e-mail or attachment matches a particular document classification. You select the classification, and you specify which e-mails and attachments are checked against this classification. For control triggers only: if an e-mail matches the document classification, you can block the e-mail or display a warning based on the presence or absence of specific words or phrases. For example, you can block outgoing e-mails if they do not contain your corporate disclaimer; see page 177.

Transaction Detector: These triggers activate if they detect transaction-related correspondence, such as an e-mail receipt. You define which sender or recipient addresses trigger a check for transaction evidence. You can also restrict the trigger to only fire if the e-mail matches a specified classification. Control triggers for outgoing e-mails also let you specify maximum transaction values. You can then block transactions that exceed this value.

Note: These triggers do not search attachments. They only look for transaction evidence in the e-mail body.

Manual: This is a Capture trigger only. It determines which action is invoked when an Outlook user manually captures an e-mail.

Note: Manual e-mail captures are only available to Microsoft Outlook users. They are not available in other e-mail applications.

Application Monitor triggers

These allow you to capture usage metrics (key presses and mouse clicks) for targeted applications.

Application: These triggers activate when Orchestria APM detects a specific application running in a window with, optionally, a specific title. For details, see page 130.

Data At Rest triggers

These triggers are used to detect files scanned by the File Scanning Agent (FSA) or imported onto the CMS by an Import Policy job.

File: These triggers activate when Orchestria APM detects a file that meets specified conditions. These include files with specific names or formats, files whose text content matches the specified trigger criteria, or files with specific attributes.

Data In Motion triggers

These triggers are used to detect files being printed or copied to a USB device (removable drive), and files entering or leaving the corporate network.

File: These triggers can activate if the user tries to use a specific printer or USB device. Other trigger criteria can check the file name, analyze its text content and look for files with specific attributes.

Chapter 6 Editing policies


Machine policies

Settings in the machine policy determine how Orchestria APM computers manage their database of captured transactions, e-mails and Web pages.

[Figure: the Machine Policy tree in the Administration console for an example machine (CMS-HARDY), showing the folders Infrastructure (with the subfolders Security, Data Management, Replication and Logging), E-mail, User Identification, Policy Engine, Central Management Server and Client File System Agent. Callout: Client File System Agent triggers are only available on the Common client machine.]

Infrastructure

The Orchestria APM infrastructure is a collection of software components that enable Orchestria APM computers to operate, communicate with each other, and protect confidential data. The infrastructure policy folder includes the following subfolders.

Security

These settings determine when Orchestria APM uses encryption. They apply to records in the machine's database and data transfers across the network. You can also specify the thresholds (the volume of encrypted data or an elapsed time period) that trigger an automatic change to the encryption key. On the CMS and gateways, you can cause all database records to be encrypted. These include user and machine account and policy details for each user and machine, plus all captured data. On client machines, this applies only to policy data. You cannot encrypt captured data such as transactions, e-mails, or Web pages.

These settings also determine whether user logon credentials are cached. This enables a user to skip the console logon dialog if that user has already successfully logged on to the CMS during the current session.

Data Management

These settings cover database management on Orchestria APM machines. They determine whether data compression is used, how often the local database is purged, and how Orchestria APM handles free disk space.

- Centera Integration: These settings cover the optional parameters to configure the integration of your Centera device. For example, they determine the number and size of BLOB files stored in a Centera device, and the method used to calculate the Content Address from BLOB files.
- Compression: If required, you can compress stored data on Orchestria APM servers and client machines. Specifically, you can compress the blobs (Binary Large Object files) containing policy data and, on the CMS and gateways, captured data.
- Event purging: For each machine, you determine the frequency and time of each purge, plus the minimum period that captured events are retained before they are earmarked for purging. Other settings provide further control over purge operations. For example, you can choose to suspend the Orchestria APM infrastructure during purge operations or you can specify a purging timeout. See page 83.
  Note: The purge settings are particularly important, and are closely linked with the Replication settings; see below. The significance of these settings is discussed on page 80.
- Free disk space: For each machine, you can specify a warning level and an error level of free disk space. You can also specify how often free disk space is checked. When free disk space falls below the warning level, Orchestria APM adds a series of warnings to the Audit log file. When free disk space falls below the error level, the Orchestria APM infrastructure is suspended. For details, see page 74.
- Remote Data Management: These settings cover the optional parameters to configure the integration of the temporary object store. For example, you can configure how long events remain in the object store before being deleted. For details, see the Deployment guide.

Replication

These settings determine how often Orchestria APM machines send notification of newly captured data or local infrastructure changes. These notification messages act as triggers for data replication between Orchestria APM machines. These settings also cover connection management on CMSs and gateways, logging of replication failures, and replication over a WAN or dialup connection.

- Notification of infrastructure changes: You determine how often client machines and the CMS notify each other of new infrastructure changes such as policy edits or user account updates. When the recipient machine receives this notification, it determines if it needs the update; if so, it requests the details. As soon as the recipient machine has processed the notification, the sender machine stops sending notifications.
- Notification of captured data: You determine how often a client machine notifies the CMS about newly captured data. When the CMS receives this notification, it transfers the captured data from the client to the CMS and the client stops sending notifications.
- Compression: If required, you can compress policy data and captured data before transmitting it across the network between Orchestria APM machines.
- Replication over slow links: You can disable the replication of captured data when the connection to the CMS or Gateway is over a Wide Area Network or dial-up (modem) connection.
- Logging of replication failures: You can specify how soon Orchestria APM begins logging failures by a source machine to contact its target machine.
- Batch size of captured data and infrastructure data: When a child machine replicates captured data to its parent server, or when a parent server replicates infrastructure changes (such as policy updates) to a child machine, the data is sent in batches to conserve network bandwidth. These settings specify the maximum number of KBytes in each batch.
  Note: It is very unlikely that you will ever need to change the default batch sizes.
- Connection management: Available for CMSs and gateways only. These settings cover connection management on a CMS or gateway server. They determine the maximum number of simultaneous connections to client machines, and the maximum number of days that infrastructure changes intended for offline client machines are retained in the CMS cache (the 'cache timeout') before being purged.
  Note: Any offline client machines that fail to reconnect to the CMS and retrieve the latest infrastructure changes before the cache timeout expires are flagged as 'out-of-sync'. When an out-of-sync machine next reconnects to the CMS or gateway, it automatically resynchronizes all of its infrastructure data.
- Replication holding cache: You can set up scheduled operations to automatically move events out of the replication holding cache at regular intervals. For details, see the Deployment guide; search the index for reset the replication holding cache.

When configuring the Replication settings, it is important that you take account of the purge settings in the Data Management folder; see page 145.


Logging

Orchestria APM can generate Activity, Replication, System, User Administration, Event Import, Account Import and Content Services logfiles. These settings control which infrastructure operations are logged. You can specify:

- Which operations are logged, for example, policy changes and logins.
- The maximum number and size of logfiles. The maximum number applies separately to each type of logfile (that is, for each type of logfile you can generate files up to the maximum number).
- Whether entries in Orchestria APM logfiles are also copied to the NT Event Log. You can specify which categories of message are copied. For example, you can choose to only copy errors and warnings.

Further configuration is possible for Activity, Replication, System and User Administration logfiles:

- Activity logs: Logged events include user and machine logins, the creation of any new policies, plus updates to policies currently active.
- System logs: These record any infrastructure errors while the Orchestria APM service is running. Under normal conditions, this log file is empty.
  Note: Any errors detected when the Orchestria APM service starts up are written to the file wgninfra.out. Find this file in Orchestria's \data\log subfolder of the Windows All Users profile; see page 89.
- Replication logs: Logged events include incoming infrastructure changes and captured data, replicated to the current machine from another Orchestria APM machine. You can log either or both event types.
  - Infrastructure log entries include changes to user and machine accounts or general policy updates.
  - Captured data log entries include any captured or imported e-mails, Web pages or IM events, plus any blockings or warnings.
- User Administration logs: These record any changes made to user accounts or groups. Previously, these entries were added to the Activity logfile, but now you can specify where they are logged; see page 90.

Filter

This setting is for Event Import operations.

- User filter: This setting enables you to modify Event Import operations to exclude or only include users with specific account attributes. For example, if your user accounts include a Country attribute, you can configure import jobs to only import e-mails owned by users in a specific country.
  Note: For full details about filtering Event Import operations, please refer to the Deployment guide; search the index for filtering event import operations.

Account Import

This setting is for Account Import operations.

- Maximum Number of Threads: This setting specifies the maximum number of concurrent 'worker' threads used by Account Import.
- Auto-commit threshold: This setting specifies the total number of database operations that can be performed by all transactions before they are all committed to the database.
  Note: When a transaction is successfully completed, it releases any DBMS locks.
- Retry count for aborted transactions: This setting specifies the maximum number of times Account Import will try to roll back and retry an aborted transaction. If this limit is reached, Account Import fails and an error message is written to the log file.
  Note: An error message is also written to the Account Import log file at the time the transaction aborts.


Lookup Cache Management

These settings are used to configure data lookup caches.

- Disable Caches: You can specify that details retrieved from the CMS database for Data Lookup operations are not cached.
- Disable Preload: Orchestria APM can start to preload the Data Lookup cache with information from the CMS database before running any lookup operations. This can speed up subsequent Data Lookup operations, as the information is already stored locally. You can specify that this preload be disabled.
- Maximum Entries: Specify the maximum number of entries in the Data Lookup caches.
- Maximum JVM Memory (Percent): Specify the maximum percentage of JVM memory that each individual cache will use.

Diagnostics

These settings determine how Orchestria APM servers collect diagnostic data from child machines and how often replication checkpoints are sent to child machines. They allow you to configure operations to minimize network impact.

- Checkpoints: These settings determine when and how often Orchestria APM generates replication checkpoints; see page 87. You can also specify how many days checkpoints and their acknowledgments are retained on the CMS.
- Data Collection Time: You can specify when, or how often, data is collected, and how long the CMS or gateway spends collecting diagnostic data (this enables you to limit the network impact).
- Number of Collection Threads: To minimize network impact, diagnostic data is collected as part of the normal communications between a parent and its child machines. But if there has been no communication between these machines during the collection period, this setting creates additional threads to actively collect this diagnostic data.
- Session Record Expiry Period: This setting is used to rectify inaccurate session records identified when processing the diagnostic data. If diagnostic data indicates a machine has not been running for longer than this expiry period, all open machine and user sessions for this machine are updated to the Logged Out state.


Policy Engines

These settings configure the local policy engine. Before running a policy engine, you need to specify how many policies it can hold at one time, how many events it can process simultaneously, and how it handles unrecognized users.

- Default Policy for Files: This setting specifies the name of an Orchestria APM user. A policy engine will apply this user's policy to scanned, captured or imported files if no other means are available to determine the policy participant. For example, if an Import Policy job or FSA scanning job omits to specify the policy participant, or if the specified user account does not exist, the policy engine applies the Default Policy for Files to the imported or scanned files.

Handling for unrecognized users

- Unknown Internal Sender: Policy engines use this setting to apply policy to e-mails sent from unrecognized users within your organization. For example, this can happen if a new recruit has an account in Active Directory but no Orchestria APM account has been created for them yet. The setting specifies the name of an Orchestria APM user. It defaults to UnknownInternalSender; this account is created automatically when you install a CMS. The policy engine applies this user's policy if the sender's address is internal (that is, it matches an Internal E-mail Address Pattern; see below) but no corresponding Orchestria APM user account exists.
- External Sender: Policy engines use this setting to apply policy to external e-mails. That is, e-mails sent from someone outside your organization. The setting specifies the name of an Orchestria APM user. It defaults to ExternalSender; this account is created automatically when you install a CMS. The policy engine applies this user's policy if the sender's address is external (that is, it does not match an Internal E-mail Address Pattern; see below).
- Internal E-mail Address Pattern: This setting specifies a list of internal e-mail address patterns. If a user is not recognized, policy engines use this setting to determine whether to apply the Unknown Internal Sender or External Sender policy. Similarly, Address Book (MAPI) lookup operations are only performed for recipients with internal addresses.

Other settings

- Maximum Number of Loaded Policies: You can optionally define the maximum number of user policies that the policy engine can hold in its memory at one time. Because each policy requires a significant amount of memory, this setting can prevent excessive memory usage.
- Maximum Number of Concurrent Operations: You can optionally define the maximum number of e-mails that can be processed simultaneously by a policy engine. This can prevent a performance slowdown on heavily loaded policy engines.
- Perform LDAP directory lookups?: This setting is provided for diagnostic purposes only. It specifies whether the policy engine can retrieve e-mail address details and distribution list members from an LDAP directory. We strongly recommend that you do not change this setting.
- Embedded Message Identification: This setting enables policy engines to detect embedded content e-mails (that is, EML e-mails containing embedded IM conversations, Bloomberg messages or other communications such as eFaxes). It enables policy engines to set the event type as embedded IM, Bloomberg, or eFax and, for IM conversations, to extract or set the IM network.
- Retention Period for Unused Policies: This setting defines the frequency of policy timeouts. That is, the amount of time a policy engine retains a policy that has not been used. After this period of time, the policy is unloaded.
- Deadlock Detection Timeout: This setting is designed to maintain processing capacity. It specifies how long a thread must be inactive before the policy engine considers the thread to have stalled and creates a new processing thread.
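The following is an added example, not Orchestria APM code, showing how the Unknown Internal Sender, External Sender and Internal E-mail Address Pattern settings described above combine to select the policy a policy engine applies to a sender. The wildcard pattern syntax, the sample addresses and the account table are assumptions made for this illustration. It also includes a configuration check the text does not show: a pattern that is too broad silently routes outside senders to the Unknown Internal Sender policy, so the two fallback accounts' policies are effectively the default for every sender the CMS does not know.

```python
"""Added example, not Orchestria APM code: which user policy a policy engine
applies to an e-mail sender, following the Unknown Internal Sender, External
Sender and Internal E-mail Address Pattern settings.  The "*" wildcard syntax,
the sample addresses and the account table are assumptions."""
from fnmatch import fnmatchcase

# Account names the text says the CMS creates at install time.
UNKNOWN_INTERNAL_SENDER = "UnknownInternalSender"
EXTERNAL_SENDER = "ExternalSender"

# Constructed sample configuration (assumed wildcard syntax).
INTERNAL_PATTERNS = ["*@example.com", "*@mail.example.com"]
# Constructed sample directory: sender address -> Orchestria APM user name.
APM_ACCOUNTS = {"alice@example.com": "alice", "bob@mail.example.com": "bob"}


def normalize(address):
    """Lower-case and trim an address so matching is case-insensitive."""
    return address.strip().lower()


def is_internal(address, patterns=INTERNAL_PATTERNS):
    """True if the address matches any Internal E-mail Address Pattern."""
    addr = normalize(address)
    return any(fnmatchcase(addr, p.lower()) for p in patterns)


def resolve_sender_policy(address, accounts=APM_ACCOUNTS, patterns=INTERNAL_PATTERNS):
    """Return the Orchestria APM user whose policy applies to this sender.

    A known account wins; otherwise the address patterns decide between the
    two fallback accounts, whose policies are therefore the effective default
    for every sender the CMS does not know about."""
    addr = normalize(address)
    if addr in accounts:
        return accounts[addr]
    if is_internal(addr, patterns):
        return UNKNOWN_INTERNAL_SENDER
    return EXTERNAL_SENDER


def overly_broad_patterns(patterns):
    """Configuration check (this example's own): patterns that also match a
    clearly external address would send outside senders to the Unknown
    Internal Sender policy.  Returns the offending patterns."""
    probes = ["someone@external.invalid",   # constructed, reserved TLD
              "someone@notexample.com"]     # catches "*example.com"-style slips
    return [p for p in patterns
            if any(fnmatchcase(probe, p.lower()) for probe in probes)]
```

Run overly_broad_patterns against the configured Internal E-mail Address Pattern list whenever it changes; any pattern it returns deserves the same review as a change to the UnknownInternalSender policy itself.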

Central Management Server

These settings apply exclusively to operations on the CMS. They cover account handling for unknown users or machines, database management, and CMS single sign-on.

- New user accounts: These settings determine how the CMS handles logon attempts by new users who have no account on the CMS.
  Note: See the domain prefix requirement for administrator-created new accounts on page 46.
- New machine accounts: These settings determine how the CMS handles the Orchestria APM infrastructure starting on machines that are not registered with the CMS.
- Default group for new users: You can specify whether client machines are permitted to specify a default parent group for new Orchestria APM users created automatically on the client.
- Single sign-on: This setting determines whether users skip the logon dialog when they start up an Orchestria APM console. For details, see page 67.
- Undelete user accounts: This setting determines whether a previously deleted user account can be recreated if a new user is created with a matching user name. For details, see page 47.
- Move groups: This setting defaults to False and determines whether user groups can be moved within the group hierarchy.
  Warning: Changing this setting to True can potentially cause management group security issues. For details, see page 42.
- Prohibit password characters: This setting determines which characters are not allowed as part of a user-created password within the Administration console, Data Management console, or iConsole.


Client File System Agent

These settings apply exclusively to Client File System Agent (CFSA) operations.

- Default Action for Unlisted USB devices: This setting determines how the CFSA handles attempts to copy files to unlisted USB devices (that is, any devices not in the USB Device List). The available actions are exactly the same as the default actions for listed USB devices (see below).
- Default Action for Listed USB devices: This setting determines how the CFSA handles attempts by a user to copy files to any USB device included in the USB Device List. The available actions are:
  - Allow write access: The user is permitted to save or copy files directly to these USB devices. Policy is not applied.
  - Read only: The user is not permitted to copy files to these USB devices (unless they are using a trusted application). Policy is not applied.
  - Apply User Policy To File: If the user attempts to copy or save a file to one of these USB devices using:
    - Windows Explorer or a command line, policy is applied to the file using Data In Motion triggers.
    - A trusted application, copy operations are always permitted. Policy is not applied to the file.
    - Any other application, the copy operation is blocked; that is, the USB device is set to read only.
- Trusted Applications List: These are applications that are exempted from CFSA control. That is, users are always permitted to copy files to USB devices (removable drives) using these applications.
  Note: Trusted applications override any device filters. That is, a user can copy a file directly from a trusted application to a USB device, even if the default action for that device blocks such copy operations or applies policy to the file content.
- USB Device List: This is a list of USB devices (removable drives) that require specific handling by the CFSA. You can either list the devices you want the agent to control or the ones you want it to ignore.

Note: For full details about these settings, and instructions for configuring the CFSA, see the Deployment guide; search the index for client file system agent: machine policy.
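The following is an added example, not Orchestria APM code, that models the CFSA decision described above for a single copy attempt: trusted applications first, then the listed/unlisted default action, then the application used. Device identifiers, process names and the way "Windows Explorer or a command line" is recognised are assumptions made for this illustration. It also adds a check the text implies but does not spell out: trusting a general-purpose copy tool makes both default actions moot.

```python
"""Added example, not Orchestria APM code: the Client File System Agent
decision for a user copying a file to a USB device.  Device identifiers,
process names and the COPY_TOOLS set are assumptions."""

# The three default actions the text lists for listed and unlisted devices.
ALLOW_WRITE = "Allow write access"
READ_ONLY = "Read only"
APPLY_USER_POLICY = "Apply User Policy To File"

# Possible outcomes of a copy attempt.
PERMITTED = "permitted"                    # copy allowed, no policy applied
BLOCKED = "blocked"                        # device treated as read only
APPLY_DIM_TRIGGERS = "Data In Motion triggers applied to the file"

# Assumed process names standing in for "Windows Explorer or a command line".
COPY_TOOLS = {"explorer.exe", "cmd.exe", "powershell.exe"}


class CfsaSettings:
    """The CFSA machine-policy settings the decision depends on."""

    def __init__(self, usb_device_list, default_listed, default_unlisted, trusted_apps):
        self.usb_device_list = set(usb_device_list)      # devices to control
        self.default_listed = default_listed
        self.default_unlisted = default_unlisted
        self.trusted_apps = {a.lower() for a in trusted_apps}


def decide_copy(settings, device_id, app_name):
    """Return what the CFSA does when app_name copies a file to device_id."""
    # Trusted applications override every device filter (see the note above).
    if app_name.lower() in settings.trusted_apps:
        return PERMITTED
    listed = device_id in settings.usb_device_list
    action = settings.default_listed if listed else settings.default_unlisted
    if action == ALLOW_WRITE:
        return PERMITTED
    if action == READ_ONLY:
        return BLOCKED
    # Apply User Policy To File: only Explorer / command-line copies are
    # inspected by Data In Motion triggers; any other application is blocked.
    if app_name.lower() in COPY_TOOLS:
        return APPLY_DIM_TRIGGERS
    return BLOCKED


def risky_trusted_apps(settings):
    """Configuration check (this example's own): a trusted general-purpose
    copy tool lets any user bypass both default actions, so flag it."""
    return sorted(settings.trusted_apps & COPY_TOOLS)
```

The Read only and Apply User Policy To File branches are the only ones where device control actually constrains the user, and both are defeated by the trusted-application check at the top of decide_copy; keep the Trusted Applications List short and review it with risky_trusted_apps before deploying a machine policy.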


Chapter 7 Categorizing, tagging and classifying events

This chapter describes the categorization, smart tagging, and Document Classification features in Orchestria APM.

- E-mail and file categorization is a policy-based feature that enables Orchestria APM to assign an e-mail or file to one or more categories. Categories are specified in e-mail, Data At Rest and Data In Motion triggers and stored with the event as smart tags (see below). The categorization process can be automatic, assisted or manual. See page 154 for details.
- Policy classes enable Orchestria APM to categorize an event captured when a specific trigger activates. Specifically, you can configure a trigger to capture or detect all e-mails (or attachments, files, or Web pages) with a particular theme and categorize them using a pre-defined hierarchy of 'solutions', 'classes' and 'policies'. The policy class is stored with the event metadata in the CMS database and can be used by reviewers searching for events in the iConsole. For details, see the Administration console online help; search the index for policy class.
- Smart Tags enable Orchestria APM to tag an event when a trigger activates. Specifically, you configure a trigger to detect all e-mails or files with a particular theme and tag them accordingly, for example, as Personal Communication or Client-Attorney Privilege. Smart tags are saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole by reviewers. See page 170 for details.
- Severity scores enable Orchestria APM to group policy control triggers into bands based on their severity scores. By default, the severity bands are Low, Medium or High. For example, you may want to assign a high severity score to a trigger that detects serious violations of corporate rules. When the trigger activates, the severity score is saved with the resulting event. You can then search for events by severity in the iConsole or Data Management console. For details, see the Administration console online help; search the index for severity bands.
- Document classifications enable Orchestria APM triggers to detect documents (e-mails, attachments, files and Web pages) with specific themes. For example, you can configure classifications to detect sales proposals or airline Web sites. Document classifications are configured in the user policy. See page 176 for details.


Categorizing e-mails and files

Orchestria APM includes powerful and flexible records management categorization. It can optionally assign an e-mail or file to one or more categories, and the categorization process can be fully automated, assisted or manual. Individual categories are defined in e-mail, Data At Rest or Data In Motion triggers and categorize options are available in policy control actions (see page 159). When an e-mail or file causes one or more triggers to fire, the resulting control action causes Orchestria APM to analyze all categories specified in these triggers. It will then either:

- Automatically assign the e-mail or file to the most appropriate category, or
- Only available for e-mails, files or documents detected by client agents: Display the categories in a Categorize dialog. The user can manually choose the most appropriate category(ies). You can configure Orchestria APM to list all the possible categories, or only the most likely ones.

[Figure: Categorize dialog. This dialog is displayed when a client agent detects an e-mail, file or document that needs to be categorized. The user can select the most suitable category(ies). 1 Configurable explanatory message. 2 Available categories.]

Why categorize events?

Orchestria APM enables you to quickly roll out an effective and highly accurate event categorization strategy across your organization. Categorization allows you to structure your captured e-mails, attachments and Web pages. Instead of treating electronic communication as a near-uniform commodity, categorization allows:

- Selective archiving. Irrelevant communications such as out-of-office notifications and e-mail newsletters can be categorized accordingly and excluded from archiving, reducing storage requirements and increasing search performance.
- Optimized storage. Precise categorization by, for example, purpose (business or personal) or regulatory implication, can allow archives to assign much more precise retention dates, eliminating the risk that a message is prematurely moved to offsite storage or even deleted.
- Faster, more accurate event retrieval. With accurate categorization, the task of monitoring communications is transformed from a lottery based on random review to a process with pinpoint targeting. Now, reviewers can rapidly filter event searches to focus on events that truly merit individual attention.


Categorization methods

Orchestria APM will either select the most appropriate category automatically or allow the user to select a category, depending on the categorization method:

- Fully automated categorization: Orchestria APM automatically assigns an e-mail or file to a single category or, if applicable, to multiple categories.
  - E-mails: You can set up fully automated categorization for e-mails detected by both server agents and client agents, or imported as part of an Import Policy job.
  - Files: Fully automated categorization is available for files detected by the File Scanning Agent (including Microsoft Exchange Public Folders data), the Network Boundary Agent, Client File System Agent, Client Print System Agent, or imported as part of an Import Policy job.
- Assisted categorization: Available only for e-mails, files or documents detected by a client agent. A Categorize dialog permits the sender of an e-mail, or a user attempting to print a document or save a file to a USB device, to choose from a short list of categories deemed most plausible by Orchestria APM, or to confirm a category automatically selected by Orchestria APM. You can configure the Categorize dialog to allow the user to choose multiple categories (multi-select) or force them to choose a single category (single-select).
- Manual categorization: Available only for e-mails, files or documents detected by a client agent. The e-mail sender, or the user attempting to print a document or save a file to a USB device, is permitted to choose from the full range of possible categories listed in a Categorize dialog. As for assisted categorization, you can configure the Categorize dialog for multi-select or single-select.

Note that all categorization methods can be operational at the same time within a single user policy. That is, different triggers and control actions can specify different categorization methods, and the actual method used depends on which triggers activate.


How does categorization work?

When an e-mail or file activates a trigger (or triggers), there may be multiple categories associated with these triggers. How does Orchestria APM ensure that the event is correctly categorized? Orchestria APM will select the most appropriate category automatically or allow the user to manually select a category. The actual method used, automatic or manual categorization, depends on:

- Capture method: The first critical determinant is how the e-mail, file or document was captured:
  - Client Agent Captures: For e-mails captured by an Outlook or Notes client agent, and files or documents captured by the Client Print System Agent or the Client File System Agent, Orchestria APM can display the Categorize dialog and allow the user to manually choose the most appropriate category(ies).
  - Other Captures: For e-mails captured by an Exchange or Domino server agent or the NBA, and files captured by the FSA or NBA, or imported as part of an Import Policy job, Orchestria APM must either categorize the file or e-mail automatically or assign no category. It cannot allow the user or sender to manually choose the category.
- Category score: The second critical determinant is the category score. Each category specified in a trigger must have a category score (set by the policy administrator). Orchestria APM uses these scores to choose the most appropriate categories. Category scores are discussed below.

Category scores

Each category specified in a trigger must have a category score (set by the policy administrator). There are no upper or lower limits, but typical scores range from zero to 100. The category score is an indication of confidence; the higher the score, the greater the confidence that an e-mail fits the associated category. Orchestria APM uses these scores when assigning categories automatically or when assisting the sender to manually choose a category (or categories). The scores also determine the order in which categories are listed in the Categorize dialog. Briefly, if you set a category score to:

- 100 or higher: This indicates certainty. Such scores indicate to Orchestria APM that an e-mail or file definitely fits the associated category. Such categories are always stored with the associated event in the CMS database.
- 50 to 99: This indicates likeliness. Such scores indicate to Orchestria APM that an e-mail or file is likely to fit the associated category. If the highest scoring category is between 50 and 99:
  - For e-mails or files detected by a client agent, this category plus any others scoring 50 to 99 are always listed in the Categorize dialog. (Categories scoring less than 50 are not shown in the dialog; Orchestria APM assumes the file or e-mail is less likely to match these low scoring categories.)
  - For e-mails or files detected by any other method, this category is automatically stored with the event in the CMS database.
- Less than 50: These scores indicate some uncertainty (or possibility). If the highest scoring category is less than 50:
  - For e-mails or files captured by a client agent, all categories are listed in the Categorize dialog. This is because, with all categories scoring less than 50, Orchestria APM cannot confidently determine the most likely categories.
  - For e-mails or files captured by any other method, all categories are discarded. The event is saved on the CMS without an associated category because Orchestria APM cannot confidently determine what the category should be. Note that we recommend you include a None of the Above fallback category if all your categories score less than 50. For details, see page 160.

A summary table showing how category scores are handled is shown on page 158.

Chapter 7 Categorizing, tagging and classifying events

157

How do category scores affect the categorization method?

This section summarizes how different category scores affect the categorization method.

Fully automated categorization: For e-mails or files imported in an Import Policy job or detected by a server agent, the FSA or the NBA, Orchestria APM automatically chooses the highest scoring category, but only if the highest scoring category is 50 or above. If multiple categories score 100 or above, each of them is stored with the event. For e-mails or files detected by a client agent, categorization is automatic and the Categorize dialog is not shown if:

• Any category scores 100 or above. Orchestria APM simply chooses the highest scoring category(ies).

• A single category is specified, scoring between 50 and 99.

Assisted categorization: Available only for e-mails, files or documents detected by a client agent. Orchestria APM automatically lists all categories scoring between 50 and 99 in the Categorize dialog and omits from the dialog any categories scoring less than 50. This is because Orchestria APM infers that the higher scoring categories are the more likely and restricts the user's choice accordingly. For example:

Category             Score   Listed in Categorize dialog?
ISDA Confirmation    90      Yes; preselected
OTC Contract         80      Yes
Internal Memo        40      No
Expenses Claim       20      No
Personal             20      No
Humorous             20      No
None of the Above    0       No

Manual categorization: Available only for e-mails, files or documents detected by a client agent. If no category scores over 50 (that is, all are low scoring), all are listed in the Categorize dialog. For example, when specifying categories in your policy triggers, you may deliberately set very low category scores if you want to force users to choose a category manually. Note that we recommend you include a None of the Above fallback category if all your categories score less than 50. Setting the category score to zero for the None of the Above category ensures that it is always listed last in the Categorize dialog. For details, see page 160. For example:

Category             Score   Listed in Categorize dialog?
Internal Memo        40      Yes
Expenses Claim       20      Yes
Personal             20      Yes
Humorous             20      Yes
None of the Above    0       Yes

In all cases, to assist the user, categories are listed in descending order (of score) in the Categorize dialog. That is, the most likely categories are listed first and the top scoring category is pre-selected.

Note: For more about setting category scores, see the trigger guidelines on page 159.

158

Orchestria Active Policy Management Administrator guide

Category score summary

This table summarizes how the Orchestria APM client and server agents handle different category scores. For example, if an Outlook client agent detects an e-mail and the resulting triggers specify a single category with a score between 50 and 99, that category is automatically stored with the event on the CMS. Conversely, if the same triggers specify multiple categories, all categories scoring over 50 are listed in the Categorize dialog (assisted categorization) and the user must manually choose the most appropriate category.

The table is arranged by highest score and by how many categories the triggers specify. The two right-hand columns of the original table are shown here as "Client agent" (e-mails or files detected by an Outlook or Notes client agent, CPSA or CFSA) and "Server side" (e-mails or files detected by an Exchange or Domino server agent, FSA, NBA, or Import Policy job).

Highest score 0-49, 1 category only
  Client agent: Manual categorization. The Categorize dialog is shown and the user must manually choose the only available category. Note: We strongly recommend you prevent this situation from arising by including a None of the Above category, see page 160.
  Server side: No categorization. The category is not stored.

Highest score 0-49, 2 or more categories
  Client agent: Manual categorization. The Categorize dialog is shown and the user manually chooses the category. Note that these low-scoring categories are not shown in the dialog if any other category scores 50 or higher.
  Server side: No categorization. No categories are stored. Note: Category scores of 0-49 are not appropriate for file categories. See the trigger guidelines on page 160 for details.

Highest score 50-99, 1 category only
  Client agent: Automated categorization. The Categorize dialog is not shown and the category is stored automatically.
  Server side: Automated categorization. The category is stored automatically.

Highest score 50-99, 2 or more categories
  Client agent: Assisted categorization. If multiple categories are assigned, the dialog is shown and the user manually chooses the category. Note that any category scoring less than 50 is omitted from the Categorize dialog.
  Server side: Automated categorization. The highest scoring category or categories are stored automatically.

Highest score 100+, 1 category only
  Client agent: Automated categorization. The Categorize dialog is not shown and the category is stored automatically.
  Server side: Automated categorization. The category is stored automatically.

Highest score 100+, 2 or more categories
  Client agent: Automated categorization. The Categorize dialog is not shown. The highest scoring categories are stored automatically.
  Server side: Automated categorization. The highest scoring category or categories are stored automatically.

159

Guidelines for categorization control triggers and actions

Using policy triggers, you can set up an e-mail or file categorization strategy to meet the needs of your organization. For example, you may want to automate categorization as much as possible. Alternatively, you may prefer users to manually categorize their own e-mails. Or you can implement a combination of manual and automatic categorization. This section covers:

• Guidelines for categorization triggers and control actions (see below).
• Using a None of the Above category (see opposite).
• Guidelines for control action numbers (see page 160).
• What happens if both a single-select and a multi-select control action are triggered (see page 161).

Note: Setting up new categorization triggers and adding categorization to existing triggers are discussed respectively on page 162 and page 163.

Trigger guidelines for e-mails and files captured by client agents

If you want to automate categorization, you can set up separate triggers for specific categories. If you then define very stringent trigger criteria, this will allow you to set a high category score (100 or higher). For example, you may have a customer complaint e-mail trigger. If any e-mail does cause this trigger to fire, you can be confident that it really is a customer complaint and the high category score ensures that this complaint category is stored automatically with the e-mail.

If you want to allow manual categorization, you may prefer to define a single trigger that specifies multiple possible categories, each with a low category score (below 50). In this case, the trigger criteria will be much less stringent in order to detect a wider range of e-mails. The low category scores ensure that all categories are listed in the Categorize dialog (if the e-mail is detected by a client agent), permitting the sender to choose the most appropriate category. But see the following None of the Above section for our recommendation in this situation.

Note also that you can explicitly set up e-mail triggers for Outlook or Notes client agents (which permit manual categorization) and for Exchange or Domino server agents (which do not). To do this, you configure the Which E-mail Sources? trigger setting; this setting is included in all e-mail triggers. Similarly, you can explicitly set up Data In Motion triggers for CPSA and CFSA client agents (which permit manual categorization) and for the NBA (which does not). To do this, you configure the Which File Sources? trigger setting; this setting is included in all Data In Motion triggers.

Trigger guidelines for files captured by the FSA, NBA or an Import Policy job

File events captured by the FSA or NBA, or imported in an Import Policy job, can only be categorized automatically. Orchestria APM does not support manual categorization of these files. Consequently, when specifying file categories in your Data At Rest or (for NBA file events) Data In Motion control triggers, do not assign category scores lower than 50. Such low scoring categories are always discarded!

160

Do I need a None of the Above category?

For e-mails and files captured by client agents, if all your specified categories are low scoring (that is, below 50), we strongly recommend that you include a fallback category such as None of the Above. This is because, for e-mails or files detected by a client agent, Orchestria APM compels the user to choose from a list of available categories. By providing a fallback category, you allow the user to indicate the disparate nature of their e-mail or file if none of the other categories are appropriate. If you set up a None of the Above category, note the changes to the usual syntax when specifying the category in the Message to Users policy setting:

• Always set the category score to zero. This ensures that the None of the Above category is always at the bottom of the category list in the Categorize dialog, below the other categories!

• You do not need to add a smart tag. This is because, with no definite category, there is no point storing the category information on the CMS so there is no need for a category smart tag.

Full syntax details for the Message to Users setting are listed on page 165.

Which control action number?

Data At Rest control actions: For Data At Rest control actions, the control action number is not important. The categorize action, if specified, is always performed even if other control actions delete or replace the file.

E-mail and Data In Motion control actions: Although we recommend using the lowest possible control action number as your categorize action (because of control action precedence, see page 232), we recognize this is not practical if you already use a large number of triggers and control actions. Instead, we recommend you use the lowest available control action. For example, if Control Actions 1 to 6 are already in use, designate Control Action 7 as your categorize action. This means, for example, that as long as the e-mail is actually sent, it will be categorized. If the e-mail is not sent (because it is blocked or the sender heeds a warning), then it will not be categorized; that is, the resulting event will be stored on the CMS without category details. Similarly, if Orchestria APM blocks an attempt to print a document, the document will not be categorized. There are two further recommendations:

• If you use both multi-select and single-select categorize actions, the multi-select categorize action must have a lower number than the single-select action. See the next section for details.

• You must ensure that your categorize action has a lower control action number than your quarantine action. This ensures that quarantined e-mails are categorized before they are quarantined (e-mails are immune from further control actions once they enter quarantine). It is for this reason that we recommend that you configure the highest control action as your quarantine control action, see page 232.

161

If both multi-select and single-select e-mail categorization actions are invoked

If required, you can have two categorize actions operational at the same time, one to make the Categorize dialog multi-select and the other to make it single-select. The resulting Categorize dialog will always be multi-select. That is, the multi-select specification overrides the single-select regardless of the respective control action numbers. However, the explanatory message in the Categorize dialog always derives from the control action with the lowest number (more accurately, the message is provided by the trigger that invokes the control action with the lowest number). This means that the multi-select categorize action must have a lower number than the single-select action. This in turn ensures that the explanatory message is appropriate for a multi-select Categorize dialog (that is, it indicates that the user can choose one or more categories).

Figure: Multi-select Categorize dialog, showing the explanatory message (from Control Action 1) and the multi-select category list (also from Control Action 1). This example assumes two control actions: Control Action 1 specifies multi-select categorization; Control Action 2 specifies single-select categorization. In the dialog, the explanatory message and multi-select list both derive from Control Action 1, but the list of categories jointly derives from both Control Action 1 and Control Action 2.

162

Set up new categorization triggers

Orchestria APM event categorization is policy-based. This ensures that e-mails or files are successfully categorized, regardless of how they were captured or imported.

1 First, you must configure a categorize control action. Your categorization triggers will reference this control action in step 5. Specifically, you must specify a Categorize option for the Intervention setting. Note that for e-mail control actions and Data In Motion control actions, there are two Categorize options:

• Categorize - single category only: This displays a single-select Categorize dialog. The user can only select a single category for their e-mail or file.

• Categorize - multiple categories allowed: This displays a multi-select Categorize dialog, permitting the user to select multiple categories.

Note: Because of control action precedence, we recommend that you designate the lowest possible control action number as your categorize action. See page 160 for details.

2 Now you can set up your categorization trigger(s). These can be any e-mail or file control triggers. Set up the triggers to detect the e-mails or files you want to categorize. How you set up the triggers depends on various factors. For example, if you are using Outlook or Notes client agents to detect e-mails and you want to permit users to manually categorize their e-mails, you can set up a single trigger that specifies multiple possible categories, each with a low category score. For trigger guidelines, see page 159.

3 Next, you must configure the Smart Tags trigger setting to save the final e-mail or file category or categories (whether selected automatically by Orchestria APM or chosen by the user) as smart tags.

Important: You must add a smart tag to store the category, otherwise the category details will not be saved on the CMS.

When you add a new smart tag, you must set its name (or value) to include a categorization variable such as %category%. See page 167 for details. This variable gets populated with the category label specified by the <smart tag> parameter in the Message To Users setting; see step 4. Note also:

• If you have multiple triggers that specify categories, you must configure the smart tags identically in each trigger.

• To make the smart tags easily identifiable in the iConsole, we recommend that you prefix the variables with text labels. For example:
Category: %category%

• Smart tags are case-sensitive.

See the smart tag guidelines on page 167.

Figure: Smart Tags Properties dialog. In this example, the smart tag name and value include categorization variables and a text prefix.

163

4 Next, you must specify the associated category or categories. To do this, you edit the Message To Users trigger setting. For full syntax details, see page 165. Briefly, the message must include the following elements:

• <message text> specifies the explanatory message shown in the Categorize dialog or (for files detected by the FSA) replacement stub files.
• <category> specifies a category name that is listed in the Categorize dialog.
• <score> is the category score.
• <smart tag> specifies a category label that gets converted to a category smart tag.

As with smart tags in step 3, if you have multiple triggers that specify the same category, you must specify the category name and label identically in each trigger. This prevents variations in spelling or capitalization being stored as separate category smart tags for the same event.

Figure: User Policy Editor, Message To Users Properties dialog. This message must conform to the required syntax to ensure that categories and the Categorize dialog are configured correctly.

5 Finally, each categorization trigger must point to the same control action. Set the Control Action trigger setting to point to the categorize control action you specified in step 1 on page 162.

Add categorization to existing triggers

You can incorporate categorization into any of your existing e-mail, Data At Rest, or Data In Motion control triggers. Orchestria APM event categorization has been designed to integrate with your existing user policies with minimum disruption. For example, if you already have a warning trigger that activates when a user sends an e-mail to an unauthorized recipient, you can include an appropriate category, or a range of possible categories, in the trigger.

1 First, you must set up a new categorize control action as described in step 1 on page 162. But see the recommendations on control action numbers on page 160. The sole purpose of this categorize control action is to ensure that category smart tags are saved with the event on the CMS if an existing trigger fires. Without this new control action, adding categorization to your existing triggers will not work. In your chosen control action:

1.1 Set the Intervention setting:
  Data At Rest control actions: Choose Categorize.
  E-mail or Data In Motion control actions: Choose either:
  • Categorize - single category only, or
  • Categorize - multiple categories allowed

1.2 You need to disable e-mail and file capturing in the new control action. This ensures that e-mails and files are only captured if an existing trigger fires. Set these settings to False:
  • Capture Authorized Activity?
  • Capture Prohibited Activity?

You will set up a new categorize trigger to invoke this control action in step 3.

164

2 Now you can amend your existing triggers to support categorization. For each applicable trigger:

2.1 Edit the Message To Users setting so that its existing message is retained (for example, a warning that the current e-mail may be non-compliant, or a notification that the original file has been replaced) but appended with a relevant category. For syntax details, see page 166. For example:

Figure: User Policy Editor, Message To Users Properties dialog. In this example, a category definition has been appended to the original warning message.

2.2 You do not need to change the existing Control Action trigger setting.

3 Finally, you must add a single new control trigger that explicitly invokes the categorize control action. Without this new trigger, categorization will not work.

3.1 Set the general trigger criteria. These must be sufficiently flexible so that the trigger always fires when your existing triggers fire. For example, you can set up a recipient-based trigger that fires when the recipient matches * (that is, the trigger will always fire).

3.2 Edit the Smart Tags setting to include a categorization variable, see step 3 on page 162.

3.3 Skip this step if adding a Data At Rest trigger. If adding an e-mail or Data In Motion trigger, edit the Message To Users setting to include an explanatory message. You do not need to specify any categories; these are now specified in your existing triggers (step 2.1). In terms of syntax, you need only add the <message text> but without double quotes and without a trailing = symbol. For syntax details, see page 165.

Figure: User Policy Editor, Message To Users Properties dialog. For this trigger, the explanatory message to users is not appended with any category definitions.

3.4 The new trigger must point to the categorize control action that you set up in step 1. Set the Control Action setting accordingly.

165

Syntax for specifying categories

You define categories in the Message to Users trigger setting. This section describes the message syntax. Example category definitions are on page 166.

Category definitions

In the Message to Users trigger setting, use the following syntax:

For e-mail and Data In Motion triggers

"<message text>"= {
"<category1>"={"<score>","<smart tag>"},
"<category2>"={"<score>","<smart tag>"},
"<category3>"={"<score>","<smart tag>"},
... and so on
}

For Data At Rest triggers

"<message text>"={"<score>","<smart tag>"}

Where:

<message text> specifies the explanatory message shown in the Categorize dialog (for e-mail and Data In Motion triggers) or replacement stub files (for Data At Rest triggers). You must enclose the message in double quotes. If amending an existing trigger, see page 166. For e-mail and Data In Motion control triggers, note the following:

• To ensure consistency in the message shown to users, we strongly recommend that you use an identical message for all triggers that invoke a single-select Categorize dialog, and a separate, identical message for all triggers that invoke a multi-select dialog.

• For new triggers, the explanatory message must clearly tell the user what action is required. This is particularly important in single-select Categorize dialogs, where there are no check boxes to indicate category selectability. See the Message to Users examples on page 166 for guidance.

<category1> is only required in e-mail and Data In Motion triggers. It specifies a category name. This name is listed in the Categorize dialog.

• If you include the same category in multiple triggers, you must use identical spelling and capitalization for <category1> names, otherwise Orchestria APM will treat the variants as separate categories!

• If the category name includes double quotes (for example, "Humorous"), you must prefix the quotes with backslashes to ensure they are interpreted correctly:
{"\"Humorous\""={"20","Funny"}}

<score> is the category score. Note that we recommend you include a None of the Above fallback category with a score of zero if all your e-mail or Data In Motion categories score less than 50. For details, see page 160.

<smart tag> specifies a category label that gets converted to a category smart tag. You must set <smart tag> to a text string (for example, Customer Acknowledgment). This text string is written to a category variable, which in turn is included in the smart tag definition. The resulting smart tag is saved with the event metadata in the CMS database. Category variables and smart tags are discussed on page 167. Note also:

• If you include the same category in multiple triggers, you must use identical spelling and capitalization for <smart tag> category labels, otherwise Orchestria APM will treat the variants as separate smart tags!

• You do not need a <smart tag> category label if defining a None of the Above category. This is because, with no definite category, there is no point storing the category information on the CMS so there is no need for a category smart tag.

166

Changes to existing triggers

To add categories for existing triggers, you need to amend the existing Message to Users setting. Specifically, you must append the new category(ies) to the existing message. Note that the original message must be enclosed in double quotes, followed by an = character, then appended with the category details.

E-mail trigger example: If the existing setting is:

This e-mail refers to prospective M&A activity and may contravene corporate guidelines. Click Cancel to accept this warning.

You can change it to:

"This e-mail refers to prospective M&A activity and may contravene corporate guidelines. Click Cancel to accept this warning."= {
"<Unauthorized M&A reference>"={"80","Acquisition_reference"}
}

Data At Rest trigger example: If the existing setting is:

The previous version of this file contained confidential data and has been deleted.

You can change it to:

"The previous version of this file contained confidential data and has been deleted."= {"80","Confidential_info"}

Example e-mail category definitions

Single-select example: This example Message to Users setting defines five possible categories, each with a category score between zero and 40, to display in a single-select Categorize dialog. Note that the None of the Above category has no smart tag label.

"Please select one category for your e-mail from the list below. Categories are listed in descending order of likelihood, and the most likely category is highlighted."= {
"Internal Memo"={"40","Memo"},
"Expenses Claim"={"20","Expenses"},
"\"Humorous\""={"20","Funny"},
"Personal"={"20","Personal_mail"},
"None of the Above"={"0"}
}

Multi-select example: This example Message to Users setting defines the same five categories as above to display in a multi-select Categorize dialog. This time, the explanatory message states explicitly that the user can choose multiple categories.

"Please select one or more categories for your e-mail from the list below. Categories are listed in descending order of likelihood, and the most likely category is highlighted."= {
"Internal Memo"={"40","Memo"},
"Expenses Claim"={"20","Expenses"},
"\"Humorous\""={"20","Funny"},
"Personal"={"20","Personal_mail"},
"None of the Above"={"0"}
}

167

Smart tag category variables

When policy processing is complete, Orchestria APM saves the chosen category (or categories) to a specific variable. Additional variables can be used to store category scores and details of the three next highest scoring categories. The available variables are described on page 167. For any trigger that invokes a categorize control action, you must specify these variables as smart tag names or values (see step 3 on page 162). This ensures that the chosen category, or even the near miss categories, are stored with the event metadata as smart tags on the CMS. Guidelines for assigning these variables to smart tag names and values are on pages 168 to 169.

Smart tags must be consistent!

Important: If you have multiple triggers that specify a categorize control action, you must configure the smart tags identically in each trigger! This prevents, for example, variations in spelling or capitalization being stored as separate smart tags for the same event. For example, Orchestria APM would store Reply to Customer and Reply to customer as two separate smart tags.

Category variables

When setting up your categorization triggers, you can specify these variables as smart tag names or values. For guidelines on whether to add these variables to the smart tag name or value, see page 169.

Variable: %category%
Replaced with: When the smart tags are generated, this variable is replaced by the selected category. If an e-mail or file was assigned to multiple categories, a separate smart tag is generated for each category.

Variable: %categoryscore%
Replaced with: As for %category%, but the category score is appended to the category. The resulting smart tag takes this format: Complaint (50). If an e-mail or file was assigned to multiple categories, a separate smart tag is generated for each category.

Variable: %closestcategories%
Replaced with: The three near miss categories in a comma separated list. These are the three highest scoring categories that did not 'win' and which each scored 50 or above. When the smart tags are generated, this variable is replaced by a comma separated list of up to three near miss categories. These can be useful additional indicators about an e-mail's or file's content. If a smart tag value configured with an insertion variable (for example, %closestcategories%) is empty after that variable has been substituted (because there were no closest categories available), then the smart tag is not stored on the CMS.

Variable: %scoredclosestcategories%
Replaced with: As for %closestcategories%, but the category score is appended to each near miss category. The resulting smart tag takes this format: Expenses (70), Hotels (60), Travel (60)

Note: Near miss categories are the three highest scoring categories that remain after the selected category is removed from the list.
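The category syntax (page 165), the category score summary (page 158) and the category variables above together determine what reaches the CMS. The following Python script is an added example, not Orchestria code: it parses a Message to Users setting (including backslash-escaped quotes and a None of the Above entry with no label), applies the score band rules for client-agent and server-side detections, and computes the four variable values. The EXPENSES sample policy is constructed, and keeping every category tied for the top score in the 50-99 band is an assumption.

```python
"""Parse an Orchestria APM Message to Users category definition and apply the
category score rules of this chapter (score bands 0-49, 50-99 and 100+; near-miss
list of up to three losing categories scoring 50+). Added example for this guide,
not Orchestria code; keeping every category tied for the top score is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Category:
    name: str                 # shown in the Categorize dialog
    score: int                # category score set by the policy administrator
    smart_tag: Optional[str]  # category label; None for a None of the Above entry

# A token is a double-quoted string (with \" escapes), one of { } = , or junk.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([{}=,])|(\S))')

def _tokenize(text: str) -> list:
    tokens = []
    for m in _TOKEN.finditer(text):
        string, punct, junk = m.groups()
        if junk:
            raise ValueError(f"unexpected character {junk!r} at offset {m.start()}")
        tokens.append(punct if string is None else ("str", re.sub(r"\\(.)", r"\1", string)))
    return tokens

def parse_message_to_users(setting: str) -> Tuple[str, List[Category]]:
    """Return (message text, categories) for "msg"={ "cat"={"score","tag"}, ... }
    (e-mail / Data In Motion), "msg"={"score","tag"} (Data At Rest) or a bare "msg"."""
    toks = _tokenize(setting)

    def take(expected=None):
        if not toks or (expected is not None and toks[0] != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {toks[:1]!r}")
        return toks.pop(0)

    def take_opt(tok) -> bool:            # consume tok if it is next
        return bool(toks[:1] == [tok] and take(tok))

    def take_str() -> str:
        tok = take()
        if isinstance(tok, str):
            raise ValueError(f"expected quoted string, got {tok!r}")
        return tok[1]

    def finish_tuple(score: str) -> Tuple[int, Optional[str]]:
        tag = take_str() if take_opt(",") else None   # {"0"} alone: no smart tag label
        take("}")
        return int(score), tag

    message = take_str()
    if not toks:                                     # explanatory message only
        return message, []
    take("=")
    take("{")
    cats, name = [], take_str()
    if not take_opt("="):                            # Data At Rest: first string is the score
        score, tag = finish_tuple(name)
        cats.append(Category(tag or message, score, tag))  # no dialog: label doubles as name
    else:                                            # e-mail / Data In Motion category list
        while True:
            take("{")
            score, tag = finish_tuple(take_str())
            cats.append(Category(name, score, tag))
            if not take_opt(","):
                break
            name = take_str()
            take("=")
        take("}")
    if toks:
        raise ValueError(f"unexpected text after the category definitions: {toks!r}")
    return message, cats

def categorize(cats: List[Category], client_agent: bool) -> Tuple[str, List[Category]]:
    """Category score summary table. client_agent=True models Outlook, Notes, CPSA and
    CFSA; False models server agents, FSA, NBA and Import Policy jobs (no dialog)."""
    ranked = sorted(cats, key=lambda c: c.score, reverse=True)
    top = ranked[0].score if ranked else 0
    if top >= 100:                                   # every 100+ category is stored
        return "automated", [c for c in ranked if c.score >= 100]
    if top >= 50 and client_agent and len(ranked) > 1:   # dialog lists the 50-99 band only
        return "assisted", [c for c in ranked if c.score >= 50]
    if top >= 50:                                    # single category, or server side
        return "automated", [c for c in ranked if c.score == top]
    return ("manual", ranked) if client_agent and ranked else ("none", [])

def category_variables(cats: List[Category], chosen: List[Category]) -> dict:
    """Smart tag variable values. %category% and %categoryscore% give one tag per chosen
    category; the near-miss values are empty when no losing category scored 50+."""
    misses = sorted([c for c in cats if c not in chosen and c.score >= 50],
                    key=lambda c: c.score, reverse=True)[:3]
    return {"%category%": [c.name for c in chosen],
            "%categoryscore%": [f"{c.name} ({c.score})" for c in chosen],
            "%closestcategories%": ", ".join(c.name for c in misses),
            "%scoredclosestcategories%": ", ".join(f"{c.name} ({c.score})" for c in misses)}

# Constructed sample: an expenses policy whose Complaint category always wins outright.
EXPENSES = ('"Choose a category."= { "Complaint"={"100","Complaint"}, "Expenses"={"70","Expenses"},'
            ' "Hotels"={"60","Hotels"}, "Travel"={"60","Travel"}, "Spam"={"20","Spam"} }')
```

A smart tag whose value is built only from a near-miss variable comes back empty when the list is empty, which is the case in which the CMS does not store the tag.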

168

Store as smart tag names or values?

A smart tag comprises a name and, optionally, a value. You can choose to store the category directly as the smart tag name, or you can store categories as values of a new smart tag with a fixed name. You can easily search for captured e-mails or files by smart tag name in both the Data Management console and the iConsole. But you can only run out-of-the-box searches by smart tag value in the Data Management console. If you want to use the iConsole to search for events by smart tag value, you must add your own custom-written search. This is likely to influence how you specify your category smart tags.

Specifically, if your reviewers mainly use the iConsole to review and audit categorized events, we recommend that you store the event category as a smart tag name and, if required, the category score as a smart tag value. In the example opposite, the smart tag name is Category: %category%, while individual category scores are stored as smart tag values, Score: %categoryscore%. This makes the category and score smart tags easy to comprehend when searching for events in the iConsole. See also the smart tag guidelines for categories and category scores on page 169.

Figure: Smart tag names and values. 1 iConsole Search Results screen; smart tags are listed in the Summary pane for each event. 2 User Policy Editor, Smart Tags Add Item dialog; this is where you add smart tags to a policy trigger. 3a Smart tag name. 3b Smart tag value.

169

Smart tag guidelines for categories and category scores

How you assign category variables to smart tag names and values has a significant effect on how the smart tags are displayed in the iConsole Search Results screen. The examples below show the effect of different approaches; each shows the User Policy Editor, Smart Tags Properties dialog configuration and the resulting iConsole Search Results screen. For optimum clarity and searchability, we recommend you use example 1.

Example 1
Smart Tag Name: Category: %category%
Smart Tag Value: Score: %categoryscore%

We recommend this configuration. Smart tags are readily identifiable in the iConsole. You can also search by category because individual categories are stored as smart tag names.

Example 2
Smart Tag Name: Category
Smart Tag Value: %category% (%categoryscore%)

Although individual smart tags are readily identifiable in the iConsole, you cannot search for specific smart tags because this information is stored as smart tag values.

Example 3
Smart Tag Name: Category
Smart Tag Value: %category%
Smart Tag Name: Category Score
Smart Tag Value: %categoryscore%

Do not use this configuration. It splits an event's category and category score into two separate smart tags, making it impossible to identify an individual category's score in the iConsole.

170

Smart tags

Smart tags are an innovative feature that enables Orchestria APM to accurately categorize events at the time of capture. The Smart Tags setting in each policy trigger defines the tag associated with that trigger. For example, you can assign to any trigger a tag such as Privileged Content or Employment Solicitation. When the trigger activates, this tag is saved with the event metadata in the CMS database. Each smart tag has a name. As an optional level of sub-categorization, each tag can have multiple values (see page 172). When defining smart tag values, you can also use variables to represent certain types of information (see page 172).

Set up a smart tag

First, you must define your smart tags in user policy triggers. A tag can be any category or descriptive term you choose. For example, you may want to tag e-mails or files as Discussion of Financial Records, Personal Communication, Employment Solicitation, or Privileged Content. All capture, control and transaction triggers support smart tags. When the policy changes are complete, Orchestria APM categorizes each e-mail (or attachment, Web page or file) that activates the trigger with the specified smart tag.

1 In the User Policy Editor, select the trigger you want to configure.
2 Expand the trigger folder, then right-click the Smart Tags setting and choose Properties.
3 In the Smart Tags Properties dialog, click Add and specify a Smart Tag Name and, optionally, a Smart Tag Value. See page 172 for further information about smart tag values.
4 Save the policy changes.

Figure: User Policy Editor, Smart tag dialogs. 1 Smart Tags Properties dialog. 2 Tag name; this example is named Privileged content and will be used to identify e-mails subject to client-attorney privilege. 3 Tag value; this example value is set to %To%, a variable that returns the e-mail address of the recipient. 4 Add button. 5 Add Item dialog; you define the smart tag name and value here.

Chapter 7 Categorizing, tagging and classifying events

171

Smart tags and file triggers


You can configure Data At Rest and Data In Motion capture and control triggers to apply smart tags to files using the Smart Tags setting.

Data In Motion triggers

If required, you can configure Data In Motion triggers to add smart tags to file events generated by the Network Boundary Agent, Client File System Agent (CFSA) and Client Print System Agent (CPSA). This can be useful to monitor potentially sensitive files being moved across a network, or sent to USB devices or printers. Smart tags are stored in the file event's metadata on the CMS database.

Data At Rest triggers

You can configure Data At Rest triggers to apply smart tags to any targeted files and their corresponding file events. This can be useful for records management categorization purposes. You can specify that when a Data At Rest trigger activates, certain smart tags are applied to the original scanned file and others to the copy of the scanned file. To do this, you need to add the exact smart tag names (or use the ? and * wildcards) to the Apply Which Smart Tags to Original File? and Apply Which Smart Tags to File Copy? control action settings.

Note: To create a copy of the original file, you need to configure the Copy File to Location control action setting.

Smart tags are stored in the file event's metadata on the CMS database. They can also be stored as a file system property, document property, or MAPI property, depending on the type of data being scanned. That is, if the FSA is scanning:

- Microsoft Office documents, then each smart tag is added as a document property, and can be viewed within the file itself.
- Microsoft Exchange Public Folders (for example an e-mail), then each smart tag is stored as a MAPI property of the e-mail itself.

Note: The FSA can read these MAPI properties in subsequent scanning jobs using the captureProperties attribute. See the Deployment guide; search the index for: FSA job syntax.

Example trigger usage

Outgoing e-mail triggers

You can assign the same smart tag, for example Privileged content (used to categorize e-mails subject to client-attorney privilege), to separate outgoing e-mail triggers:

- Recipient-based trigger: The first trigger activates when it detects an e-mail sent to a specific attorney. For example, in the Recipient 1 trigger, you can set the Included Addresses list setting to include the various e-mail addresses of the relevant attorneys.
- Classification-based trigger: The second trigger activates when it detects an e-mail that appears to be subject to client-attorney privilege. For example, in the Document Classifier 1 trigger, you can set the Which Document Classification? setting to a predefined Privileged content document classification.

In this way, the recipient-based trigger should detect e-mails that are subject to client-attorney privilege but which do not match the specified Privileged content classification, while the classification-based trigger should detect e-mails that are also subject to client-attorney privilege but which are not addressed to one of the listed attorneys.


Smart tag names and values

Each smart tag has a name. As an optional level of sub-categorization, each tag can also have one or more values. The value can be a key word or phrase, or it can be a variable. You can then display these values in the iConsole search results screen to provide at-a-glance contextual information for reviewers.

In the example trigger usage in the previous section, two separate triggers both apply the Privileged content smart tag. In this example, you could set up smart tag values to indicate the reason that the trigger fired: for the Recipient 1 trigger, set the tag value to Matches attorney address; for the Document Classifier 1 trigger, set the tag value to Matches document classification:

Trigger                  Smart tag name        Smart tag value
Recipient 1              Privileged content    Matches attorney address
Document Classifier 1    Privileged content    Matches document classification

Use variables as smart tag values

When defining smart tag values, you can use variables to represent certain types of information and to customize the text content based on the circumstances of the event capture. In the example dialog on page 170, the Privileged content smart tag has a value of %To%. When the trigger activates, %To% sets the tag value to the e-mail address of the recipient. The full range of supported variables is the same as those available for notification messages (see page 253). The variables likely to be the most useful as smart tag values are listed below.

Variable                     Notes
%Address%                    This displays the e-mail address, or addresses, that caused the trigger to activate. For outgoing e-mails, this is the recipient address(es); for incoming e-mails, it is the sender address.
%From%                       This displays the original sender of an e-mail.
%Keystring% and %Keyword%    This displays the words or phrase detected by Orchestria APM and which activated the trigger.
%To%                         This displays any recipients listed in the To: field of an e-mail.

Smart tag variables for categories


There is a special set of smart tag variables that can only be used in conjunction with categorization e-mail control actions. See page 167 for details.


Handling for misused variables

As shown in the table in the previous section, some of the variables you can use as smart tagging values are only valid for certain types of event. For example, %From% is not valid for Web triggers, but %URL% is only valid for Web triggers. If a variable is used for a trigger where it cannot return a value, Orchestria APM marks it as recognized, but invalid for that particular trigger. In practice, this means that where Orchestria APM would normally display the value (for example in a user notification message), such variables are replaced by a question mark (?).

Figure: Administration console, User Policy Editor: Policy Setting Properties dialog; iConsole, Search Results page Information tab
1 Setting the Smart Tag value. Shows where to set the smart tag name and value in user policy.
2 Invalid Smart Tag value. Shows that the value of the smart tag (in this case %URL%) could not be resolved because it is not a valid value for that trigger. In other words, the %URL% variable cannot return a value for an e-mail trigger.

Variable     Resolves to
%To%         The recipient of the e-mail. In this example, Spencer Rimmel.
%Subject%    The subject of the e-mail. In this example, Corporate Restructuring.
%URL%        ? (The variable cannot be resolved, as it is not valid for e-mail triggers.)
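The substitution rule described above, as an added example in Python; this is not Orchestria code. The table of which variables each trigger type can resolve, the trigger-type names and the sample events are constructed assumptions drawn from the manual's own examples (the product's full variable list is larger):

```python
import re

# Added example (not Orchestria code) of the "?" substitution rule for smart
# tag variables. Which variables each trigger type can resolve is an assumption
# taken from the manual's own examples: e-mail triggers resolve %Address%,
# %From%, %To%, %Subject% and %Keystring%/%Keyword%; Web triggers resolve
# %URL% and %Keystring%/%Keyword%. The product's full variable list is larger.

def _keystring(event: dict) -> str:
    return event.get("keystring", "")

EMAIL_RESOLVERS = {
    "From": lambda ev: ev["from"],
    "To": lambda ev: ", ".join(ev["to"]),
    "Subject": lambda ev: ev["subject"],
    # %Address% is the address that activated the trigger: the recipient(s)
    # for outgoing e-mails, the sender for incoming e-mails.
    "Address": lambda ev: ", ".join(ev["to"]) if ev["direction"] == "outgoing" else ev["from"],
    "Keystring": _keystring,
    "Keyword": _keystring,
}
WEB_RESOLVERS = {
    "URL": lambda ev: ev["url"],
    "Keystring": _keystring,
    "Keyword": _keystring,
}
RESOLVERS = {"email": EMAIL_RESOLVERS, "web": WEB_RESOLVERS}

# Every variable the engine recognises, across all trigger types.
KNOWN_VARIABLES = set().union(*(r.keys() for r in RESOLVERS.values()))

VARIABLE_RE = re.compile(r"%([A-Za-z]+)%")


def resolve_smart_tag_value(template: str, event: dict) -> str:
    """Expand %Variable% tokens in a smart tag value for one captured event.

    A variable the engine recognises but that cannot return a value for this
    trigger type (for example %URL% on an e-mail trigger) becomes "?", as the
    manual describes. Text that is not a recognised variable is left as typed
    (an assumption; the manual does not say how unknown tokens are treated).
    """
    resolvers = RESOLVERS[event["kind"]]

    def substitute(match):
        name = match.group(1)
        if name in resolvers:
            return resolvers[name](event)
        if name in KNOWN_VARIABLES:
            return "?"              # recognised, but invalid for this trigger
        return match.group(0)       # not a variable at all: leave it alone

    return VARIABLE_RE.sub(substitute, template)


# Constructed sample events (not real captures).
OUTGOING_EMAIL = {
    "kind": "email", "direction": "outgoing",
    "from": "alice@unipraxis.example", "to": ["spencer.rimmel@example.com"],
    "subject": "Corporate Restructuring", "keystring": "restructuring",
}
INCOMING_EMAIL = {**OUTGOING_EMAIL, "direction": "incoming",
                  "from": "counsel@lawfirm.example", "to": ["alice@unipraxis.example"]}
WEB_PAGE = {"kind": "web", "url": "https://airline.example/reserve",
            "keystring": "reservation"}

if __name__ == "__main__":
    print(resolve_smart_tag_value("%To%", OUTGOING_EMAIL))
    print(resolve_smart_tag_value("%Subject% / %URL%", OUTGOING_EMAIL))   # URL part is "?"
    print(resolve_smart_tag_value("%URL%", WEB_PAGE))
```

The point to take from the split between "recognised but invalid" and "unknown" is that a "?" in a reviewer's iConsole view is a policy-authoring mistake (the wrong variable for the trigger type), not a capture failure; a smart tag value that must always resolve should only use variables valid for every trigger it is set on.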


X-headers and smart tags


Orchestria APM enables you to insert x-headers into e-mails through the use of special smart tags. This section describes how to set up policy triggers to generate and insert x-headers. X-header requirements and limitations, such as naming guidelines and maximum character length, are summarized on page 175.

X-headers are custom or proprietary headers in an Internet Mail. They are typically used to pass information to e-mail handling applications for processing or as an information repository. For example, you can use x-headers to flag e-mails that require processing by a third party encryption solution.

The mechanism that Orchestria APM uses to generate x-headers is based on the Smart Tags setting in e-mail triggers. When the trigger activates, a smart tag is generated that matches the required x-header. Orchestria APM then detects this smart tag and sets an e-mail property. This property is subsequently converted to an x-header when the e-mail is sent as an Internet Mail.

Note: An x-header is only inserted if the e-mail is actually sent. For example, if a trigger causes an e-mail to be blocked, an x-header is not inserted.

X-headers and Domino servers


To ensure that x-headers specified by Orchestria APM are generated in Internet e-mails resulting from Lotus Notes e-mails, you must first make a configuration change on your Domino servers. For details, see the Deployment guide; search the index for x-header handling, and Domino configuration.

Generate and insert an x-header


1 Agree the x-header name with the third party. For example, X-UNIPRAXIS-MsgSec.
2 In the User Policy Editor, configure your e-mail triggers as required. For example, you may want to detect e-mails containing confidential information.
3 For each trigger you configured in step 2, edit the Smart Tags setting:
  3.1 In the Smart Tags Properties dialog, click Add.
  3.2 Set the smart tag name to the name you agreed in step 1. The name can be any text string, but see the requirements on page 175.
  3.3 The smart tag value is optional. Any text you enter here (such as Encryption Request) will be appended to the x-header in the format: X-UNIPRAXIS-MsgSec: Encryption Request
4 Save the policy changes.


X-header requirements
Be aware that any x-headers generated from your smart tags must adhere to the requirements below. Note also the limitations imposed by Exchange 2003; see the next section.

X-header names must start with X: Your x-header names must start with X- or x-. Orchestria APM specifically checks for smart tags beginning with "x hyphen" when generating x-headers.

X-header names must be strong: This is crucial. When agreeing the x-header name with a third party, you must choose a strong name that will not conflict with other x-headers. Specifically, avoid names that are generic or too short. Notes and Domino users must also take care to choose x-header names that (when they have been stripped of the x prefix) do not conflict with object names used internally by Domino. An example of a strong x-header name is: X-Unipraxis-MessageEncryptionRequest

Maximum length, x-header names and values:

- X-header names cannot be longer than 125 characters. Therefore, your smart tag name is similarly restricted. That is, the name you supply when editing the Smart Tags setting (step 3.2 on page 174) cannot be longer than 125 characters.
- X-header values must not exceed 2,000 characters. (Values are appended to the x-header name as described in step 3.3 on page 174.)

Although an x-header value is unlikely to be constrained by this limit, it may become relevant in future Orchestria APM releases. For example, if future releases permit users to generate x-header values from tokens or variables (such as a distribution list variable), this could potentially result in very long text strings.

Note: These x-header name and value limits are imposed by the technologies underlying the e-mail systems (such as Outlook or Exchange). They are not inherent restrictions in the specification of Internet Mails.

X-header limitation

Problems in Exchange 2003 cause the following x-header limitation for outgoing e-mails processed by an Orchestria APM Outlook client agent and subsequently sent via Exchange.

Do not include periods in x-header names: If your x-header name includes a period character (such as X-Case.ID), Exchange 2003 will fail to insert the x-header into the e-mail. In detail, although the Outlook client agent successfully sets the appropriate e-mail property, Exchange 2003 will subsequently fail to convert this property to an x-header when this e-mail is sent as an Internet Mail. This limitation has been fixed in Exchange 2007. Likewise, this limitation only applies to outgoing e-mails processed by the Outlook client agent; it does not apply to e-mails processed by Orchestria APM Exchange or Domino server agents or the Notes client agent.

Outlook and encrypted or digitally signed e-mails: The Orchestria APM Outlook client agent cannot add x-headers to e-mails that have been marked to be sent as encrypted or digitally signed. (This limitation does not affect the Exchange server agent, though any policy triggers configured to detect e-mail content may be unable to process encrypted e-mails anyway.)
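The procedure on page 174 and the requirements and limitations above, combined into one pre-deployment check as an added Python example; this is not Orchestria code. The 125/2,000 character limits, the X- prefix rule, the blocked-mail rule and the Outlook/Exchange 2003 period and signing/encryption rules are taken from this section; the header-name character check, the agent names and the sample smart tags are assumptions:

```python
import re
from dataclasses import dataclass
from typing import List

# Added example (not Orchestria code) of the checks a policy author can run on
# the Smart Tags setting before relying on it to produce x-headers. The limits
# and the Outlook/Exchange 2003 rules are the ones the manual states; the
# header-name character check and the agent names are assumptions.

MAX_XHEADER_NAME = 125
MAX_XHEADER_VALUE = 2000

# Internet Mail header field names are printable US-ASCII without ':'
# (RFC 5322); this check is added here and is not quoted from the manual.
FIELD_NAME_RE = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


@dataclass
class SmartTag:
    name: str
    value: str = ""


def is_xheader_tag(tag: SmartTag) -> bool:
    """Only smart tags whose name starts with 'X-' or 'x-' become x-headers."""
    return tag.name[:2].lower() == "x-"


def xheader_problems(tag: SmartTag, agent: str) -> List[str]:
    """Reasons this smart tag cannot become an x-header via the given agent
    ('outlook', 'exchange', 'domino' or 'notes'); an empty list means it can."""
    problems = []
    if not is_xheader_tag(tag):
        problems.append("name must start with 'X-'")
    if len(tag.name) > MAX_XHEADER_NAME:
        problems.append(f"name longer than {MAX_XHEADER_NAME} characters")
    if len(tag.value) > MAX_XHEADER_VALUE:
        problems.append(f"value longer than {MAX_XHEADER_VALUE} characters")
    if not FIELD_NAME_RE.match(tag.name):
        problems.append("name contains characters not allowed in a header field name")
    if agent == "outlook" and "." in tag.name:
        problems.append("Exchange 2003 drops x-header names containing a period "
                        "for e-mails processed by the Outlook client agent")
    return problems


def xheaders_for_email(tags: List[SmartTag], agent: str, sent: bool = True,
                       signed_or_encrypted: bool = False) -> List[str]:
    """Build the x-header lines an outgoing e-mail would carry.

    Smart tags without the X- prefix stay in the event metadata only; a blocked
    (unsent) e-mail gets no x-headers; the Outlook client agent cannot add
    x-headers to e-mails marked for signing or encryption.
    """
    if not sent or (agent == "outlook" and signed_or_encrypted):
        return []
    lines = []
    for tag in tags:
        if is_xheader_tag(tag) and not xheader_problems(tag, agent):
            lines.append(f"{tag.name}: {tag.value}".rstrip())
    return lines


# Constructed smart tags as they might be set on a trigger.
TAGS = [
    SmartTag("X-UNIPRAXIS-MsgSec", "Encryption Request"),
    SmartTag("Privileged content", "Matches attorney address"),   # metadata only
    SmartTag("X-Case.ID", "INC-2041"),                            # lost on Outlook/Exchange 2003
]

if __name__ == "__main__":
    print(xheaders_for_email(TAGS, "exchange"))
    print(xheaders_for_email(TAGS, "outlook"))
    for tag in TAGS:
        print(tag.name, xheader_problems(tag, "outlook"))
```

Running the checks per agent matters because the same policy is pushed to every agent: a name that is valid for the Exchange server agent can silently produce no header at all on the Outlook client path, and the downstream encryption gateway then treats the message as unflagged.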


Document classifications
Document classifications are a pioneering feature that enable Orchestria APM to detect specific types of document, for example, sales proposals, contract agreements, or airline Web sites. This section describes how to configure the parameters (that is, the policy settings) used to define a classification. Orchestria APM can detect and analyze various file types. For details, see page 113.

Classification types
In the user policy, each document classification has a configuration setting. This broadly determines the type of document. At present, you can configure a classification to identify Travel or Generic documents.

Generic classifications
Generic classifications enable Orchestria APM to identify specific types of document defined by you, for example, airline reservation Web sites or customer complaints. These generic classifications are based on parameter settings. These parameters contain the rules that enable Orchestria APM to identify specific types of document, for example, sales proposals or customer complaints. The classification parameters are described on page 178. Orchestria APM uses these parameters to calculate a document score that quantifies the probability that, for example, an e-mail really is a customer complaint. Various adjustment functions are also available to modify the score to prevent false confirmations, especially for long documents such as e-mail attachments or uploaded files. An example generic document classification is shown on page 181.

Note: For the purposes of classification, the Subject and Body are taken together as a single document. Each attachment is also considered a single document. All documents are classified separately.

When are document classifications used?

This feature is used by the Document Classifier and Transaction Detector triggers in the user policy. You can associate any document classification with these triggers. When the trigger is evaluated, Orchestria APM compares the active document (this could be a Web page, uploaded file, e-mail or attachment) against the specified classification. If a match is confirmed, the trigger activates. For example, if a capture trigger specifies an 'airline reservation Web page' classification and the user browses to the reservation page of an airline's Web site, the trigger activates.

Classification in e-mails

Document classification works slightly differently with e-mails than with other targeted items (Web pages, or uploaded files). In terms of classification, each part of an e-mail is treated as a separate document: the subject and body text are treated as one document and each attachment is treated as another. The Document Classifier and Transaction Detector triggers are then applied to each 'document'. The trigger will only fire if one whole document contains all the criteria in the trigger. If several parts of the e-mail meet the classification, the score is taken from the document that scored the highest.

Travel classifications
These identify any travel-related documents, for example, Web sites for hotel or airline reservations, e-mail bookings and e-mail confirmations. Travel classifications do not use parameter settings.


Set up a document classification

First, you must define your classification in the user policy. This classification can be any type of document identifiable by its text content. For example, you may want to identify airline reservation Web sites or e-mail customer complaints. Second, you associate the classification with a Document Classifier trigger. Versions of this trigger are available in the Capture, Control and Transaction folders. For example, you can use a capture trigger to capture the complaint e-mail; or you could use a transaction trigger to record details about plane tickets purchased on an airline reservation Web site. When the policy changes are complete, Orchestria APM detects each Web page, uploaded file, e-mail or attachment that matches the document classification and reacts accordingly.

To set up a document classification in the user policy:

1 Define your classification:
  1.1 Go to the System Settings > Document Classifications policy folder.
  1.2 Expand the Classification folder you want.
  1.3 Enter a name for the classification and set the Configuration setting to Generic or Travel.
  1.4 If setting up a generic document classification, configure Parameters 1 to 7. See page 178 for guidelines.
2 Define your Document Classifier trigger.
3 Save the policy changes.

Note: An example generic document classification is shown on page 181.

Setting a file size limit

You can specify a limit on the maximum size of files that Orchestria APM will classify. To do this, you need to edit the Maximum Size of Files setting in the user policy System Settings folder.

Note: To ensure that files of any size are classified, set Maximum Size of Files to a value of zero.

Document Classifier triggers

Each user policy contains Document Classifier triggers. These can check targeted items (Web pages, files, e-mails or attachments) to see whether they match a particular document classification. You select the classification, and you specify which items are checked against this classification. Versions of the Document Classifier trigger are available in the Capture, Control and Transaction folders. When Orchestria APM detects that a Web page, uploaded file, e-mail or attachment matches a document classification:

- Capture triggers cause the item to be captured.
- Control triggers generate a control event such as blocking or warning.
- Transaction triggers cause the Transaction dialog to appear, allowing the user to supply details about the detected transaction.

Document classifications and key words or phrases

For control triggers only, if an e-mail matches the document classification you can block the e-mail or display a warning or advisory dialog based on the presence or absence of specific words or phrases. For example, you may want to block outgoing sales proposals if they do not contain your corporate disclaimer. To do this, add an extract of the disclaimer to the Excluded Search Text list: 'This e-mail may contain confidential or privileged information and is for use by the addressee only.' If Orchestria APM infers that an e-mail is a sales proposal but lacks the corporate disclaimer (because the above extract is missing), it blocks the e-mail.


Parameters for generic classifications


The parameters for classifying generic documents are:

Parameter 1: This defines a list of compulsory words or phrases. All must be present for Orchestria APM to confirm a document classification. If validated, this parameter raises the document score by +1. In effect, this parameter specifies a logical AND condition.

Parameter 2: This defines a list of required words or phrases, one of which must be present for Orchestria APM to confirm a document classification. If validated, this parameter raises the document score by +1. In effect, this parameter specifies a logical OR condition.

Parameter 3: This defines a list of preferred words or phrases. These are positive indicators. If any are present, this increases the probability that the document matches the specified classification. Orchestria APM raises the document score by +1 for each occurrence of a listed word or phrase.

Parameter 4: This defines a list of words or phrases that imply a possible non-match. These are negative indicators. If any are present, this lowers the probability that the document matches the specified classification. Orchestria APM reduces the document score by 1 for each occurrence of a listed word or phrase.

Parameter 5: This defines a list of words or phrases that indicate a definite non-match. If any are present, the document classification fails. If none are present, Orchestria APM raises the document score by +1. In effect, this parameter specifies a Boolean NOT condition.

Parameter 6: You can include functions to modify the document score handling. For example: MinScore(n) and MaxScore(n) specify respectively the minimum and maximum scores necessary to confirm document classification. For details of all available functions, see page 179.

Parameter 7: This defines a list of key words or phrases that you can use to search for events captured by a Document Classifier trigger. If a word is found in the document when the trigger activates, the word is saved as an attribute of the capture or control event. You can then run searches that focus exclusively on documents containing this word or phrase. For example, if you define a document classification for sales proposals, you can add a list of products to parameter 7. If Orchestria APM detects one of these product names (say, Product X) in a captured sales proposal, the term 'Product X' is saved as an attribute of this event. This enables you to generate a report focusing on all sales proposals for Product X.

Note: For details about the extensive search text variables available when defining parameter 7, see page 112.

Parameter 8: This defines a list of 'definite match' words or phrases. If any are present, this confirms the document classification. This parameter is useful if you need to detect specific types of Web site, typically those with limited text content. For example, a Web-based e-mail site may contain very little text except for the term 'webmail'.

Note: In technical terms, this parameter overrides the Boolean conditions of Parameters 1, 2 and 5 and adds 100 onto the document score.

Parameters 9 and 10: These are not currently used in generic classifications.


Parameter 6 functions
You can add the following functions to parameter 6 to modify document handling.

NotSmallerThan(x): This function defines a minimum document length. Orchestria APM does not attempt to classify documents with fewer than x characters (excluding white spaces and characters such as carriage returns). This is useful if you know the typical size of your target documents. For example, to ignore documents smaller than 500 characters, enter: NotSmallerThan(500). You can use this function in conjunction with its NotLargerThan(y) counterpart (see below) to define the permitted size range for target documents.

NotLargerThan(y): This function defines a maximum document length. Orchestria APM does not attempt to classify documents with more than y characters (excluding white spaces and characters such as carriage returns). This is useful if you know the typical size of your target documents. For example, to ignore documents larger than 2000 characters, enter: NotLargerThan(2000). You can use this function in conjunction with its NotSmallerThan(x) counterpart (see above) to define the permitted size range for target documents.

Extract(1,2,3,4,8): This function causes key text found using the classification parameters 1, 2, 3, 4 and 8 to be extracted and saved as an attribute of the capture or control event. You can extract the text found using any or all of these classification parameters. For example, if you are only interested in the text found using parameters 1, 2 and 8, enter: Extract(1,2,8)

MinScore(n) / MaxScore(n): These define the minimum and maximum document scores needed for Orchestria APM to confirm a document classification. They can be used individually:

- Enter MinScore(n) where n is the value. For example, type MinScore(10) to set a minimum score of 10.
- Enter MaxScore(n) where n is the value. For example, type MaxScore(10) to set a maximum score of 10.

Or, used together, MinScore(n) and MaxScore(n) can specify a set of ranges for document classification scores, or severity bands. For example:

Classifier    Parameter 3    Parameter 6                    Severity
1             %CCN%          MaxScore(10)                   Low
2             %CCN%          MinScore(11), MaxScore(100)    Medium
3             %CCN%          MinScore(101)                  High

Where:

- Classifier 1 specifies that detecting up to 10 credit card numbers qualifies as low severity.
- Classifier 2 specifies that detecting 11-100 credit card numbers qualifies as medium severity.
- Classifier 3 specifies that detecting more than 100 credit card numbers qualifies as high severity.

Normalize(m): This function adjusts the document score downwards in order to prevent false confirmations. It is an alternative method to ReduceBySize(r). Enter Normalize(m) where m determines the multiplier used to lower the document score; typically, m matches the average size (in characters) of the documents you want to classify, for example, 10,000. The formula for this function is:

    New document score = Old document score * (m / Characters)

Where Characters is the number of characters in the document. For example, if the original document score is 45, and the document size is 25,000 characters, then setting m to 8,500 would lower the document score to around 15:

    15.3 = 45 * (8,500 / 25,000)

Note: This function can result in fractional scores. Such scores are rounded to the nearest integer before testing against MinScore(n) or MaxScore(n).

Caution: Normalize(m) and ReduceBySize(r) (see below) are alternative methods for adjusting document scores downwards. Do not include both functions together when specifying parameter 6.

ReduceBySize(r): This function also adjusts the document score downwards in order to prevent false confirmations, especially for long documents such as e-mail attachments or uploaded files. Enter ReduceBySize(r) where r determines the value subtracted from the document score; r is typically a very small value, say, 0.3. The formula for this function is:

    New document score = Old document score - (Characters * (r / 100))

Where Characters is the number of characters in the document. For example, if the original document score is 45, and the document size is 10,000 characters (a typical size for a four or five page document), then setting r to 0.3 lowers the document score to 15:

    15 = 45 - (10,000 * (0.3 / 100))

Note: This function can result in fractional scores. Such scores are rounded to the nearest integer before testing against MinScore(n) or MaxScore(n).

Caution: ReduceBySize(r) and Normalize(m) (see above) are alternative methods for adjusting document scores downwards. Do not include both functions together when specifying parameter 6.

Wildcards and other special characters

Note the following wildcards and logical operators:

- Wildcard characters * and ? are supported. For example, 'unipr*' would match any occurrence of 'Unipraxis'.
- Use the | symbol to represent a logical OR. For example, the expression motel|hotel matches 'motel' or 'hotel'.
- Use { } brackets to define sub-expressions. For example, the expression {room|hotel} reservation matches 'room reservation' or 'hotel reservation'.
- Use %MONEY% to match any monetary value. For example, this matches $25, $25.99 or even 25.99. It detects currency symbols such as $, and these currency codes: USD, GBP and EUR.
- Search for special characters: To search explicitly for the characters { } | * or ?, prefix them with a backslash. For example, add \? to match any occurrence of '?'.
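The parameter scoring on page 178, the parameter 6 functions and the wildcard syntax above, combined into one scorer as an added Python example; this is not Orchestria's classification engine. The "Customer complaint" parameter set and the sample e-mail bodies are constructed after the manual's example; case-insensitive, word-bounded matching and the treatment of empty parameter lists are assumptions, and %MONEY% and %CCN% are not implemented:

```python
import math
import re
from typing import Dict, List, Optional

# Added example (not Orchestria's classification engine). It scores a document
# with the generic-classification parameters 1-5 and 8, applies the parameter 6
# functions, and returns the parameter 7 search key words. Assumptions: the
# search-text syntax is * ? | { } with backslash escapes as the manual lists;
# matching is case-insensitive; a term that starts or ends with a letter or
# digit must match at a word boundary. %MONEY% and %CCN% are not implemented.

def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate one search-text term into a compiled Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):      # \? \* \{ \} \| search literally
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append({"*": r"\S*", "?": r"\S", "{": "(?:", "}": ")", "|": "|"}
                   .get(ch, re.escape(ch)))
        i += 1
    head = r"(?<!\w)" if pattern[:1].isalnum() else ""
    tail = r"(?!\w)" if pattern[-1:].isalnum() else ""
    return re.compile(head + "(?:" + "".join(out) + ")" + tail, re.IGNORECASE)


def occurrences(text: str, terms: List[str]) -> int:
    """Total number of times any of the terms occurs in the text."""
    return sum(len(pattern_to_regex(t).findall(text)) for t in terms)


def adjust_score(score: float, chars: int, functions: Dict[str, float]) -> int:
    """Apply Normalize(m) or ReduceBySize(r), then round to the nearest integer."""
    if "Normalize" in functions and "ReduceBySize" in functions:
        raise ValueError("Normalize and ReduceBySize are alternatives; use only one")
    if "Normalize" in functions and chars:
        score = score * functions["Normalize"] / chars            # 45 * 8500 / 25000 = 15.3
    elif "ReduceBySize" in functions:
        score = score - chars * functions["ReduceBySize"] / 100   # 45 - 10000 * 0.3 / 100 = 15
    return math.floor(score + 0.5)


def classify(text: str, params: Dict[int, object]) -> Optional[int]:
    """Return the final document score if the classification is confirmed, else None.

    params maps 1-5, 7 and 8 to lists of search terms and 6 to a dict of
    function name -> argument, e.g. {"MinScore": 5, "Normalize": 8500}.
    """
    fn = params.get(6, {})
    chars = len(re.sub(r"\s", "", text))              # length excludes white space
    if chars < fn.get("NotSmallerThan", 0) or chars > fn.get("NotLargerThan", math.inf):
        return None                                    # outside the permitted size range
    score = 0
    if occurrences(text, params.get(8, [])):
        score += 100      # definite match: overrides the Boolean gates of 1, 2 and 5
    else:
        p1, p2, p5 = params.get(1, []), params.get(2, []), params.get(5, [])
        if p1:                                         # AND: every compulsory term present
            if not all(occurrences(text, [t]) for t in p1):
                return None
            score += 1
        if p2:                                         # OR: at least one required term
            if not occurrences(text, p2):
                return None
            score += 1
        if p5:                                         # NOT: no definite non-match term
            if occurrences(text, p5):
                return None
            score += 1
    score += occurrences(text, params.get(3, []))      # +1 per positive indicator
    score -= occurrences(text, params.get(4, []))      # -1 per negative indicator
    score = adjust_score(score, chars, fn)
    if score < fn.get("MinScore", -math.inf) or score > fn.get("MaxScore", math.inf):
        return None
    return score


def search_keywords(text: str, params: Dict[int, object]) -> List[str]:
    """Parameter 7 terms found in the document (saved as event attributes)."""
    return [t for t in params.get(7, []) if occurrences(text, [t])]


# Constructed "Customer complaint" classification, after the manual's example.
CUSTOMER_COMPLAINT = {
    1: ["Unipraxis"],
    2: ["critici*", "UXLogiCard", "UXProPack"],
    3: ["unsuccessfully", "return*", "refund"],
    4: ["staffing", "web site"],
    5: ["catalog request"],
    6: {"MinScore": 5},
    7: ["UXLogiCard", "UXProPack"],
    8: ["complaint"],
}

# Constructed sample e-mail bodies (not real messages).
COMPLAINT = ("Dear Unipraxis support, I am writing to criticise the UXLogiCard I "
             "bought last month. I tried unsuccessfully to return it twice and now "
             "want a refund.")
CATALOG = COMPLAINT + " Please also send me a catalog request form."
SHORT = "Formal complaint regarding staffing at your web site team."

if __name__ == "__main__":
    for body in (COMPLAINT, CATALOG, SHORT):
        print(classify(body, CUSTOMER_COMPLAINT), search_keywords(body, CUSTOMER_COMPLAINT))
```

Two behaviours worth seeing in the output: one parameter 5 hit rejects an otherwise strong complaint outright, and a parameter 8 hit confirms a short document that names neither Unipraxis nor a product, so a generic parameter 8 term is the easiest way to inflate false confirmations.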


Example document classification

Document classification settings are in a subfolder of the System Settings folder in the user policy (page 140). To associate a classification with a capture trigger, you need to edit an appropriate Document Classifier capture trigger for incoming e-mails. See page 177 for details.

Customer complaint e-mails

The example classification below shows a user policy configured to detect customer complaints. Classification 2 has been configured to identify any e-mail complaints about products such as the UXLogiCard, supplied by the company Unipraxis. The classification is called Customer complaint. This example uses the following parameters:

Parameter 1: This defines Unipraxis as a compulsory word. This word must be present to confirm a Customer complaint classification.
Parameter 2: This specifies words such as criticism or a specific product such as the UXLogiCard. At least one term must be present to confirm a complaint.
Parameter 3: This specifies words such as unsuccessfully and return. If present, such words raise the probability that the e-mail is a complaint.
Parameter 4: These words imply a non-match. If the e-mail contains words such as staffing or web site, then this lowers the probability that the e-mail is a complaint about products such as the UXLogiCard.
Parameter 5: These words indicate a definite non-match. If the e-mail contains words such as catalog request, the classification is rejected.
Parameter 6: This parameter contains a score adjustment example. In this example, it specifies that a minimum score of 5 is needed to confirm a Customer complaint classification.
Parameter 7: Words listed here can be used as a filter for running a search. That is, you can run a search on any e-mail containing words such as UXLogiCard or UXProPack.
Parameter 8: This specifies words that indicate a definite match. Here, if the word complaint is detected, the document classification is confirmed.

Figure: Example document classification
1 User Policy Editor.
2 Policy path for the document classification. This shows the location of the Document Classification folder.
3 Parameter settings for the document classification.


8. Transactions

This chapter shows how Orchestria APM captures online transactions. It also describes how to set spending limits for individual transactions. A transaction can be any purchase from a Web site, plus any associated e-mails such as order confirmations or receipts. You can then use the captured data for analysis, or to keep track of corporate purchasing, or simply to store as provision against future disputes. Orchestria APM supports both manual and automatic transaction captures. The ability to manually capture Web transactions is determined by settings in the user policy. Automatic captures are triggered by Web page or e-mail characteristics; you define these triggers in the user policy. For automatic transaction captures, you define the conditions that trigger a capture (based on content analysis of a Web page or e-mail), how captured items are matched to existing transactions, and how Orchestria APM extracts specific transaction details such as the currency or monetary value. A sophisticated transaction validation process ensures that these details are accurate; you can control the stringency of this validation process by adjusting settings in the user policy. You can also set spending limits for individual transactions and allow users to cancel transactions.

What data is captured?


When capturing a transaction, Orchestria APM makes a distinction between the payment details and the underlying Web page or e-mail. In fact, the two types of data capture are handled by completely separate modules within the user policy: the Transactions folder and the Capture folder:

- Transactions folder: To capture payment details automatically, you configure Transaction Detector triggers in the Transactions folder. These details can include the total amount, taxes, the supplier reference number, and so on. Alternatively, you can configure other transaction triggers to display a Confirm Transaction dialog; this dialog prompts users to supply the relevant details. Transaction triggers do not capture the associated Web page or e-mail.
- Capture folder: If you want to capture the underlying Web pages or e-mails, for example to resolve possible supplier disputes, you must set up triggers in the Capture folder. Capture triggers do not capture any payment details associated with a transaction.

This chapter focuses on Transaction triggers, with particular emphasis on Transaction Detector triggers. Capture triggers are discussed in chapter 9, Capturing data.

Orchestria Active Policy Management Administrator guide

Manual captures
The ability to manually capture Web transactions is determined by settings in the Extensions > Browser folder of your user policy.
i You cannot manually capture e-mail transactions.
1 Right-click anywhere on the Orchestria APM capture lights in your browser and choose Transaction. The Transaction Detected light switches on to indicate a capture is in progress.
(Screenshot: Orchestria APM capture lights. 1 Transaction Detected light. 2 Browser status bar.)
2 Enter the details in the Create Transaction dialog. Note that some fields may be grayed out if your user policy specifies that these details are not required. When you quit the Web site, Orchestria APM checks whether you have supplied all the compulsory transaction items, for example, the transaction total and supplier reference. It then displays the Confirm Transaction dialog and prompts you to confirm the details. Typically, any compulsory details are highlighted in the dialog.
i The full range of possible items is listed in the Transactions > Transaction Action folder of the user policy.

Automatic captures
This section describes how to automatically capture transactions (that is, how to capture the payment details such as the amount, supplier reference, and so on). It does not describe how to capture the underlying Web page or e-mail.
i To capture the underlying Web page or e-mail, you must configure a Transaction Detector trigger in the Capture folder; see page 188.

To automatically capture online transactions:

1 Define the transaction triggers. You can find these in the Transaction folder of the user policy. A trigger condition may be as simple as a Web page URL or it may be more sophisticated. For example, you can base triggers on automatic analysis of e-mails to detect credit card numbers. For full details see page 143. In particular, you must configure a Transaction Detector trigger. This explicitly identifies transactions in progress and can extract data such as the transaction total and supplier reference. If this trigger is disabled, you cannot automatically capture the payment details of a transaction. See page 188 for details about these triggers.

2 Define the transaction action. This comprises a series of settings that determine how Orchestria APM handles the captured transaction. For example, you can specify how much input is required or permitted from users and whether users are permitted to cancel transactions captured automatically. For full details, see page 139.

3 Configure the compulsory transaction items. You can also configure the handling for individual items of transaction data such as the transaction total and supplier reference:
- You can make certain transaction details compulsory. A transaction cannot be validated unless these details are present and accurate.
- You can specify a required confidence level for each item. This determines how confident Orchestria APM must be that the captured data is accurate before the transaction can be validated (page 187).
- You can specify whether a user is permitted to override values captured automatically.

4 Orchestria APM captures a transaction whenever a trigger is activated. Wherever possible, Orchestria APM captures transaction details automatically. But it may display the Confirm Transaction dialog if:
- It cannot confidently identify one or more compulsory details. If so, the user must enter or confirm the highlighted values.
- The user policy requires a user to manually confirm each automatically-captured transaction. This dialog is controlled by the 'Show Dialog?' policy setting. See page 191 for full details.

(Screenshot: Confirm Transaction dialog. 1 Click OK to validate the transaction. 2 Click the Not a Transaction button to mark the transaction as an exception. 3 Missing or uncertain details, if flagged as compulsory in the user policy, are highlighted in red.)

Cancel a transaction
If permitted by their policy, a user can manually cancel a transaction capture by clicking the Not a Transaction button in the Confirm Transaction dialog (see the screenshot above). Depending on the policy, this either discards the transaction or flags it as an exception (page 186). You may want to let users cancel a transaction if, for example, a policy trigger incorrectly detected a transaction, or the user chose to cancel the purchase after the trigger had activated. To do this, you must configure the Allow Cancellations setting in the Transaction Action folder of the user policy. This determines whether a user is permitted to manually cancel a transaction capture by clicking the Not A Transaction button in the Confirm Transaction dialog. If Allow Cancellations is set to:
- Allowed, the transaction is deleted when the user clicks Not A Transaction.
- Exception, the transaction is saved as an exception when the user clicks Not A Transaction. For further details, see the next section.
- Disallowed, users cannot cancel the transaction. They must provide the necessary transaction details.


Transaction exceptions
When a captured transaction is flagged as an exception, it is excluded from statistical analysis in the Executive console. Exceptions can arise in two ways:

- Manual exceptions: If the Allow Cancellations setting in the user policy is set to Exception, a user can manually flag a transaction as an exception. For example, a policy trigger may have incorrectly detected a transaction, or the user chose to cancel the purchase after the trigger had activated. To do this, the user clicks the Not a Transaction button in the Confirm Transaction dialog.

- Automatic exceptions: A transaction may also be flagged as an exception automatically. This happens if the policy excludes user input (the users do not see the captured values and cannot override captured values), but one or more captured values do not meet the required level of confidence. For example, this could happen if the supplier reference is a key item of data but Orchestria APM is unable to detect this information with sufficient confidence and the policy precludes user input.

Transaction icons
When searching for captured transactions in the Data Management console, the Search Results screen uses icons to indicate the type of transaction item. For example, you can quickly identify captured blocked Web page transactions or e-mail transactions. The transaction types (icons not reproduced here) are:
- E-mail - captured
- E-mail - blocked
- E-mail - the user disregarded a warning
- E-mail - the user heeded a warning
- E-mail - quarantined
- Web page - captured
- Web page - blocked
- Web page - the user disregarded a warning
- Web page - the user heeded a warning

i These icons represent transactions captured by any transaction trigger. They are not used for Web or e-mail events detected by a Transaction Detector in the Control or Capture policy folders.


Spending limits
Orchestria APM allows you to enforce maximum transaction values each time a user conducts a Web transaction. If the user tries to confirm a transaction total that exceeds this value, Orchestria APM either blocks the transaction or warns the user.

Set up spending limits
To do this, you must edit the policy of the user or group whose spending you want to control.
1 In the User Policy Editor, expand the Web Pages > Control Triggers folder.
2 Expand the Transaction Detector trigger that you want to use. Make sure this trigger is not disabled. Several Transaction Detector triggers are available. This allows you to set varying transaction limits, depending on the circumstances. For example, you may associate a $1000 limit with an airline Web site, and a $50 limit with an office stationery Web site.
3 The Transaction Detector trigger contains the Maximum Transaction Value setting. Double-click this setting and enter an integer value, for example 1000 or 50.
i Do not specify the currency. This maximum value is universally enforced, regardless of the currency used. A limit of 1000 therefore applies equally to a total of 1000 in any currency; if users buy from sites that charge in different currencies, use separate Transaction Detector triggers with a limit chosen for each site.
4 The Transaction Detector trigger also contains a Control Action setting.
4.1 Select an action, for example Action 1.
4.2 Edit the settings in the action to specify whether an attempted overspend triggers a blocking or warning.
5 If you configured the control action to warn the user or block the user with a notification, return to the Transaction Detector trigger and edit the Message To Users setting so that the users see an appropriate message when their transaction exceeds the permitted maximum value. Save the policy.

Can I set up period or aggregate spending limits?
No, you can only enforce per-transaction spending limits. For example, you cannot define monthly spending limits. But you can monitor aggregate spending if the Executive console is installed on your computer. This allows you to track total spending for an individual user or group, and to trigger alarm actions when spending exceeds limits defined by you. For example, you can set up an alarm to alert you when a user's total transactions exceed $1,000.
i Alarms are described in chapter 2 of the Executive console guide.


Transaction detection
To automatically detect transactions, you must configure the Transaction Detector triggers. These activate when they detect a transaction in progress, based on content analysis of a Web page or e-mail.

Transaction Detector triggers
Transaction Detector triggers are available in the Capture, Control, and Transaction folders.

Capture folder: Transaction Detector triggers in the Capture folder cause the associated Web page or e-mail to be captured when Orchestria APM detects a transaction. They do not cause the transaction details (the amount, supplier reference, and so on) to be captured.

Control folder: Transaction Detector triggers in the Control folder generate a control event (typically a blocking or warning) when Orchestria APM detects a transaction. These too, like the Capture triggers, do not cause the transaction details (the amount, supplier reference, and so on) to be captured.

Transaction folder: Only the Transaction Detector triggers in the Transaction folder itself cause transaction details (the amount, supplier reference, and so on) to be captured when Orchestria APM detects a transaction. A transaction validation process checks that this data is accurate (you control the stringency of this validation by adjusting settings in the user policy). Note that other triggers in the Transaction folder (such as the 'Submitted Credit Card' trigger) can cause the Confirm Transaction dialog to display, prompting the user to supply any missing details. But only the Transaction Detector trigger can automatically extract these details; if this trigger is disabled, you cannot automatically capture the payment details of a transaction.

i Triggers in the Transaction folder do not cause the actual e-mail or Web page to be captured.

How do Transaction Detector triggers work?
Whichever folder the trigger is in, the transaction detection process works in the same way. This is a four-step process (TP = Transaction Probability):
1 Examine specified Web pages and e-mails
2 Analyze contents and quantify evidence
3 Compare calculated TP with trigger sensitivity
4 Activate the trigger?

Steps 1 through 4 are described below.

1 Examine specified Web pages and e-mails. First, Orchestria APM examines each specified Web page for transaction evidence. Its analysis is based on page content, HTML metatags, and any monetary values that it detects. For example, text such as 'order confirmation' and buttons such as 'Proceed to checkout' are usually evidence of transactions.

2 Analyze contents and quantify evidence. It then quantifies the available evidence and estimates the probability that the Web page or e-mail is a transaction. In technical terms, Orchestria APM calculates a transaction probability (TP).

3 Compare the calculated transaction probability with the trigger sensitivity level. Next, Orchestria APM compares the calculated TP with the minimum TP needed to activate the Transaction Detector trigger. The minimum TP is determined by the Transaction Detector Sensitivity setting, found in the Transactions subfolder of the System Settings folder. Separate sensitivity settings are available for triggers in the Capture, Control, and Transaction folders. See page 140 for further details. In each case, you can set the level of sensitivity needed to activate the trigger. For example, you can choose to activate the trigger for all suspected transactions, or you can demand certainty or near-certainty before it is activated. (In technical terms, each sensitivity level equates to a minimum TP.) A low minimum TP activates the trigger for more suspected transactions at the cost of more false activations (and, for Control triggers, more spurious blocks or warnings); a high minimum TP misses transactions whose pages or e-mails carry only weak evidence.

4 Activate the trigger? If the calculated TP is equal to or greater than the minimum TP, Orchestria APM infers that the current Web page or e-mail is a transaction and activates the Transaction Detector trigger.

Transaction validation
In an ideal world, Orchestria APM would capture a transaction and successfully extract all the items of transaction data. The data could then be used to calculate spend rates and so on. But in practice, the presentation of online transactions is so diverse across the Web that problems can arise. Orchestria APM must therefore validate the transaction data to ensure that the values are accurate. This is a six-step process (RCL = Required Confidence Level for an item of transaction data; CCL = Calculated Confidence Level for an item of transaction data):
1 Specify compulsory transaction items
2 Define RCLs for each item
3 Generate CCLs for each item
4 Compare CCL and RCL
5 Allow users to override?
6 Validate or flag as exception?

Steps 1 through 6 are described on the following pages.

1 Which items of transaction data are compulsory? In the user policy, you can specify whether individual items of transaction data are needed. For example, you may need a supplier reference but not a buyer reference. Items which you do need are known as 'compulsory items'.


2 Set the Required Confidence Level (RCL). In the user policy, you set the RCL for each compulsory item of transaction data. If all compulsory items meet the required level of confidence, then the transaction is validated. If the confidence level for any item falls below the RCL, then the entire transaction is flagged as an exception and excluded from all transaction statistics (or, if the policy shows the Confirm Transaction dialog, the user must supply or confirm the value; see step 6). You can set the RCL to:
- Zero: Any value is valid.
- Manual: Values are only valid if they are entered or confirmed by the user. Go to step 5.
- Low, Medium or High: A value is only valid if Orchestria APM has, respectively, low, medium or high confidence that the value is accurate. Go to step 3.

3 Generate a Calculated Confidence Level (CCL). When a transaction is captured, Orchestria APM analyzes the content of the associated Web page or e-mail and tries to extract each item of transaction data. Based on the success or failure of this analysis, it then internally allocates a CCL to each item. In effect, this is an attempt to quantify the accuracy of these items. For example, it may be moderately confident that the monetary value is correct, but highly confident that the supplier reference is correct.

4 Compare the CCL and RCL. For each compulsory item, Orchestria APM determines whether the captured value meets the required level of confidence. If the RCL is set to Low, Medium, or High, Orchestria APM compares this required level of confidence with the CCL:
- If CCL >= RCL, that is, the CCL is the same as or greater than the RCL, the item is validated.
- If CCL < RCL, that is, the CCL is less than the RCL, the item is not validated. Either the transaction is flagged as an exception, or the user must supply the value or confirm a captured value.
For example, the policy requires a medium level of confidence that the supplier reference is correct, but Orchestria APM is able to capture this item with a high level of confidence. Here, the CCL exceeds the RCL so the supplier reference is validated.

5 Are users permitted to override captured values? Orchestria APM checks the policy to determine what input, if any, is required from the user. If the policy specifies that users do not see the Confirm Transaction dialog, Orchestria APM handles the transaction based only on the CCL-RCL comparisons for compulsory items (see step 4). If users are shown the Confirm Transaction dialog, Orchestria APM checks whether they are permitted to override valid captured values:
- If they are permitted, users may enter their own values for any compulsory item.
- If they are not, users can only override the captured values of compulsory items that do not meet the required level of confidence.

6 Validate, or flag as an exception? Orchestria APM can now judge whether to validate the transaction or flag it as an exception. The key determinant here is the Show Dialog? setting. This setting, in conjunction with the factors described above plus the Allow Cancellations? setting, determines the final step in the transaction validation process. See page 191 for details.


Show Dialog? setting
This policy setting is pivotal in the transaction validation process. Find it in the Transactions > Transaction Action folder of the user policy. It determines whether Orchestria APM displays the Confirm Transaction dialog (see the screenshot on page 185). This setting has four possible values:
- Never
- Always
- Unless transaction matches
- If necessary

These values operate in conjunction with other settings in the transaction action to steer the transaction validation process. For example, the transaction action includes a setting that permits users to cancel transactions captured automatically by clicking a button in the Confirm Transaction dialog. Other settings define the compulsory items of transaction data and the required confidence levels for these items. Compulsory items are highlighted in the Confirm Transaction dialog if Orchestria APM lacks confidence in their accuracy. See the following pages for details of how the Show Dialog? setting, in conjunction with other settings in the transaction action, affects transaction validation.
i The following descriptions assume that the Transaction Detector triggers for Web pages and e-mails are enabled in the Transaction folder. If you disable these triggers, Orchestria APM cannot automatically extract transaction details such as the total amount or the supplier reference.

Show Dialog? Never
If this setting is set to Never, the user is never required to confirm transaction details and the validation process is wholly automatic. If Orchestria APM is unable to identify the compulsory details with sufficient confidence, the transaction is either saved as an exception or discarded completely, depending on whether the user policy permits transaction exceptions. For example, you may choose this option if you want to conceal from users the fact that their corporate transactions are being monitored. The validation process is shown below.
! If Show Dialog? is set to Never, do not disable the Transaction Detector triggers for Web pages or e-mails. If you disable these triggers (perhaps because you had planned to rely solely on other transaction triggers, for example, a submitted credit card number), Orchestria APM will be unable to capture transactions.

Validation process when Show Dialog? is set to Never (the Confirm Transaction dialog is never shown):
- If CCL >= RCL for all compulsory items: the transaction is validated and saved, using the captured values.
- If CCL < RCL for any compulsory item: the transaction is saved as an exception, using the captured values.

Show Dialog? Unless transaction matches
If this setting is set to Unless transaction matches, the Confirm Transaction dialog is always shown unless Orchestria APM detects that the newly captured item refers to an existing transaction. If this proves to be the case, Orchestria APM adds it automatically to the existing transaction. For example, if Orchestria APM identifies a supplier reference that matches an existing transaction, it saves the new item automatically without showing the Confirm Transaction dialog. The validation process is shown below. If a match is not confirmed and the Confirm Transaction dialog is shown, any compulsory details requiring user confirmation or amendment are highlighted in the dialog.
i If a transaction match is confirmed, Orchestria APM saves the transaction item without displaying the Confirm Transaction dialog, even if it was unable to extract a compulsory transaction item with a sufficient level of confidence.

Show Dialog? If necessary
If this setting is set to If necessary, the validation process is wholly automatic unless Orchestria APM was unable to capture all the compulsory transaction details with sufficient confidence. If this proves to be the case, the user must supply or confirm these details (highlighted in the Confirm Transaction dialog). For example, if a supplier reference is compulsory, the user must supply a reference if Orchestria APM fails to identify it or if it identifies a possible reference but lacks confidence in its accuracy. The validation process is shown below.

Show Dialog? Always
If this setting is set to Always, Orchestria APM always displays the Confirm Transaction dialog and the user must confirm the compulsory transaction details. If Orchestria APM is unable to capture one or more compulsory details with sufficient confidence, these are highlighted in the dialog. The user must enter or confirm these values before they can confirm the transaction. The validation process is shown below.

Validation process when Show Dialog? is set to Always, Unless transaction matches, or If necessary, and the Confirm Transaction dialog appears (1):
- The user clicks OK and CCL >= RCL for all compulsory items. Is the user allowed to override these captured values? Yes: the transaction is validated and saved with the captured values or values supplied by the user. No: the transaction is validated and saved with the captured values.
- The user clicks OK and CCL < RCL for any compulsory item. If Allow Cancellations? is set to Allowed or Disallowed: the user must confirm or amend all uncertain values, and the transaction is validated and saved with the user-supplied values. If Allow Cancellations? is set to Exception: has the user confirmed or amended all uncertain values? Yes: the transaction is validated and saved with the user-supplied values. No: the transaction is saved as an exception.
- The user clicks Not A Transaction (2). If Allow Cancellations? is set to Allowed: the transaction is not saved. If set to Exception: the transaction is saved as an exception.

CCL = Calculated Confidence Level; RCL = Required Confidence Level.
(1) If Show Dialog? is set to If necessary, the Confirm Transaction dialog is never shown when CCL >= RCL for all compulsory items.
(2) If Allow Cancellations? is set to Disallowed, this button is not available.
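The decision tables above can be expressed as a small model, which is useful when reviewing whether a policy combination behaves as intended before rolling it out. The following Python is an added example written for this page; it is not Orchestria code and does not model how the product stores transactions. The names Item, Policy, UserInput, validate and the outcome strings are this example's own, and the sample items (a total captured with high confidence, a supplier reference captured with low confidence) are constructed. The Never branch follows the flowchart on this page (an uncertain capture is saved as an exception).

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple, Union

# Confidence levels as the page orders them; Zero is satisfied by any value.
class Confidence(IntEnum):
    ZERO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3

MANUAL = "Manual"  # an RCL that only user entry or confirmation can satisfy

@dataclass
class Item:
    name: str
    value: Optional[str]            # captured value, None if not extracted
    ccl: Confidence                 # Calculated Confidence Level
    rcl: Union[Confidence, str]     # Required Confidence Level, or MANUAL
    compulsory: bool = True

@dataclass
class Policy:
    show_dialog: str          # "Never", "Always", "Unless transaction matches", "If necessary"
    allow_cancellations: str  # "Allowed", "Exception", "Disallowed"
    allow_override: bool = False  # may users override values that already meet their RCL?

@dataclass
class UserInput:
    clicked: str = "OK"       # "OK" or "Not A Transaction"
    supplied: Dict[str, str] = field(default_factory=dict)  # values entered/confirmed in the dialog

VALIDATED, EXCEPTION, NOT_SAVED = "validated", "exception", "not saved"
MATCHED = "added to matching transaction"
SHOW_DIALOG_VALUES = {"Never", "Always", "Unless transaction matches", "If necessary"}

def meets_rcl(item: Item) -> bool:
    """Step 4 on the page: an item is valid when CCL >= RCL; Manual is never met automatically."""
    if item.rcl == MANUAL:
        return False
    return item.ccl >= item.rcl

def final_values(items: List[Item], uncertain: set, policy: Policy,
                 user: Optional[UserInput]) -> Dict[str, Optional[str]]:
    """Captured values, overridden by user input only where step 5 permits it."""
    values = {}
    for item in items:
        value = item.value
        if user is not None and item.name in user.supplied and \
                (policy.allow_override or item.name in uncertain):
            value = user.supplied[item.name]
        values[item.name] = value
    return values

def validate(items: List[Item], policy: Policy, matches_existing: bool = False,
             user: Optional[UserInput] = None) -> Tuple[str, Dict[str, Optional[str]]]:
    """Apply the Show Dialog? / Allow Cancellations? decision tables; returns (outcome, values)."""
    if policy.show_dialog not in SHOW_DIALOG_VALUES:
        raise ValueError("unknown Show Dialog? value: %r" % policy.show_dialog)
    uncertain = {i.name for i in items if i.compulsory and not meets_rcl(i)}

    if policy.show_dialog == "Never":
        # Wholly automatic: the flowchart saves uncertain captures as exceptions.
        return (VALIDATED if not uncertain else EXCEPTION), final_values(items, uncertain, policy, None)
    if policy.show_dialog == "Unless transaction matches" and matches_existing:
        # A matched item is saved without the dialog even if a compulsory item is uncertain.
        return MATCHED, final_values(items, uncertain, policy, None)
    if policy.show_dialog == "If necessary" and not uncertain:
        return VALIDATED, final_values(items, uncertain, policy, None)

    # From here on the Confirm Transaction dialog is shown and the user's response decides.
    if user is None:
        raise ValueError("Confirm Transaction dialog shown: user input required")
    if user.clicked == "Not A Transaction":
        if policy.allow_cancellations == "Disallowed":
            raise ValueError("Not A Transaction button is not available under Disallowed")
        return (NOT_SAVED if policy.allow_cancellations == "Allowed" else EXCEPTION), {}
    values = final_values(items, uncertain, policy, user)   # user clicked OK
    if not uncertain:
        return VALIDATED, values
    confirmed_all = all(name in user.supplied for name in uncertain)
    if policy.allow_cancellations in ("Allowed", "Disallowed"):
        # The dialog holds the user until every highlighted value is confirmed or amended.
        if not confirmed_all:
            raise ValueError("all uncertain compulsory values must be confirmed or amended")
        return VALIDATED, values
    return (VALIDATED if confirmed_all else EXCEPTION), values

# Constructed sample capture: the total was extracted with high confidence, the supplier
# reference only guessed, and the buyer reference is not compulsory in this policy.
SAMPLE_ITEMS = [
    Item("total", "149.99", Confidence.HIGH, Confidence.MEDIUM),
    Item("supplier_reference", "ORD-?", Confidence.LOW, Confidence.MEDIUM),
    Item("buyer_reference", None, Confidence.ZERO, Confidence.ZERO, compulsory=False),
]

def demo_never():
    return validate(SAMPLE_ITEMS, Policy("Never", "Exception"))

def demo_if_necessary_confirmed():
    user = UserInput("OK", {"supplier_reference": "ORD-88213"})
    return validate(SAMPLE_ITEMS, Policy("If necessary", "Exception"), user=user)

def demo_if_necessary_unconfirmed():
    return validate(SAMPLE_ITEMS, Policy("If necessary", "Exception"), user=UserInput("OK"))

def demo_not_a_transaction():
    return validate(SAMPLE_ITEMS, Policy("Always", "Allowed"), user=UserInput("Not A Transaction"))

if __name__ == "__main__":
    print(demo_never())
    print(demo_if_necessary_confirmed())
```

Running the four demos shows the practical difference between the settings: under Never the same capture silently becomes an exception and drops out of the Executive console statistics, whereas under If necessary it is validated as soon as the user confirms the one uncertain item. When auditing a policy, it is worth checking the Exception paths in particular, since a user who reaches the dialog and clicks OK without amending anything under Allow Cancellations = Exception produces an exception rather than a validated record.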


Transaction matching
A complete transaction typically includes various 'partial transactions': the purchase itself, plus various catalog and checkout Web pages and a subsequent e-mail receipt. Orchestria APM attempts to identify and gather together all e-mails or Web pages that jointly make up the entire context of a transaction. This process is called transaction matching.

Matching process
If a Web or e-mail event activates any trigger in the Transaction folder of the user policy, Orchestria APM automatically attempts to match that item to an existing transaction. If it is unable to do so, it deems that the item represents a wholly new transaction. This topic describes how this automatic matching process works.
i You can also manually add captured items to a transaction.

What is transaction matching based on?
Orchestria APM assigns captured items to transactions based on common transaction details, such as supplier reference numbers and monetary values. It also looks for common Internet domain references in existing transactions and in the newly captured item. Typically, a match is confirmed if there are identical reference numbers, monetary values and, ideally, Internet domains. You can also specify a transaction timeout. When this timeout expires, Orchestria APM deems the transaction complete and closes it.

As soon as a Transaction trigger is activated, Orchestria APM compares the newly captured item with each existing transaction. For each item-transaction pair, it then calculates a Transaction Matching (TM) score. Next it compares the TM score against a critical range of score values. This range is based on a Confidence Level setting which defines a deviation around the minimum acceptable value. This process eliminates any transactions where there is clearly no possible match. For a technical description, see page 194. Orchestria APM then considers the remaining transactions and adds the captured item to the transaction yielding the highest TM score. For an example of how Orchestria APM compares three potential matches, see page 195.

Can I adjust the sensitivity?
Yes, you can adjust the sensitivity of the automatic transaction matching if you notice frequent errors. For example, if Orchestria APM repeatedly matches unrelated items to existing transactions or if it repeatedly fails to identify the correct transaction, you can raise or lower the Transaction Matching Sensitivity. You can also adjust the confidence level required for individual items of transaction data. This refines the matching process to allow user input in cases where there is ambiguity or uncertainty.

! The matching process is only invoked if an actual Transaction trigger is activated. It is not invoked if an event activates a 'Transaction Detector' trigger in the Capture or Control folders.

How do I configure transaction matching?
You do this by editing the user policy. You specify:
- The transaction timeout and sensitivity settings in the Transactions subfolder of the System Settings folder. For a summary, see page 140.
- The required confidence level for individual items of transaction data in the Transaction Action folder. See page 139.


Technical description
Orchestria APM compares the captured item against each existing transaction and looks for evidence of a match. Such evidence can include common supplier reference numbers, matching transaction amounts, or a common Internet domain.

1 Orchestria APM then weighs this evidence and calculates a TM score. For each transaction, Orchestria APM calculates a TM score with a value between 0 and 1, where 0 is a null match and 1 is a perfect match. This allows Orchestria APM to quantify and compare the strength of each possible match.

2 Next, Orchestria APM calculates a critical range of TM score values, defined by the Transaction Matching Sensitivity and Confidence Level settings in the current user policy:

Transaction Matching Sensitivity: This setting dictates how well a captured item must match an existing transaction. In technical terms, each sensitivity level defines the minimum TM score value needed for a positive match. This prevents Orchestria APM choosing a target transaction simply because it seems the least unlikely. The three levels, S1 Reduced Sensitivity, S2 Medium Sensitivity and S3 Raised Sensitivity, each equate to a minimum acceptable TM score on the 0.0 to 1.0 scale, with S1 below S2 and S2 below S3.

Confidence level: This setting dictates how confident Orchestria APM must be before choosing the target transaction automatically. If it lacks confidence, it asks the user to choose. In technical terms, each confidence level defines a deviation around the minimum TM score value as defined by the Transaction Matching Sensitivity setting (S1, S2 or S3). The three levels are: Ask unless confidence is high; Ask when confidence is moderate; Ask only if confidence is low.

(Diagram: Required Confidence Levels for matching an event to an existing transaction. 0.0 to 1.0 is the range of possible TM score values; the Transaction Matching Sensitivity settings S1, S2 and S3 represent actual TM scores on this scale; the confidence levels represent deviations around S1, S2 and S3.)

3 Orchestria APM then compares the TM score against the critical value range. If the matching score falls:
- Below this range, the match is rejected. The item clearly does not belong in the transaction. If this happens for all existing transactions, Orchestria APM creates a new transaction.
- Within this range, Orchestria APM cannot confidently confirm or reject a match, so it asks the user to choose the target transaction.
- Above this range, the match is confirmed and Orchestria APM adds the item to the transaction. In rare situations where Orchestria APM can plausibly match an item to more than one transaction, it typically assigns the item to the transaction with the highest TM score.


Example transaction matching
When Orchestria APM captures a transaction-related Web page or e-mail, it tries to match the item to each existing transaction. For each transaction, it calculates a TM score. This quantifies the strength of the possible match. In this example, TM scores are compared against three existing transactions.

1 Calculating the TM scores. First, Orchestria APM compares the captured item against each existing transaction and calculates a TM score for each item-transaction pair.

2 Calculating the critical range for the TM score. Next, Orchestria APM calculates the critical range (R) for the TM score. This range is based on two policy settings: Transaction Matching Sensitivity and Confidence Level. In this example, these are set to 'Medium sensitivity' (S2) and 'Ask only if confidence is low' respectively.

3 Comparing the TM scores against the critical range. Finally, for each transaction, Orchestria APM checks whether the TM score falls within the critical range R:
- Transaction 1: The TM score is below range R. Orchestria APM infers the captured item does not belong to transaction 1 and rejects the match.
- Transaction 2: The TM score falls within range R. Orchestria APM cannot confidently confirm or reject the match. If this were the highest TM score, Orchestria APM would ask the user to choose the target transaction. In this example, however, transaction 3 yields a higher TM score.
- Transaction 3: The TM score is above range R. Orchestria APM confirms the match and assigns the captured item automatically to transaction 3.

(Diagram: matching an event to existing transactions. On the 0.0 to 1.0 TM score scale, transaction 1 lies below R, transaction 2 within R and transaction 3 above R. S2 is the minimum TM score necessary to confirm a match; it is defined by the Transaction Matching Sensitivity setting. S1 and S3 are not used in this example. R is the critical range of TM scores, defined by S2 and the confidence level 'Ask only if confidence is low'.) Transaction 3 yields the highest TM score, so the newly captured item is allocated to this transaction.
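The technical description and the three-transaction example above can be reproduced with the following Python, an added example written for this page rather than Orchestria code. The page gives no numbers, so the TM score values for S1, S2 and S3, the half-width of the critical range for each confidence level, the weights given to each kind of evidence, and the 3600-second transaction timeout are all assumptions of this example; the names CapturedItem, Transaction, tm_score, critical_range, classify and match_item are its own, and the three sample transactions and the receipts matched against them are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed TM score thresholds for the page's sensitivity levels S1, S2 and S3, and assumed
# half-widths of the critical range for each confidence level (the page gives no numbers).
SENSITIVITY = {"Reduced": 0.30, "Medium": 0.50, "Raised": 0.70}
CONFIDENCE_BAND = {
    "Ask unless confidence is high": 0.20,
    "Ask when confidence is moderate": 0.10,
    "Ask only if confidence is low": 0.05,
}
# Assumed evidence weights; the page names these kinds of evidence but not how they are weighed.
WEIGHTS = {"supplier_reference": 0.5, "amount": 0.3, "domain": 0.2}

@dataclass
class CapturedItem:
    supplier_reference: Optional[str]
    amount: Optional[str]
    domain: str
    captured_at: float          # seconds since an arbitrary epoch

@dataclass
class Transaction:
    id: int
    supplier_reference: Optional[str]
    amount: Optional[str]
    domain: str
    last_activity: float
    items: List[CapturedItem] = field(default_factory=list)

def tm_score(item: CapturedItem, tx: Transaction) -> float:
    """Weigh the common evidence into a TM score: 0 is a null match, 1 a perfect match."""
    score = 0.0
    if item.supplier_reference and item.supplier_reference == tx.supplier_reference:
        score += WEIGHTS["supplier_reference"]
    if item.amount and item.amount == tx.amount:
        score += WEIGHTS["amount"]
    if item.domain == tx.domain:
        score += WEIGHTS["domain"]
    return round(score, 4)

def critical_range(sensitivity: str, confidence: str) -> Tuple[float, float]:
    """Range R: the sensitivity's minimum TM score plus or minus the confidence deviation."""
    s, band = SENSITIVITY[sensitivity], CONFIDENCE_BAND[confidence]
    return round(s - band, 4), round(s + band, 4)

def classify(score: float, sensitivity: str, confidence: str) -> str:
    lo, hi = critical_range(sensitivity, confidence)
    if score < lo:
        return "reject"       # clearly does not belong to this transaction
    if score <= hi:
        return "ask"          # neither confirmed nor rejected: the user must choose
    return "confirm"

def match_item(item: CapturedItem, transactions: List[Transaction], sensitivity: str = "Medium",
               confidence: str = "Ask only if confidence is low", timeout: float = 3600.0):
    """Assign a captured item; returns (decision, candidate transactions, TM scores by id).

    decision is "confirmed" (item added to the best-scoring transaction), "ask" (the
    candidates inside range R, best first, for the user to choose from) or "new".
    """
    # A transaction whose timeout has expired is closed and is never considered.
    open_txs = [t for t in transactions if item.captured_at - t.last_activity <= timeout]
    scored = sorted(((tm_score(item, t), t) for t in open_txs), key=lambda p: p[0], reverse=True)
    scores: Dict[int, float] = {t.id: s for s, t in scored}
    if not scored:
        return "new", [], scores
    best_score, best_tx = scored[0]
    verdict = classify(best_score, sensitivity, confidence)
    if verdict == "confirm":
        best_tx.items.append(item)
        best_tx.last_activity = item.captured_at
        return "confirmed", [best_tx], scores
    if verdict == "ask":
        candidates = [t for s, t in scored if classify(s, sensitivity, confidence) == "ask"]
        return "ask", candidates, scores
    return "new", [], scores

def build_sample() -> List[Transaction]:
    # Constructed sample: three open transactions, as in the page's example.
    return [
        Transaction(1, "A-100", "20.00", "books.example", last_activity=0.0),
        Transaction(2, "B-200", "149.99", "shop.example", last_activity=0.0),
        Transaction(3, "C-300", "149.99", "shop.example", last_activity=0.0),
    ]

# Constructed sample: an e-mail receipt captured ten minutes after the purchase.
RECEIPT = CapturedItem("C-300", "149.99", "shop.example", captured_at=600.0)

def demo_match():
    return match_item(RECEIPT, build_sample())

def demo_ask():
    # A receipt whose supplier reference could not be extracted: only amount and domain match,
    # and two transactions tie inside range R, so the user is asked to choose.
    partial = CapturedItem(None, "149.99", "shop.example", captured_at=600.0)
    return match_item(partial, build_sample())

def demo_after_timeout():
    # The same receipt captured after every transaction's timeout has expired starts a new one.
    late = CapturedItem("C-300", "149.99", "shop.example", captured_at=5000.0)
    return match_item(late, build_sample())

if __name__ == "__main__":
    print(demo_match()[0], demo_match()[2])
```

With these assumed values, demo_match reproduces the page's picture: transaction 1 scores 0.0 (below R), transaction 2 scores 0.5 (inside R, which is 0.45 to 0.55 for S2 with 'Ask only if confidence is low'), and transaction 3 scores 1.0, so the receipt is assigned to transaction 3 without asking. demo_ask shows why the confidence band matters: when the supplier reference is missing, transactions 2 and 3 tie inside R and the item cannot be assigned silently. demo_after_timeout shows the effect of the transaction timeout, which keeps a late receipt from being attached to a closed transaction.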

196

Orchestria Active Policy Management Administrator guide

Transaction trigger refinements


Unreadable uploaded files or e-mail attachments
You can configure the File Upload or Attachment transaction triggers so that they always activate if Orchestria APM detects an unreadable file being uploaded to a Web site or an unreadable e-mail attachment. Such files are typically unreadable because they have been encrypted or password-protected. For example, you can set up a File Upload trigger to always capture a transaction if Orchestria APM detects an encrypted file being uploaded to a specified Web site.

Set up trigger activation if a file is unreadable
1 Open the User Policy Editor and locate the File Upload or Attachment transaction trigger.
2 Display the trigger settings.
3 Set the Activate Trigger if Text Content Unreadable? setting to True.
4 To configure the trigger more precisely, you can also set the Conditions for Unreadable Text Content setting. This setting is ignored if the Activate Trigger if Text Content Unreadable? setting is set to False. If this is set to:
• All conditions: The trigger activates if all the available conditions apply (see below).
• Failure on retrieval or analysis: The trigger activates if Orchestria APM cannot access the attachment (for example, because the Exchange Server is unavailable), or cannot extract the text from the attached document for analysis.
• Failure on retrieval only: The trigger activates only if Orchestria APM cannot access the attachment.
• Document is protected/encrypted: The trigger activates only if the attachment is protected or encrypted.
Note: Similar settings are available for File Upload and Attachment capture triggers and control triggers.

Selective trigger-based purging
Each Transaction trigger has its own Minimum Retention setting. This retention period determines how long captured transactions are retained in the local database before they are eligible for purging. For example, you may want to retain transactions captured by a URL trigger for one day only, but retain transactions captured by a Transaction Detector trigger for seven days. For details on setting up trigger-based purging, see page 82. Minimum retention periods defined in a Transaction trigger override the default retention period for the local machine (defined in the machine policy; see page 81). For example, if the machine policy specifies a three day retention period but a Transaction Detector trigger specifies a seven day retention period, these transactions are retained in the local database for seven days before being earmarked for inclusion in the next database purge.
Note: In the Data Management console, users with appropriate administrative privileges can:
• Search for captured transactions whose retention period expires on a particular date (the Expiry Date search filter). See the Data Management console online help; search the index for expiry date.
• Override the expiry date of the retention period in the Audit tab. See page 303.

9. Capturing data

This chapter shows how to capture e-mails, Web pages, files and application usage metrics. Orchestria APM lets you capture as much data, or as little, as you need. At one extreme, you can simply record the bare details of every e-mail, file, or Web page. For example, you might simply record the URL of every Web page accessed by your users in order to discourage time wasting or visits to inappropriate Web sites. Alternatively, you can capture in full any Web pages, files, or e-mails that match a set of precise conditions. The key to managing data captures is the user policy. Each user policy defines the triggers that cause automatic captures and the settings to allow or deny manual capturing. You can then use the captured data for analysis, or simply store it as provision against future disputes. You define what data is captured and the conditions that trigger a capture.

Capture strategies
Orchestria APM lets you set up multiple strategies for automatically capturing data. To set up these strategies, you configure the capture triggers and capture actions in the user policy. Each capture trigger, whether for Web pages, files, e-mails, or application events, specifies a capture action. This action defines what data is captured and, for Web pages, whether Orchestria APM indicates to the user that a capture is in progress. Typically, you will need to set up several complementary actions.

Example
In this example, your strategy uses three complementary capture actions:
1 First, you set up Action 1 for selective, full-detail captures, focusing on a narrow range of triggers, such as visits to Web sites during an HTTPS session. This action causes Orchestria APM to capture all the available information. For Web pages, this includes all text, images and submitted data. For e-mails, this includes the body text, attachments, and Internet header information. For files, this includes the file itself and file attribute details.
2 Next, you set up Action 2 for general, high-volume, minimum-detail captures. For example, you could use this action for Web sites not covered by Action 1. For these sites, you capture the URL but no other details. For e-mails, you may capture only the sender's or recipients' addresses plus the subject. For files, you may capture only the file attribute details.
3 Finally, you set up Action 3 for special situations. For example, this action may be identical to Action 1, except that it conceals from users when captures are in progress. This may be useful in situations where particular discretion is needed.


Capturing Web pages


Orchestria APM supports manual and automatic Web page captures. There are multiple capture actions, and each action defines what data is captured when Orchestria APM detects a trigger condition. For example, the action determines whether to capture images on a Web page and whether the capture light switches on. Capture actions are described on page 132.

Manual Web captures
Permission to manually capture Web pages is granted by settings in the Extensions > Browser folder of the user policy. These determine whether the capture lights are shown in the status bar of the user's browser (see below). Right-click the capture lights, then choose:
• Capture Page to capture the current page only.
• Start Capturing to capture the current Web page, plus all Web pages visited subsequently. Page captures continue until you quit the browser or right-click the capture lights and choose Stop Capturing.

[Figure: Orchestria APM capture lights. 1 Capture light. 2 Browser status bar.]

When you capture a Web page manually, you activate the 'Manual' capture trigger. In the user policy, you can specify the capture action associated with this trigger.

Automatic Web captures
To set up automatic captures, you define the capture triggers that kick off a capture. For example, you can automatically capture Web pages when a user browses to a secure site or submits a credit card number. Each trigger includes a setting that specifies a single capture action. Orchestria APM automatically invokes this action when it detects a trigger condition on a Web page, for example, when a user submits a specified credit card number. The full range of triggers is described on page 143.

[Figure: Capture triggers and capture actions. The diagram shows a URL capture trigger (URL 1, URL 2, URL 3) with its trigger settings, the available capture actions (Action 1, Action 2, Action 3) with their action settings, and the Switch On Browser Light? action setting.] Each trigger (1) includes a capture action setting (2). For each trigger, you can choose from a range of available actions (3). Action settings (4) define what data is captured and whether the browser light (5) switches on when a capture is in progress.

Chapter 9 Capturing data

199

Web page issues


Web pages containing XML data
If the current Web page contains structured content, for example a B2B eCommerce document with XML tags, the XML light switches on in the browser status bar.

JavaScript files are not captured


Orchestria APM can be configured to capture all Web activity on a computer, but the current version is configured to ignore external JavaScript files referenced in a Web page. That is, Orchestria APM does not capture JavaScript files referenced by <SCRIPT> tags in the HTML code. This change has been introduced to eliminate a problem in previous versions of Orchestria APM whereby JavaScript file captures could, under certain conditions, cause dramatic reductions in the level of free disk space when capturing Web activity. Specifically, when users navigated to particular types of Web page (multi-frame pages with frequent and automatic navigation to external files containing extensive JavaScript code), this resulted in multiple captures of the same page. This was intentional behavior for the Orchestria APM integration feature, but it was exacerbated by the format of the Web sites described above. To prevent this problem, Orchestria APM now ignores external JavaScript files.

Unreadable uploaded files


You can configure the File Upload capture triggers so that they always activate if Orchestria APM detects an unreadable file being uploaded to a Web site. Such files are typically unreadable because they have been encrypted or password-protected. For details, see page 212.

Searching listed files for key text


Some triggers let you search the contents of a file for key words or phrases. If Orchestria APM detects this text, the trigger activates. List settings in these triggers define which files are searched. For details, see page 113.

Captured pages do not match pages in the browser


When Orchestria APM displays Web pages in the console, it does so with active scripting disabled. This prevents captured Web pages from behaving in a way that could be undesirable. For example, this permits you to safely click a Submit Order button in any captured page without risk of re-submitting your order. But this also means that, potentially, a Web page in the console can differ slightly from the page you saw in the browser. For a detailed explanation and a workaround, see page 331.


Setting a maximum buffer size to prevent a performance slowdown


In previous versions of Orchestria APM, an overloaded buffer of captured Web events could, in some circumstances, reduce the level of free disk space to the extent that machine performance is affected. When a user browses a Web site and a capture trigger is not activated immediately, Orchestria APM buffers these Web events in anticipation of a capture trigger being activated later. The buffer is eventually flushed when the user leaves the current site. If a user were to browse extensively on a single site, or a single site were to cause very large amounts of data to be captured, the buffer could become excessively large. To prevent an overloaded buffer causing a performance slowdown, Orchestria APM allows you to set a maximum buffer size for each user. A typical maximum buffer size is 20 Web pages; the default size is based on extensive testing and you are unlikely to need to change it, but see below.
Note: Buffering only occurs under particular conditions. If a capture trigger activates as soon as a user browses to a Web site, pages are captured immediately and are not buffered.

Changing the default buffer size
If you are satisfied with the performance of Orchestria APM machines during Web captures, you need do nothing. However, if you do need to lower the maximum number of pages in the buffer (to alleviate performance problems), or raise the maximum (to prevent Web pages being lost), you can do so. To do this:
1 In the Administration console, expand the User Administration branch.
2 Select the user whose policy you want to edit and click Edit Policy, or right-click and choose Edit Policy.
3 In the User Policy Editor, browse to the System Settings folder.
[Figure: User Policy: System Settings. The User Policy Editor for the user 'Spencer Rimmel' shows the Capture, Control, Transactions, System Settings and Extensions folders.]
4 Now specify the Web Page Buffer Size setting as required.


Capturing e-mails
As with Web pages, Orchestria APM supports manual and automatic e-mail captures.
Note: Orchestria APM does not indicate to users when an e-mail has been captured. Unlike the capture lights in the browser status bar (page 142), there is no equivalent indication for e-mail users.

Automatic e-mail captures
To set up automatic captures, you define the triggers that kick off a capture. There is a wide range of triggers available for incoming and outgoing e-mails. For example, you can capture e-mails sent to or from specific addresses or which contain key words or phrases. Triggers are described on page 143. For each trigger, you can specify a capture action that determines what e-mail details are captured. You can capture as much data, or as little, as you need. Orchestria APM always captures the To, From, CC and Subject fields plus details such as the capture date and user name. But you can also capture the e-mail content, attachments, and Internet Mail Header. Capture actions are described on page 132.

[Figure: E-mail capture triggers and capture actions. The diagram shows a Sender capture trigger (Sender 1, Sender 2, Sender 3) with its trigger settings and the available capture actions (Action 1, Action 2, Action 3) with their action settings.] Each trigger (1) includes a capture action setting (2). For each trigger, you can choose from a range of available actions (3). Action settings (4) define what data is captured.

Manual e-mail captures
Note: Manual captures are only available to Microsoft Outlook users. They are not available in other e-mail applications.

Permission to manually capture e-mails is granted by settings in the Extensions > Browser folder of the user policy. If permitted, you can manually capture incoming and outgoing e-mails by clicking the Capture button in the toolbar of your message window:

[Figure: Manual e-mail captures. 1 Capture button. Click to capture the current e-mail.]

When you capture an e-mail manually, you activate the 'Manual' capture trigger. Separate Manual triggers are available for incoming and outgoing e-mails. In the user policy, you can specify the capture action associated with these triggers.


Attachments

Display options for e-mail attachments
By default, when you view captured e-mails Orchestria APM includes any attachments as icons within the body text of the e-mail, for example:

[Figure: Captured e-mail with attachments in body text. 1 Attachment icons.]

But if you notice such e-mails are slow to load in the console, you can configure the console to display attachment icons in a separate pane, permitting the e-mail to load much faster. To do this:
1 Choose Tools > Options.
2 Go to the Captured Data tab.
3 Clear the Show captured e-mail attachments in the body text check box.

[Figure: Captured e-mail with attachments in separate pane. 1 Attachment icons.]

Unreadable e-mail attachments
You can configure the Attachment capture triggers so that they always activate if Orchestria APM detects an unreadable e-mail attachment. Such files are typically unreadable because they have been encrypted or password-protected. For example, you can set up the Attachments trigger to always capture encrypted e-mail attachments.

Set up trigger activation if a file is unreadable
1 Open the User Policy Editor and locate the File Upload or Attachment capture trigger.
2 Display the trigger settings.
3 Set the Activate Trigger if Text Content Unreadable? setting to True.
4 To configure the trigger more precisely, you can also set the Conditions for Unreadable Text Content setting. This setting is ignored if the Activate Trigger if Text Content Unreadable? setting is set to False. If this is set to:
• All conditions: The trigger activates if all the available conditions apply (see below).
• Failure on retrieval or analysis: The trigger activates if Orchestria APM cannot access the attachment (for example, because the Exchange Server is unavailable), or cannot extract the text from the attached document for analysis.
• Failure on retrieval only: The trigger activates only if Orchestria APM cannot access the attachment.
• Document is protected/encrypted: The trigger activates only if the attachment is protected or encrypted.
Note: Similar settings are available for Attachment control triggers and File Upload capture and control triggers.


E-mail attachments are not captured


In certain circumstances, Orchestria APM cannot capture an e-mail attachment in Microsoft Outlook. If this happens, Orchestria APM records details about the failed capture in the Errors display tab; see the Data Management Console guide; search the index for Errors tab. This problem can arise when:

Access denied to Outlook plug-ins: In exceptional circumstances, idiosyncratic interactions between Outlook and the Messaging API combine to deny full message access to third-party plug-ins such as the Orchestria APM Outlook Integration feature. In these circumstances, Outlook users may still be able to manually capture the e-mail attachment by clicking the Capture button in the toolbar of the message window. (Manual e-mail captures are only available to Microsoft Outlook users. They are not available in other e-mail applications.)

Attachment is a non-directional embedded message object: In Microsoft Outlook, users can send various items to colleagues as e-mail attachments, including messages and draft messages, meeting requests, tasks, contacts and calendar events. These items are actually embedded message objects. Some, such as messages and meeting requests, are directional (that is, the object itself is explicitly addressed to specific users); others, such as tasks and calendar events, are non-directional. The Orchestria APM Outlook client agent is designed to capture e-mail activity. Therefore, it only captures directional embedded objects, such as messages, draft messages and meeting requests; by design, it does not capture non-directional objects. For example, the Outlook client agent is not designed to capture all the data needed to reconstitute and display an Outlook calendar event in the Data Management console. However, all e-mails containing embedded message objects are represented in the Search Results screen of the Data Management console by e-mail with attachment icons. This includes e-mails with non-directional embedded items because it would be misleading to imply that such e-mails did not contain an attachment:

[Figure: E-mail with attachment icons.]

Note: Draft messages, even though they have no recipients, are classed as directional items by Orchestria APM.


Importing e-mails
If required, you can import existing e-mails from an external source, for example, an e-mail archive or Microsoft Exchange mailbox, into your CMS using the Event Import utility.
• Event Import utility: Event Import automatically associates imported events with their correct 'owners'. If required, it can even create new users to 'own' imported events. You can then search for these e-mails as normal in the Data Management console. For full details about Event Import, see the Deployment guide; search the index for Event Import utility.
• Integration with e-mail archives: For full details about the archive integration and event import process, see the Deployment guide; search the index for e-mail archive integration.
Note: For the current release, Orchestria APM only provides integration support for Educom Exchange Archive Server (EAS).

E-mail address matching
Many e-mail triggers in the user policy allow you to define lists of included or excluded e-mail addresses. When you define these lists, be aware of the different e-mail address formats. For example, if your organization uses Microsoft Outlook, you can define lists of EX addresses to capture e-mails sent internally. See page 109 for full details.

E-mails in Public Folders excluded from policy
The Orchestria APM Outlook client agent does not handle e-mails saved in Public Folders. This prevents triggers from activating unnecessarily to capture or block attempts to read e-mails in Public Folders.

Viruses and captured e-mails
Warning: If your virus scanners fail to prevent a virus attack, infected e-mails may be captured and saved in your Orchestria APM database.

If your organization suffers a virus attack, there is a risk that infected e-mails or attachments may be captured and saved in your Orchestria APM database. If this happens, you must delete any infected e-mails or attachments from all affected Orchestria APM databases (on the CMS plus any gateways or client machines that may also be at risk) as part of your cleanup operations after the attack.

E-mail issues

Captured e-mails and viruses
If your organization suffers a virus attack, your cleanup operations after the attack must target any infected e-mails that were captured and saved in your Orchestria APM database. See page 328 for details.

Exempting e-mails from capture
Because there will always be exceptional e-mails that need unique handling, Orchestria APM provides trigger settings that allow you to exempt particular events from the normal trigger coverage or, conversely, refine the trigger to focus only on particular events. For e-mails, these settings fall into these categories: unreadable attachments; encryption; and digital signatures. For details, see page 212.

Alleviate delays when sending e-mails to many recipients or large distribution lists
By default, Orchestria APM extracts full details for each recipient from the e-mail server when capturing outgoing e-mails. But if an e-mail is sent to many recipients, or to a very large or heavily nested distribution list, delays can occur while these details are retrieved from the e-mail server. To alleviate these delays, you can limit the volume and type of information that is retrieved. See page 329.


Importing IM conversations
Orchestria APM uses two utilities to extract archived IM conversations and import them into a CMS, as it cannot capture these conversations directly. The IM Import utility, IMFrontEnd.exe, is a standalone utility that extracts IM conversations from log or dump files. It then saves the extracted IM conversations to CNV files, which can be accessed by the Event Import utility. IM Import is dependent on various parameters to configure the extraction and conversion process. Event Import then uses its own parameters to determine how the individual CNV files are segmented into chapters and how to identify those participants who are internal to your organization. For more details about IM Import or Event Import, see the Deployment guide; search the index for IM Import and Event Import, parameters respectively.
Note: Currently, IM Import can extract data from the following archive file formats: Instant Bloomberg, IB Inet, IB Bloomberg, IB Unified, MindAlign and FaceTime.

Capturing application usage


Orchestria APM can capture usage details for specified applications. These show the number of key presses and mouse clicks that a user makes while using a targeted application over a specific period. Orchestria APM also records the window title, the time of capture, the active time (how long the application was in active use), and the user running the application. You can view these details when searching for captured application events in the Data Management console (see the Data Management Console guide for details; search the index for captured data, Data Management console).

Capture triggers
To capture application usage details, you must configure the Application Monitor capture triggers in the user policy. These triggers activate when Orchestria APM detects that a user is running a particular application. These triggers are based on two criteria, both of which must be confirmed for the trigger to activate:
• Window title: You can restrict the triggers so they only activate when the window in which the application is running has a specific title. A trigger setting lets you specify a list of window titles that activate the trigger. For example, if you specify Netscape then window titles such as 'Unipraxis Netscape' will activate the trigger. You can also use this feature to modify the trigger so it only activates when the window title indicates a specific document or screen has been opened, for example, Hotmail - Compose.
• Application: You can define applications by the executable name and path (for example, msimn.exe) or by the executable properties. Specifically, when checking executable properties Orchestria APM looks for specified text in these Version Information fields: Company, Internal Name, Original File Name and Product Name. This lets you identify applications by their familiar product name rather than their less familiar executable name (for example, Netscape rather than netscp.exe).

When a trigger activates, it invokes a capture action. This action determines whether to record key presses, mouse clicks, or both. It also determines the event timeout (see page 206).


Application events
As soon as a capture action is invoked, Orchestria APM starts counting the key presses and mouse clicks. It records these metrics in an application event. These events are generated automatically when:
• The user closes an application, or
• The user switches to another application, or
• The event timeout expires (see below).

Timeouts for application events
The event timeout determines how often events are closed if an application is continuously active. For the duration of this timeout, all key presses and mouse clicks are added to the current event. After the timeout expires, the current event is closed and any new key presses and mouse clicks are added to a new event. For example, if the timeout is 15 minutes and the specified window is constantly in use for one hour, then four events are created during this period. Of course, if a user closes the application or switches to another window before the timeout expires, Orchestria APM automatically closes the current event.
Note: See also Zero activity events on page 206.

[Figure: Timeouts and No Activity events. A timeline from minute 0 to minute 82 marks the 15-minute timeouts (15, 30, 45 and 60 minutes), a key press at minute 67 and the close of the last event at minute 82. A tick or cross for each period shows whether key presses or mouse clicks were detected (tick = Yes, cross = No), and application events 1 to 4 are shown below the timeline.]
1, 2 All key presses or mouse clicks detected during the first two timeout periods are added to events 1 and 2. But these are followed by two periods when no activity is detected.
3 Eventually, a key press in the 67th minute causes Orchestria APM to create a single zero activity event, event 3. This covers the entire period of inactivity between the 30th and 67th minutes.
4 The 15 minute timeout sequence resumes immediately. Any further key presses or mouse clicks are added to event 4. This event is closed after 82 minutes (that is, 67+15 minutes).

Zero activity events
If a window remains open and active but no key presses or mouse clicks are detected, Orchestria APM extends the timeout until the next key press or mouse click. At this point, the 'zero activity' event is closed, and the key press or mouse click is added to a new event. This ensures that long periods of inactivity (for example, if an application is left running unattended overnight) are captured as single extended events instead of numerous short events.

Turning off application monitoring
To turn off application monitoring, you simply change the relevant policy settings in the Application Monitor folder. You can disable the relevant capture triggers, or you can turn off the Count Key Presses? or Count Mouse Clicks? settings in the capture action (set them to False).

Exceptions
But under certain conditions, monitoring continues for targeted applications until:
• The application is changed, or
• The window title changes. For example, this may happen if the user opens a new document.
This is because, if you edit a policy to disable a capture trigger or change a capture action setting to False, the updated policy only applies to new sequences of captured application events. To ensure database integrity, Orchestria APM is unable to apply these policy changes to sequences that it is already capturing.
Note: Closing an application or a change of window title will automatically close a sequence of captured application events.
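The timeout and zero activity rules described above, as an added example that is not code from the manual or from Orchestria APM: it segments a stream of detected key presses and mouse clicks into application events and reproduces the diagram's four events. It assumes activity timestamps in whole minutes counted from the moment the window became active, the 15-minute timeout from the manual's example, and that the caller supplies the minute at which the user closed the application or switched window.

```python
from dataclasses import dataclass
from typing import Iterable, List

# The event timeout set in the capture action; 15 minutes as in the manual's example.
TIMEOUT_MINUTES = 15


@dataclass
class AppEvent:
    start: int     # minute (since the window became active) at which the event opened
    end: int       # minute at which the event was closed
    activity: int  # key presses plus mouse clicks recorded in the event

    @property
    def zero_activity(self) -> bool:
        # An event that covers an idle period is a 'zero activity' event.
        return self.activity == 0


def segment_events(activity_minutes: Iterable[int], window_closed_at: int,
                   timeout: int = TIMEOUT_MINUTES) -> List[AppEvent]:
    """Group detected key presses and mouse clicks into application events.

    activity_minutes: minutes at which a key press or mouse click was detected,
    measured from the moment the targeted window became active (minute 0);
    all values are assumed to lie before window_closed_at.
    window_closed_at: minute at which the user closed the application or
    switched to another window, which closes whatever event is open.
    """
    events: List[AppEvent] = []
    start, deadline, count = 0, timeout, 0
    for t in sorted(activity_minutes):
        if t > deadline and count > 0:
            # The timeout expired while activity was being recorded: close the
            # event at the deadline and start the next timeout period.
            events.append(AppEvent(start, deadline, count))
            start, deadline, count = deadline, deadline + timeout, 0
        if t > deadline:
            # Nothing was detected during the whole timeout period, so the
            # timeout was extended until this key press: one zero activity event
            # covers the entire idle gap, and this key press opens a new event.
            events.append(AppEvent(start, t, 0))
            start, deadline = t, t + timeout
        count += 1
    # The window was closed or switched. Any timeout periods that expired before
    # the close are closed at their deadline first, then the remainder is closed
    # at the moment of the close (as a zero activity event if nothing was detected).
    while window_closed_at > deadline and count > 0:
        events.append(AppEvent(start, deadline, count))
        start, deadline, count = deadline, deadline + timeout, 0
    if count > 0 or window_closed_at > start:
        events.append(AppEvent(start, window_closed_at, count))
    return events


# Constructed activity matching the manual's diagram: activity in the first two
# 15-minute periods, nothing between minute 30 and minute 67, then activity until
# the event timeout closes the last event at minute 82 (67 + 15).
DIAGRAM_ACTIVITY = [3, 7, 12, 18, 25, 67, 70, 75]


def diagram_example() -> List[AppEvent]:
    return segment_events(DIAGRAM_ACTIVITY, window_closed_at=82)


if __name__ == "__main__":
    for n, ev in enumerate(diagram_example(), start=1):
        kind = "zero activity" if ev.zero_activity else f"{ev.activity} actions"
        print(f"event {n}: minutes {ev.start}-{ev.end} ({kind})")
```

The same function also covers the manual's other two cases: an hour of constant use yields four events, and a window left unattended overnight yields one short event followed by a single long zero activity event.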


Capturing files
Using Data In Motion and Data At Rest file triggers and Orchestria APM file agents, you can capture files that users are trying to print, save to a USB device, or upload to or download from a Web site. You can also capture file attachments in Webmails or IM conversations and files scanned by the File Scanning Agent (FSA).

File triggers
Orchestria APM supports two types of file trigger:

Data In Motion triggers
Data In Motion triggers can capture files being printed or copied to a USB device. They can also capture files entering or leaving the corporate network. These triggers are used by the Client Print System Agent, Client File System Agent, and the Network Boundary Agent; see the next section.
Note: Data In Motion capture triggers and actions are summarized on page 131 and page 132.

Data At Rest triggers
Data At Rest triggers are used to capture items scanned by the File Scanning Agent (see the next section) or files imported onto the CMS.
Note: Data At Rest control triggers and actions are summarized on page 130 and page 132.

File sources
Orchestria APM provides various file agents and ingestion mechanisms to capture files. To specify which file sources Orchestria APM will monitor, you configure the Which File Sources? setting in each file trigger:

Data In Motion triggers
For these triggers, the Which File Sources? setting lists the following sources:
• Client File System Agent (CFSA): Also known as policy on save or PoS, this agent enables you to capture files being copied to USB devices.
• Client Print System Agent (CPSA): This agent enables you to capture files being printed.
• Network Boundary Agent (NBA): The NBA analyzes individual data packets crossing the boundary between your organization and the Internet. It can reassemble these packets into e-mails and files.

Data At Rest triggers
For these triggers, the Which File Sources? setting lists the following sources:
• File Scanning Agent (FSA): The FSA can scan, analyze and apply policy to files saved in designated folders, items in Microsoft Exchange Public Folders, and items hosted on SharePoint sites.
• File Importer: This option enables policy engines to capture files imported onto the CMS as part of an Import Policy job.
• External Agent API for File: This option enables policy engines to capture files received from the External Agent API, allowing integration with third party archives.

For further details, see the corresponding section on file sources for control triggers on page 246 in chapter 10 Controlling user activity.

What file information is captured?
The Capture File Details? setting in each file capture action determines what information is captured. You can choose to capture:
• File attributes only: Orchestria APM captures various file attributes but not the file itself, such as: the file name and path; the host machine; the created and last modified dates; the document title and author (if available); plus other details in XML format. Please contact the Orchestria service desk for details; see page 24.
• Attributes and file data: Orchestria APM captures the attributes described above plus the file itself.
• None: You can optionally set up the capture action to not capture any file details. You may choose this option if you only want to capture trigger details, say, for testing purposes.


When are files captured?

Orchestria APM can capture files in the following circumstances:

- Files copied to USB devices: When a user tries to copy a file to a removable USB device, the CFSA applies machine policy to determine whether the copy action is permitted. You can also optionally channel users into using Windows Explorer or a DOS command to copy their files (by blocking copy operations from other applications); the CFSA can then apply Data In Motion capture triggers to capture the file being copied. For details, see the corresponding section on Data In Motion control triggers on page 248 in chapter 10 Controlling user activity.
- Printed files: When a user tries to print a file, the CPSA can apply Data In Motion capture triggers to monitor or exempt specific printers and to capture the documents being printed. For details, see the corresponding section on Data In Motion control triggers on page 247 in chapter 10 Controlling user activity.
- Scanned files: Using Data At Rest capture triggers, the FSA can scan, analyze and capture files saved in local and remote file systems, and files stored in Microsoft Exchange Public Folders. For further details, see the corresponding section on Data At Rest control triggers on page 249 in chapter 10 Controlling user activity.
- Files entering or leaving your corporate network: The NBA can detect and capture files entering or leaving your corporate network. These include FTP file transfers, files sent as attachments to Webmails or IM conversations, and files uploaded to or downloaded from Web sites. For further details, see the corresponding section on Data In Motion control triggers on page 250 in chapter 10 Controlling user activity.

For further details, see the corresponding section on file control triggers on page 245 in chapter 10 Controlling user activity.

What do file triggers look for?

Data In Motion and Data At Rest triggers activate when they detect files, or print or copy operations, that match the specified trigger criteria.

- Printers and USB devices: Data In Motion triggers can activate if the user tries to use a specific printer or USB device.
- File properties or text content: All file triggers can detect specific file formats (such as Microsoft Word documents). They can also analyze a file's text content and even analyze nested files contained within a zip file or embedded in a master file.
- File lists: All file triggers can detect specific file names (defined in the Top Level File Lists), or names of nested files contained within a zip file or embedded in a master file (defined in the Individual/Embedded File Lists).

Chapter 9 Capturing data


How are captured files associated with Orchestria APM users?

The methods used to determine which user policy gets applied to file events, and which users are associated with these events, depend on how the file events were captured. Briefly:

- For documents captured by the CPSA or CFSA, Orchestria APM applies the policy of the user currently logged on to the client machine.
- For files captured by the NBA, Orchestria APM applies the default user policy.
- For imported files or files scanned by the FSA, the job definitions typically specify which user policy gets applied.

For further information, see the corresponding section on page 247 in chapter 10 Controlling user activity.

Defining the file archive list

You can specify which file types Orchestria APM will recognize as archive files. To do this:

1 In the Administration console, expand the User Administration branch.
2 Select the user whose policy you want to edit and click the Edit Policy button, or right-click and choose Edit Policy.
3 In the User Policy Editor, browse to the \System Settings\Definitions folder.
4 Specify the list of file extensions in the Archive File Extensions setting as required. For example, *.zip, *.pst, *.gz.


Capture trigger exemptions and refinements

Because there will always be exceptional Web, file and e-mail activity that requires special handling, Orchestria APM provides trigger settings to accommodate these exceptions. These allow you to exempt particular events from the normal trigger coverage or, conversely, refine the trigger to focus only on particular events. These settings fall into the following categories:

- Data Lookup
- Disabling e-mail and browser integration
- Unreadable uploaded or imported files, or e-mail attachments
- Encrypted e-mails
- E-mails with digital signatures

Data Lookup

Data Lookup settings provide highly flexible extensions to e-mail capture and control triggers. These settings enable control triggers to selectively detect or exempt e-mails based on: the attributes of an Orchestria APM recipient or sender; the Outlook Address Book properties of the recipients or the sender; or the potential impact on network traffic. For maximum flexibility, Data Lookup settings take the form of user-defined commands. For full details about the required command syntax, plus extensive examples, see chapter 11, Data lookup.

Disabling e-mail, file and browser integration

For each user or group, you can disable Orchestria APM integration with specific e-mail applications or import sources. You can do this for the whole policy or for individual triggers.

Note: You can also disable browser integration when you install Orchestria APM, or you can specify that e-mail, file, or browser integration is disabled automatically if the Orchestria APM infrastructure fails to start. For details, see page 76.

Disabling integration completely

If you completely disable integration with a specific application or import source, Orchestria APM does not monitor that application or import source and the associated capture and control triggers will never activate. For example, you may want to fully disable Outlook integration for a group of users because their e-mails will be captured by the Exchange server agent. This means that Orchestria APM does not monitor Outlook inboxes or outboxes for members of that group. To do this:

1 Open the User Policy Editor and locate the System Settings folder.
2 In the Enable Application Integration? setting, clear the check boxes of the sources you want to disable.

Disabling integration for specific e-mail triggers

You can also disable integration with a specific e-mail application or import source for a particular capture trigger. In effect, Orchestria APM disables that trigger when it detects e-mails sent or opened using the specified application or imported from the specified source. To disable integration for a specific e-mail trigger:

1 Open the User Policy Editor and locate the e-mail capture trigger that you want to change.
2 Edit the Which E-mail Sources? setting and choose which sources to target, for example, Microsoft Outlook.

Example: You may want to set up triggers to capture all e-mails imported from archive files (as part of an Import Policy job) but only capture unauthorized e-mails transiting through your Exchange server. This would require you to set up two complementary capture triggers:

1 Specify the import trigger: Set up a trigger to capture all e-mails imported from, say, PST files.
  1.1 In the User Policy Editor, locate the e-mail capture trigger that you want to use, for example, Recipient 1.
  1.2 Edit the Which E-mail Sources? setting and select only the Archive File Importers option.
  1.3 Set up other trigger settings to ensure that all imported e-mails are captured.
2 Specify the Exchange trigger: Set up a second trigger to only capture unauthorized e-mails transiting through your Exchange server.
  2.1 In the User Policy Editor, locate the e-mail capture trigger that you want to change, for example, Recipient 2.
  2.2 Edit the Which E-mail Sources? setting and select only the Microsoft Exchange Server (Mailbox) option.
  2.3 Set any other trigger settings as required. For example, configure the trigger to only activate when it detects e-mails sent to members of the Research department.
3 Save the policy. The same policy now captures all e-mails imported from archive files, but only captures unauthorized e-mails passing through your Exchange server.

Re-enabling integration

To re-enable integration with a specific application or import source that has previously been disabled:

1 Open the User Policy Editor and locate the System Settings folder.
2 In the Enable Application Integration? setting, select the check boxes of the sources you want to enable.

Note: You can also exempt specific e-mail sources from control triggers; see page 260.

Prevent trigger details being captured

You can configure individual capture actions to prevent details about the capture trigger being recorded. That is, the event is still captured, but when viewed in the Data Management console Summary tab there are no details about the trigger(s) that activated when the event was captured. For example, in an Import Policy job, you can disable capture trigger details to prevent the CMS database filling up with excessive detail for each event.

Disable capture trigger details

1 Open the User Policy Editor and locate the capture action you want.
2 Set the Capture Triggers? setting to False.


Unreadable uploaded files or e-mail attachments

You can configure the File Upload, Data At Rest, or Attachment capture triggers so that they always activate if Orchestria APM detects an unreadable file. This can be an imported file, one being uploaded to a Web site, or an unreadable e-mail attachment. Such files are typically unreadable because they have been encrypted or password-protected. For example, you can set up the Attachments trigger to always capture encrypted e-mail attachments.

Set up trigger activation if a file is unreadable

1 Open the User Policy Editor and locate the File Upload, Data At Rest, or Attachment capture trigger.
2 Display the trigger settings.
3 Set the Activate Trigger if Text Content Unreadable? setting to True.
4 To configure the trigger more precisely, you can also set the Conditions for Unreadable Text Content setting. This setting is ignored if the Activate Trigger if Text Content Unreadable? setting is set to False. If this is set to:
  - All conditions: The trigger activates if all the available conditions apply; see below.
  - Failure on retrieval or analysis: The trigger activates if Orchestria APM cannot access the attachment (for example, because the Exchange Server is unavailable), or cannot extract the text from the attached document for analysis.
  - Failure on retrieval only: The trigger activates only if Orchestria APM cannot access the attachment.
  - Document is protected/encrypted: The trigger activates only if the attachment is protected or encrypted.

Note: Similar settings are available for transaction triggers.

Encrypted e-mails

If required, you can always capture unencrypted e-mails, but exempt e-mails that are encrypted. Alternatively, you can set the trigger to always capture encrypted e-mails but exempt non-encrypted e-mails! Encryption exemptions are available for all incoming and outgoing e-mail capture triggers.

Set up encryption exemptions

1 Open the User Policy Editor and locate the e-mail capture trigger that you want to change.
2 Edit the Encryption Filter setting and choose whether to target encrypted e-mails only or non-encrypted e-mails.

Note: You can also exempt encrypted e-mails from control triggers and transaction triggers.

Digital signatures

If required, you can always capture e-mails if they do not have a digital signature, but exempt e-mails if they are digitally signed. Alternatively, you can set the trigger to always capture signed e-mails but exempt unsigned e-mails! Digital signature exemptions are available for all incoming and outgoing e-mail capture triggers.

Set up digital signature exemptions

1 Open the User Policy Editor and locate the e-mail capture trigger that you want to change.
2 Display the trigger settings.
3 Edit the Digital Signature Filter setting and choose whether to target signed e-mails only or unsigned e-mails.

Note: You can also exempt digitally signed e-mails from control triggers and transaction triggers.


Selective trigger-based purging

Each Capture trigger has its own Minimum Retention setting. This retention period determines how long captured events are retained in the local database before they are eligible for purging. For example, you may want to retain events captured by an Application Monitor trigger for one day only, but permanently retain events captured by a Transaction trigger. For details on setting up trigger-based purging, see page 82.

Minimum retention periods defined in a Capture trigger override the default retention period for the local machine (defined in the machine policy; see page 81). For example, if the machine policy specifies a seven day retention period but an Application Monitor trigger specifies a one day retention period, captured application events are retained in the local database for one day only before being earmarked for inclusion in the next database purge.

Note: In the Data Management console, users with appropriate administrative privileges can:

- Search for captured events whose retention period expires on a particular date (the Expiry Date search filter). See the Data Management console online help; search the index for expiry date.
- Override the expiry date of the retention period in the Audit tab. See page 303.


10. Controlling user activity

This chapter shows how to control users' Web, file, e-mail, Data At Rest, and application activity across your organization. You implement this through Control settings in the user policy. These provide enormous flexibility to restrict or guide users' behavior. For example, you can warn users against sending e-mails that fail to comply with corporate guidelines, remove inappropriate files, or prevent users from uploading files to a Web site or using an unauthorized application. You can also notify users if, say, an e-mail requires their attention. You can even forward intercepted e-mails to other accounts and redirect users from a blocked Web page to an alternative URL.

Planning a control strategy

Orchestria APM lets you set up multiple strategies for controlling users' behavior. To do this, you configure the control triggers and control actions in the user policy. For example, with a few simple policy changes you can quickly roll out the following control strategies:

- Openly restrictive: If you prefer to openly restrict user activity, you can block inappropriate e-mails, Web pages or data submissions and display an explanatory message to users.
- Discreetly restrictive: If discretion is essential, you can quietly block inappropriate e-mails, Web pages or data submissions, or delete and replace files without alerting users to the presence of Orchestria APM.
- Discretionary: If you trust users to respect your organization's guidelines on Web and e-mail usage, you can warn them that their Web or e-mail activity is inappropriate while allowing them to decide whether to continue or quit.
- Advisory: If you just want to inform users that a Web page, data submission or e-mail has been identified as potentially significant, you can display a notification dialog.
- Discreetly attentive: If you just want to monitor Web, file or e-mail activity, you can set up control actions that do not generate blockings or warnings, or remove or replace files, but which can still capture items of interest without alerting users to the presence of Orchestria APM.

Note: Data At Rest triggers are always silent.

You can implement any combination of strategies. First, you define control triggers to trap any Web, file, or e-mail behavior that contravenes your organization's rules. Then you configure the control actions to handle this behavior in the manner you require. This procedure is summarized in the following section.


Control procedure

When a control trigger is activated, for example because an unauthorized e-mail is detected, Orchestria APM implements a chain of policy settings to control and (typically) capture this behavior. The diagram below summarizes key steps in the control procedure, with special emphasis on the role of the Intervention setting and how it determines the type of control event:

Note: If using an Exchange server agent, see page 220.

1 Orchestria APM detects a trigger condition, for example, an e-mail lacking an official disclaimer. A trigger setting invokes a control action.
2 The control action defines how to handle the targeted Web or e-mail activity. It can also invoke separate capture actions for prohibited (3) and authorized (4) user activity.
5 Capture actions define what information is captured.
6 The Intervention setting in the control action determines whether to block or warn the user, or simply inform them. You can even set up silent monitoring. Warning dialogs (7) and some Inform dialogs (8) allow users to judge for themselves whether to continue or quit.
9 The final outcome is a control event, such as a blocking, warning or silent event.
10 Control events fall into two categories. The category determines which capture actions are applicable.

(Diagram: Control trigger, then Control action, then Intervention setting with the options Block, Warning, Inform, Notify and None. For a Warning dialog the user clicks Cancel or Continue; for an Inform dialog the user clicks Cancel or OK. The resulting control event is a Blocking, Heeded Warning, Disregarded Warning, Inform event or Silent event, which falls into either the Prohibited activity or the Authorized activity category; the category selects the applicable capture actions, shown as Action 1, Action 2 and Action 3.)


Control events

Each control action generates a control event. Control event types fall into two categories: those for Web, e-mail, or application events and those for file events.

Web, e-mail and application events

There are seven possible event types in this category: a blocking, quarantine event, heeded warning, disregarded warning, inform event, notify event or silent event. These are summarized below.

Note: If using an Exchange or Domino server agent, see page 220.

Blockings
These represent the severest form of intervention and refer to occasions when Orchestria APM blocks a user's e-mail or Web activity, or prevents an application starting up. When you configure a blocking, you can choose whether or not to display an advisory dialog notifying the user about the blocking. The message in the optional advisory dialog is fully configurable in the user policy.

Quarantine events
These apply only to outgoing e-mails. They occur when a quarantine control action is triggered. Orchestria APM does not send the e-mail, but transfers it to a quarantine list for urgent review. You can choose whether or not to notify the user that their e-mail has been quarantined. The notification message is fully configurable in the user policy.

Heeded warnings
These refer to occasions when a user is shown a warning dialog and consequently clicks Cancel. That is, the user accepts the warning and quits trying to: open or send the e-mail; browse the Web page; upload the file; submit the data to a Web site; or start up the application. The message in the warning is fully configurable in the user policy.

Disregarded warnings
These refer to occasions when a user is shown a warning dialog and consequently clicks Continue. That is, the user acknowledges the warning but, despite being explicitly warned against doing so, proceeds to: open or send the e-mail anyway; browse the Web page; submit the data to a Web site; or start up the application. The message in the warning dialog is fully configurable in the user policy.

Inform events
These occur when Orchestria APM detects user activity that is potentially significant and displays an advisory dialog (fully configurable in the user policy). This is useful if, say, you want to alert a user to corporate guidelines on browsing the Internet, or you want to remind a user to include some additional information in the e-mail they are about to send.

Notify events
These apply only to incoming e-mails. They are triggered when Orchestria APM detects an e-mail of interest arriving in a user's Inbox. Notify events use the same advisory dialog as Inform events, which is fully configurable in the user policy.

Silent events
When a silent event is triggered, Orchestria APM discreetly records a user's e-mail or Web activity, or their use of a particular application. It does not block the user or display an advisory dialog, leaving the user unaware that their activity has been recorded. Silent events are useful if you want to gauge the severity or frequency of a situation (such as disclaimers being omitted from e-mails) before taking further action.

File events
All file events are silent. That is, the user is completely unaware of any action as it occurs. The only control action that a user can become aware of is if they try to access a file that has been deleted.


Control event icons in the console

Web, application and e-mail events

When browsing captured data in the console, icons indicate blockings and warnings. Inform and Silent events are shown as normal Web or e-mail captures. Note that captured data for Web control events can include file uploads and data submissions to a Web site. For e-mail control events, captured data can include attachments.

Icons are shown for the following control events (the icons themselves are not reproduced here):

- Blocking (separate icons for E-mail, Web and Application)
- Heeded warning
- Disregarded warning
- Inform event or Notify event

Data At Rest file events

When browsing file events in the console, icons indicate files that were moved, copied, or deleted, including files that were replaced by stub files:

- Moved
- Deleted
- Deleted and replaced
- Copied
- Copied and replaced

Note: All of these file events are silent. Orchestria APM does not notify users when deleting, moving or copying files.


What determines the event type?

The event type is determined by the Intervention setting; see page 220. Each option for this setting corresponds to a specific type of control event. For the Warning and Inform Intervention options, the type of control event is determined by which button the user clicks in the advisory dialog (this does not apply to the Block or Notify options).

Control event          Intervention option                                The user clicks
Blocking               Block Quietly, or Block With Notification         (no dialog choice)
Heeded warning         Warn, or Warn, user may designate as personal     Cancel
Disregarded warning    Warn, or Warn, user may designate as personal     Continue, or Personal
Inform                 Inform                                            OK
Notify                 Notify                                            (no dialog choice)
Silent                 None                                              (no dialog choice)

Note: All file events are silent. They are not determined by any user interaction.

Authorized and prohibited activity

Note that some settings in the user policy only apply to certain types of control event. Specifically, Orchestria APM uses these terms to group similar control events:

- Authorized activity: Disregarded warnings, Inform events, Notify events and Silent events.
- Prohibited activity: Blockings and Heeded Warnings.


Intervention setting

The Intervention setting is the pivotal determinant in the control procedure. In the user policy, each control action, whether for Web pages, e-mails, files, or application monitoring, contains a version of this setting. In turn, this setting determines the type of control event (see page 217).

An Intervention setting is contained within each control action. Specifically, the intervention option you choose determines whether to block, warn or inform the user, or delete or replace a file. You can also configure this setting to quarantine e-mails, categorize events, remove or replace files detected by Data At Rest triggers, or silently monitor user activity. The available intervention options for each type of control action are summarized below.

Available intervention options

The available Intervention options are listed below, with the page on which each option is described:

Incoming e-mails                               Page
  Block quietly                                223
  Block with notification                      222
  Categorize - single category only            224
  Categorize - multiple categories allowed     225
  Inform                                       225
  No further actions                           226
  None                                         227
  Notify                                       227
  Warn                                         230
  Warn, user may designate as personal         231

Outgoing e-mails                               Page
  Block with notification                      222
  Categorize - single category only            224
  Categorize - multiple categories allowed     225
  Inform                                       225
  No further actions                           226
  None                                         227
  Quarantine quietly                           228
  Quarantine with notification                 228
  Warn                                         230
  Warn, user may designate as personal         231

Web pages                                      Page
  Block quietly                                223
  Block with notification                      222
  Inform                                       225
  No further actions                           226
  None                                         227
  Warn                                         230
  Warn, user may designate as personal         231

Application Monitor                            Page
  Block with notification                      222
  Inform                                       225
  No further actions                           226
  None                                         227
  Warn                                         230

Data At Rest                                   Page
  Categorize                                   224
  Delete silently                              225
  DoD overwrite and delete silently            225
  DoD overwrite and replace silently           229
  No further actions                           226
  None                                         227
  Replace silently                             229

Data In Motion                                 Page
  Block                                        223
  Categorize                                   224
  Inform (not available for NBA)               225
  No further actions                           226
  None                                         227
  Warn (not available for NBA)                 230

Intervention options and e-mail server agents

When used in conjunction with the Exchange or Domino server agent, the Block, Warn and Inform options generate a non-interactive notification e-mail instead of an advisory dialog. For details, see page 264.


Option: Block With Notification

Available for: Incoming e-mails, outgoing e-mails, Web pages, Application Monitor
Not available for: Data At Rest, Data In Motion. However, note that the Block option for files detected by Data In Motion triggers does support notifications; see page 223.

Choose Block with Notification to display the Blocking dialog whenever a Web page, data submission, or e-mail is blocked. You can specify customized notification messages for each control trigger; see page 251 for further details.

- Web pages: The Block with Notification option is tied to the Redirect setting. This means that users trying to browse an unauthorized Web site are automatically sent to an alternative URL such as a page on your intranet when they click Go in their browser.
  Note: Redirection only occurs when a Web page is blocked. You cannot redirect users if the control action was triggered by an unauthorized data submission or file upload.
- Applications: For blocked applications, the application fails to start up. The mouse pointer temporarily changes to 'busy' then reverts to 'normal'.
- E-mails: For intended recipients, you could combine this option with a Forward Incoming E-mail setting to effectively redirect the e-mail; see page 252. You can use the notification message in the blocking dialog to explain what action has been taken. For incoming e-mails, you can send an automatic reply to the sender and either delete the e-mail from the user's Inbox or leave it in the Inbox but with its body text replaced by a standard notification message.
  Note: If using an e-mail server agent, see page 264.

Blocking dialog: The dialog message is configurable. Each control trigger allows you to supply a customized message for your users.


Option: Block Quietly

Available for: Incoming e-mails, Web pages
Not available for: Outgoing e-mails, Application Monitor, Data At Rest, Data In Motion. However, note that the Block option for files detected by Data In Motion triggers does support silent blockings; see the next section.

Choose Block Quietly to discreetly block Web pages, file uploads, data submissions to a Web page, incoming e-mails, or attempts to start up an application. From a user's viewpoint, the effects are as follows:

- E-mails: For intended recipients, their awareness of the blocking depends on the Delete or Replace setting. If this deletes blocked e-mails from their Inbox, the user will normally be unaware that their e-mail has been blocked (in rare cases, the blocked e-mail may briefly appear then disappear in the Inbox). Conversely, you can configure the setting to allow blocked e-mails to arrive in the recipient's Inbox, but with their body text replaced by a standard notification message.
- Web pages: The Block Quietly option is tied to the Redirect setting. This means that users trying to browse an unauthorized Web site are automatically sent to an alternative URL such as a page on your intranet when they click Go in their browser. For users trying to submit data to a Web page such as a credit card number, the Submit button (or its equivalent) will appear broken.
- Applications: For blocked applications, the application fails to start up. The mouse pointer temporarily changes to 'busy' then reverts to 'normal'.

In all cases, you can capture the associated event. You can also forward e-mails to another address, send automatic replies to incoming e-mails, and redirect Web users to alternate URLs.

Option: Block - files

Available for: Data In Motion
Not available for: Incoming e-mails, Outgoing e-mails, Web pages, Application Monitor, Data At Rest. However, note that silent blockings and blockings with notification are also available for e-mails and Web pages (see page 222 and the previous section respectively).

Choose Block to block a file or document detected by a Data In Motion control trigger. The blocking is either silent, or the user is shown a notification dialog, depending on which agent detected the file:

- CFSA and CPSA: For files detected by the Client Print System Agent or Client File System Agent, Orchestria APM displays the Blocking dialog. For example, the Blocking dialog is shown if a user tries to print an unauthorized file or copy it to a USB device (removable drive). You can use the dialog's notification message to explain to the user why this action was taken.
- NBA: For files detected by the Network Boundary Agent, the blocking is silent. That is, no Blocking dialog is shown.


Option: Categorize - files

Available for: Data At Rest, Data In Motion
Not available for: Web pages, incoming e-mails, outgoing e-mails, Application Monitor. Note that e-mail categorize actions are also available.

Choose Categorize to ensure that file events are automatically categorized. This option can be applied to files captured by Data At Rest and Data In Motion triggers:

- Data At Rest triggers: Use this option to categorize files in a local or remote file system, or in Exchange Public Folders.
- Data In Motion triggers: Use this option to categorize files sent to a printer, copied to a USB device, or detected by the Network Boundary Agent (NBA).

File events are always categorized automatically; the Categorize dialog is never shown. If an imported file causes multiple triggers to fire, Orchestria APM automatically chooses the category with the highest score (see page 156).

Option: Categorize - single category only

Available for: Incoming e-mails, outgoing e-mails
Not available for: Web pages, Application Monitor, Data At Rest, Data In Motion. But note that a categorize option is also available for files detected by Data At Rest and Data In Motion triggers; see the previous section.

Choose Categorize - single category only to ensure that an e-mail is successfully categorized. If the Categorize dialog is shown, the user must choose a single category for their e-mail. Note that this option is not applicable for automatic categorization. E-mail categorization can be either automatic or manual, depending on how the e-mail control triggers are configured and whether the e-mail was detected by a client agent or server agent, or imported in an Import Policy job (see page 156).

Categorize dialog: This dialog is displayed when an Outlook or Notes client agent detects an e-mail that needs to be categorized. The user can select the most suitable category(ies). The dialog shows a configurable explanatory message (1) and the available categories (2).

Chapter 10 Controlling user activity

225

Option: Categorize - multiple categories allowed

Available for: Incoming e-mails, outgoing e-mails
Not available for: Web pages, Application Monitor, Data At Rest, Data In Motion. But note that a categorize option is also available for files detected by Data At Rest and Data In Motion triggers; see page 224.

Choose Categorize - multiple categories allowed to ensure that an e-mail is successfully categorized. If the Categorize dialog is shown, the user is permitted to choose multiple categories from the list. Note that this option is not applicable for automatic categorization. E-mail categorization can be either automatic or manual, depending on how the e-mail control triggers are configured and whether the e-mail was detected by a client agent or server agent, or imported in an Import Policy job (see page 156).

Option: Delete Silently

Available for: Data At Rest
Not available for: Incoming e-mails, outgoing e-mails, Web pages, Application Monitor, Data In Motion.
Note: DoD Overwrite and Delete Silently actions are also supported (see below).

Choose Delete Silently to silently delete files. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System. From a user's viewpoint, they will only become aware that their file no longer exists when they next try to open it. You can still capture the associated file event and copy the file to an alternative location. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).

Option: DoD overwrite and delete silently

Available for: Data At Rest
Not available for: Incoming e-mails, outgoing e-mails, Web pages, Application Monitor, Data In Motion.
Note: For items detected in Exchange Public Folders or Microsoft SharePoint Services, DoD Overwrite and Delete Silently actions are not supported, but Delete Silently actions without DoD deletion are supported (see above).

Choose DoD Overwrite and Delete Silently to silently delete files, using DoD deletion (see below) to ensure that deleted files cannot be recovered. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System. From a user's viewpoint, they will only become aware that their file no longer exists when they next try to open it. You can still capture the associated file event and copy the file to an alternative location. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).

Option: Inform

Available for: Web pages, incoming e-mails, outgoing e-mails, Application Monitor, Data In Motion
Not available for: Data At Rest.
Note: For Data In Motion control actions, Inform actions are not available for files detected by the Network Boundary Agent (NBA).

Choose Inform to display an advisory dialog whenever Orchestria APM detects e-mail, Web, Data In Motion, or application activity that is potentially significant. This option is useful if, say, you want to remind users that their activity is being monitored, you want to notify users when specified e-mails arrive in their Inbox, or you want to display a softer reprimand than that shown in the Warning dialog. You can specify customized notification messages for each control trigger (see page 251).

For Web pages, incoming e-mails, and when specified applications start up, the dialog has a single OK button. Clicking this generates the inform event.
Note: If using an e-mail server agent, see page 264.

For uploaded files, data submissions, and outgoing e-mails, the dialog also has a Cancel button. Clicking this cancels the dialog and allows the user to amend the e-mail or data submission before continuing. No control event is generated.

For Data In Motion file events, the dialog is displayed when a user tries to print a file or copy it to a USB device (removable drive). The dialog has OK and Cancel buttons. Clicking OK allows the print or copy operation to continue and generates a control event. Clicking Cancel stops the print or copy operation, allowing the user to amend their file before continuing; no control event is generated.

Inform dialog
1 The dialog message is configurable. Each control trigger allows you to supply a customized message for your users.
2 Cancel button. Only available for uploaded files, data submissions to a Web page and outgoing e-mails.

Option: No further actions

Available for: Web pages, incoming e-mails, outgoing e-mails, Application Monitor, Data In Motion, Data At Rest (always available)

Choose No further actions to stop any further control actions being applied whenever Orchestria APM detects specific e-mail, Web, file, or application activity. Orchestria APM immediately stops processing the event and no further policy actions are performed (for example, forwarding, or sending a reply). When used as the first control action, the No further actions option is typically used to filter out spam e-mails without using Include and Exclude lists. Orchestria APM can also exempt specific files, applications or Web pages (such as intranet sites) in the same way.


Option: None

Available for: Web pages, incoming e-mails, outgoing e-mails, Application Monitor, Data In Motion, Data At Rest (always available)

Choose None to generate a silent event whenever Orchestria APM detects unauthorized e-mail, Web, file, or application activity. This means that Orchestria APM silently records these events without blocking them, displaying a warning, or deleting or replacing the original file. The user is completely unaware that their activity has triggered a control event.

For example, a humorous but inoffensive e-mail attachment is circulating within your organization and your bandwidth is suffering. Configuring your control actions to generate silent events lets you discreetly trace the source of these e-mails without resorting to blocking users and the attendant risk of offending your workforce. Alternatively, an administrator is concerned about an inappropriate Web site and so decides to silently monitor site visits in order to assess the extent of the problem before officially blocking the site.

In all cases, you can capture the associated event. You can also forward e-mails to another address and send automatic replies to incoming e-mails.

Option: Notify

Available for: Incoming e-mails
Not available for: Outgoing e-mails, Web pages, Application Monitor, Data At Rest, Data In Motion

Choose Notify to display an advisory dialog whenever an e-mail of interest arrives in a user's Inbox. This is the same advisory dialog as used by Inform events, but Notify events have some important differences. In particular, Notify events occur when an e-mail is received; Inform events (see page 225) occur when a user opens or previews the e-mail. The handling of Notify events also varies according to the e-mail system running on the machine receiving the e-mail:

Microsoft Outlook: If Outlook is configured so that e-mails stay in your mailbox on the Exchange server, then any e-mails that arrive while Outlook is not running (for example, overnight) will not trigger a Notify event. If Outlook is configured to migrate e-mails down into your Personal Folders, Outlook must be running for the advisory dialog to appear. This means that if any advisory-triggering e-mails arrive while Outlook is not running (say, overnight or while you are on holiday), you may be greeted by a flurry of notifications when you next start up Microsoft Outlook.

Lotus Notes: If you connect to your mail directly on a Domino server, an incoming e-mail cannot trigger a Notify event. If you have a local mail file, with regular replication between the Domino server and your local database, then a Notify event is triggered when the incoming e-mail is replicated to your local database.


Option: Quarantine with notification

Available for: Outgoing e-mails
Not available for: Incoming e-mails, Web pages, Application Monitor, Data At Rest, Data In Motion

Choose Quarantine with notification to quarantine e-mails that require urgent review and to notify the sender that this has happened and that the e-mail has not been sent to its intended recipients. This option is useful if you want to educate your users on acceptable e-mail usage. The text in the advisory message is fully customizable. After the e-mail has been reviewed, it will either be released from quarantine and sent on to its recipients, or it will be rejected and not sent. In both cases, the e-mail is retained in the CMS database.

Advisory message guidelines

Be aware that different guidelines apply, depending on whether an e-mail is quarantined by an e-mail client agent or an e-mail server agent.

E-mail server agent: When an e-mail is sent and subsequently quarantined, it initially appears to the sender as though their e-mail has been sent as normal. However, they will shortly receive a notification e-mail. The message in the quarantine notification e-mail only needs to inform the sender that their message has been quarantined pending approval by a reviewer.

E-mail client agents: When a user sends an e-mail that is subsequently quarantined, the compose message window stays visible on their screen. Therefore, you must edit the message in the notification dialog so that it:
- Informs the user that their e-mail has been sent, but that it has been quarantined pending approval by a reviewer.
- Instructs the user to close the compose message window and not to resend the e-mail.

Quarantine dialog
1 The dialog message is configurable. You can specify a customized message for each control trigger. But see the guidelines above.

Option: Quarantine quietly

Available for: Outgoing e-mails
Not available for: Incoming e-mails, Web pages, Application Monitor, Data At Rest, Data In Motion

Choose Quarantine quietly to silently quarantine e-mails that require urgent review without notifying the senders. That is, the sender remains unaware that their e-mail has not been sent to its intended recipients. After the e-mail has been reviewed, it will either be released from quarantine and sent on to its recipients, or it will be rejected and not sent. In both cases, the e-mail is retained in the CMS database.


Option: Replace Silently

Available for: Data At Rest
Not available for: Incoming e-mails, outgoing e-mails, Web pages, Application Monitor, Data In Motion
Caution: For items detected in Exchange Public Folders, a Replace Silently action will silently delete each item, but will not replace it with an explanatory stub file. A warning is written to the Activity log.
Note: DoD Overwrite and Replace Silently actions are also supported (see below).

Choose Replace Silently to silently delete files and replace them with an explanatory stub file to alleviate any user concerns. This replacement file contains the message specified in the Message To Users setting in the Data At Rest trigger. For example, you can inform a user that their file was inappropriate and has been removed to a new location. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System or Exchange Public Folders. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).

Option: DoD overwrite and replace silently

Available for: Data At Rest
Not available for: Incoming e-mails, outgoing e-mails, Web pages, Application Monitor, Data In Motion
Note: For items detected in Exchange Public Folders, DoD Overwrite and Replace Silently actions are not supported.

Choose DoD Overwrite and Replace Silently to silently delete files using DoD deletion (see below) and replace them with an explanatory stub file to alleviate any user concerns. This replacement file contains the message specified in the Message To Users setting in the Data At Rest trigger. For example, you can inform a user that their file was inappropriate and has been removed to a new location. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).
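The four Data At Rest options above (Delete Silently, Replace Silently, and their DoD overwrite variants) differ only in whether the file's bytes are overwritten before the unlink and whether a stub carrying the Message To Users text is left behind. The following Python is an added illustration written for this guide, not Orchestria APM's own code: the three-pass zero/ones/random scheme is the commonly cited "DoD" pattern and is an assumption, since the guide does not state the exact pattern the product uses, and the file name and contents in demo() are constructed.

```python
import os
import tempfile

# Overwrite patterns applied on successive passes: all zeros, all ones, then
# random bytes (None means os.urandom). Assumed three-pass "DoD" scheme; the
# guide does not state the exact pattern Orchestria APM uses.
PASS_PATTERNS = (b"\x00", b"\xff", None)


def overwrite_in_place(path: str, passes: int = 3, chunk_size: int = 1 << 20) -> int:
    """Overwrite a file's existing bytes in place, syncing after every pass.

    Returns the number of bytes overwritten per pass (the file size).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = PASS_PATTERNS[i % len(PASS_PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, chunk_size)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())     # make sure this pass reaches the disk
    return size


def delete_silently(path: str, dod: bool = False) -> int:
    """Delete Silently, or DoD Overwrite and Delete Silently when dod=True.

    Returns the size of the removed file.
    """
    size = overwrite_in_place(path) if dod else os.path.getsize(path)
    os.remove(path)
    return size


def replace_silently(path: str, message: str, dod: bool = False) -> int:
    """Replace Silently: remove the file and leave a stub carrying the
    Message To Users text in its place. Returns the size of the removed file.
    """
    size = delete_silently(path, dod=dod)
    with open(path, "w", encoding="utf-8") as stub:
        stub.write(message)
    return size


def demo() -> dict:
    """Constructed walk-through on a throwaway file (sample content is made up)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "payroll.xls")
    original = b"ACCOUNT 1234-5678 " * 64          # 1152 bytes of fake data
    with open(path, "wb") as f:
        f.write(original)

    result = {"overwritten": overwrite_in_place(path, passes=1)}
    with open(path, "rb") as f:                     # first pass is all zeros
        result["zeroed"] = f.read() == b"\x00" * len(original)

    result["replaced"] = replace_silently(
        path, "This file was removed by policy.", dod=True)
    with open(path, encoding="utf-8") as f:
        result["stub_text"] = f.read()

    result["deleted"] = delete_silently(path)       # plain delete of the stub
    result["exists"] = os.path.exists(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

An in-place overwrite only reaches the blocks the file currently occupies. On journaling or copy-on-write file systems, on SSDs with wear levelling, and on network shares or document stores that keep their own versions, the original bytes can survive elsewhere; this is the same limitation behind the guide's notes that the DoD variants are not supported for Exchange Public Folders or SharePoint items.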


Option: Warn

Available for: Incoming e-mails, outgoing e-mails, Web pages, Application Monitor, Data In Motion
Not available for: Data At Rest. Note also that Data In Motion warnings are not available for files detected by the Network Boundary Agent.

Choose Warn to display the Warning dialog whenever Orchestria APM detects unauthorized e-mail, Web, Data In Motion, or application activity. You can specify customized warning messages for each control trigger. The Warning dialog lets the user choose whether to continue or not:

Cancel: If the user clicks Cancel, this generates a heeded warning. In effect, the user accepts the warning and quits what they were trying to do, for example, printing a file, sending an e-mail, or starting up a prohibited application.

Continue: If the user clicks Continue, this generates a disregarded warning. The user is allowed to continue (for example, they can open or send the e-mail anyway, or copy a file to a USB device), but Orchestria APM records the fact that the user did this despite being explicitly warned against doing so.
Note: A disregarded warning does not necessarily imply any misconduct by the user. For example, a user may want to send a non-encrypted e-mail, in breach of corporate guidelines, because it concerns a trivial matter.

In all cases, you can capture the associated event, forward e-mails to another address and send automatic replies to incoming e-mails. For heeded warnings, you can also redirect Web users to alternate URLs.
Note: If using an e-mail server agent, see page 264.

Warning dialog
1 The dialog message is configurable.
2 Continue button. This generates a disregarded warning.
3 Cancel button. This generates a heeded warning.


Option: Warn, but allow users to designate as Personal

Available for: Incoming e-mails, outgoing e-mails, Web pages
Not available for: Application Monitor, Data At Rest, Data In Motion. Note also that this warning option is not available for e-mails detected by an Exchange or Domino server agent.

Choose Warn, but allow... Personal to display a modified Warning dialog whenever Orchestria APM detects an unauthorized Web page, data submission, or e-mail. Just like the standard Warning dialog, this lets the user choose whether to continue or not. Most importantly, it also allows the user to mark a Web page or e-mail as 'Personal'. There are three dialog buttons:

Cancel: If the user clicks Cancel, this generates a heeded warning. In effect, the user accepts the warning and abandons the data submission or file upload, or quits trying to open or send the e-mail or browse the prohibited Web page.

Continue: If the user clicks Continue, this generates a disregarded warning. The user is allowed to open or send the e-mail anyway, or browse the Web page, or complete the data submission or file upload, but Orchestria APM records the fact that the user did this despite being explicitly warned against doing so.
Note: A disregarded warning does not necessarily imply any misconduct by the user. For example, a user may want to send a non-encrypted e-mail, in breach of corporate guidelines, because it concerns a trivial matter.

Personal: Users can click this button to indicate that they are opening or sending a personal e-mail or that they are browsing the Web page for personal reasons. This overrides the warning and allows the user to continue. It also generates a 'disregarded warning' event, though the event itself is identified as a personal e-mail or Web page in the Console.
Caution: If the user clicks Personal, the Web page or e-mail content is not recorded, even if the control action setting Capture Disregarded Warnings? is set to True.

In all cases, you can capture the associated event. You can also forward e-mails to another address, send automatic replies to incoming e-mails, and redirect Web users to alternate URLs.
Note: If using an e-mail server agent, see page 264.


Control action precedence

An event can fire multiple control triggers, and each trigger can potentially fire a separate control action. The order in which multiple control actions are applied is determined by the control action number: the control action with the lowest number takes precedence (see the example below). This has important implications for the Intervention setting. For example, if a Warning control action takes precedence over a Blocking control action, the event generates a warning but is not necessarily blocked.

In the example below, an e-mail causes three control triggers to activate (Attachment, Recipient and Search Text). These triggers respectively invoke Control Action 5, Control Action 2 and Control Action 3, with Control Action 2 being applied first:

This control trigger   Invokes this control action   In this order
Attachment             Control Action 5              3rd
Recipient              Control Action 2              1st
Search Text            Control Action 3              2nd

In the above example, if Control Action 2 blocks the event, it is the only action invoked against the event: after an event is blocked, no other actions can be invoked (see the next section).

Intervention action behavior

The table below shows the consequences of the various Intervention settings, that is, whether subsequent actions are invoked.

Intervention action   The resulting behavior is
Blocking              No other actions are invoked.
Warning               If the user clicks Cancel, no other actions are invoked. If the user clicks Continue, the next control action is invoked.
Quarantine            No other actions are invoked.
Silent                The next action is invoked.

Quarantine control actions

The precedence of control actions has an important effect on quarantined e-mails. We therefore recommend that you designate the highest control action (for example, Action 10 where there are 10 control actions) as the quarantine control action. This ensures that the quarantine control action is applied to the e-mail last, allowing other control actions, such as warnings, to be invoked first.

How does this work? If an e-mail invokes a quarantine control action, the e-mail becomes immune from further control actions. This means a quarantined e-mail cannot also be blocked or generate a warning. For example, if a user sends an e-mail containing bad language, you may want to warn the user. If he or she ignores the warning and the same e-mail also contains possible insider trading, you may want to use a lower-priority control trigger to then quarantine the message.
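The precedence rule and the Intervention action behavior table are small enough to model exactly, and doing so shows why the quarantine action should carry the highest number. The following Python is an added illustration written for this guide, not Orchestria APM's own code: it sorts the triggered control actions by number and walks the table's short-circuit rules, then replays the guide's three-trigger example (the intervention types assumed for Control Actions 3 and 5 are illustrative, since the guide only states that Control Action 2 ends processing) and the bad-language/insider-trading scenario with the quarantine action numbered 2 versus 10.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Intervention behaviour from the table above, reduced to one question:
# after this action is applied, does processing continue to the next action?
STOPS_PROCESSING = {"Blocking": True, "Quarantine": True, "Silent": False}
OUTCOME = {"Blocking": "blocked", "Quarantine": "quarantined", "Silent": "silent event"}


@dataclass(frozen=True)
class ControlAction:
    number: int          # lower number = higher precedence
    intervention: str    # "Blocking", "Warning", "Quarantine" or "Silent"
    trigger: str         # the control trigger that invoked it


def apply_control_actions(
    triggered: List[ControlAction],
    user_clicks_continue: Callable[[ControlAction], bool],
) -> List[Tuple[int, str]]:
    """Apply the triggered control actions in ascending number order.

    Returns the (action number, outcome) pairs that were actually invoked.
    user_clicks_continue decides what the user does in a Warning dialog.
    """
    invoked = []
    for action in sorted(triggered, key=lambda a: a.number):
        if action.intervention == "Warning":
            if user_clicks_continue(action):
                invoked.append((action.number, "disregarded warning"))
                continue                      # next control action is invoked
            invoked.append((action.number, "heeded warning"))
            break                             # no other actions are invoked
        invoked.append((action.number, OUTCOME[action.intervention]))
        if STOPS_PROCESSING[action.intervention]:
            break
    return invoked


def manual_example() -> List[Tuple[int, str]]:
    """The guide's Attachment / Recipient / Search Text example.

    Assumption (not stated in the guide): Control Action 2 is a Blocking
    action, Control Action 3 a Warning and Control Action 5 Silent.
    """
    triggered = [
        ControlAction(5, "Silent", "Attachment"),
        ControlAction(2, "Blocking", "Recipient"),
        ControlAction(3, "Warning", "Search Text"),
    ]
    return apply_control_actions(triggered, lambda a: True)


def quarantine_example(quarantine_number: int) -> List[Tuple[int, str]]:
    """Bad-language warning (Control Action 5) plus an insider-trading
    quarantine whose action number is the parameter. The user ignores
    the warning."""
    triggered = [
        ControlAction(5, "Warning", "Search Text: bad language"),
        ControlAction(quarantine_number, "Quarantine", "Search Text: insider trading"),
    ]
    return apply_control_actions(triggered, lambda a: True)


if __name__ == "__main__":
    print(manual_example())          # only Control Action 2 runs
    print(quarantine_example(2))     # the user never sees the warning
    print(quarantine_example(10))    # warning first, then quarantine
```

With the quarantine action numbered 2 the warning is never shown, because a quarantined e-mail is immune from further control actions; numbered 10 it runs last, after the user has disregarded the warning, which is the ordering the guide recommends.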


Controlling Web activity

How control actions operate

Settings in a Web control action govern how Orchestria APM handles unauthorized or borderline attempts to access Web pages, upload files or submit data to a Web site. When a control action is triggered, the first determinant is the Intervention setting (see page 220). This determines the event type, which in turn determines which settings in the control action are applicable. The procedure is summarized below:

Web pages, file uploads and data submissions: control actions and applicable settings

1 Intervention options: Block Quietly, Block With Notification, Warn, Warn (but allow user to mark as Personal), None, Inform. These determine the control event type: the two Block options produce a blocking; Warn produces a heeded warning (Cancel) or a disregarded warning (Continue or Personal); None produces a silent event; Inform produces an inform event (OK).
2 Buttons on the Warning dialog: Cancel, Personal, Continue. Note that the Personal button is only available if you choose the Warn, but allow user to designate as Personal option.
3 Buttons on the Inform dialog: OK, Cancel. Note that the Cancel button is only available for data submissions to a Web page. Clicking Cancel generates no control event, so no settings are applicable.
4 Control events: Blocking, Heeded Warning, Disregarded Warning, Silent event, Inform event. These fall into two categories: prohibited activity (blockings and heeded warnings) and authorized activity (disregarded warnings, inform events and silent events).
5 Applicable settings for prohibited activity: Capture, Redirect user. You can invoke any of these settings when a Web page, file upload or data submission triggers a blocking or heeded warning.
6 Applicable setting for authorized activity: Capture. You can invoke this setting when a Web page, file upload or data submission triggers a disregarded warning, inform event or silent event.

Which settings are applicable?

The full range of settings in a Web control action is described on page 136. The Capture settings are applicable to all types of control event, except Web pages marked as personal. The Redirect User settings are applicable only to blockings and heeded warnings. For full details, see page 234.


Capture
Applies to all control events, except Web pages marked as personal.

If you want to capture the Web page associated with a control event, you can specify two separate capture actions: one for blockings and heeded warnings; the other for disregarded warnings, inform events and silent events. The capture actions define which Web page details are captured. These can include the Web page content, images, any data submitted in an HTML form, and any uploaded files.
Note: Both capture actions are optional.

Redirect user
Applies to Web page blockings and heeded warnings only. You cannot redirect users if the control action was triggered by an unauthorized data submission or file upload.

When the control action is triggered, Orchestria APM automatically redirects users to an alternative URL. For example, you can divert users to the Web site of a preferred supplier if they try to visit the site of a rival supplier. If you do not specify an alternative URL, the user is redirected to a default Orchestria APM screen that contains an explanation. For details about which triggers can cause a redirection, see page 235.

Trigger exemptions and refinements

Because there will always be exceptional Web events that require unique handling, Orchestria APM provides trigger settings that allow you to exempt particular events from the normal trigger coverage or, conversely, refine the trigger to focus only on particular events. For Web events, these trigger exemptions and refinements are based on Web site encryption and, for uploaded files, password protection. For details, see page 260.

Browser requirements when exempting secure Web sites

If you plan to implement a Web page control strategy based on the keystrength of the encryption algorithms used by secure Web sites, you must first adjust the security settings for Internet Explorer on each client machine in your Orchestria APM installation. For example, if you want to block users from accessing insecure Web sites, you can set a keystrength exemption for each control trigger. This means that a Web site is blocked only if it uses a keystrength that is lower than the minimum value specified by the control trigger.

However, the default security settings for Internet Explorer prevent the exemption from operating correctly. Specifically, Internet Explorer caches each secure Web page browsed during a single session. So if a user revisits the page, the page is loaded from the cache instead of from the Web server. As a consequence, Orchestria APM is unable to verify the security settings during subsequent visits to the page, effectively nullifying the keystrength exemption settings in your control triggers.

How does this affect users? A user is initially permitted to browse a secure Web site (because the site's high encryption keystrength exempts it from being blocked), but Orchestria APM blocks any subsequent attempt to revisit the site (because a page served from the cache is deemed to have zero keystrength). To fix this problem, you must adjust the security settings for Internet Explorer.

To adjust the security settings for Internet Explorer, make the following changes on each client machine in your Orchestria APM installation:
1 Open Internet Options in the Control Panel.
2 Go to the Advanced tab and scroll down to the Security settings.
3 Switch on the Do not save encrypted pages to disk setting. (By default, this setting is turned off; that is, the check box is not selected.)


When are users redirected to alternative Web pages?


Each control action can redirect the user to an alternative URL or, if no URL is specified in the policy, to a default Orchestria APM screen containing an explanation. But the user is only redirected under certain circumstances. Specifically, the user is redirected if a Web page triggers a blocking or a heeded warning (that is, the user clicks Cancel in a Warning dialog). Users are not redirected if a Web Page triggers a disregarded warning (that is, the user clicks Continue in a Warning dialog) or if a data submission is blocked.

Users are not redirected

Users are not redirected if these content triggers generate a disregarded warning:
- URL
- Secure Sites
- Content Search Text
- Document Classifier
- Transaction Detector

Neither are they redirected if these submission triggers activate:
- Submitted Credit Card
- Submitted Search Text
- HTML Password
- File Upload

Users are redirected

Users are redirected only if these content triggers generate a blocking or heeded warning:
- URL
- Secure Sites
- Content Search Text
- Document Classifier
- Transaction Detector

If the Intervention setting is set to Block with Notification, you can add a customized message to the Blocking dialog, informing users that they are about to be redirected to an alternative URL.


Controlling e-mails
How the control action operates
Settings in an e-mail control action govern how Orchestria APM handles unauthorized attempts to open or send e-mails. You can also configure the control action to notify users when important incoming e-mails are detected. Whenever an e-mail control action is triggered, the first determinant is the Intervention setting (see page 220). This setting determines the event type, which in turn determines which settings in the control action are applicable (page 237). The procedure is summarized below:

E-mails: control actions and applicable settings

1 Intervention options: Block Quietly, Block With Notification, Warn, Warn (but allow user to mark as Personal), None, Notify, Inform, Quarantine. These determine the control event type.
Note: The Intervention options differ slightly in their effects when using the Exchange server agent (see page 220).
2 Buttons on the Warning dialog: Cancel, Personal, Continue. Note that the Personal button is only available if you choose the Warn, but allow user to designate as Personal option.
3 Buttons on the Inform dialog: OK, Cancel. Note that the Cancel button is only available for incoming e-mails. Clicking Cancel generates no control event, so no settings are applicable.
4 Control events: Blocking, Heeded Warning, Disregarded Warning, Silent event, Inform event, Quarantine event. These fall into two categories: prohibited activity and authorized activity.
5 Applicable settings for prohibited e-mail activity: Capture, Forward, Reply, Delete or replace. You can invoke any of these settings when an e-mail triggers a blocking or heeded warning.
6 Applicable settings for authorized e-mail activity: Capture, Reply, Forward. You can invoke any of these settings when an e-mail triggers a disregarded warning, inform event or silent event.
7 Handling for quarantined e-mails: A reviewer determines whether to release or reject quarantined e-mails. A released e-mail is delivered; a rejected e-mail is not sent. Sender notifications are optional.


Which settings are applicable?

The full range of settings in a control action is described on page 136. For outgoing e-mails, the range of applicable settings is always the same, that is, Capture and Forward. For incoming e-mails, the range varies with the control event and can include Reply and Delete or Replace settings. These are described below.

Capture
Applies to all control events.

If you want to capture the e-mail associated with a control event, you can specify two separate capture actions: one for blockings and heeded warnings; the other for disregarded warnings, inform events and silent events. The capture actions define which e-mail details are captured. These can include the e-mail body text and any attachments plus, for incoming e-mails, the Internet mail header. For example, you may set up one capture action to save the basic details of any e-mails that are not sent (because the user heeds a warning dialog), and a separate capture action to save the full details of any e-mails that are sent (when the user disregards the warning).
Note: Both capture actions are optional.

Forward
Applies to all control events.

You can forward any e-mail that activates a control trigger to another address. For example, you can block suspicious incoming e-mails and divert them to a reviewer account. Likewise, if a user disregards a warning and sends an unauthorized e-mail, you can forward a copy to their manager. The manager receives a standard notification e-mail with the original e-mail included as an attachment or message thread. You define the subject and body text of the notification e-mail. You can even use variables to customize the text content so that it reflects the condition that caused the control trigger to activate. For an overview of notification e-mails, see page 252.

Note: If you forward an e-mail to another address:
- The recipient account has certain requirements. See page 238 for details.
- Limitations apply if you want to forward an e-mail to multiple addresses. See page 239.
- If a recipient of a forwarded e-mail wants to send the e-mail to someone else, the procedure depends on the type of e-mail system. See page 239.

Reply
Applies to incoming e-mails only.

For any incoming e-mail that triggers a control action, you can send an automatic reply to the sender. For example, you can use this feature to send automatic acknowledgements to your customers. To do this, you set up a control trigger to activate whenever an incoming e-mail refers to, say, one of your products. You can then configure the associated control action to send an automatic reply, thanking the customer for their interest. Remember to set the Intervention setting to None or Notify. To set up automatic replies, see page 252.

You choose what information is included in the reply. You define the subject and body text of the reply message, and whether or not the original incoming e-mail is included as an attachment. You can even use variables to customize the text content (see page 253).
Note: For notes on using a variable to identify which e-mail triggered the reply, see page 240.

Delete or replace
Applies to blockings and heeded warnings, for incoming e-mails only.

Whenever an incoming e-mail is blocked or canceled by the user (by clicking Cancel in a warning dialog), you can delete the e-mail from the recipient's Inbox. Or you can allow the e-mail to arrive in the recipient's Inbox, but with its body text replaced by a standard notification informing the user that a blocking has occurred.

238

Orchestria Active Policy Management Administrator guide

Account requirements for recipients of forwarded e-mails


Control actions allow you to forward incoming and outgoing e-mails. For example, you may want to forward suspicious e-mails to a manager for their approval or to a reviewer account. You specify the target account for forwarded e-mails in the user policy. The recipient account for forwarded e-mails has special requirements. The handling of undeliverable e-mails varies, according to the e-mail system used by the forwarding machine:

Microsoft Outlook: If Outlook cannot deliver an e-mail, it sends an 'Undeliverable' notification to the intended recipient. This notification message includes a Send Again button that enables users to read the original e-mail. In this case, a user will be able to read the forwarded e-mail.

Lotus Notes: Orchestria APM configures the Notes delivery options so that delivery reports are turned off. This allows you to quietly block inappropriate incoming e-mails and forward them without any risk of alerting the intended recipient if the forwarding fails. (Delivery reports inform intended recipients about a nondelivery and allow them to read the original e-mail.)

i These problems also occur if a forwarded e-mail cannot be delivered to the target address because, for example, there is a network problem or the e-mail server is down.

Correctly specify the recipient address

! This requirement applies particularly to incoming e-mail control actions.

Do make sure that you correctly specify the target account for forwarded e-mails. If you misspell part of the e-mail address, your e-mail server will be unable to deliver forwarded e-mails to this account and may send an Undeliverable notification to the intended recipient. This is clearly undesirable in the case of incoming e-mails that were blocked without notifying the intended recipient (see the Block Quietly option on page 223).

Do not send automatic replies using Out of Office

Do not configure Out of Office to send automatic replies to incoming messages. For example, if you choose to forward e-mails to a manager but this person turns on Out of Office when they go on holiday, the intended recipient of a forwarded e-mail will receive an automatic reply from Out of Office. This may cause confusion if the original incoming e-mail was blocked without notifying the intended recipient (Block Quietly; see page 223).

Chapter 10 Controlling user activity

239

Forwarding e-mails to multiple addresses

In the user policy, you can configure the Forward To? setting in an e-mail control action to forward an e-mail to multiple addresses. Separate each address with a comma or semi-colon:

srimmel@unipraxis.com,fschaeffer@unipraxis.com
srimmel@unipraxis.com;fschaeffer@unipraxis.com

i You can only forward e-mails to multiple addresses from Orchestria APM machines that use Lotus Notes.

Sending forwarded e-mails to someone else

If the recipient of a forwarded e-mail wants to send the e-mail to someone else, the method depends on the type of e-mail system:

Lotus Notes: When you forward an e-mail in Notes, for example to a manager, it is included as a message thread in a notification e-mail. If the manager wants to send the e-mail to someone else, they can simply forward the notification e-mail in the normal way.

Microsoft Outlook: When you forward an e-mail in Outlook, for example to a manager, it is included as an attachment in a notification e-mail. If the manager then wants to send the forwarded e-mail to someone else, they can forward the notification e-mail, with the original e-mail still included as an attachment, or open the attachment and forward the original e-mail.

E-mail address matching

Many e-mail triggers in the user policy allow you to define lists of included or excluded e-mail addresses. When you define these lists, be aware of the different e-mail address formats. For example, if your organization uses Microsoft Outlook, you can define lists of EX addresses to capture e-mails sent internally. See page 109 for full details. Alternatively, you can define universal list items to match against all e-mail address formats. With careful planning, you can define lists of included or excluded e-mail addresses that match against any targeted address, regardless of the e-mail address format. For full details, see page 109.

Modifying recipient fields

i These actions are only available for Outlook e-mails.

Control actions allow you to move To or Cc recipients to the Bcc field on outgoing e-mails, to ensure the e-mail complies with your organization's regulations. You can choose to move:

None: Leaves recipients exactly where they are in the To or Cc field.
All external addresses: Moves all external recipients from the To and Cc fields to the Bcc field. That is, any recipient not marked as 'internal'.
All addresses: Moves all recipients from the To and Cc fields to the Bcc field.

i If you choose to move all recipients or all external recipients, the e-mail event is marked accordingly. This information can then be seen when reviewing the event.
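The two settings described above (the comma or semi-colon separated Forward To? list, and the None / All external addresses / All addresses recipient-moving options) modelled in Python. This is an added example, not Orchestria APM code; it assumes that 'internal' is decided by the address domain, which is a simplification of the product's internal marking.

```python
"""Recipient-field handling for outgoing e-mail control actions (added example)."""
import re

# Constructed sample: domains treated as 'internal' (assumption for this example).
INTERNAL_DOMAINS = {"unipraxis.com"}


def split_forward_addresses(setting):
    """Split a Forward To? value on commas or semi-colons, dropping blanks."""
    return [a.strip() for a in re.split(r"[,;]", setting) if a.strip()]


def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """An address counts as internal when its domain part is in the internal set."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in internal_domains


def move_recipients(to, cc, bcc, mode, internal_domains=INTERNAL_DOMAINS):
    """Apply the recipient-moving option to the To/Cc/Bcc fields.

    mode is one of 'None', 'All external addresses', 'All addresses'.
    Returns the new fields plus a marker, since the page says the event is
    marked whenever recipients are moved.
    """
    to, cc, bcc = list(to), list(cc), list(bcc)
    if mode == "None":
        return {"to": to, "cc": cc, "bcc": bcc, "marker": None}
    if mode == "All addresses":
        def should_move(addr):
            return True
        marker = "moved-all"
    elif mode == "All external addresses":
        def should_move(addr):
            return not is_internal(addr, internal_domains)
        marker = "moved-external"
    else:
        raise ValueError(f"unknown mode: {mode!r}")

    new_to, new_cc = [], []
    for field, kept in ((to, new_to), (cc, new_cc)):
        for addr in field:
            if should_move(addr):
                if addr not in bcc:      # do not duplicate an existing Bcc entry
                    bcc.append(addr)
            else:
                kept.append(addr)
    return {"to": new_to, "cc": new_cc, "bcc": bcc, "marker": marker}
```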


Identifying the e-mail that triggered an automatic reply

If you configure a user policy to send automatic replies, be aware that the reply does not explicitly identify the original e-mail that triggered the control action. If you choose not to attach the original e-mail to the reply, the sender may not know which of their e-mails the reply refers to. For this reason, we recommend two fixes. You can use them individually or together:

Fix 1: Always attach the original e-mail in any automatic reply. To do this, set the Attach Original? setting to True in the user policy.

i Use the Find feature to locate this setting. See page 99 for details.

Fix 2: Include the %subject% variable when you configure the Reply Subject setting (this setting defines the subject for the automatic reply). The %subject% variable appends the original e-mail's subject to the subject in the e-mail reply. So if the subject of a blocked e-mail was Job Opportunities! and you set the Reply Subject setting to:

This e-mail is a reply to: %subject%

This sets the subject in the e-mail reply to:

This e-mail is a reply to: Job Opportunities!

i For the full range of available variables that can be used in an automatic reply, see page 253.

Trigger exemptions and refinements

Because there will always be exceptional e-mails that need unique handling, Orchestria APM provides trigger settings that allow you to exempt particular events from the normal trigger coverage or, conversely, refine the trigger to focus only on particular events. For e-mails, these trigger settings focus on unreadable attachments, encryption, digital signatures, and Data Lookup. For details, see page 260.

E-mails in Public Folders are excluded from policy

The Orchestria APM Outlook client agent does not handle e-mails that are saved in Public Folders. This prevents triggers from activating unnecessarily to capture or block attempts to read e-mails in Public Folders.


Blocking Webmail
The classic way to beat company e-mail rules is to send messages from work using Web-based e-mail services such as Yahoo! or MSN Hotmail. Organizations seeking regulatory compliance should regard these Webmail accounts as potential compliance loopholes. You can easily block these Webmails using Orchestria's Network Boundary Agent (NBA); contact the service desk for details (see page 24). But if you are not using the NBA, this section shows how you can still close these loopholes using a range of Web Page control triggers.

Block specific URLs

To do this, you configure a URL-based control trigger for Web pages. Then specify the Included URLs trigger setting to detect the URLs you want to block. For example, by specifying mail.yahoo, rather than simply yahoo, you can ensure that only the Yahoo! mail pages are blocked, so users are free to use the rest of the site for other legitimate purposes.

Policy tree: User Policy > Capture > Control > Web Pages > Control Triggers > URL 1 > Included URLs; Control Actions
[Figure: User policy: Included URLs control trigger]

Allow e-mails but block attachments

Alternatively, you may only want to prevent users sending attachments by Web-based e-mail. To implement this less restrictive policy, you need to set up a File Upload control trigger for Web pages. These triggers detect attempts to upload files to a specified Web site.

Policy tree: User Policy > Capture > Control > Web Pages > Control Triggers > File Upload 1 > Control Actions
[Figure: User policy: Web page control triggers]

But what about Netscape?

Orchestria APM only integrates with Internet Explorer. To stop users exploiting this limitation and using a Netscape browser to send Webmails, you need to set up an Application Monitor control trigger to block any attempts to start up the Netscape browser application (netscp.exe). For further details, see the Administration console online help; search the index for application monitoring.

Policy tree: User Policy > Capture > Control > Application Monitor (alongside Web Pages, Incoming E-mails and Outgoing E-mails) > Control Triggers > Application 1 > Control Actions
[Figure: User policy: Outgoing E-mail Control Triggers]


Controlling application usage


How control actions operate
Settings in an Application Monitor control action govern how Orchestria APM handles attempts to start up unauthorized applications. For example, you can configure a policy to block or warn against attempts to run Netscape or Outlook Express. Whenever a control action is triggered, the key determinant is the Intervention setting (see page 220). This determines the type of control event. For disregarded warnings and silent or inform events, a Capture setting determines what application usage data is captured. The procedure is summarized below:

[Figure: Application Monitor control actions and applicable settings]

1 Intervention options: Block Quietly, Block With Notification, Warn, None, Inform. These determine the control event type.
2 Warning dialog: Cancel and Continue buttons.
3 Inform dialog: OK and Cancel buttons.
4 Control events: Blocking, Heeded Warning, Disregarded Warning, Silent event, Inform event, No event. These fall into two categories: prohibited activity and authorized activity.
5 Applicable settings for prohibited activity (Capture control event?): You can capture summary details of the control event. No other settings apply.
6 Applicable setting for authorized activity (Capture control event? Capture application usage data?): You can capture the control event and also invoke a Capture action to record application usage details.


Application Monitor control triggers


To control application usage details, you must configure the Application Monitor triggers in the user policy. These triggers activate when Orchestria APM detects that a user is running a particular application. You can define applications by the executable name and path (for example, netscp.exe) or by the executable properties. Specifically, when checking executable properties, Orchestria APM looks for specified text in these Version Information fields: Company, Internal Name, Original File Name and Product Name. This lets you identify applications by their familiar product name rather than their less familiar executable name (for example, Netscape rather than netscp.exe). If you want to continuously monitor attempts to run unauthorized applications, you can set up a Generic Trigger statistic to track the relevant Application Monitor control trigger. You can view the resulting statistics in the Executive console. For details about Generic Trigger statistics, see the Executive Console guide; search the index for Generic Triggers statistics.
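The two ways of identifying an application described above (executable name or path, and text in the Company, Internal Name, Original File Name and Product Name version fields) as an added Python example. This is not Orchestria APM code; the version records are constructed samples, and the trigger dictionary shape is an assumption made for the example.

```python
"""Matching executables for Application Monitor triggers (added example)."""
from pathlib import PureWindowsPath

# The four Version Information fields the trigger checks.
VERSION_FIELDS = ("Company", "Internal Name", "Original File Name", "Product Name")

# Constructed sample records standing in for executables found on a client.
# On a real Windows host these fields would be read from the file's version
# resource; here they are embedded so the example runs offline.
SAMPLE_EXECUTABLES = {
    r"C:\Program Files\Netscape\netscp.exe": {
        "Company": "Netscape Communications Corporation",
        "Internal Name": "netscp",
        "Original File Name": "netscp.exe",
        "Product Name": "Netscape",
    },
    r"C:\Program Files\Outlook Express\msimn.exe": {
        "Company": "Microsoft Corporation",
        "Internal Name": "msimn",
        "Original File Name": "msimn.exe",
        "Product Name": "Outlook Express",
    },
    r"C:\Windows\notepad.exe": {
        "Company": "Microsoft Corporation",
        "Internal Name": "Notepad",
        "Original File Name": "NOTEPAD.EXE",
        "Product Name": "Microsoft Windows",
    },
}


def matches_by_name(exe_path, names):
    """Match on the bare executable name or on the full path, case-insensitively."""
    p = PureWindowsPath(exe_path)
    candidates = {str(p).lower(), p.name.lower()}
    return any(n.lower() in candidates for n in names)


def matches_by_properties(version_info, text):
    """Match when the text appears (case-insensitively) in any checked field."""
    needle = text.lower()
    return any(needle in version_info.get(field, "").lower() for field in VERSION_FIELDS)


def application_trigger_hits(trigger, executables=SAMPLE_EXECUTABLES):
    """Return the executables a trigger definition matches.

    trigger (assumed shape): {'names': [...], 'property_text': [...]}.
    Note that a broad property value such as 'Microsoft' matches every
    product from that company, so prefer Product Name text when refining.
    """
    hits = []
    for path, info in executables.items():
        by_name = matches_by_name(path, trigger.get("names", []))
        by_props = any(matches_by_properties(info, t) for t in trigger.get("property_text", []))
        if by_name or by_props:
            hits.append(path)
    return hits
```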

What data is captured by Application Monitor triggers?


Whenever an Application Monitor control action is invoked, Orchestria APM records information such as the window title, the time of capture, the active time (the period that the application was in active use), and the associated user and machine. For authorized activity, that is, disregarded warnings and silent or inform events, there is also a setting in the control action that lets you invoke an Application Monitor capture action; this records usage details for the specified application. These show the number of key presses and mouse clicks that a user makes while using a targeted application over a specific period. You can view these details when searching for captured application events in the Data Management console (see the Data Management Console guide; search the index for captured data, viewing).


Controlling files
Using Data In Motion and Data At Rest file triggers and Orchestria APM file agents, you can apply policy when users try to: save a file to a USB device; print a file; send a file attachment in a Webmail or IM conversation; or upload or download a file. Likewise, you can apply policy to scanned files and files imported onto the CMS by an Import Policy job. This section covers the following:

- File triggers, including the available control actions (see next section), plus details about circumstances that cause file triggers to activate (see page 245).
- File sources. That is, the file agents and other file ingestion methods supported by Orchestria APM. See page 246 for details.
- The methods used to determine which user policy gets applied to file events. See page 247.
- Handling for files copied to USB devices. See page 248.
- Handling for printed files. See page 247.
- Handling for files entering or leaving your corporate network. See page 250.
- Handling for scanned files. See page 249.

File triggers
Orchestria APM supports two types of file trigger:

Data In Motion triggers can control attempts to print files or copy files to a USB device. They can also control files entering or leaving the corporate network. In all cases, you can block and categorize the files. For files being printed or copied to USB devices, you can also warn or inform the user. These triggers are used by the Client Print System Agent, Client File System Agent, and the Network Boundary Agent; see the next section.

i Data In Motion control triggers and actions are summarized on page 135 and page 137.

Data At Rest triggers can control scanned (or imported) files or other scanned items. You can use these triggers to delete specified items, replace them with explanatory stub files, copy or move them to a new location, or simply categorize the files. These triggers are used to capture items scanned by the File Scanning Agent (see the next section) or files imported onto the CMS.

i Data At Rest control triggers and actions are summarized on page 135 and page 137.


When do file triggers activate?

Data In Motion and Data At Rest triggers activate when they detect files, or print or copy operations, that match the specified trigger criteria.

File lists specify which files to monitor

All file triggers can detect specific file names (defined in the Top Level File Lists), or names of nested files contained within a zip file or embedded in a master file (defined in the Individual/Embedded File Lists). For each trigger, you choose whether to use an Include or Exclude list.

Top Level File List: When you specify the Top Level File Include or Exclude lists, you are, in effect, specifying the files, or types of file, that you want Orchestria APM to apply policy to. For example, you can specify:

- * to search all files
- *.doc to search all .doc files
- A list of specific .zip files to search.
- %allarchives% to search all archive files. That is, all file types listed in the Archive File Extensions setting; see page 141.

Use the Which Top Level File List? setting to configure Orchestria APM to only monitor files according to either the Included or Excluded list. In addition, you can also specify a list of top level files to be ignored. For example, you can configure Orchestria APM to search all .zip files, except those in a particular subfolder.

Individual/Embedded File List: These are lists of actual files you want to search for. These can be either individual files in a subfolder, or files contained within another file. Use the Individual/Embedded Include or Exclude lists to specify which files to look for. Used in conjunction with the Which Top Level File List? setting, you can feasibly search all subfolders or .zip files for a specific file. For example, set Included Top Level Names to *.zip and Included Individual/Embedded File Names to *.doc to search for all .doc files contained within .zip files.

Printers and USB devices

For files being printed or copied to a USB device (removable device), Data In Motion triggers can activate if the user tries to use a specific printer or USB device. Likewise, you can exempt specific printers or USB devices from policy control. You define the printers and USB devices you want to control in the Included USB Devices or Printers and Excluded USB Devices or Printers trigger settings.

File properties or text content

In all cases, file triggers can detect specific formats (such as Microsoft Word documents). They can also analyze a file's text content to detect the presence or absence of key phrases, or to determine whether the file matches a particular document classification. If required, these triggers can also analyze nested files contained within a zip file or embedded in a master file (see the next section). Finally, when used in combination with XML Attribute data lookup commands (see page 276), you can set up file triggers to detect a file's attributes such as its size, date created, date last modified, and the file author.
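The Top Level and Individual/Embedded list logic described above, worked through in Python on a constructed in-memory zip archive: top-level selection by Included or Excluded list with an ignore list for a subfolder, %allarchives% expansion, and the page's *.zip plus *.doc combination. This is an added example, not Orchestria APM code; the Archive File Extensions value and the ignore-list pattern form are assumptions.

```python
"""Top Level vs Individual/Embedded file list matching (added example)."""
import fnmatch
import io
import zipfile
from pathlib import PureWindowsPath

# Assumed value of the Archive File Extensions setting (see page 141).
ARCHIVE_FILE_EXTENSIONS = ["zip", "rar", "7z"]


def expand_patterns(patterns):
    """Replace the %allarchives% token with one *.ext pattern per archive type."""
    out = []
    for p in patterns:
        if p.lower() == "%allarchives%":
            out.extend(f"*.{ext}" for ext in ARCHIVE_FILE_EXTENSIONS)
        else:
            out.append(p)
    return out


def name_matches(name, patterns):
    """Case-insensitive wildcard match of a bare file name against a list."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in expand_patterns(patterns))


def top_level_selected(path, which, included, excluded, ignored=()):
    """Decide whether a top-level file is in scope for the trigger.

    which: 'Included' or 'Excluded' (the Which Top Level File List? setting).
    ignored: full-path wildcard patterns skipped regardless, e.g. one subfolder.
    """
    p = PureWindowsPath(path)
    if any(fnmatch.fnmatchcase(str(p).lower(), pat.lower()) for pat in ignored):
        return False
    if which == "Included":
        return name_matches(p.name, included)
    if which == "Excluded":
        return not name_matches(p.name, excluded)
    raise ValueError(f"unknown list selector: {which!r}")


def embedded_matches(zip_bytes, embedded_patterns):
    """Names of archive members matching the Individual/Embedded list
    (name matching only; content analysis is outside this example)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith("/"):
                continue  # directory entry, not a file
            bare = PureWindowsPath(member.replace("/", "\\")).name
            if name_matches(bare, embedded_patterns):
                hits.append(member)
    return hits


def build_sample_zip():
    """Constructed sample archive: two .doc files and one .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Projects/Q1sales.doc", "quarterly figures")
        zf.writestr("Projects/notes.txt", "nothing here")
        zf.writestr("old/plan.DOC", "legacy plan")
    return buf.getvalue()


def find_docs_in_archives(files, included_top="*.zip", embedded="*.doc", ignored=()):
    """files: mapping of top-level path -> archive bytes.

    Mirrors the page's example: Included Top Level Names = *.zip and
    Included Individual/Embedded File Names = *.doc.
    """
    result = {}
    for path, data in files.items():
        if top_level_selected(path, "Included", [included_top], [], ignored):
            result[path] = embedded_matches(data, [embedded])
    return result
```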


File sources
Orchestria APM provides various file agents and ingestion mechanisms to control or categorize files on your network. To specify which file sources Orchestria APM will monitor, you configure the Which File Sources? setting in each file trigger:

Data At Rest triggers

For these triggers, the Which File Sources? setting lists the following sources:

File Scanning Agent (FSA): The FSA can scan, analyze and apply policy to:

- Files saved in designated folders on local and remote file systems.
- Items in Microsoft Exchange Public Folders.
- Items hosted on SharePoint sites.

In all cases, the FSA applies Data At Rest triggers to scanned items, enabling Orchestria APM to delete, replace, copy or move items as required.

File Importer: This option enables policy engines to process imported files as part of an Import Policy job.

External Agent API for File: This option enables policy engines to process files received from the External Agent API. The External Agent can integrate with third party archives and pass files to Orchestria APM for policy processing.

i Files from the NBA via the External Agent are flagged accordingly and processed using Data In Motion triggers, not Data At Rest triggers.

Data In Motion triggers

For these triggers, the Which File Sources? setting lists the following sources:

Client File System Agent (CFSA): Also known as policy on save or PoS, this agent enables you to control attempts to copy or save files to USB devices, such as removable flash drives. If Windows Explorer or a DOS command is used to copy files to USB devices, the CFSA can apply Data In Motion triggers in real time to the file being copied.

Client Print System Agent (CPSA): This enables you to capture or control attempts by users to print files or documents on local or network printers. When the CPSA detects a specified print job, it applies Data In Motion triggers in real time to the document being printed.

Network Boundary Agent (NBA): The NBA runs on dedicated hardware and analyzes individual data packets crossing the boundary between your organization and the Internet. It is designed to prevent confidential information from leaving your corporate network. It can apply:

- Data In Motion triggers to FTP file transfers, files sent as attachments to Webmails or IM conversations, and files uploaded to or downloaded from Web sites.
- Outgoing E-mail triggers to SMTP and POP3 e-mails, Webmails (such as Hotmail or Yahoo!), and IM conversations. E-mail controls are covered on pages 236 to 241.


How are file events associated with Orchestria APM users?

The methods used to determine which user policy gets applied to file events, and which users are associated with these events, depend on how the file events were captured.

Client File System Agent and Client Print System Agent: These client agents always apply the user policy of the Orchestria APM user currently logged on to the client machine.

Network Boundary Agent (NBA): The NBA typically saves the machine ID of the source and destination machines as event participants. When NBA-captured files are passed to policy engines for processing, the policy engines always apply the Default Policy For Files. See the NBA guide for full details, available from the Orchestria service desk; see page 24.

File Scanning Agent (FSA): Scanning job definitions can explicitly identify which users are associated with scanned files and which user policy is applied. If the scanning job omits these details, policy engines always apply the Default Policy For Files. For full details, see the Deployment guide; search the index for FSA.

Imported files: The following Event Import parameters associate imported files with participant e-mail addresses. For full details, see the Deployment guide; search the index for FSA.

ImpFile.AssociatedParticipant
ImpFile.PolicyParticipant

i For full details of how Orchestria APM assigns participants to file events and determines which user policy to apply, see the Event Participants technical note, available from the Orchestria service desk; see page 24.

Printed files
When the CPSA detects a print job, it applies Data In Motion triggers in real time to the document being printed. You can configure these triggers to monitor or exempt specific printers and to analyze the files or documents being printed (see page 251). For full details about how the CPSA works, and how to configure the agent, see the Deployment guide; search the index for client print system agent.

Available control actions

You can set up Data In Motion control actions to block print jobs, to warn or inform the user that their print job may be unauthorized, or to categorize the file or document. Note that when print jobs are blocked, Orchestria APM displays a notification dialog; see page 223. For a list of all the available Data In Motion control actions, see page 221.

Monitoring specific printers

The CPSA can monitor any printer on your network. To define the printers that you want to monitor (or the ones you want to exempt from control), you add their device names to the appropriate USB Devices or Printers setting in the Data In Motion triggers.


Files copied to USB devices

When the CFSA first detects a user trying to copy a file to a removable USB device, it applies machine policy settings in real time to the document being copied. You can configure the machine policy to either block or allow users to copy files to USB devices, and to always allow copy operations from trusted applications. Alternatively, you can channel users into using Windows Explorer or a DOS command to copy their files (by blocking copy operations from other applications); the agent can then apply Data In Motion triggers to the files being copied and use the results of policy processing to allow or block the copy operation. For full details about how the CFSA works, and how to configure your machine policies and user policies, see the Deployment guide; search the index for client file system agent.

Available control actions

When a user tries to copy a file to a USB device, Orchestria APM checks the name of the USB device and which application they are using to copy the file. If the user is not using a trusted application, or if Write access to the USB device is disallowed, then Orchestria APM blocks the copy operation; from the user's viewpoint, the USB device has been set to Read Only. But if the user is using Windows Explorer or a DOS command to copy their file and if the USB device is flagged accordingly in the machine policy, then the CFSA can apply Data In Motion triggers and control actions. You can set these up to block specific files or USB devices, or to warn or inform the user that their copy operation may be unauthorized, or to categorize the file. Note that when file copying is blocked, Orchestria APM displays a notification dialog; see page 223. For a list of the available Data In Motion control actions, see page 221.

i For details about specifying USB device names, see below.

Specifying USB devices

When you edit your policies to specify the USB devices you want to monitor, you must supply the exact device name or you can use ? and * wildcards. You can check device names in Windows Device Manager (but see the warning below). You can also check device names in Windows Explorer; when you view the properties of a removable drive, the device name is listed in the Hardware tab of the Properties dialog.

Known device name issue

! Windows Device Manager automatically appends USB Device to device names.

You must omit this appended text when you specify the USB device name in the machine policy or user policy. For example, if the Device Manager lists:

Unipraxis DataStick 2.0 USB Device

Enter this in the machine policy or user policy as:

Unipraxis DataStick 2.0
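The device-name rule and the copy decision sequence described above (trusted application, Write access, Windows Explorer or DOS copy with a flagged device, then the trigger's included and excluded device lists with ? and * wildcards) as an added Python example. It is not Orchestria APM code; the machine-policy and trigger dictionary shapes and their key names are constructed for the example, not the product's real setting names.

```python
"""USB device naming and CFSA copy-control decision (added example)."""
import fnmatch

# The text Windows Device Manager appends to device names.
DEVICE_MANAGER_SUFFIX = " USB Device"


def policy_device_name(device_manager_name):
    """Strip the Device Manager suffix so the value matches what the
    machine policy or user policy expects."""
    name = device_manager_name.strip()
    if name.lower().endswith(DEVICE_MANAGER_SUFFIX.lower()):
        name = name[: -len(DEVICE_MANAGER_SUFFIX)]
    return name.rstrip()


def device_in_list(device_name, patterns):
    """Match a policy-form device name against a list that may use ? and *."""
    return any(fnmatch.fnmatchcase(device_name.lower(), p.lower()) for p in patterns)


def copy_decision(device_manager_name, process_exe, machine_policy, trigger):
    """Return the outcome of a copy attempt, following the page's sequence.

    machine_policy (constructed shape):
      trusted_apps    - executables always allowed to copy
      write_allowed   - whether Write access to USB devices is allowed
      explorer_or_dos - executables treated as Windows Explorer / DOS copy
      flagged_devices - device patterns flagged for trigger processing
    trigger (constructed shape): 'included' / 'excluded' device patterns
    """
    device = policy_device_name(device_manager_name)
    exe = process_exe.lower()
    if exe in machine_policy["trusted_apps"]:
        return "allow (trusted application)"
    if not machine_policy["write_allowed"]:
        return "block (device read-only)"
    if exe in machine_policy["explorer_or_dos"] and device_in_list(
        device, machine_policy["flagged_devices"]
    ):
        # Data In Motion trigger scope: an excluded device is exempt,
        # otherwise the device must appear in the included list.
        if device_in_list(device, trigger.get("excluded", [])):
            return "allow (device exempt from trigger)"
        if device_in_list(device, trigger.get("included", ["*"])):
            return "apply Data In Motion triggers"
        return "allow (device not in trigger scope)"
    return "block (untrusted application)"
```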


Files entering or leaving your corporate network

The NBA can control files entering or leaving your corporate network. These include FTP file transfers, files sent as attachments to Webmails or IM conversations, and files uploaded to or downloaded from Web sites.

NBA packet filters

Filters in the NBA's own policy can block data packets based on such criteria as the source or destination machine IP address or the associated protocol. For full details, see the NBA guide, available from the Orchestria service desk; see page 24.

Available control actions

The NBA can also pass reassembled files to policy engines for processing. The policy engines apply Data In Motion triggers to NBA-captured files. You can use these triggers to block unauthorized files or categorize the resulting file events. Note, however, that NBA blockings are silent; the NBA itself does not notify users when files are blocked (although the user may be aware of the blocking; for example, a file upload may time out). Similarly, you cannot use the Warn or Inform options provided with Data In Motion control actions, as the NBA does not support user notifications.

Scanned files
The FSA can scan, analyze and apply Data At Rest triggers to files saved in local and remote file systems, and files stored in Microsoft Exchange Public Folders. For full details about deploying the FSA and setting up scanning jobs, see the Deployment guide; search the index for FSA.

Available control actions

You can set up Data At Rest control actions to delete scanned files. If necessary, you can specify DoD deletions; these ensure that deleted files cannot be recovered (see below). You can also replace deleted files with an explanatory stub file to alleviate any user concerns, or categorize the resulting file event. Data At Rest control actions also support a copy action, permitting you to copy scanned files to an alternative location. When used in combination with a delete action, a copy action effectively becomes a move file action; see below for a discussion of how the FSA handles copied files. For a list of all the available Data In Motion control actions, see page 221.

DoD deletion
This is forensic deletion, so called because the storage media are purged to guarantee that a file cannot be recovered and used to obtain evidence in legal discovery. DoD is a reference to Department of Defense approved methods for purging storage media.

Copying scanned files

For details about copying scanned files to a new location, see page 250.

Imported files
If you import files onto the CMS as part of an Import Policy job, policy engines apply Data At Rest triggers to those files. Be aware, however, that the standard Delete, Replace, and Copy control actions are not supported for these imported files.

i Note also that files imported from the NBA are subject to Data In Motion triggers when processed by policy engines (see the previous section).


Copying scanned files

Data At Rest control actions include settings that determine how Orchestria APM handles scanned files copied to an alternative location:

Copy File To Location: This setting specifies the target folder for copied files. It can be any valid UNC or local file system path.

! You must specify a path outside of the scan location defined in the job file, otherwise the copied files will get scanned again! See example 5 below. For this reason, we recommend a target location that begins with ..\ such as ..\Review.

Copy Location Mode: Set this to either Relative or Absolute. This setting modifies the Copy File To Location folder.

- In Relative mode, files are copied to a subfolder of Copy File To Location that matches the directory structure of the original file's location. See the examples below.
- In Absolute mode, files are copied directly to the Copy File To Location folder, not to subfolders.

Copy Conflict Resolution: This setting determines what happens if a file with the same name already exists in the target folder. The options are:

- Discard the copied file
- Overwrite the file already in the target folder
- Rename the copied file (adding a numeric suffix)

Example copied files
In this example, the FSA scans the C:\MyDocs\Temp folder. This contains the file Q1sales.mpp that you want to copy elsewhere. The scanning job definition is set up as follows:

<location path="C:\MyDocs"/>
<folders subfolders="yes">
  <include>Projects</include>
</folders>

Example target folders for copied files
To copy MyProject.mpp to a new location after it has been scanned, you need to edit the relevant settings in the Data At Rest control action as follows:

Example 1: Copy File To Location: C:\Evaluate
Here, the target location is a folder outside of the scan location defined by the <location> tag in the scanning job file.
If Copy Location Mode is set to Relative, the file gets copied to: C:\Evaluate\Projects\Q1sales.mpp
If Copy Location Mode is set to Absolute, the file gets copied to: C:\Evaluate\Q1sales.mpp

Example 3: Copy File To Location: ..\Review
This is the method we recommend. Here, the target location is a subfolder outside of the scan location defined by the <location> tag in the scanning job file.
If Copy Location Mode is set to Relative, the file gets copied to: C:\Review\Projects\Q1sales.mpp
If Copy Location Mode is set to Absolute, the file gets copied to: C:\Review\Q1sales.mpp

Example 5: Copy File To Location: Review
Avoid this situation! Here, the target location is interpreted as a subfolder below the original scan location and so the file gets scanned again!
If Copy Location Mode is set to Relative, the file gets copied to: C:\MyDocs\Review\Projects\Q1sales.mpp
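The three target-folder examples above (C:\Evaluate, ..\Review and Review) reproduced in Python for a file found under the scan location, together with a check for the rescan hazard of example 5 and the three Copy Conflict Resolution options. This is an added example, not Orchestria APM code; the "(n)" form of the rename suffix and the hazard check are assumptions, and path handling is pure string work so it runs on any platform.

```python
"""Resolving Copy File To Location for scanned files (added example)."""
from pathlib import PureWindowsPath


def normalize(path):
    """Collapse '.' and '..' parts of a Windows path without touching disk."""
    parts = []
    for part in PureWindowsPath(path).parts:
        if part == "..":
            if len(parts) > 1:  # never pop the drive or UNC anchor
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PureWindowsPath(*parts)


def resolve_copy_target(scan_location, scanned_file, copy_to, mode):
    """Return (target_path, rescan_hazard).

    scan_location: the <location path=...> of the scanning job.
    copy_to: the Copy File To Location value; absolute, UNC, or relative
             to the scan location (for example ..\\Review).
    mode: 'Relative' keeps the file's folder structure below the scan
          location; 'Absolute' drops it.
    """
    scan = normalize(scan_location)
    src = PureWindowsPath(scanned_file)
    target_root = PureWindowsPath(copy_to)
    if not target_root.is_absolute():
        target_root = normalize(scan / target_root)
    if mode == "Relative":
        rel_dir = src.relative_to(scan).parent
        target = target_root / rel_dir / src.name
    elif mode == "Absolute":
        target = target_root / src.name
    else:
        raise ValueError(f"unknown Copy Location Mode: {mode!r}")
    # A target folder below the scan location is picked up by the next scan
    # pass, which is the situation example 5 warns against.
    hazard = str(target_root).lower().startswith(str(scan).lower() + "\\")
    return str(target), hazard


def resolve_conflict(target, existing, policy):
    """Apply Copy Conflict Resolution when the target name already exists.

    existing: set of paths already present in the target folder (constructed).
    Returns the path to write to, or None for Discard.
    """
    if target not in existing:
        return target
    if policy == "Discard":
        return None
    if policy == "Overwrite":
        return target
    if policy == "Rename":
        p = PureWindowsPath(target)
        n = 1
        while True:  # assumed suffix form: name(n).ext
            candidate = str(p.with_name(f"{p.stem}({n}){p.suffix}"))
            if candidate not in existing:
                return candidate
            n += 1
    raise ValueError(f"unknown Copy Conflict Resolution: {policy!r}")
```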

Chapter 10 Controlling user activity

251

User notifications

You can configure control actions to block, warn or inform users, and to display a notification dialog containing an explanatory message. E-mail control actions also let you forward e-mails to another address, with the forwarded e-mail included as an attachment or thread within a notification e-mail. In all cases, you can configure the notification text. Specifically, you can define the title and message in the notification dialog, and the subject and body text in the notification e-mail.

Note: Options for the Intervention setting are described in full on pages 220 to 227.

Dialog messages

You can customize the message that appears in notification dialogs or e-mails. To do this, edit the Message To Users setting in each control trigger. For example:

Trigger                Example message to users
File Upload            Corporate guidelines do not permit you to upload files to this Web site.
Document Classifier    Corporate guidelines do not permit you to send sales proposals unless they contain an official disclaimer.
Attachments            You are not authorized to open this e-mail. It contains an attachment that includes inappropriate material.
Application            Corporate guidelines do not permit you to use this Internet browser.

Note: You can also use variables to customize the text content. These are described on page 253.

Notification dialogs

For each control trigger, you can define a message that appears in the notification dialog when the trigger activates. You can use variables to customize the text content so it reflects the condition that caused the control trigger to activate. You can also use delimiters to tag sections of the message as selectable, enabling users, for example, to copy missing disclaimers directly from the notification dialog into an e-mail or attachment (see page 259). Some control triggers even allow you to define multiple messages, so that the message seen by users varies according to the key text detected by the trigger. Finally, you can configure the titles of the various notification dialogs.

Multiple message control triggers

Some triggers allow you to define separate messages for each item in a list of key words or phrases. When Orchestria APM detects that word or phrase, it displays the corresponding message. This allows you to tailor the message using a single control trigger. See page 107.

Dialog titles

You can configure the title that appears in the various Orchestria advisory dialogs. For example, you can define dialog titles for blockings and warnings (see page 230 for examples). You can find the relevant settings in the System Settings > User Notifications folder of the user policy.

Messages for categorization triggers

When setting up e-mail categorization, you use the Message To Users setting to define the list of available categories shown to users in the Categorize dialog. For details, see page 165.

252

Orchestria Active Policy Management Administrator guide

Notification e-mails

Orchestria APM can generate three types of notification e-mail:

- Notifications generated by the Exchange server agent and sent to the original sender.
- Automatic replies, generated by the Outlook and Notes client agents.
- Notifications forwarded to another recipient, also generated by the Outlook and Notes client agents.

Notifications generated by e-mail server agents

These e-mails are described on page 265. See also the known issue in the Deployment guide; search the index for 'Exchange server agent, troubleshooting' or 'Domino server agent, troubleshooting'.

Automatic replies generated by client agents

For any incoming e-mail that triggers a control action, you can send an automatic reply to the sender. You can define separate replies for each e-mail control action. To do this, you configure the Send Reply? setting in each control action for incoming e-mails. To define the subject and body text, you edit settings in the Reply folder within the control action.

Notifications forwarded by client agents

These are e-mails containing e-mails that have been intercepted and forwarded by a control trigger. You can define subject and body text for both incoming and outgoing notification e-mails (that is, notification e-mails containing forwarded incoming and forwarded outgoing e-mails). To define the subject and body text you must edit the relevant system settings in the user policy. You can find these settings in the System Settings > User Notifications > Forwarded E-mail Settings folder.

Unlike automatic e-mail replies or the messages in notification dialogs, you cannot specify separate notification e-mails for each control trigger or control action. Instead, you define a single incoming notification e-mail and a single outgoing notification e-mail for each user policy. You can use variables to customize the subject and body text, for example, to include the original sender's e-mail address. Some examples are shown below:

Forwarded e-mail        Example e-mail subject
Incoming                Incoming e-mail for %To% requires your attention
Outgoing                Please authorize the attached outgoing e-mail

Forwarded e-mail        Example e-mail body text
Incoming                The e-mail %Subject% may breach corporate guidelines. It has been forwarded to you for authorization.
Outgoing                Review the attached e-mail sent by %From%. If the e-mail adheres to corporate guidelines, please forward it to the intended recipient, %To%.
Incoming or outgoing    %default% (see page 255 for details)

Note: You can also use variables to customize the text content. These are described on page 253.

Notification messages in replacement files

For each File control trigger, you can define a message that appears in the replacement file when the trigger activates. You can also use variables to customize the text content so it reflects the condition that caused the control trigger to activate.


Variables in notification dialogs and e-mails

When defining the text in a notification dialog, notification e-mail or an automatic e-mail reply, you can use variables to represent certain types of information and to customize the text content based on the circumstances of the control event. For example, if a control trigger displays a warning when users browse to various Web sites, you can use the %URL% variable to include the actual URL in your notification message. The full range of variables is listed below and described on the following pages:

%Address%, %Application%, %ApplicationPath%, %BCC%, %CC%, %CCN%, %SSN%, %Default%, %From%, %Keystring% and %Keyword%, %Keystrength%, %MailDateTime%, %Site%, %Subject%, %To%, %URL%, and user-defined variables (<fallguy> and <offlimits>).

Variables in file events

The following notification variables are available for file events. For example, if a control trigger displays a warning when users attempt to copy a Microsoft Office document to a USB device, you can use the %author% variable to include the name of the file author in your notification message. For full details, contact the service desk (see page 24).

Note: The nature of these variables is such that they are not all relevant for all situations.

Variable      Available for
%accessed%    Imported files and files scanned by the FSA only
%author%      All Microsoft Office documents (excluding CPSA file events)
%channel%     Files captured by the NBA only
%created%     Imported files and files scanned by the FSA only
%dest%        Files scanned by the FSA only *
%device%      CFSA and CPSA file events *
%filename%    All file events (excluding CPSA file events) **
%host%        Files captured by the NBA only
%modified%    Imported files and files scanned by the FSA only
%path%        Imported files and files scanned by the FSA only
%protocol%    Files captured by the NBA only
%size%        All file events **
%source%      Files captured by the NBA only
%subject%     All file events
%URL%         Files captured by the NBA only

* Available only for notification e-mails and automatic e-mail replies.
** Available for the Data At Rest Message To Users setting.


Case sensitivity

Message variables are not case-sensitive. So, for example, you can type %URL% or %url% when defining a notification message.

%Address%

This displays the e-mail address, or addresses, that caused the control trigger to activate. For outgoing e-mails, this is the recipient address(es); for incoming e-mails, it is the sender address. For example, these messages in the policy:

- You are not authorized to receive e-mails from %Address%.
- You are not authorized to send e-mails to %Address%.

Display like this in notification messages:

- You are not authorized to receive e-mails from Spencer Rimmel.
- You are not authorized to send e-mails to srimmel@unipraxis.com, fschaeffer@unipraxis.com.

%Application%

This identifies the application that activated an Application Monitor control trigger. For example, this message in the policy:

You are not authorized to run %Application%.

Displays like this in a notification message:

You are not authorized to run Netscape.

%ApplicationPath%

This displays the path and executable name of the application that activated an Application Monitor control trigger. For example, this message in the policy:

Orchestria APM has detected the following program starting up: %ApplicationPath%.

Displays like this in a notification message:

Orchestria APM has detected the following program starting up: c:\program files\netscape\netscp.exe.

%BCC%

This displays any recipients listed in the Bcc: field of a forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail:

The attached e-mail has been forwarded to you for approval because the Bcc: addressees include %BCC%.

It displays like this in a notification e-mail:

The attached e-mail has been forwarded to you for approval because the Bcc: addressees include spencerrimmel@unipraxis.com.

%CC%

This displays any recipients listed in the Cc: field of a forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail:

The attached e-mail has been forwarded to you for approval because the Cc: addressees included %CC%.

It displays like this in the actual e-mail:

The attached e-mail has been forwarded to you for approval because the Cc: addressees included frankschaeffer@unipraxis.com.


%CCN%

This displays the credit card number detected by Orchestria APM and which activated a Credit Card control trigger. For example, this message in the policy:

You are not authorized to procure goods using credit card number %CCN%.

Displays like this in a notification message:

You are not authorized to procure goods using credit card number ************1234.

Note: The display of credit card numbers in notification messages is subject to the same constraints as elsewhere in Orchestria APM. This is governed by the Sensitive Information Handling setting in the System Settings folder (see page 140).

%Default%

For the body text of notification e-mails only. This displays summary details about the forwarded e-mail. For example, this body text in the policy:

%default%

Displays details like this in the notification e-mail:

The original mail message is:
From: lyndasteel@unipraxis.com
To: Spencer Rimmel <EX:/O=UNIPRAXIS/OU=UK/CN=RIMMEL/CN=SPENCER>
Subject: Corporate Restructuring

%From%

This displays the original sender of an e-mail that was detected by a control trigger and forwarded to another address. For example, if the user policy specifies this message for the body text of a notification e-mail:

An e-mail from %FROM% has been intercepted and forwarded to you for approval.

It displays like this in a notification e-mail:

An e-mail from lyndasteel@unipraxis.com has been intercepted and forwarded to you for approval.

%SSN%

This displays the social security number detected by Orchestria APM and which activated a classifier, keystring or attachment control trigger. For example, this message in the policy:

An e-mail containing the social security number %SSN% has been intercepted for review. You are not authorized to send personally identifiable information.

Displays like this in a notification message:

An e-mail containing the social security number 123-45-6789 has been intercepted for review. You are not authorized to send personally identifiable information.

Orchestria APM uses a recognition process that cross-checks detected numbers against an imported system definition file listing currently available SSNs. To ensure that this data is accurate, we recommend you import an updated version of the file on a regular basis using the Administration console (see page 38).

%Keystrength%

This displays the keystrength of the encryption algorithm used on a Web site. For example, this message in the policy:

This site uses %Keystrength% encryption. You are only permitted to browse sites that use at least 256 bit encryption.

Displays like this in a notification message:

This site uses 128 bit encryption. You are only permitted to browse sites that use at least 256 bit encryption.

Note the following:

- %Keystrength% does not return a value when used in a URL control trigger (because the trigger activates as soon as it detects the URL, before it can check the encryption level).
- Be aware of the browser requirements when exempting secure Web sites (see page 234).


%Keystring% and %Keyword%

These display the word or phrase detected by Orchestria APM and which activated any control trigger that can search Web pages, e-mails and document contents for key text. For example, these messages in the policy:

- Warning: this e-mail refers to %Keystring%. Such references are normally prohibited in corporate correspondence.
- You are not permitted to send e-mails containing the word(s) %Keyword%.

Display like this in the notification message:

- Warning: this e-mail refers to Project Alpha. Such references are normally prohibited in corporate correspondence.
- You are not permitted to send e-mails containing the word(s) Project Alpha.

In practice, these variables are interchangeable but you may find notification messages easier to maintain if you use the variables in their 'natural' context. That is, you use %Keyword% to represent single words and %Keystring% for phrases.

Note: These variables are also available for use with the Data At Rest Message To Users setting.

%MailDateTime%

This displays the time and date when an incoming e-mail was received or when an outgoing e-mail was sent. For example, if the user policy specifies this message for the Subject of the notification e-mail:

Unauthorized e-mail detected: %MailDateTime%

It displays like this in the notification e-mail:

Unauthorized e-mail detected: 16/05/2003 8:23

You cannot configure the date and time format from within Orchestria APM. The format shown in a notification e-mail is determined by the short date format defined for the local machine.

%Site%

This displays the 'site' element of a Web site URL or the 'organization' element of an e-mail address. This can be useful if you want to make the notification message easier to read. For example, these messages in the policy:

- It is forbidden to browse the %site% Web site.
- It is forbidden to send e-mails to %site%.

Display like this in notification messages:

- It is forbidden to browse the Unipraxis Web site.
- It is forbidden to send e-mails to Unipraxis.

%Subject%

This displays the Subject of the forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail:

The e-mail "%Subject%" has been intercepted and forwarded to you for approval.

It displays like this in the notification e-mail:

The e-mail "Corporate Restructuring" has been intercepted and forwarded to you for approval.

Note the optional use of double-quotes to highlight the Subject reference in the notification e-mail.


%To%

This displays any recipients listed in the To: field of a forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail:

The attached e-mail has been forwarded to you for approval because it was addressed to %To%.

It displays like this in a notification e-mail:

The attached e-mail has been forwarded to you for approval because it was addressed to spencerrimmel@unipraxis.com.

%URL%

This displays the URL of the Web site that activated the trigger. For example, this message in the policy:

You are not authorized to browse %URL%

Displays like this in a notification message:

You are not authorized to browse http://www.unipraxis.com.

Note that query strings are excluded from the URL displayed in the message. This is the part of a URL containing the search parameters when submitting data to a dynamic Web site. For example, id=LogiCard is a query string in this URL: www.unipraxis.com/solutions.cgi?id=LogiCard. In the actual notification message, this URL will therefore be represented as: www.unipraxis.com/solutions.cgi?

User-defined variables, <fallguy> and <offlimits>

You define these variables in data lookup commands. For syntax details and advice on variable naming, see pages 280 to 281.

<fallguy> identifies the e-mail address of the recipient (or sender) for whom the data lookup command returned a True value and who, as a consequence, caused the control trigger to activate. For example, if an unauthorized recipient causes a control trigger to activate, you can set <fallguy> to, say, %interdicted.user%. That is, the address of each disqualifying recipient is written to %interdicted.user% for incorporation into a user notification message. For example, this message in the policy:

You are not permitted to send e-mails to: %interdicted.user%.

Displays like this in a notification message:

You are not permitted to send e-mails to: fschaeffer@unipraxis.com.

<offlimits> identifies the Address Book property or user attribute for which the data lookup command returned a True value and, as a consequence, caused the control trigger to activate. For example, if e-mails sent to members of certain teams (Equity Markets, Debt Markets or Securities Services) cause a control trigger to activate, you can set <offlimits> to, say, %taboo.team%. This means that for each disqualifying recipient, their team name is written to %taboo.team% for incorporation into a user notification message. For example, this message in the policy:

You are not permitted to send e-mails to members of these teams: %taboo.team%

Displays like this in a notification message:

You are not permitted to send e-mails to members of these teams: Equity Markets, Debt Markets, Securities Services.
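The following is an added example and not code from Orchestria APM or this guide. It shows how a message template using the variables on pages 253 to 257 is rendered for a control event: names are matched case-insensitively, several addresses are joined into a comma-separated list, %URL% loses its query string but keeps the trailing question mark, %CCN% is masked under Sensitive Information Handling, and %Default% expands to the From/To/Subject summary. The event dictionary and its keys stand in for what the agent knows about the event and are assumptions, as are the 'mask' and 'show' option labels and the choice to leave an undefined variable in place.

```python
"""Added example, not Orchestria code: rendering notification variables.
The event dict and its keys are assumptions standing in for the agent's
knowledge of the control event; variable names are the documented ones."""
import re

VAR_RE = re.compile(r"%([A-Za-z0-9_.]+)%")


def strip_query(url):
    """%URL% excludes the query string but keeps the '?' (page 257)."""
    base, sep, _query = url.partition("?")
    return base + sep


def mask_ccn(number, handling="mask"):
    """Sensitive Information Handling (page 140) applied to %CCN%. The
    setting's option names are not on this page: 'mask' and 'show' are
    assumed labels. Masking keeps the last four digits, as in the example."""
    if handling == "show":
        return number
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


def _join(value):
    """Several addresses display as a comma-separated list (page 254)."""
    if isinstance(value, (list, tuple)):
        return ", ".join(value)
    return str(value)


def render(template, event, handling="mask"):
    """Expand %Name% tokens in a Message To Users or notification e-mail text."""
    values = {k.lower(): v for k, v in event.items()}   # variables are not case-sensitive

    def expand(match):
        name = match.group(1).lower()
        if name == "default":
            # %Default%: summary of the forwarded e-mail (body text only)
            return ("The original mail message is:\n"
                    f"From: {_join(values.get('from', ''))}\n"
                    f"To: {_join(values.get('to', ''))}\n"
                    f"Subject: {_join(values.get('subject', ''))}")
        if name not in values:
            return match.group(0)   # assumption: not relevant for this event, leave as typed
        value = values[name]
        if name == "url":
            return strip_query(value)
        if name == "ccn":
            return mask_ccn(value, handling)
        return _join(value)

    return VAR_RE.sub(expand, template)
```

Calling render("You are not authorized to browse %url%", {"URL": "http://www.unipraxis.com/solutions.cgi?id=LogiCard"}) returns the message with the query string removed, matching the behaviour described for %URL% above.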


User definitions

User definitions, also known as replaceable strings, are variables that can be referenced by any settings in the current user policy that have a text value (for example, trigger names, address lists, search text lists, messages to users). For example, you can define a Disclaimer user definition and reference this as %Disclaimer% in any Trigger Name setting.

Set up a user definition

In the Administration console, expand the User Administration branch.

1 Select the user whose policy you want to edit and click the Edit Policy toolbar button, or right-click and choose Edit Policy.
2 In the User Policy Editor, browse to the System Settings folder.
3 In the Definitions policy folder, select the User Definitions setting and the User Definition you want to configure.
4 Enter a name for the user definition, such as Disclaimer.
  Note: This name is case sensitive and must not contain spaces or a percentage symbol (%).
5 Enter a value for the definition, such as: Unipraxis distributes this document for informational purposes only.
6 This user definition can now be referenced as a string value in any other policy trigger, for example, in a Message To Users setting: "Your e-mail attachment has been blocked as it is missing the mandatory corporate disclaimer: %Disclaimer%"

Note the following:

- If you inadvertently define multiple User Definitions with the same name, then any duplicate definitions are ignored and an error is written to the Activity log.
- User definitions can themselves contain variables specified by other user definitions. Ensure that you do not create circular references. For example, if User Definition 1 references User Definition 2, User Definition 2 must not reference User Definition 1.
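The following is an added example and not code from Orchestria APM or this guide. It expands user definitions the way the notes above describe: names are case-sensitive and may not contain spaces or %, duplicates are ignored with an error logged, definitions may reference other definitions, and a circular reference is rejected instead of looping. Which copy of a duplicate name is kept (here, the first) and the decision to leave undefined %names% untouched so that event variables such as %URL% survive for the agent are assumptions.

```python
"""Added example, not Orchestria code: User Definition expansion with
duplicate handling and circular-reference detection. The logger stands in
for the Activity log; first-definition-wins is an assumption."""
import logging
import re

log = logging.getLogger("activity")          # stands in for the Activity log
VAR_RE = re.compile(r"%([^%\s]+)%")          # names contain no spaces or %


def load_definitions(pairs):
    """pairs: [(name, value), ...] as entered under System Settings > Definitions.
    Invalid names are rejected; later duplicates are ignored and logged."""
    defs = {}
    for name, value in pairs:
        if " " in name or "%" in name or not name:
            raise ValueError(f"invalid user definition name: {name!r}")
        if name in defs:                     # case-sensitive comparison
            log.error("duplicate user definition %r ignored", name)
            continue
        defs[name] = value
    return defs


def expand(text, defs, _stack=()):
    """Replace %Name% with its definition, recursively, so definitions may
    reference each other. Undefined names are left as typed (assumption).
    Raises RecursionError on a circular reference such as A -> B -> A."""
    def sub(match):
        name = match.group(1)
        if name not in defs:
            return match.group(0)
        if name in _stack:
            chain = " -> ".join(_stack + (name,))
            raise RecursionError(f"circular user definition: {chain}")
        return expand(defs[name], defs, _stack + (name,))
    return VAR_RE.sub(sub, text)
```

With the Disclaimer definition from the procedure above, expand("... missing the mandatory corporate disclaimer: %Disclaimer%", defs) yields the full message, while %disclaimer% (different case) is left untouched, which is the easiest way to notice a case mismatch in a policy.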


Copying text from notification dialogs

When defining notification messages, you can configure them so that users can copy selected phrases directly into other documents. This is useful when an outgoing e-mail or attachment lacks an official disclaimer. You can configure a control trigger to display a notification dialog that includes the missing disclaimer. The user can then copy the disclaimer directly into their e-mail (or attachment) before resending it. You can also use this feature to control the content of files uploaded to a Web site.

To set up notification messages with selectable text:

1 In the user policy, expand the control trigger you want and select the Message To Users setting.
2 Double-click this setting or right-click and choose Properties.
3 In the Policy Setting Properties dialog, enter the notification message.
4 To tag words or phrases as selectable, add two __ characters (underscores) as delimiters before and after the relevant section of the message.
5 Make sure the control trigger is associated with a control action that displays a notification message. That is, make sure the Intervention setting in the control action is set to Block with notification, Warn, or Inform.
6 Save the policy changes.
7 When the control trigger activates, the resulting notification dialog contains a message with the tagged, selectable section shown in bold.
8 The user can now copy the text from the notification dialog directly into the original e-mail, attachment or file upload. The user can either drag and drop the message text directly, or they can copy and paste it.
  - Drag and drop: As soon as the user drags the message text, this cancels the notification dialog.
    Note: Drag and drop is not supported for e-mails in Lotus Notes.
  - Copy and paste: The user must right-click the bold text and choose Copy. They can then paste the text into their e-mail or other document before resending it (or resubmitting the file upload). But see the warning below.

Warning: For Inform and Warning dialogs, the user must click OK or Cancel to clear the notification dialog. If they click Continue, the e-mail is sent (or the file is uploaded) immediately, before they can paste in the copied text!

[Figure: Policy Setting Properties dialog, for the Message To Users setting. Two underscore characters before and after the specified section identify this part of the message as selectable. This text displays in bold in the notification dialog.]

[Figure: Example notification dialog. Users can copy specified text into an e-mail message or other document. They can drag and drop any bold text, or they can right-click it and choose Copy.]


Control trigger exemptions and refinements

Control triggers offer a highly effective and extremely flexible means of regulating Web and e-mail activity across your organization. But there will always be exceptions, special cases that need unique handling. For example, your organization may generally allow staff to send internal e-mails with attachments but not allow them to do so if the e-mail is sent to very large numbers of recipients. Or you may want to block all staff from submitting corporate credit card numbers to Web sites unless the site is extremely secure. Orchestria APM recognizes this problem and provides trigger settings to accommodate these exceptions. These settings allow you to exempt particular events from the normal trigger coverage or, conversely, refine the trigger to focus only on particular events. These settings fall into the following categories:

- Data Lookup
- Disable integration for specific e-mail triggers
- Unreadable uploaded files or e-mail attachments
- E-mails with digital signatures
- Encrypted e-mails

For each control trigger, you can also specify minimum retention periods. These determine how long control events are excluded from database purges (see Selective trigger-based purging on page 262).

Data Lookup

Data Lookup settings provide highly flexible extensions to e-mail capture and control triggers. These settings enable control triggers to selectively detect or exempt e-mails based on: the attributes of an Orchestria APM recipient or sender; the Outlook Address Book properties of the recipients or the sender; or the potential impact on network traffic. For maximum flexibility, Data Lookup settings take the form of user-defined commands. For full details about the required command syntax, plus extensive examples, see chapter 11, Data lookup.

Disable integration for specific e-mail triggers

For each control trigger in any user or group policy, you can disable Orchestria APM integration with specific e-mail applications or import sources. In effect, Orchestria APM disables that trigger when it detects e-mails sent or opened using the specified application or imported from the specified source. Integration can be disabled for any e-mail control trigger. To disable integration for a specific trigger:

1 Open the User Policy Editor and locate the e-mail control trigger that you want to change.
2 Edit the Which E-mail Sources? setting and choose which sources to target, for example, Microsoft Outlook.

Note: You can also:

- Disable e-mail integration completely, or for individual capture triggers. See page 210.
- Disable e-mail integration when you install Orchestria APM, or specify that integration is disabled automatically if the Orchestria APM infrastructure fails to start. For details, see page 76.

Example

You may want to set up control triggers to disregard unauthorized e-mails when imported from an archive file, but to block these e-mails when they transit through your Exchange server. To do this:

1 Specify the Exchange control trigger: Set up a control trigger to block unauthorized e-mails transiting through your Exchange server.
  1.1 In the User Policy Editor, locate the e-mail control trigger that you want to use.
  1.2 Edit the Which E-mail Sources? setting and select only the Microsoft Exchange Server (Mailbox) option. This ensures that the trigger ignores other e-mail applications and imported e-mails.
  1.3 Set any other trigger settings as required. For example, configure the trigger to only activate when it detects e-mails sent to members of the Research department.
  1.4 Set up a control action to block and, if required, capture these e-mails.
2 Specify a capture trigger for imported e-mails: Set up a capture trigger to capture all e-mails imported from, say, PST files.
  2.1 In the User Policy Editor, locate the e-mail capture trigger that you want to use.
  2.2 Edit the Which E-mail Sources? setting and select only the Archive File Importers option.
  2.3 Set up other trigger settings to ensure that all imported e-mails are captured.
3 Save the policy.

The same policy can now be used to block unauthorized e-mails as they transit through your Exchange server, and to capture such e-mails when imported from archive files but without generating an associated blocking event.

Unreadable uploaded/imported files or e-mail attachments

You can configure File Upload, File, or Attachment control triggers to always activate if they detect an unreadable file being uploaded to a Web site, an unreadable imported file, or an unreadable e-mail attachment. Such files are typically unreadable because they have been encrypted or password-protected. For example, you can set up an Attachments trigger to always display a warning if Orchestria APM detects an encrypted e-mail attachment.

Set up trigger activation if a file is unreadable

1 Open the User Policy Editor and locate the File Upload, Data At Rest, or Attachment control trigger.
2 Display the trigger settings.
3 Set the Activate Trigger if Text Content Unreadable? setting to True.
4 To configure the trigger more precisely, you can also set the Conditions for Unreadable Text Content setting. This setting is ignored if the Activate Trigger if Text Content Unreadable? setting is set to False. If this is set to:
  - All conditions: The trigger activates under all of the conditions listed below (that is, whenever any of them applies).
  - Failure on retrieval or analysis: The trigger activates if Orchestria APM cannot access the attachment (for example, because the Exchange Server is unavailable), or cannot extract the text from the file or attached document for analysis.
  - Failure on retrieval only: The trigger activates only if Orchestria APM cannot access the file or attachment.
  - Document is protected/encrypted: The trigger activates only if the attachment is protected or encrypted.

Note: Similar settings are available for File Upload and Attachment capture triggers and transaction triggers.

Digital signatures

If required, you can block or warn against sending e-mails if they do not have a digital signature, but exempt e-mails if they are digitally signed. Alternatively, you can set the trigger to detect signed e-mails but exempt unsigned e-mails. Digital signature exemptions are available for all incoming and outgoing e-mail control triggers. To set up digital signature exemptions:

1 Open the User Policy Editor and locate the e-mail control trigger that you want to change. This can be an incoming or outgoing e-mail trigger.
2 Display the trigger settings.
3 Edit the Digital Signature Filter setting and choose whether to target signed e-mails only or unsigned e-mails only.

Note: You can also exempt digitally signed e-mails from Capture and Transaction triggers.


Encryption

Exempting secure Web sites

If required, you can block or warn against access to insecure Web sites but exempt secure Web sites so they do not trigger blockings or warnings. To do this, you specify a minimum keystrength for the encryption algorithms used by secure Web sites. This means that the control trigger activates only if the Web site uses a keystrength that is lower than the minimum value specified by the control trigger. Encryption exemptions are available for all Web control triggers. To set up keystrength exemptions:

1 Open the User Policy Editor and locate the Web page control trigger that you want to change.
2 Display the trigger settings.
3 Edit the Keystrength Exemptions setting and choose a minimum keystrength. But note the browser requirements on page 234.

Targeting or exempting encrypted e-mails

If required, you can block or warn against sending e-mails if they are not encrypted, but exempt e-mails that are encrypted. Alternatively, you can set the trigger to detect encrypted e-mails but exempt non-encrypted e-mails. Encryption exemptions are available for all incoming and outgoing e-mail control triggers. To set up encryption exemptions:

1 Open the User Policy Editor and locate the e-mail control trigger that you want to change. This can be an incoming or outgoing e-mail trigger.
2 Display the trigger settings.
3 Edit the Encryption Filter setting and choose whether to target encrypted e-mails only or non-encrypted e-mails only.

Note: You can also exempt encrypted e-mails from Capture and Transaction triggers.

Selective trigger-based purging

Each Control trigger has two Minimum Retention settings. The first refers to authorized activity (disregarded warnings, plus inform, notify and silent events). The second refers to prohibited activity (that is, blockings and heeded warnings). In both cases, the retention period determines how long the respective events are retained in the local database before they are eligible for purging. For example, you may want to retain blocked events captured by a Web page URL trigger for one day only, but permanently retain disregarded warnings captured by an e-mail Document Classifier trigger. For details on setting up trigger-based purging, see page 82.

Be aware also that minimum retention periods defined in a Control trigger override the default retention period for the local machine (defined in the machine policy, see page 81). For example, if the machine policy specifies a seven day retention period but a URL control trigger specifies a one day retention period, control events generated by the URL trigger are retained in the local database for one day only before being earmarked for inclusion in the next database purge.

Note: In the Data Management console, users with appropriate administrative privileges can:

- Search for control events whose retention period expires on a particular date (the Expiry Date search filter). See the Data Management console online help; search the index for 'expiry date'.
- Override the expiry date of the retention period in the Audit tab. See either the iConsole user guide or the Data Management Console guide; search the index for 'expiry date, changing' and 'expiry date, resetting in Audit tab' respectively.

Chapter 10 Controlling user activity

263

Integration with e-mail servers


Orchestria APM can integrate with Microsoft Outlook and Exchange, and with Lotus Notes and Domino. This e-mail integration is achieved through Orchestria APM agents:

` Outlook and Notes client agents run on client machines, that is, the end-users' workstations. Each client agent monitors incoming and outgoing e-mails on a single workstation.

` Exchange and Domino server agents run on an e-mail server (that is, an Exchange Server or Lotus Domino host computer) and monitor all e-mail activity transiting through the e-mail server.

The main advantage of the Exchange and Domino server agents over the Outlook and Notes client agents is that they enable Orchestria APM to track corporate e-mail activity that would otherwise be missed. However, there are other important differences between the server agents and the client agents. These differences affect control triggers for outgoing e-mails. In particular, they affect how Orchestria APM interacts with the sender when a control trigger activates.

How the Exchange or Domino server agent affects the Intervention setting in a control action is described on page 264. Automatic notification e-mails generated by the server agent are described on page 265. Interactive warning e-mails generated by the server agent are described on page 266.

Fewer intervention options for the server agents

A crucial difference between the e-mail client agents and server agents is that the available control interventions are slightly more limited when Orchestria APM monitors e-mails on Exchange Server or Domino. Specifically, Orchestria APM can intervene by blocking an e-mail and sending a notification message to the sender, but it cannot display warning or inform dialogs that require user interaction (unlike e-mail integration based on the client agents). It can, however, deliver a warning e-mail to the sender.

Monitoring e-mail activity that would be missed by client agents

The main purpose of the Exchange and Domino server agents is to enable Orchestria APM to monitor and control corporate e-mail activity that would otherwise be missed by client agents alone. This includes e-mails sent using BlackBerry handhelds, Microsoft Office Outlook Web Access or Notes Web Clients. In such cases, outgoing e-mails do not pass through Microsoft Outlook or Notes, are not monitored by Outlook or Notes client agents and are not captured on Orchestria APM client machines.

Outgoing e-mail triggers only on Exchange Server and Domino

When Orchestria APM intercepts e-mails in Exchange Server or Domino, it only applies triggers from the sender's perspective. That is, each e-mail can only activate triggers for outgoing e-mails. This approach avoids unnecessary duplication of analysis and processing. When analyzing e-mails, the Exchange or Domino server agent compares the e-mail against triggers defined in the sender's policy or, if the sender is not a recognized Orchestria APM user, in the policies for the Unknown Internal Sender or External Sender (see page 149). This contrasts with e-mail integration based on client agents, where Orchestria APM can apply either incoming e-mail triggers or outgoing e-mail triggers, depending on whether the user is the sender or recipient of the e-mail.

264

Orchestria Active Policy Management Administrator guide

Intervention options and e-mail server agents


When Orchestria APM detects an e-mail in Exchange Server or Domino Server that activates a control trigger, the e-mail server sends a warning e-mail to the sender. Nevertheless, the sender's policy permits the full range of options for the Intervention setting (see page 220). The consequences of each Intervention option when invoked by e-mails in Exchange Server or Domino Server are shown below.

Intervention option: Orchestria APM does this

Block quietly: This option is not available for outgoing e-mail control triggers.

Block with Notification: Blocks the e-mail. Sends a notification to the sender, including the original e-mail as an attachment. See the next section for details about automatic notifications.

Quarantine quietly: Marks the e-mail for quarantine. The sender is unaware that the e-mail has not been sent.

Quarantine with notification: Marks the e-mail for quarantine and notifies the sender. See the next page for details about automatic notifications.

Warn, Warn (but ... personal): Allows the e-mail to be delivered. Sends a notification to the sender. The original e-mail is not included. For details about automatic notifications, see page 265.

Inform: Allows the e-mail to be delivered. Sends a notification to the sender. The original e-mail is not included. See the next section for details about automatic notifications.

Categorize...: Automatically assigns a category to the e-mail. For details about e-mail categorization, see page 154.

None: Allows the e-mail to be delivered.

Notify: This option is not available for outgoing e-mail control triggers.

With interactive warnings enabled:

Warn, Warn (but ... personal), Inform: Retains the e-mail and sends a warning to the sender, enabling them to allow or disallow the e-mail. The e-mail is not sent unless the user actively allows it by responding to the warning. For details about interactive warnings, see page 266. The sender cannot designate the e-mail as Personal; see page 231.


Automatic notifications and e-mail server agents


This section describes notification e-mails for Domino and Exchange. You can specify a global sender for notification e-mails, and you can also define the subject and body text. If Orchestria APM intercepts an e-mail transiting through:

` Domino, and the e-mail generates a blocking, warning, or inform event, Orchestria APM sends a notification e-mail to the sender. This is also the case for intercepted e-mails that have generated blocking events when using Exchange Server.

` Exchange, and the e-mail generates a warning or inform event, Orchestria APM can automatically send a notification or interactive warning e-mail to the sender, depending on how it is configured. For details on interactive warning e-mails, see page 266.

i Interactive warning e-mails are currently only supported for use with Exchange Server.

Subject text
You can define the subject for a notification e-mail in the sender's policy. To do this, you edit settings in the System Settings/User Notifications folder:

Blockings: For blocked e-mails, you define the subject text in the Dialog Title - Blockings setting.
Warnings: For e-mails that generate warnings, you define the subject text in the Dialog Title - Warnings setting.
Inform: For e-mails that generate inform events, you define the subject text in the Dialog Title - Inform and Notify Events setting.

Body text
You can define the body text for a notification e-mail in the sender's policy. To do this, you edit the Message to Users setting in the relevant control trigger. For example, if an e-mail is blocked when the Search Text 1 trigger activates, the notification e-mail includes this trigger's Message to Users setting as its body text. This means that for each outgoing e-mail control trigger in a sender's policy, the Message to Users text must reflect the Intervention option specified in the associated control action. For example:

Your e-mail has been blocked. It refers to %Keystring% and such references violate corporate guidelines. Please contact the Compliance Officer for further details.

Global sender
When a user receives a notification e-mail from Orchestria APM, the From: field indicates the sender of the notification e-mail. However, the sender's identity is configurable. For example, you can specify that the From: field in notification e-mails is always set to ComplianceTeam@Unipraxis.com. To define a global sender, you must edit the registry on the machine hosting the Exchange Server or Domino server agent. Specifically, you need to add the NotificationFromAddress registry value; see the Deployment guide for details.


Interactive warning e-mails and Exchange Server


i Interactive warning messages are currently only supported for the Exchange server agent.

If Orchestria APM intercepts an e-mail transiting through Exchange Server and the e-mail generates a warning or inform event, Orchestria APM can automatically send a notification or interactive warning e-mail to the sender. If the sender replies to this warning promptly (that is, before the warning timeout expires), then their e-mail is released and sent on to its intended recipients. Note that the sender does not need to add any comment or other text to their reply; clicking the Reply button is sufficient to release their e-mail if they still want it to be delivered. If they do not reply (or reply too late), then Orchestria APM deems that they have heeded the warning and the e-mail is not sent. For details, see the next section.

Interactive warnings and follow-up messages

The sender of an e-mail can receive a warning message and, possibly, a follow-up Unmatched response message from the Exchange server agent. The text in these automated messages (including the subject of the unmatched response message) is configurable, using template text files; see page 267.

Warning message: This is the first message the user receives. It is sent automatically when the Exchange server intercepts an e-mail which has generated a warning or inform event. By default, the message has the user's original e-mail attached and states that it has triggered one or more warnings. It lists the warnings and advises the sender that if they want the e-mail to be sent, they must reply to the warning message.

Unmatched response message: This message is automatically sent when the user does reply to the warning message, but the original e-mail is no longer on the Exchange server. In this situation, the user's reply cannot be matched to the original e-mail and so the e-mail cannot be released and sent. Replies are matched to their corresponding e-mails by a unique ID in the Subject.

Figure: Example interactive warning message. This example is based on the default template for warning messages; see page 267. The sender of the original e-mail must reply to this warning if they still want the e-mail to be delivered. 1 Reply button. 2 Text generated by insertion variables.


Message template files

The template text files for the warning and unmatched response messages can be in ANSI, UTF-8, Unicode, or HTML format and can also include insertion variables. Default template files, WarningTemplate.txt and UnmatchedResponseTemplate.txt, are installed with the Exchange server agent into the following folder on the machine hosting the server agent: \Program Files\Orchestria\Active Policy Management\Client. The default warning message template is shown below. To overwrite or amend the default message templates, you need to edit the registry on your Exchange server. For details, see the Deployment guide; search the index for interactive warnings, Exchange Server.

Figure: Default template for warning messages. 1 Insertion text variables; see the next section. An example warning e-mail generated by this template is shown on page 266.

Template insertion variables

Certain insertion variables can be used directly in the registry value used to set the unmatched response message title. A complete list of supported variables is given below.

%subject%

Warning message template: The variable is replaced by the subject of the original e-mail. Unmatched response message template: The variable is replaced by the subject of the user's reply to the warning message.

i This variable can be typed directly into the UnmatchedResponseTitle registry value.

%maildatetime%

Warning message template: The variable is replaced by the date and time of the original e-mail, relative to the time zone of the host server. Unmatched response message template: The variable is replaced by the date and time of the user's reply to the warning message, relative to the time zone of the host server. The date and time is displayed in RFC 2822 format. For example, if the template file contains this text:

Your e-mail on %maildatetime% appears to breach corporate guidelines.

It displays like this in the warning:

Your e-mail on Fri, 12 May 2006 16:22:10 +0100 appears to breach corporate guidelines.

Here, +0100 indicates that the time given is one hour ahead of UTC, in other words, BST. -0400 would indicate EDT (Eastern Daylight Time), four hours behind UTC and effectively 5 hours behind BST.


%formattedwarningtext1%

Warning message: The variable is replaced by details of the warnings (or inform events) triggered by the e-mail. For each trigger that activates, this variable returns two text items, a title and a message:

` The title derives from the Dialog Title - Warnings setting in the \User Notifications policy folder (or for Inform events, the Dialog Title - Inform and Notify Events setting).
` The message is based on the Message To Users setting, included in each policy trigger.

If the sender's e-mail causes multiple triggers to activate, the %formattedwarningtext1% variable writes to the warning e-mail a title and message pair for each trigger, with each pair separated by a blank line:

<Warning dialog title 1>
<Trigger 1 message>
<Blank line>
<Warning dialog title 2>
<Trigger 2 message>

For example, if two triggers activate, the following text could be written to the warning e-mail:

Orchestria Advisory
You are not permitted to send e-mails to these teams: Equity Markets, Debt Markets.

Orchestria Advisory
This e-mail refers to Project Alpha. Such references are normally prohibited in corporate correspondence.

i This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle registry value.

%formattedwarningtext2%

Warning message: The variable is replaced by the details of the warnings (or inform events) triggered by the e-mail. For each trigger that activates, this variable returns a message, based on the Message To Users setting, included in each policy trigger. If the sender's e-mail causes multiple triggers to activate, the %formattedwarningtext2% variable writes to the warning e-mail a message for each trigger, separated by a blank line:

<warning #1 message>
<blank line>
<warning #2 message>

i This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle registry value.

%to%

Warning message template: The variable is replaced by the address(es) in the To field of the original e-mail. For example, if the template file contains:

Your e-mail to %to% breaches corporate rules.

It displays like this in the warning:

Your e-mail to srimmel@unipraxis.com breaches corporate rules.

i This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle registry value.

%cc%

Warning message: The variable is replaced by the address(es) in the Cc field of the original e-mail.

i This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle registry value.
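The Python script below is an added example, not Orchestria's own code, that implements the expansion rules described for these insertion variables: %subject% and %maildatetime% (RFC 2822, in the host server's time zone) are valid in both templates, while the warning-only variables are rejected when rendering the unmatched response template. The Mail and Warning classes, the "; " separator for several addresses and the handling of unknown tokens are assumptions.

```python
"""Expansion of the Exchange server agent's template insertion variables.
Added example, not Orchestria code; the data classes and the address
separator are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime


@dataclass
class Mail:
    """The original e-mail (warning template) or the user's reply (unmatched template)."""
    subject: str
    sent: datetime                       # timezone-aware
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)


@dataclass
class Warning:
    """One activated trigger: its dialog title and its Message To Users text."""
    dialog_title: str
    message_to_users: str


# Variables that have no value in the unmatched response template.
WARNING_ONLY = {"formattedwarningtext1", "formattedwarningtext2", "to", "cc"}
VARIABLE = re.compile(r"%([A-Za-z0-9]+)%")
BST = timezone(timedelta(hours=1))       # +0100
EDT = timezone(timedelta(hours=-4))      # -0400


def formatted_warning_text1(warnings):
    """Title and message pair per trigger, pairs separated by a blank line."""
    return "\n\n".join(f"{w.dialog_title}\n{w.message_to_users}" for w in warnings)


def formatted_warning_text2(warnings):
    """Message To Users text per trigger, separated by a blank line."""
    return "\n\n".join(w.message_to_users for w in warnings)


def render(template, mail, warnings=(), *, unmatched=False, host_tz=timezone.utc):
    """Return template with its %variables% expanded.

    For the warning template, mail is the original e-mail; for the unmatched
    response template it is the user's reply and the warning-only variables
    raise ValueError. Unknown tokens are left as they are (assumption).
    """
    values = {
        "subject": mail.subject,
        # RFC 2822 date/time relative to the host server's time zone
        "maildatetime": format_datetime(mail.sent.astimezone(host_tz)),
    }
    if not unmatched:
        values.update({
            "formattedwarningtext1": formatted_warning_text1(warnings),
            "formattedwarningtext2": formatted_warning_text2(warnings),
            "to": "; ".join(mail.to),    # separator for several addresses: assumption
            "cc": "; ".join(mail.cc),
        })

    def expand(match):
        name = match.group(1).lower()
        if unmatched and name in WARNING_ONLY:
            raise ValueError(f"%{name}% is not valid in the unmatched response template")
        return values.get(name, match.group(0))

    return VARIABLE.sub(expand, template)


def example_mail():
    """Constructed sample e-mail, sent at 16:22:10 BST on 12 May 2006."""
    return Mail("Q2 forecast", datetime(2006, 5, 12, 16, 22, 10, tzinfo=BST),
                to=["srimmel@unipraxis.com"], cc=["akhan@unipraxis.com"])


def example_warnings():
    """Constructed sample of two activated triggers, using the guide's wording."""
    return [
        Warning("Orchestria Advisory",
                "You are not permitted to send e-mails to these teams: Equity Markets, Debt Markets."),
        Warning("Orchestria Advisory",
                "This e-mail refers to Project Alpha. Such references are normally "
                "prohibited in corporate correspondence."),
    ]


if __name__ == "__main__":
    template = ("Your e-mail on %maildatetime% to %to% (cc %cc%) triggered the following:\n\n"
                "%formattedwarningtext1%\n\nReply to this message to release it.")
    print(render(template, example_mail(), example_warnings(), host_tz=BST))
```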


Maximum number of pending warnings


To prevent a backlog of e-mails awaiting a warning reply from accumulating in the Compliance Release mailbox on the Exchange server, Orchestria APM sets a maximum limit on the number of warnings pending. To configure this limit, you need to edit the registry on the machine hosting the Exchange server agent. When the maximum number of pending warnings is reached, the oldest warning is automatically heeded, enabling another pending warning to be held.

Autoheed warning timeout

For each warning message, Orchestria APM sets a timeout. If no reply to the warning is received before the timeout expires, the warning is deemed to have been heeded by the sender. That is, the e-mail is not delivered to its intended recipients and is saved as a heeded warning event on the CMS. To configure this timeout, you need to edit the registry on the machine hosting the Exchange server agent. For details, see the Deployment guide; search the index for interactive warnings, Exchange Server.

i This timeout defaults to 4 hours. We recommend you keep it reasonably short to reduce the risk of policy changing during this time.

i The autoheed warning timeout can expire prematurely if the maximum number of pending warnings is reached; see the previous section.

Policy checks
E-mails that generate warnings are subject to two policy checks. The first occurs when the e-mail is originally sent: this policy check triggers the warning message. The second occurs immediately before the Exchange server agent resumes processing the e-mail (either because the user has replied to the warning message, or because the Auto Heed warning timeout has expired). Normally, the policy engine detects that policy has not changed between the two checks. If the user:

` Replied to the warning message (that is, the user disregarded the warning), the original e-mail is sent.
` Did not reply to the warning message (that is, the user heeded the warning), the original e-mail is deleted unsent.

Sometimes however, the policy engine may detect that policy has changed. If this is the case and the user:

` Replied to the warning message (that is, the user disregarded the warning), the original e-mail is checked against the new policy. If the e-mail violates the new policy, the sender receives a new interactive warning message. If the e-mail does not violate the new policy, it is sent.
` Did not reply to the warning message (that is, the user heeded the warning), the original e-mail is deleted unsent.
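The Python model below is an added example, not Orchestria code, of the pending-warning handling described in these sections: release on a reply matched by the unique ID in the Subject, an unmatched response when the original is no longer held, autoheed when the timeout expires, heeding the oldest warning when the maximum is reached, and the second policy check on reply. The [APM-n] Subject marker, the 100-warning cap and the still_violates callback are assumptions; only the 4-hour default timeout comes from the guide.

```python
"""Model of the Exchange server agent's pending-warning handling: matching a
reply by the unique ID in the Subject, the autoheed timeout, the maximum
number of pending warnings and the second policy check on reply. Added
example, not Orchestria code; the [APM-n] marker and the 100-warning cap
are assumptions, the 4-hour default timeout is from the guide."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import count

T0 = datetime(2006, 5, 12, 16, 22, 10)   # constructed reference time for the demo


def hours(n):
    return timedelta(hours=n)


@dataclass
class Held:
    email: dict            # the original e-mail, held in the Compliance Release mailbox
    issued: datetime       # when the warning message was sent
    policy_version: int    # policy in force at the first policy check


class ComplianceRelease:
    ID_RE = re.compile(r"\[APM-(\d+)\]")   # assumed format of the unique ID

    def __init__(self, still_violates, timeout=hours(4), max_pending=100):
        self.still_violates = still_violates   # callable(email, policy_version) -> bool
        self.timeout, self.max_pending = timeout, max_pending
        self.pending = {}                      # dict keeps insertion (age) order
        self.heeded, self.released = [], []
        self.policy_version = 1
        self._ids = count(1)

    def _heed(self, wid):
        """Heeded warning: the e-mail is deleted unsent and recorded as heeded."""
        self.heeded.append(self.pending.pop(wid).email)

    def expire(self, now):
        """Autoheed every warning whose timeout has passed."""
        for wid, held in list(self.pending.items()):
            if now - held.issued >= self.timeout:
                self._heed(wid)

    def warn(self, email, now):
        """First policy check fired: hold the e-mail and return the warning Subject."""
        self.expire(now)
        if len(self.pending) >= self.max_pending:
            self._heed(next(iter(self.pending)))   # the oldest pending warning is heeded
        wid = str(next(self._ids))
        self.pending[wid] = Held(email, now, self.policy_version)
        return f"[APM-{wid}] '{email['subject']}' has triggered one or more warnings"

    def reply(self, reply_subject, now):
        """The user replied (disregarded the warning): run the second policy check."""
        self.expire(now)
        m = self.ID_RE.search(reply_subject)
        if not m or m.group(1) not in self.pending:
            return "unmatched response"        # original no longer on the server
        held = self.pending.pop(m.group(1))
        if (held.policy_version != self.policy_version
                and self.still_violates(held.email, self.policy_version)):
            self.warn(held.email, now)         # policy changed: send a new warning
            return "rewarned"
        self.released.append(held.email)       # sent on to its recipients
        return "released"


if __name__ == "__main__":
    cr = ComplianceRelease(lambda e, v: "alpha" in e["subject"].lower())
    subject = cr.warn({"subject": "Project Alpha"}, T0)
    print(subject)
    print("reply after 1h:", cr.reply("RE: " + subject, T0 + hours(1)))
    print("reply after 5h:", cr.reply("RE: " + subject, T0 + hours(5)))
```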


11. Data lookup

This chapter introduces data lookup commands. Data Lookup settings provide highly flexible extensions to e-mail and Data At Rest capture and control triggers. These settings can incorporate data lookup commands to exempt particular e-mail or file events from the normal trigger coverage or, conversely, to refine the trigger to focus only on particular types of e-mail or file. This chapter provides an overview of data lookup True-False tests and describes how to add data lookup commands to these triggers. It also provides full details for all the available variables and syntax elements in a data lookup command, including various example commands. In particular, see:

` Lookup command syntax, on pages 274 to 275.
` Available lookup command variables, on pages 277 to 287.
` Advanced data lookup commands, on page 291.
` User Attribute lookup examples, on page 297.
` Address Book lookup examples, on page 298.
` Message Attribute lookup examples, on page 299.
` XML Attribute lookup examples, on page 300.

Figure: Data lookup commands, e-mail example. A user sends an e-mail (1). Orchestria APM detects the e-mail and invokes a data lookup command in the user's policy (2). This can be a User Attribute lookup (3), Address Book lookup (4) or a Message Attribute lookup (5). If the lookup command evaluates to False (6), the trigger does not activate; if it evaluates to True (7), the trigger activates and a capture or control action is invoked (for example, a blocking).


Overview
Orchestria APM supports three types of data lookup:

User Attribute lookup: E-mail triggers can selectively detect (or exempt) e-mails based on the account attributes of the Orchestria APM sender or recipients. These are the customized user attributes defined for your organization (see page 51). For example, if you created a Department attribute for your organization, you could modify control triggers to warn against e-mails sent to Orchestria APM users who belong to specific departments. For an overview of the syntax, see page 274.

Address Book lookup: E-mail triggers can selectively detect (or exempt) internal e-mails based on Outlook Address Book properties of the recipients or the sender. For example, they can block e-mails sent to users in a particular office. Or they can exempt e-mails from being blocked if a manager is included in the recipients. For an overview of the syntax, see page 275.

Message Attribute lookup: These lookups provide access to information contained in an e-mail that is not accessible through any other trigger test. They enable e-mail triggers to assess each message for its potential impact on network traffic. For example, they can block e-mails if the number of recipients is excessive or if the e-mail is too big. For an overview of the syntax, see page 275.

i Message Attribute lookup exemptions are not appropriate for Sender incoming e-mail triggers.

XML Attribute lookup: These lookups enable policy triggers to test targeted events for metadata attributes (this metadata is stored in XML format). For example, file metadata includes details about the file creation and modified dates, the file name and path, its title and author. The full range of available metadata varies according to the file type. For an overview of the syntax, see page 276; for an example of XML metadata, see page 302.

Data Lookup commands and True-False tests

A Data Lookup command is an individual setting within an e-mail trigger. The command itself specifies one or more tests. Each test is a True or False statement that relates to an e-mail characteristic. For example, a Data Lookup command may test whether any of the e-mail recipients belong to a particular department. Or it may test whether an e-mail is larger than, say, 50KB. A Data Lookup command for this test is shown below:

msgattr WHERE msgsizekb > 50

If the test returns a True value, the Data Lookup command causes the e-mail trigger to activate. If you define a command with multiple tests, you can specify whether any or all of the test results must be True in order to activate the trigger. For example, you can define a Message Attribute lookup command that activates a control trigger if the total message impact (the message size multiplied by the number of recipients) exceeds, say, 1MB. If this returns a True value, the trigger activates to block the e-mail or warn the user against sending it. Likewise, you can define an Address Book lookup command that activates a control trigger if the test for any e-mail recipient returns a True value. For example, you may want to prevent certain users sending e-mails to members of the Sales department. Here, for each targeted e-mail, recipient tests return a False value if a recipient is not in Sales. If Orchestria APM detects any recipient who is in the Sales department, the Data Lookup test for that recipient returns a True value and the control trigger activates to block the e-mail.

Chapter 11 Data lookup

273

Adding Data Lookup commands to e-mail triggers

You define Data Lookup commands in the Data Lookup Command setting of an e-mail capture or control trigger.

1 Open the User Policy Editor and locate the e-mail trigger that you want to change.
2 Display the trigger settings.
3 Edit the Data Lookup Command setting.
4 Type a command to exempt or target specific types of e-mail. You can define simple or complex lookup commands, or combine multiple commands to target internal e-mails that meet a precise set of conditions. Command syntax details are given as follows:
` User Attribute lookup: See page 274.
` Address Book lookup: See page 275.
` Message Attribute lookup: See page 275.
` File Attribute lookup: See page 276.
5 Edit the Data Lookup Failure Mode setting. If the Data Lookup command cannot run, this setting determines whether or not the trigger activates. Choose an action from the list of available options. For example, choose Fire trigger to specify that the trigger always activates if the Data Lookup command fails to run. Or you can choose Block Event. This simply blocks the e-mail with an advisory dialog. If you block the e-mail, you can configure the title and message in the advisory dialog; find the relevant settings in the System Settings > User Notifications policy folder.

i Data Lookup commands can fail to run if, for example, there is a syntax error or the computer is not connected to the network so Address Book details cannot be extracted from the Microsoft Exchange server. This last reason particularly affects laptop users.

About Data Lookup Failure Mode

The Data Lookup Failure Mode setting determines how to handle e-mails if the Data Lookup command cannot run. This can happen if, for example, there is a syntax error or the computer cannot connect to the Microsoft Exchange server to extract Address Book details. This last reason particularly affects laptop users. If an e-mail meets all the trigger criteria but the Data Lookup command cannot run, you can set the lookup failure mode to:

` Fire trigger: The trigger always activates.
` Do not fire trigger: Orchestria APM ignores the e-mail and the trigger does not activate.
` Block event (client only): Only available for outgoing e-mails. This option varies, depending on whether an Orchestria APM client agent or server agent is processing the e-mail. If a:
  ` Client agent is processing the e-mail, Orchestria APM always blocks the e-mail with an accompanying notification message. This message is defined by the Terminate E-mail Processing settings. Find these settings in the System Settings > User Notifications folder.
  ` Server agent is processing the e-mail, Orchestria APM always activates the trigger. Note that the range of available control interventions is more limited for Orchestria APM server agents. See page 264.


User Attribute lookup syntax and configuration

User Attribute lookup can detect e-mails sent to or from Orchestria APM users with specific account attributes.

i It is also possible to detect e-mails sent to or from non-Orchestria APM users by the absence of a specific user attribute.

Syntax summaries and brief examples are given below. Full syntax details for the various command elements start on page 277. Examples of more complex User Attribute lookup commands start on page 297.

Simple commands
These commands test a simple True or False statement relating to a single user attribute of the e-mail recipients or sender. For example, if a Team attribute has been created for your organization, you can define a command to test whether any e-mail recipients are members of a specific team. The syntax is:

userattr WITH <who> [labeled <fallguy>] WHERE <uservar> [labeled <offlimits>] <stringoperator> <text>

The simple example below detects all outgoing e-mails where any of the recipients are members of the equity markets team:

userattr WITH any %recipient% WHERE Team IS "Equity Markets"

Complex commands
More complex commands can include AND, OR and NOT operators to combine multiple True or False tests. For example, if Team and Rank attributes have been created for your organization, you can define a command to test whether an e-mail's recipients include a senior manager in the equity markets team. For full details and examples, see page 291.

Configure lookup time-outs

You can also specify time-outs for lookup commands in the user policy. These prevent e-mails being delayed unnecessarily if it is taking too long to retrieve the attribute details from the parent server. These time-outs are defined in the System Settings policy folder; see page 141.

E-mail address mapping

Before Orchestria APM can evaluate e-mail triggers based on User Attribute lookup commands, it must map the recipients of an outgoing e-mail (or the sender of an incoming e-mail) onto Orchestria APM users. It can then evaluate the lookup command, comparing the attributes of the recipients (or the sender of an incoming e-mail) against the test criteria. If the lookup command is unable to map a recipient onto an existing Orchestria APM user, the command typically evaluates to False so the trigger does not activate. For details about e-mail address mapping, see the Deployment guide; search the index for e-mail address mapping.


Address Book lookup syntax

Address Book lookup can detect e-mails with specific sender or recipient characteristics sent internally within an organization. It can only detect e-mails sent to or from addresses in the Global Address List. Syntax summaries and brief examples are given below. Full syntax details for the various command elements start on page 277. Examples of more complex Address Book lookup commands start on page 298.

Simple commands
These commands test a simple True or False statement relating to a single Outlook Address Book property of the e-mail recipients or sender. For example, a command may test whether any e-mail recipients are members of specific e-mail distribution lists. The syntax is:

mapi WITH <who> [labeled <fallguy>] WHERE <uservar> [labeled <offlimits>] <stringoperator> <text>

The simple example below detects all outgoing e-mails where any of the recipients belong to the Sales or Marketing departments:

mapi WITH any %recipient% WHERE Department IS ANY {"Sales","Marketing"}

Complex commands
More complex commands can include AND, OR and NOT operators to combine multiple True or False tests. For example, a command may test whether any e-mail recipients work in the London office and are in the Sales department. For full details and examples, see page 291.

Message Attribute lookup syntax

Message Attribute lookup can be used to access information contained in a message that is not accessible through any other trigger. For example, the number of particular recipient types; their e-mail addresses and display names; and the size of the message including attachments. It can also detect e-mails based on their potential impact on network traffic. (Message impact tests are primarily used to detect outgoing e-mails. There is little point using them to detect incoming e-mails.) Syntax summaries and brief examples are given below. Full syntax details for the various command elements are given in the next section. Examples of more complex Message Attribute lookup commands start on page 299.

Simple commands
These commands test a simple True or False statement relating to a message attribute. For example, a command may test whether the number of recipients exceeds the maximum permitted, or whether the total message impact (the message size multiplied by the number of recipients) exceeds a maximum threshold. The syntax is:

msgattr WHERE <msgvar> <numericoperator> <msgvalue>

The simple example below detects all outgoing e-mails where the total message impact exceeds 1MB:

msgattr WHERE msgimpactkb > 1000

Complex commands
You can also combine multiple commands using AND, OR and NOT operators. For example, you can combine two commands to test, first, whether an individual message exceeds a maximum size and, second, whether it is addressed to, say, more than ten recipients. For full details and examples, see page 291.

276

Orchestria Active Policy Management Administrator guide

XML Attribute lookup syntax

XML Attribute lookup can be used to detect metadata attributes of events (see below). This metadata is stored in XML format. This allows policy triggers to access event information that is not accessible through any other trigger. Syntax summaries and brief examples are given below.

Full syntax details for the various command elements are given in the next section. Examples of more complex XML Attribute lookup commands start on page 300.

Simple commands
These commands test a simple True or False statement relating to an XML attribute. For example, a lookup command may test the file name of an imported file. The syntax is:
xmlattr [WITH <xpath>] [labeled <offlimits>] WHERE <xpath> [labeled <offlimits>] <stringoperator|numericoperator> <attribvalue>
Where <attribvalue> must be enclosed in double quotes. The simple example below detects all files created on or after 6am, 18 May 2007:
xmlattr WHERE apm/event/file/created >= "2007-05-18T06:00:00"

Complex commands
More complex commands can include WITH, AND, OR and NOT operators to combine multiple True or False tests. For example, a command may look for files created after 14 May and before 18 May. For full details and examples, see page 291.

WITH and WHERE statements

In a simple xmlattr lookup command, the WHERE statement locates and identifies the actual file attribute whose value is to be tested. But xmlattr lookup commands can optionally include a WITH statement to locate the attributes, allowing the use of simplified WHERE statements to identify which attributes to test. This is useful if you want to test multiple attributes. For example, the filename and size attributes are both located on the file XML node; the command below tests for MS Word documents over 1Mb:
xmlattr WITH apm/event/file WHERE (filename IS "*.doc") AND (size > 1048576)

What is XML metadata?

XML metadata contains ancillary information about an event (for example, when a file was created). This metadata is not the same as the event metadata stored by Orchestria APM. Orchestria APM event metadata is stored on the CMS and contains ancillary details about the Orchestria APM event (for example, the event capture date, participants, trigger details, and so on).

Property sets
A file's metadata can also include one or more property sets. These are collections of related file properties. For example, a Microsoft Word document includes a Summary property set that includes Total editing time and Word count properties. The <xpath> syntax for referencing a property is:
apm/event/file/property_set[@name=<set name>]/property[@name=<property name>]
Where <set name> and <property name> must be enclosed in double quotes. For an example, see page 300.

Chapter 11 Data lookup

277

Data lookup variables

This section provides full details for all the available variables and syntax elements in a data lookup command. Extensive examples are shown on pages 297 to 300.

Variable: description. Page.
<who>: Such as %recipient% and %sender%. Page 278.
<attribvalue>: The text, date or numeric value of an event attribute. Page 279.
labeled <fallguy>: Based on an IS or IS NOT operator. Page 280.
labeled <offlimits>: Based on an IS or IS NOT operator. Page 281.
<msgvalue>: An integer value. Page 283.
<msgvar>: Such as %recipient% and %ccnum%. Page 282.
<numericoperator>: For example, >, >= or <>. Page 283.
<stringoperator>: For example, IS, IS NOT, CONTAINS and EXCLUDES. Page 284.
<text>: The search term whose presence or absence you want to test for. Page 286.
<type>: userattr, mapi, msgattr, xmlattr. Page 286.
<uservar> and <mandatory>: An Orchestria APM user attribute, user group or Outlook Address Book property. Page 287.
<xpath>: The location of an element, or an attribute of an element, within the XML hierarchy of event metadata. Page 290.
AND, OR and NOT: Operators used to define complex data lookup commands. Page 291.

General notes

Syntax is case-insensitive: All syntax elements and variables are case-insensitive. This includes <text> search terms in double quotes. For example, to detect e-mails sent to the Sales department, you can set <text> to Sales, sales or SALES. All will return a True value if Orchestria APM detects a member of the Sales team.

Command layout: When entering Data Lookup commands in the Policy Editor, you can add line breaks and extra spaces to make commands easier to read and maintain.

[Figure: Policy Setting Properties dialog for Data Lookup Command setting]


<who>
For userattr, msgattr, and mapi commands. <who> determines whether the e-mail recipients or the sender are tested for characteristics that match the Data Lookup criteria. The following formats are supported:

%recipient% The trigger activates if the user attributes, Address Book properties, e-mail addresses, or display names for the recipients match the Data Lookup criteria. Specifically, there must be a match for any recipient, or every recipient, depending on whether the ANY or ALL operator is used.
Data lookup commands that compare strings have either a positive or negative inference. The example below uses the IS operator and therefore has a positive inference:
mapi with ANY %recipient% where department IS "Sales"
The next example uses the IS NOT operator and therefore has a negative inference:
mapi with ALL %recipient% where department IS NOT "Sales"
To simplify matters, you can use %recipient% without actually specifying ANY or ALL. For example, in the positive mapi command, there is an implicit ANY before %recipient%:
mapi with %recipient% where department IS "Sales"
In the negative mapi command, there is an implicit ALL before %recipient%:
mapi with %recipient% where department IS NOT "Sales"

any %recipient% The trigger activates if the user attributes or Address Book properties for any of the recipients match the Data Lookup criteria. If none of the recipients have matching user attributes or Address Book properties, the trigger does not activate.

all %recipient% The trigger activates only if the user attributes or Address Book properties of every recipient match the Data Lookup criteria. If any of the recipients have user attributes or Address Book properties that do not match the Data Lookup criteria, the trigger does not activate.

%sender% Only the sender's user attributes or Address Book properties can activate the trigger.

Note: These formats can all be used in conjunction with <fallguy> subexpressions; see page 280.


<attribvalue>
For xmlattr commands. <attribvalue> is the value of the XML metadata attribute you are testing. It can be a text value, a number, or a date. For an XML metadata example, see page 302.

Text: For example, if <xpath> specifies the title attribute, then set <attribvalue> to Sales Q1 2007 to detect documents whose Title property includes that term:
WHERE apm/event/file/title CONTAINS "Sales Q1 2007"

Number: For example, if <xpath> specifies the file size attribute, then set <attribvalue> to 1,048,576 to detect files with a minimum size of 1MB. Note that the file size attribute is measured in bytes, not KB or MB.
WHERE apm/event/file/size >= 1048576
Note: You do not need to enclose numeric values in double quotes.

Date: For example, if <xpath> specifies the date modified attribute, then to detect all imported files that have been modified since 21 May 2007, set <attribvalue> to the following. But see the next section for date format details.
WHERE apm/event/file/modified >= "2007-05-21"

Date formats
Note that dates must take the following format:
2007-05-21T18:00:00
If the time element (T18:00:00 in the example above) is omitted, the time defaults to midnight. For example:
2007-05-21
is equivalent to:
2007-05-21T00:00:00

For full details about specifying the <xpath> to a property set or an individual property within an XML hierarchy, see page 290.

Properties in a property set

<attribvalue> can also test the value of properties in a file's property set (if included in the file's XML metadata). In effect, property sets are collections of related file attributes. For example, the Version property set for an executable file typically contains properties such as Company, File Version and Language. A lookup command to test the value of a property takes the following format:
WHERE apm/event/file/property_set[@name="Version"]/property[@name="Language"] IS "English"
Similarly, a Microsoft Word document can include a Custom property set, which can include any custom properties defined for that document. For example, an organization may use Security and Status custom properties to define a document's audience and to indicate whether the document has been approved. A lookup command to test these custom properties takes the following format:
WITH apm/event/file/property_set[@name="Custom"] WHERE (property[@name="Security"] IS "Public") AND (property[@name="Status"] IS "Approved")
Note that in all cases, the @name property identifier must be enclosed in square brackets.


labeled <variable>
For any lookup commands. This is an optional subexpression that can be used to identify a variable for which the data lookup command returned a True value. The next two sections describe two ways to use labeled <variable>.

labeled <fallguy>

labeled <fallguy> can be used to identify the e-mail recipient (or sender) for whom the data lookup command returned a True value and who, as a consequence, caused the e-mail trigger to activate. The e-mail address of this recipient (or sender) is assigned to the <fallguy> variable for inclusion in a user notification message. This is especially useful if an e-mail is sent to lots of people, but only a small number of these are on the list of unauthorized recipients. <fallguy> permits you to identify these unauthorized recipients in a notification dialog, which in turn enables the sender to remove them from the addressees before resending the e-mail.

Variable names: <fallguy> is a variable name chosen by you and, like all user notification variables, must be enclosed in percent marks. You must not choose a variable name already used by Orchestria APM (for a list of these, see page 253). For example, one way to ensure your chosen variable name is acceptable is to include your company in the variable name. For example:
%XYZ_interdicted_user%
For details about incorporating <fallguy> variables into a user notification message (for example, in a warning dialog), see page 257.

IS example: <fallguy> subexpressions are most easily understood in terms of data lookup commands that use an IS operator. In the example below, if an unauthorized recipient in the Equity Markets team causes an e-mail trigger to activate, the address of that recipient is written to the variable %XYZ_interdicted_users%:
userattr WITH all %recipient% labeled %XYZ_interdicted_users% WHERE Team IS "Equity Markets"
For example, a user attempts to send an e-mail to various people, including unauthorized recipient Frank Schaeffer. %XYZ_interdicted_users% is therefore set to, for example, Frank Schaeffer or fschaeffer@unipraxis.com.
Note: Where possible, <fallguy> returns the user's e-mail display name.
Likewise, if multiple unauthorized recipients are detected, the Data Lookup command writes all of their user names to %XYZ_interdicted_users%. These are displayed in the notification dialog as a comma-separated list:
fschaeffer@unipraxis.com,srimmel@unipraxis.com

IS NOT example: If you use an IS NOT operator in a data lookup command, <fallguy> works as normal and returns the e-mail address of every recipient for whom the data lookup command returned a True value. But you need to remember that the command logic is reversed! For example, the command below returns a True value if none of the recipients are directors. In this case, the address of each recipient is written to the variable %XYZ_renotify_these_guys% (because in each case, the recipient is not a director and so the test returns a True value):
userattr WITH all %recipient% labeled %XYZ_renotify_these_guys% WHERE Rank IS NOT "director"
For example, if none of the recipients are directors then %XYZ_renotify_these_guys% will contain a list of addresses for all the intended recipients, for example:
fschaeffer@unipraxis.com,srimmel@unipraxis.com


labeled <offlimits>

labeled <offlimits> can be used to identify the Address Book property or user attribute for which the data lookup command returned a True value and, as a consequence, caused the e-mail trigger to activate. The property or attribute is assigned to the <offlimits> variable for inclusion in a user notification message. This is especially useful if an e-mail is sent to lots of recipients, but only a small number of these have attributes or properties that disqualify them from receiving the e-mail. <offlimits>, when used in conjunction with <fallguy>, permits you to identify these recipients and highlight their disqualifying property or attribute. In turn, this enables the sender to remove them from the addressees before resending the e-mail.

Variable names: <offlimits> is a variable name chosen by you and, like all user notification variables, must be enclosed in percent marks. You must not choose a variable name already used by Orchestria APM (for a list of these, see page 253). For example, one way to ensure your chosen variable name is acceptable is to include your company in the variable name. For example:
%XYZ_taboo_team%
For details about incorporating <offlimits> variables into a user notification message (for example, in a warning dialog), see page 257.

IS example: <offlimits> subexpressions are most easily understood in terms of data lookup commands that use a CONTAINS operator. In the example below, e-mails sent to members of certain teams (Equity Markets, Debt Markets or Securities Services) cause an e-mail trigger to activate. For each disqualifying recipient, their team name is written to the variable %XYZ_taboo_team%:
userattr WITH any %recipient% WHERE Team labeled %XYZ_taboo_team% IS ANY {"Equity Markets", "Debt Markets","Securities Serv"}
For example, if a user attempts to send an e-mail to members of the Equity Markets team, %XYZ_taboo_team% is set to Equity Markets. Likewise, if multiple unauthorized recipients are detected, the Data Lookup command writes all of their teams to %XYZ_taboo_team%. These are displayed in the notification dialog as a comma-separated list:
Equity Markets,Debt Markets,Securities Services

IS NOT example: If you use an IS NOT operator in a data lookup command, <offlimits> works as normal and returns the attribute or property of every recipient for whom the data lookup command returned a True value. But you need to remember that the command logic is reversed! For example, the command below returns a True value if none of the recipients are directors. In this case, the actual rank of each recipient is written to the variable %XYZ_too_junior% (because in each case, the recipient is not a director and so the test returns a True value):
userattr WITH all %recipient% WHERE Rank labeled %XYZ_too_junior% IS NOT "director"
For example, if none of the recipients are directors then %XYZ_too_junior% will contain a list of the ranks that were detected, for example:
Intern,Management trainee,Non-officer


<msgvar>
For msgattr commands only. <msgvar> represents the message attribute whose numerical value you want to test. The following attributes are supported:

Numeric values
Used with <numericoperator>; see page 283.
msgsizekb Message size, including attachments (in kilobytes). Note: This is useful for blocking large e-mails, for example, to prevent a user sending a 25MB e-mail. The calculation methods used may not be accurate enough for blocking e-mails with a smaller impact.
msgimpactkb Total message impact (in kilobytes sent), calculated as Message Size * Number of Recipients. Note: This is useful for blocking large e-mails, for example, to prevent a user sending a 5MB e-mail to 100 recipients. The calculation methods used may not be accurate enough for blocking e-mails with a smaller impact.
recipnum Number of recipients.
internalrecipnum Number of internal recipients. See Internal and external recipients below for details about internal recipients.
externalrecipnum Number of external recipients. See Internal and external recipients below for details about external recipients.
tonum Number of 'To' recipients.
ccnum Number of 'CC' recipients.
bccnum Number of 'BCC' recipients.
toccnum Number of 'To' and 'CC' recipients.
domainnum Number of unique domains in the recipient list. For details about how Orchestria APM extracts the domain from an e-mail address, see page 301.
externaldomainnum Number of unique external domains in the recipient list. This domain count is based only on external recipients; see Internal and external recipients below. For details about how Orchestria APM extracts the domain from an e-mail address, see page 301.

String values
Used with <stringoperator>; see page 284.
%sender% Sender e-mail address(es) and display name.
%recipient% Recipient e-mail address(es) and display name.
Note: Results from these string values depend on the expansion of the e-mail, which in turn is determined by the machine policy setting Perform LDAP directory lookups? and the user policy setting Retrieve Full Recipient/Sender details.

Internal and external recipients

Internal e-mail addresses and, by inference, external addresses are defined by the Internal E-Mails setting in the Definitions folder of the user policy. The mechanism for matching e-mail addresses against internal address patterns is the same as that used by Orchestria APM to match e-mail addresses against lists of addresses defined in the capture or control triggers of a user policy. For details, see E-mail address matching on page 98.

<msgvalue>
For msgattr commands only. <msgvalue> is always entered as a number; see the numeric values supported by <msgvar> in the previous section. It defines the threshold for a particular message attribute. For example, to specify a maximum permitted message size of 25MB, set <msgvalue> to 25600.
WHERE msgsizekb >= 25600
Note that numbers are always extracted as integers. For example, 25.5 is truncated to 25.

Variables to detect blank e-mails or missing attachments

Used with <numericoperator>; see page 283. The following four attributes can be used to detect poorly written e-mails. For example, an e-mail with a blank Subject field, no body text, or without a mandatory attachment.
subjectlen Number of characters in the Subject line, excluding any leading or trailing spaces.
normalizedsubjectlen Number of characters in the normalized Subject line, excluding any leading or trailing spaces. A normalized Subject line is one where prefixes such as RE: and FW: have been removed.
bodylength Number of characters in the mail body text, excluding any leading or trailing spaces.
attachmentnum Number of attachments.

<numericoperator>
For msgattr and xmlattr commands only. <numericoperator> defines the comparison operator used to test whether the message equals, exceeds or falls below the threshold specified by the <msgvar> and <msgvalue> variables. The operator can be:
<, <=, =, >=, >, <>
Use these operators if the message attribute being tested has a numeric value, such as the number of recipients or message size. For example, use >= to test whether the message size exceeds 25KB.
WHERE msgsizekb >= 25
Note: Spaces before and after <numericoperator> are optional. For example, tonum>5 and tonum > 5 are equally acceptable.
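The following Python is added here as an illustration and is not code from the manual or from Orchestria APM. It computes every numeric <msgvar> listed above for a constructed message and then evaluates msgattr WHERE <msgvar> <numericoperator> <msgvalue>, including the integer truncation of <msgvalue>. The internal-address patterns and the rule that a domain is the part after the '@' are assumptions; the manual's own rules are on pages 98 and 301.

```python
import fnmatch
import operator
import re

# Constructed sample message (not from the manual); the attachment contents are
# dummy bytes whose only purpose is to give the message a measurable size.
MESSAGE = {
    "sender": "fschaeffer@unipraxis.com",
    "to": ["srimmel@unipraxis.com", "jdoe@unipraxis.com", "buyer@example.org"],
    "cc": ["press@example.net", "editor@example.org"],
    "bcc": ["archive@unipraxis.com"],
    "subject": "  RE: FW: Q1 figures ",
    "body": "Please find the figures attached.\n",
    "attachments": [b"\0" * (3 * 1024 * 1024), b"\0" * (512 * 1024)],
}

# Assumed stand-in for the user policy's 'Internal E-Mails' definitions;
# '*' and '?' wildcards, as elsewhere in the lookup syntax.
INTERNAL_PATTERNS = ["*@unipraxis.com"]

NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
               ">=": operator.ge, ">": operator.gt, "<>": operator.ne}
SUBJECT_PREFIX = re.compile(r"^(?:re|fw|fwd)\s*:\s*", re.IGNORECASE)


def is_internal(address):
    """An address is internal when it matches any internal pattern."""
    return any(fnmatch.fnmatchcase(address.lower(), p.lower())
               for p in INTERNAL_PATTERNS)


def domain_of(address):
    # Assumption: the domain is everything after the last '@'.
    return address.rsplit("@", 1)[-1].lower()


def normalized_subject(subject):
    """Strip leading RE:/FW: style prefixes repeatedly, then surrounding spaces."""
    text = subject.strip()
    while True:
        stripped = SUBJECT_PREFIX.sub("", text, count=1).strip()
        if stripped == text:
            return text
        text = stripped


def message_attributes(msg):
    """Return every numeric <msgvar> the <msgvar> section lists, keyed by name."""
    recipients = msg["to"] + msg["cc"] + msg["bcc"]
    external = [r for r in recipients if not is_internal(r)]
    size_bytes = (len(msg["body"].encode("utf-8"))
                  + sum(len(a) for a in msg["attachments"]))
    msgsizekb = size_bytes // 1024
    return {
        "msgsizekb": msgsizekb,
        "msgimpactkb": msgsizekb * len(recipients),   # size * number of recipients
        "recipnum": len(recipients),
        "internalrecipnum": len(recipients) - len(external),
        "externalrecipnum": len(external),
        "tonum": len(msg["to"]),
        "ccnum": len(msg["cc"]),
        "bccnum": len(msg["bcc"]),
        "toccnum": len(msg["to"]) + len(msg["cc"]),
        "domainnum": len({domain_of(r) for r in recipients}),
        "externaldomainnum": len({domain_of(r) for r in external}),
        "subjectlen": len(msg["subject"].strip()),
        "normalizedsubjectlen": len(normalized_subject(msg["subject"])),
        "bodylength": len(msg["body"].strip()),
        "attachmentnum": len(msg["attachments"]),
    }


def msgattr(msg, msgvar, numericoperator, msgvalue):
    """Evaluate 'msgattr WHERE <msgvar> <numericoperator> <msgvalue>'.
    <msgvalue> is truncated to an integer first (25.5 becomes 25), as the
    <msgvalue> section states; names are case-insensitive like the rest of the syntax."""
    attrs = message_attributes(msg)
    name = msgvar.lower()
    if name not in attrs:
        raise KeyError("unknown message attribute: " + msgvar)
    return NUMERIC_OPS[numericoperator](attrs[name], int(float(msgvalue)))


if __name__ == "__main__":
    for name, value in message_attributes(MESSAGE).items():
        print(f"{name:22} {value}")
    # The simple command example from the syntax summary: msgimpactkb > 1000
    print("msgimpactkb > 1000 ->", msgattr(MESSAGE, "msgimpactkb", ">", 1000))
```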


<stringoperator>
For any lookup commands. <stringoperator> determines whether the specified text, or search term, must be present or absent.
Caution: Search terms are defined by the <text> value. You must enclose the <text> search terms in double quotes. This even applies to single-word search terms. See page 286 for details.

The following operators are supported:

IS or IS ANY These terms are interchangeable. They define one or more search terms that must be present exactly as specified (although * wildcards are permitted). The Data Lookup test returns a True value if Orchestria APM detects any of these terms for an individual sender or recipient. (If it detects none of the search terms, the test returns a False value.) For example, you can use this to detect e-mails, say, where a recipient is in the Securities Services team:
WHERE Team IS "Securities Services"
Similarly, you can use this operator to detect e-mails, for example, where a recipient is in either the London or Paris offices:
WHERE Office IS ANY {"London","Paris"}

CONTAINS or CONTAINS ANY
INCLUDES or INCLUDES ANY
All of these terms are interchangeable. They define one or more search terms that must be present. Implicit leading and trailing * wildcards are added to any search terms specified by this operator. The Data Lookup test returns a True value if Orchestria APM detects any of these terms for an individual sender or recipient. (If none of these terms are detected, the test returns a False value.) For example, you can use the extract below to detect e-mails where a recipient belongs to a team such as Securities Services or Global Securities:
WHERE Team CONTAINS "Securities"
Similarly, you can use these operators to detect e-mails, for example, where a recipient is in either the Equity Markets, Debt Markets or Securities Services teams:
WHERE Office CONTAINS ANY {"Equity","Debt","Securities"}

IS NOT This defines a search term that must not be present. The Data Lookup test returns a True value if Orchestria APM does not detect this term for an individual sender or recipient. (If this term is detected, the test returns a False value.) For example, you can use this to detect e-mails where, say, none of the recipients are in the Equity Markets team:
WHERE Team IS NOT "Equity Markets"

IS NOT ALL This defines multiple search terms, none of which must be present. The Data Lookup test returns a True value if Orchestria APM detects none of these terms for an individual sender or recipient. (If any of these terms are detected, the test returns a False value.) For example, you can use this to detect e-mails where, say, none of the recipients are in the Hong Kong, Kuala Lumpur or Tokyo offices:
WHERE Office IS NOT ALL {"Hong Kong","Kuala Lumpur","Tokyo"}
Note: This operator is rarely used in practice.


CONTAINS ALL or INCLUDES ALL These terms are interchangeable. They define multiple search terms that must all be present. The Data Lookup test returns a True value if Orchestria APM detects all of these terms for an individual sender or recipient. (If it fails to detect any term, the test returns a False value.) For example, you can use this to block e-mails where a recipient's team name contains the terms Equity and Markets. The trigger will not activate if the recipient is a member of, say, the Debt Markets team.
WHERE Office CONTAINS ALL {"Equity","Markets"}

EXCLUDES ANY This defines multiple search terms that must not all be present. The Data Lookup test returns a True value if Orchestria APM fails to detect at least one of these terms for an individual sender or recipient. (If all of these terms are detected, the test returns a False value.) This enables you to exempt e-mails if all of the listed terms are detected (because the test returns a False value so the trigger will not activate). For example, you can use this to block an e-mail unless one or more recipients is a Senior Manager.
WHERE Rank EXCLUDES ANY {"Manager","Senior"}

EXCLUDES or EXCLUDES ALL These terms are interchangeable. They define one or more search terms that must not be present. The Data Lookup test returns a True value if Orchestria APM detects none of these terms for an individual sender or recipient. (If any of these terms are detected, the test returns a False value.) This enables you to exempt e-mails if a term is detected (because the test returns a False value so the e-mail trigger will not activate). For example, you can use this to block an e-mail unless one or more recipients is a Manager.
WHERE Rank EXCLUDES "Manager"
Likewise, you can exempt e-mails only if a manager or director is included in the recipient list:
WHERE Rank EXCLUDES ALL {"Manager","Director"}

CONTAINS and EXCLUDES operators

When using the CONTAINS or EXCLUDES operators, be aware that it is often more efficient to use the IS or IS NOT operators, respectively. The example below uses an exact match:
msgattr WHERE %recipient% IS "Sales"
It is therefore more efficient than the following example, which infers a substring match:
msgattr WHERE %recipient% CONTAINS "Sales"


<text>
For userattr and mapi commands only. <text> represents the search term (or terms) whose presence or absence you want to test. For example, if <uservar> is set to Department, you may want to set <text> to Sales or Marketing.

Double quotes: You must enclose search terms in double quotes! This even applies to single-word search terms. For example:
{"Equity","Debt","Securities"}

Case-insensitive: Search terms are not case sensitive. For example, if <uservar> and <text> jointly specify the Sales department, then Sales, sales and SALES all return a True value if detected.

Multiple search terms: If required, you can specify a list of multiple search terms as the <text>. For example, you can define multiple search terms if <operator> is set to IS ANY or IS NOT ANY. The format for multiple terms is shown in the example below:
{"Manager","Director","Reviewer"}
Note that search term lists are comma-separated and enclosed in {curly brackets}.

Wildcards: If required, you can use ? and * wildcards when defining search terms. For example, ma* would match both Marketing and Management.

<type>
For userattr, mapi, msgattr and xmlattr commands. <type> determines the type of Data Lookup command. The different types of command have slight differences in syntax and accept different variables. The following types are supported:

userattr This defines a User Attribute lookup command. The basic command syntax is:
userattr WITH <who> WHERE <uservar> <stringoperator> <text>

mapi This defines an Address Book lookup command. The basic command syntax is:
mapi WITH <who> WHERE <uservar> <stringoperator> <text>

msgattr This defines a Message Attribute lookup command. The basic command syntax is:
msgattr WHERE <msgvar> <operator> <msgvalue>

xmlattr This defines an XML Attribute lookup command. The basic command syntax is:
xmlattr WHERE <xpath> <operator> <attribvalue>


<uservar>
For userattr and mapi commands only. <uservar> is an Orchestria APM user attribute or group or an Outlook Address Book property. It is this attribute, group or property that is tested for a True or False match against the Data Lookup criteria. The supported formats are listed below; Outlook Address Book formats are described on page 288.
Note: <uservar> properties and attributes also support the mandatory keyword; see page 289.

Orchestria APM user attribute
For User Attribute lookup only. These are the customized user attributes defined for your Orchestria APM installation; see page 51. Specify the name of the user attribute that you want to test against. For example, if a Team attribute has been created for your organization, you can specify this as the <uservar> by typing Team.
Note: User attributes are not case sensitive. Always enclose the attribute name in double quotes, for example, Rank or Team Name.

Orchestria APM user group

For User Attribute lookup only. You can configure lookup commands to test which Orchestria APM user group a user belongs to. In effect, data lookup handles the user's parent group as if it were a user attribute.
Note: Group names are not case sensitive. Always enclose the group name in double quotes, for example, Legal or New York.

Wgn.Group Use this variable to specify a specific parent user group that you want to test against. For example, to configure a trigger to block e-mails sent to members of the Sales user group, the command syntax is:
WHERE Wgn.Group IS "Sales"
If multiple groups exist with the same name in different branches of the user hierarchy, Data Lookup tests all matching groups.

Wgn.GroupParent Use this variable to specify a user group that heads a specific branch of the user hierarchy. Data Lookup tests whether the user belongs to a user group within this branch. For example, consider this user hierarchy:
USA
    New York
        Directors
        Sales
    Boston
        Legal
        Sales
To configure a trigger to block e-mails sent to members of the Boston Legal or Boston Sales groups, the command syntax is:
WHERE Wgn.GroupParent IS "Boston"
Both Wgn.Group and Wgn.GroupParent also support the CONTAINS operator. For example:
WHERE Wgn.Group CONTAINS {"Sales","Legal"}
Note: The Wgn.GroupParent parameter, even when used in conjunction with the Wgn.Group parameter, cannot identify a specific, individual user group if multiple groups exist with the same name in the user hierarchy.


Address Book extension attribute

For Address Book lookup only. These are custom user attributes created in Active Directory and used by Address Books in Outlook. Administrators can define up to 15 custom attributes per user. For example, you can type:
ExtensionAttribute3
to specify <uservar> as Custom Attribute 3, as defined in the advanced Exchange user properties in Active Directory. In the examples on page 298, Custom Attribute 3 shows an employee's hire date.
Note: For details about custom user attributes, refer to your Active Directory documentation.

Address Book special properties

For Address Book lookup only. To specify an Address Book special property as the <uservar>, type:
Title
State
Country
Region
City
Department
Office
MemberOf
- Country and Region refer to the same Address Book property.
- MemberOf refers to membership of a mail group or distribution list. It takes the group or list Display Name as its <text> match. But see below.
Caution: If you use the MemberOf variable to detect outgoing e-mails, be aware that MemberOf does not check for membership of nested mail groups or distribution lists. For example, an organization has an 'All US' distribution list. This list contains several nested lists, including 'All Chicago'. If MemberOf is set to detect members of the 'All US' mail group, the trigger will not activate when sent to members of 'All Chicago' unless these users are also explicitly members of 'All US'.

Address Book hexadecimal property code

For Address Book lookup only. Code numbers identify Address Book properties in the Active Directory schema. The correct <uservar> syntax is:
MAPIID0x<n>
Where <n> is the hexadecimal code.
Note: You may need to calculate hexadecimal codes from the decimal schema codes. For schema details, see your Active Directory documentation.


mandatory <uservar>
The mandatory keyword ensures that e-mail triggers always activate when required, or equally important, do not activate unnecessarily. The example below specifies that the lookup command must detect a value for the Team attribute, otherwise the entire command will fail to run:
WHERE mandatory Team IS "Equity Debt"

Normally, <uservar> specifies an Outlook Address Book property or an Orchestria APM user attribute, the presence or absence of which determines whether the lookup command returns a True value. But if no value has been set for the attribute or property (for example, the Orchestria APM account for a new recruit has not been updated to show their Team), or the specified address book property does not exist (for example, the lookup command specifies Titel instead of Title), Orchestria APM ignores this omission and evaluates the remaining True-False tests within the data lookup command. In the worst case, this could mean that a trigger fails to activate, allowing an e-mail to be sent to a proscribed recipient.

For example, you have configured a lookup command to block e-mails sent between the Research and Investment Banking (IB) teams. But a new member of the IB team has not been added to the IB mail group (that is, their MemberOf address book property is not up to date). Consequently, when a researcher sends an e-mail to this new IB member, the lookup command fails to identify him or her as a proscribed recipient, so the e-mail trigger does not activate and the e-mail is not blocked.

To eliminate these risks, you can qualify <uservar> with the mandatory keyword. This ensures that if no value has been set for the specified attribute or property, or if the address book property does not exist, the data lookup command always returns an error, so invoking the Data Lookup Failure Mode setting (see step 5, page 273).

Note: For userattr commands, if the specified attribute does not exist (for example, the lookup command specifies Teem instead of Team), the data lookup command always returns an error, regardless of whether mandatory is used or not, so invoking the Data Lookup Failure Mode setting.

290

Orchestria Active Policy Management Administrator guide

<xpath>

For xmlattr commands only. <xpath> specifies the location of an element (or node) within an XML hierarchy. Specifically, xmlattr lookup commands use <xpath> to locate the file attribute, stored as an XML element, whose value they need to test (where this value is specified by <attribvalue>; see page 279). The examples below specify, respectively, a file event's file name, file size, the date when the file was last modified, and a property set named ID (property sets are described in the next section):

apm/event/file/filename
apm/event/file/size
apm/event/file/modified
apm/event/file/property_set[@name="ID"]

For full details about available elements, see the XML metadata example on page 302.

Properties in a property set


<xpath> can also specify the location within an XML hierarchy of a property set or an individual property within a property set. In effect, property sets are collections of related file attributes. In this situation, <xpath> actually specifies the name attribute of a property set or property element. For example, Microsoft Word documents can include a Custom property set. This can include any custom properties defined for that document, such as Security and Status. The example below locates the Custom property set:

apm/event/file/property_set[@name="Custom"]

<xpath> can also specify an individual property within a property set. The example below locates the Security property within the Custom property set:

apm/event/file/property_set[@name="Custom"]/property[@name="Security"]

Note that in all cases the @name property identifier must be enclosed in square brackets. For two example property sets, see the XML metadata on page 302.


Advanced Data Lookup Commands

For precision targeting of specific e-mails, you can use AND, OR and NOT operators and brackets to define more complex data lookup commands. These enable you to include multiple True-False tests within a single command, or link separate commands into a composite lookup command. But note the rules governing command evaluation.

When defining a complex data lookup command, you must use parentheses to separate the sub-tests. Note also that Orchestria APM quits evaluating as soon as it detects any subcommand that allows the overall command to be unambiguously resolved. Specifically, this affects:

Subcommands linked with an AND operator. Here, Orchestria APM quits evaluating if any subcommand returns False (because this sets the overall command to False, so the trigger does not activate).

Subcommands linked with an OR operator. Here, Orchestria APM quits evaluating if any subcommand returns True (because this sets the entire command to True and activates the trigger).

Command evaluation

Orchestria APM evaluates lookup commands from left to right. This is particularly important if your lookup command contains three or more True-False tests and if you use brackets to set evaluation precedence. The examples in the table below show how three logical tests (A, B and C) combine to produce an overall result, where A and C are True, and B is False:

Example   Tests            Result
1         A AND B AND C    False
2         A OR B OR C      True
3         A OR B AND C     True
4         A AND B OR C     True
5         B AND (A OR C)   False

In examples 2 and 3, if A, B and C represent linked commands, then commands B and C are not evaluated because, with command A returning True, the overall command must also return True. This is a deliberate optimization designed to minimize delays when processing outgoing e-mails (see page 296).

Note: This optimization does not apply to multiple True-False tests within a single lookup command. In this case, all tests are fully evaluated.

Examples of data lookup syntax

The following sections detail various types of data lookup commands. The table below lists the users in the examples and their corresponding user names and e-mail addresses:

User              User name     E-mail address
Spencer Rimmel    srimmel       srimmel@unipraxis.com
Lynda Steel       lsteel        lsteel@unipraxis.com
Frank Schaeffer   fschaeffer    fschaeffer@unipraxis.com
Omar Abassi       oabassi       oabassi@unipraxis.com


Simple True-False test: Positive operator, IS


This example is a simple True-False test that uses the positive operator IS, in the following single lookup command:

mapi with %recipient% where dept IS "sales"

When %recipient% is used with IS in this way, the operator ANY is implicit, so the lookup command is actually as follows:

mapi with ANY %recipient% where dept IS "sales"

If there are three recipients, this command requires the following three lookup operations:

(mapi with srimmel@unipraxis.com where dept IS "sales")
OR
(mapi with lsteel@unipraxis.com where dept IS "sales")
OR
(mapi with fschaeffer@unipraxis.com where dept IS "sales")

For the test to be true, only one of the lookup commands needs to be true. That is, if Spencer is in the Sales department, the lookup command is true and does not check to see if Lynda and Frank are also in the Sales department. If you want to use ALL with the same lookup command, you need to add it explicitly, as shown below:

mapi with ALL %recipient% where dept IS "sales"

With the same three recipients, this command requires the following three lookup operations:

(mapi with srimmel@unipraxis.com where dept IS "sales")
AND
(mapi with lsteel@unipraxis.com where dept IS "sales")
AND
(mapi with fschaeffer@unipraxis.com where dept IS "sales")

This time, for the test to be true, all three lookup commands must be true. That is, Spencer, Lynda and Frank must all be in the Sales department for the test to be true.

Simple True-False test: negative operator, IS NOT


This example is a simple True-False test that uses the negative operator IS NOT, in the following single lookup command:

mapi with %recipient% where dept IS NOT "sales"

When %recipient% is used with IS NOT in this way, the operator ALL is implicit, so the lookup command is actually as follows:

mapi with ALL %recipient% where dept IS NOT "sales"

If there are three recipients, this command requires the following three lookup operations:

(mapi with srimmel@unipraxis.com where dept IS NOT "sales")
AND
(mapi with lsteel@unipraxis.com where dept IS NOT "sales")
AND
(mapi with fschaeffer@unipraxis.com where dept IS NOT "sales")

For the test to be true, all three lookup commands must be true. That is, Spencer, Lynda and Frank must all be in a department other than Sales for the test to be true. If you want to use ANY with the same lookup command, you need to add it explicitly, as shown below:

mapi with ANY %recipient% where dept IS NOT "sales"

With the same three recipients, this command requires the following three lookup operations:

(mapi with srimmel@unipraxis.com where dept IS NOT "sales")
OR
(mapi with lsteel@unipraxis.com where dept IS NOT "sales")
OR
(mapi with fschaeffer@unipraxis.com where dept IS NOT "sales")

For the test to be true, only one of the lookup commands needs to be true. That is, if Spencer is not in the Sales department, then that lookup command is true and the details for Lynda and Frank are not checked.

Complex True-False test


The next example is a complex True-False test. It uses the positive operator IS in both lookup sub-tests within the following single lookup command:

mapi with %recipient% where (dept IS "sales") AND (position IS "manager")

If there are three recipients, this command requires the following three lookup operations, each containing two lookup sub-tests:

(mapi with srimmel@unipraxis.com where (dept IS "sales") AND (position IS "manager"))
OR
(mapi with lsteel@unipraxis.com where (dept IS "sales") AND (position IS "manager"))
OR
(mapi with fschaeffer@unipraxis.com where (dept IS "sales") AND (position IS "manager"))

For such a lookup command to be True, both sub-tests must be true. For example, for the first lookup command to be true, Spencer must be a manager and in the Sales department. For the test itself to be true, only one of the three lookup operations needs to be true. That is, if Spencer is a manager and in the Sales department, then the test is true and the details for Lynda and Frank are not checked.


Composite True-False test

You can combine multiple commands using AND, OR and NOT operators. For example, you can combine multiple msgattr commands to detect messages that exceed a maximum size or where the number of recipients exceeds a maximum limit. You can even link totally disparate commands. This is particularly useful if you want to combine different types of Data Lookup command. In all cases, the syntax is:

[NOT] (CMD1) AND|OR [NOT] (CMD2) [AND|OR [NOT] (CMD3)]

where (CMDn) is a complete, self-contained userattr, mapi or msgattr data lookup command, as described on pages 274 to 275. The following sections demonstrate good and bad (page 295) examples of composite lookup commands.

Good examples

For example, you can combine Message Attribute and Address Book lookup commands to block e-mails sent to the La Paz or Lima offices unless the total message impact is less than 5MB. The syntax is:

NOT (msgattr WHERE msgimpactkb < 5000) AND (mapi WITH any %recipient% WHERE Office CONTAINS ANY {"La Paz","Lima"})

The following is another example of a composite True-False test. It uses the positive operator IS with two sub-commands:

(mapi with %sender% where dept IS "sales") AND (userattr with %recipient% where position IS "manager")

If there is one sender and three recipients, this command requires the following three lookup operations, each containing two sub-operations:

((mapi with oabassi@unipraxis.com where dept IS "sales") AND (userattr with srimmel@unipraxis.com where position IS "manager"))
OR
((mapi with oabassi@unipraxis.com where dept IS "sales") AND (userattr with lsteel@unipraxis.com where position IS "manager"))
OR
((mapi with oabassi@unipraxis.com where dept IS "sales") AND (userattr with fschaeffer@unipraxis.com where position IS "manager"))

For any lookup operation to be true, both its sub-operations must be true. For example, for the first lookup operation to be true, Omar must be in the Sales department and Spencer must be a manager. For the test itself to be true, only one of the three lookup operations needs to be true.


Bad example

In contrast, the following is a bad example of a composite True-False test:

(mapi with %recipient% where dept IS "sales") AND (userattr with %recipient% where position IS "manager")

Like the previous composite True-False test, this test also uses the positive operator IS with multiple lookup operations, each containing two sub-operations. This test is confusing, however, because of its apparent intention. At first glance it appears to prevent e-mails from being sent to the sales manager. The actual behavior of the lookup is very different. It prevents e-mails from being sent if at least one recipient is in the Sales department, and also, if at least one recipient (possibly the same one) is a manager. If there are three recipients, this command requires the following nine lookup operations, each containing two lookup sub-operations. For each lookup operation to be true, both its sub-operations must be true. For the test itself to be true, only one of the nine lookup operations needs to be true.

((mapi with srimmel@unipraxis.com where dept IS "sales") AND (userattr with srimmel@unipraxis.com where position IS "manager"))
OR
((mapi with srimmel@unipraxis.com where dept IS "sales") AND (userattr with lsteel@unipraxis.com where position IS "manager"))
OR
((mapi with srimmel@unipraxis.com where dept IS "sales") AND (userattr with fschaeffer@unipraxis.com where position IS "manager"))
OR
((mapi with lsteel@unipraxis.com where dept IS "sales") AND (userattr with srimmel@unipraxis.com where position IS "manager"))
OR
((mapi with lsteel@unipraxis.com where dept IS "sales") AND (userattr with lsteel@unipraxis.com where position IS "manager"))
OR
((mapi with lsteel@unipraxis.com where dept IS "sales") AND (userattr with fschaeffer@unipraxis.com where position IS "manager"))
OR
((mapi with fschaeffer@unipraxis.com where dept IS "sales") AND (userattr with srimmel@unipraxis.com where position IS "manager"))
OR
((mapi with fschaeffer@unipraxis.com where dept IS "sales") AND (userattr with lsteel@unipraxis.com where position IS "manager"))
OR
((mapi with fschaeffer@unipraxis.com where dept IS "sales") AND (userattr with fschaeffer@unipraxis.com where position IS "manager"))

Corrected version of bad example


Complex Composite True-False test

The following example is a complex composite True-False test. It contains two sub-lookups, one of which contains two sub-tests:

(mapi with %sender% where dept IS "sales") AND (mapi with %recipient% where (dept IS "marketing") AND (position IS "manager"))

If there is one sender and three recipients, then this command requires the following four lookup operations, three of which contain two sub-tests:

(mapi with oabassi@unipraxis.com where dept IS "sales")
AND
(
  (mapi with srimmel@unipraxis.com where (dept IS "marketing") AND (position IS "manager"))
  OR
  (mapi with lsteel@unipraxis.com where (dept IS "marketing") AND (position IS "manager"))
  OR
  (mapi with fschaeffer@unipraxis.com where (dept IS "marketing") AND (position IS "manager"))
)

For an operation to be true, all of its sub-operations must be true. For the test itself to be true, the first simple lookup operation and at least one of the three other operations need to be true.

OR and <fallguy> handling


If you combine multiple lookup commands, Orchestria APM quits evaluating as soon as a subcommand returns a True or False value that allows the overall command to be unambiguously resolved. This is a deliberate optimization designed to minimize delays when processing outgoing e-mails. But for commands linked with an OR operator, it could mean, in certain circumstances, that the <fallguy> variable only returns recipients identified by one subcommand (because, with a True value already returned, there is no logical need to evaluate the other subcommands). For example, a combined lookup command detects e-mails sent to the London office (subcommand A) OR members of the Sales team (subcommand B). It evaluates subcommand A first. If it successfully detects a London recipient, the overall command must also be True so there is no logical need to evaluate subcommand B. This means that no Sales recipients are written to the <fallguy> variable. If this variable is included in a notification dialog, shown when the e-mail trigger activates, the message to users may contain an incomplete list of triggering recipients.
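The left-to-right, short-circuit evaluation described under Command evaluation, and the incomplete <fallguy> list it can produce, can be modelled in a few lines. This is an added illustration, not Orchestria code: the Lookup class, its recipient lists and the London/Sales subcommands are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Lookup:
    """One self-contained subcommand, modelled by the recipients it matches
    (constructed data). Its result is True when at least one recipient matched."""
    name: str
    hits: Tuple[str, ...] = ()


# An expression is [operand, "AND"|"OR", operand, ...]; a nested list is a
# parenthesised group. Operands are Lookup objects or nested lists.
Expr = List[Union[Lookup, str, list]]


def evaluate(expr: Expr, fallguy: List[str], trace: List[str]) -> bool:
    """Fold the expression strictly left to right, as the guide describes:
    there is no AND-over-OR precedence, only brackets change the order.
    An operand is skipped (never run) when it cannot change the value
    accumulated so far: False before AND, True before OR. Skipped lookups
    append nothing to `fallguy` (the recipients a notification would list)
    or to `trace` (the lookups that actually ran)."""
    if len(expr) % 2 == 0:
        raise ValueError("expression must be operand (op operand)*")
    acc = _operand(expr[0], fallguy, trace)
    for i in range(1, len(expr), 2):
        op = expr[i].upper()
        if op not in ("AND", "OR"):
            raise ValueError(f"unknown operator {op!r}")
        if (op == "AND" and not acc) or (op == "OR" and acc):
            continue  # short-circuit: the right-hand operand is not evaluated
        rhs = _operand(expr[i + 1], fallguy, trace)
        acc = (acc and rhs) if op == "AND" else (acc or rhs)
    return acc


def _operand(item, fallguy: List[str], trace: List[str]) -> bool:
    if isinstance(item, list):
        return evaluate(item, fallguy, trace)
    trace.append(item.name)
    fallguy.extend(item.hits)
    return bool(item.hits)


def evaluation_table() -> dict:
    """Reproduce the guide's table: A and C are True, B is False."""
    a, b, c = Lookup("A", ("a@x",)), Lookup("B"), Lookup("C", ("c@x",))
    cases = {
        "A AND B AND C": [a, "AND", b, "AND", c],
        "A OR B OR C": [a, "OR", b, "OR", c],
        "A OR B AND C": [a, "OR", b, "AND", c],
        "A AND B OR C": [a, "AND", b, "OR", c],
        "B AND (A OR C)": [b, "AND", [a, "OR", c]],
    }
    return {text: evaluate(expr, [], []) for text, expr in cases.items()}


def fallguy_demo() -> Tuple[bool, List[str], List[str]]:
    """The London-OR-Sales case from the guide, with constructed recipients:
    subcommand A finds a London recipient, so subcommand B never runs and
    the Sales recipients are missing from the fallguy list."""
    london = Lookup('mapi WITH any %recipient% WHERE Office IS "London"',
                    ("lsteel@unipraxis.com",))
    sales = Lookup('mapi WITH any %recipient% WHERE MemberOf IS "Sales"',
                   ("srimmel@unipraxis.com", "fschaeffer@unipraxis.com"))
    fallguy: List[str] = []
    trace: List[str] = []
    result = evaluate([london, "OR", sales], fallguy, trace)
    return result, fallguy, trace


if __name__ == "__main__":
    for text, result in evaluation_table().items():
        print(f"{text:16} -> {result}")
    print(fallguy_demo())
```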


User Attribute lookup examples


These examples assume that the custom attributes Team and Rank have been defined for the Orchestria APM users in your organization.

This example detects all outgoing e-mails where one or more recipients is in the Equity Markets team. If Orchestria APM detects such a recipient, that user's name and team are written to the %which_guy% and %proscribed_team% variables respectively. You can then incorporate these variables in a user notification message:

userattr WITH any %recipient% labeled %which_guy% WHERE Team labeled %proscribed_team% IS "Equity Markets"

This example detects all outgoing e-mails where a recipient is a member of teams such as Equity Markets or Debt Markets:

userattr WITH any %recipient% WHERE Team CONTAINS ANY {"Equity","Debt"}

This example detects all outgoing e-mails where recipients include any junior ranking staff (in this case, Non-officers):

userattr WITH any %recipient% WHERE Rank CONTAINS ALL {"non","officer"}

This example detects all outgoing e-mails that do not include a director in the list of recipients (where customized user attribute 4 is set to Rank):

userattr WITH all %recipient% WHERE WgnUser.CfgProperty4 EXCLUDES "director"

This example detects all outgoing e-mails that do not include an executive director in the list of recipients. The command returns a True value (and activates the e-mail trigger) unless the recipients include a user whose rank contains both executive and director:

userattr WITH all %recipient% WHERE "Rank" EXCLUDES ANY {"director","executive"}

This detects all outgoing e-mails where the recipient list excludes an executive director in the Equity Markets team. That is, the command returns a True value (and activates the e-mail trigger) if no such recipient is detected. Note the NOT operator and the mandatory keyword! The NOT operator ensures that if an executive director in the Equity Markets team is detected, the command returns a False value (and the trigger does not activate). The mandatory keyword ensures that, if no Rank is specified, the data lookup command fails and invokes the Data Lookup Failure Mode setting (see step 5, page 273).

userattr WITH all %recipient% WHERE (Team IS NOT "Equity Markets") AND (mandatory Rank IS NOT "executive director")

This combines Message Attribute and User Attribute lookup commands to detect e-mails sent to members of any securities team where the total message impact exceeds 1MB:

(msgattr WHERE msgimpactkb > 1000) AND (userattr WITH any %recipient% WHERE Team IS "Securities")


Address Book lookup examples


These examples illustrate the various operator combinations in an Address Book lookup command.

This example detects all outgoing e-mails where one or more recipients is in the Sales department. If Orchestria APM detects such a recipient, that user's name and department are written to the %which_guy% and %proscribed_dept% variables respectively. You can then incorporate these variables in a user notification message:

mapi WITH any %recipient% labeled %which_guy% WHERE Department labeled %proscribed_dept% IS "Sales"

This detects all outgoing e-mails unless one or more recipients is in the London or Manchester offices:

mapi WITH all %recipient% WHERE Office IS NOT ALL {"London","Manchester"}

This example detects all incoming e-mails where the sender is a member of the Executive Management mail group:

mapi WITH %sender% WHERE MemberOf IS "Executive Management"

This example detects all outgoing e-mails where one or more recipients has a hire date of 2001. (In this example, Address Book custom attribute 3 is set to an employee's hire date.)

mapi WITH any %recipient% WHERE ExtensionAttribute3 IS "2001"

This example detects all outgoing e-mails that do not include a supervisor in the list of recipients:

mapi WITH all %recipient% WHERE Title IS NOT "Supervisor"

This example detects all outgoing e-mails that do not include a supervisor or team leader in the list of recipients. The command returns a True value (and activates the e-mail trigger) unless a supervisor or team leader is included in the To, Cc or Bcc lists:

mapi WITH all %recipient% WHERE Title IS NOT {"Supervisor","Team Leader"}

This detects all outgoing e-mails where the recipient list excludes a member of the Compliance Team mail group in the London office. That is, the command returns a True value (and activates the e-mail trigger) if no such recipient is detected. Note the NOT operator! This ensures that if any member of the London Compliance Team is detected, the command returns a False value (and the trigger does not activate).

mapi WITH all %recipient% WHERE NOT ((MemberOf CONTAINS ALL {"Compliance","Team"}) AND (Office IS "London"))

This combines Message Attribute and Address Book lookup commands to detect e-mails sent to the Santiago office where the total message impact exceeds 5MB:

(msgattr WHERE msgimpactkb > 5000) AND (mapi WITH any %recipient% WHERE Office IS "Santiago")

This tests the Company attribute of the user, but specifies it by its MAPI numerical code (see page 288):

mapi WITH any %recipient% WHERE MAPIID0x3A16 IS "Unipraxis"


Message Attribute lookup examples


These examples illustrate the various operators in Message Attribute lookup commands.

This example detects all outgoing e-mails from specific users at Unipraxis to any user at Unipraxis:

msgattr WHERE (%sender% IS ANY {srimmel@unipraxis.com, lsteel@unipraxis.com}) AND (%recipient% labeled %which_recip% IS @orchestria.com)

This example detects all outgoing e-mails sent to 20 or more recipients in the To list:

msgattr WHERE tonum >= 20

This example detects all outgoing e-mails with no recipients in the Cc list:

msgattr WHERE ccnum = 0

This example detects all outgoing e-mails that do not have exactly one recipient in the Bcc list:

msgattr WHERE bccnum <> 1

This example detects all outgoing e-mails where the total number of To and Cc recipients is over 20:

msgattr WHERE toccnum > 20

This example detects all outgoing e-mails bigger than 50KB:

msgattr WHERE msgsizekb > 50

This example detects all outgoing e-mails where the total message impact exceeds 1MB:

msgattr WHERE msgimpactkb > 1000

This example detects all outgoing e-mails with 10 or more recipients:

msgattr WHERE recipnum >= 10

This example detects all outgoing e-mails sent to more than ten internal addresses:

msgattr WHERE internalrecipnum > 10

This example detects all outgoing e-mails sent to more than one external address:

msgattr WHERE externalrecipnum > 1


XML Attribute lookup examples


These examples illustrate the various operator combinations in XML Attribute lookup commands.

This detects all imported files smaller than 10KB. Note that the file size attribute is measured in bytes, not KB.

xmlattr WHERE apm/event/file/size < "10240"

This example tests the path attribute to detect all files imported from the \Tips folder on the machine UX-RIMMEL:

xmlattr WHERE apm/event/file/path IS "\\UX-RIMMEL\Personal\Tips"

Note that you do not need to specify a UNC path. You can also specify a local drive path if your policy engine is running on the same machine as the source folder.

This example checks the Security property in Microsoft Word documents. This property is in the Custom property set. Here, the xmlattr lookup command detects documents that are not marked as Confidential:

WHERE apm/event/file/property_set[@name="Custom"]/property[@name="Security"] IS NOT "Confidential"

This example uses a WITH statement to check the Security and Status properties in Microsoft Word documents. Status, like Security in the previous example, belongs to the Custom property set. Here, the xmlattr lookup command detects documents marked as Confidential and whose status is Approved:

WITH apm/event/file/property_set[@name="Custom"] WHERE ([property@name="Security"] IS "Confidential") AND ([property@name="Status"] IS "Approved")

This example simply checks whether a Custom or Version property set is defined in the XML metadata:

WHERE apm/event/file/property_set/@name IS ANY {"Custom","Version"}

This example detects all imported files that were modified between 21 and 25 May 2007:

xmlattr WHERE (apm/event/file/modified >= "2007-05-21") AND (apm/event/file/modified < "2007-05-26")

Many files, particularly Microsoft Word documents, include an Author property. Orchestria APM always attempts to identify and store this as an attribute in the file event's metadata. This example detects all files where the author name includes the strings Rimmel or Steel:

xmlattr WHERE apm/event/file/author CONTAINS ANY {"Rimmel","Steel"}


Counting unique domains


An important feature of Message Attribute (msgattr) lookup is the ability to count the number of unique domains in a list of e-mail recipients. This enables administrators to block users from sending individual e-mails to, say, more than five companies at a time. This feature relies on Orchestria APM successfully extracting the domain element of an SMTP e-mail address. The domain element comprises either two segments (short domain) or three segments (long domain) after the @ symbol. For example:

Short domain: spencerrimmel@unipraxis.com
Long domain: spencerrimmel@unipraxis.co.uk

When extracting the domain from an SMTP e-mail address, Orchestria APM always assumes this is a short domain and so extracts the final two address segments, unless these final two segments match any one of a list of known exceptions, in which case Orchestria APM infers that it must extract a long domain (that is, the final three segments).

List of known long domains


This list of known exceptions is hard-coded within Orchestria APM and includes all commonly used long domain patterns such as .*.uk and .ru.com. However, as the list of worldwide domains continues to grow, it is inevitable that new long domains will emerge that do not match this hard-coded list. If required, you can also supplement this list in the user policy; to do this, edit the Additional Long Domain Endings setting (see below).

Note: The full list of hard-coded long domain patterns is available in the Orchestria APM release notes, Relnotes_APM_<ver>.htm; find this file on your Orchestria APM distribution media.

Adding to the list of long domains

If you do need to supplement the default list of long domain patterns, you need to edit the Additional Long Domain Endings user policy setting; find this in the Definitions policy folder. When you edit this setting, be aware of the following:

All entries must start with a period and contain exactly two periods, for example: .ins.kr .fin.tz

If required, you can use a * wild card in place of an entire segment, for example: .*.pb However, we recommend you avoid using wildcards where possible because the scope of the resulting match may be greater than anticipated, causing short domains to be inadvertently treated as long domains. This is particularly true if the domain element of an address includes a geographical subdomain. For example, adding .*.pb to the exceptions list would cause Orchestria APM to treat ny.unipraxis.pb and london.unipraxis.pb as separate domains.

Long domain example

Consider an e-mail sent to two recipients, lsteel@unipraxis.co.uk and srimmel@monitrax.co.uk. It is clear from the recipient addresses that the e-mail is being sent to two companies, Unipraxis and Monitrax. But if Orchestria APM did not have the ability to extract long domains, it would only extract the final two address segments, co.uk, and so would incorrectly infer that the domain was the same for both recipients (giving a unique domain count of 1). However, because .*.uk is one of the known domain exceptions, when Orchestria APM detects .co.uk in an e-mail address it recognizes this as part of a long domain and so extracts the final three segments. In the example above, this enables Orchestria APM to recognize that the two recipients belong to two different companies and so it correctly calculates the unique domain count to be 2.
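The domain extraction described in this section, written out as an added example (not Orchestria code). BUILTIN_LONG_DOMAIN_PATTERNS is a constructed two-entry stand-in for the hard-coded list, additional_endings plays the role of the Additional Long Domain Endings setting, and the validation applies the two rules above; the wildcard case shows the over-matching the guide warns about.

```python
import re
from typing import Iterable, Sequence, Tuple

# Constructed subset of the hard-coded exceptions; the full list is in the
# release notes, so treat this tuple as an assumption, not the product's list.
BUILTIN_LONG_DOMAIN_PATTERNS: Tuple[str, ...] = (".*.uk", ".ru.com")

_SEGMENT = re.compile(r"[a-z0-9-]+")


def validate_pattern(pattern: str) -> Sequence[str]:
    """Apply the rules for Additional Long Domain Endings: starts with a
    period, contains exactly two periods, and * may stand for a whole
    segment only. Returns the two trailing segments the pattern names."""
    if not pattern.startswith("."):
        raise ValueError(f"{pattern!r} must start with a period")
    if pattern.count(".") != 2:
        raise ValueError(f"{pattern!r} must contain exactly two periods")
    segments = pattern[1:].lower().split(".")
    for seg in segments:
        if seg != "*" and not _SEGMENT.fullmatch(seg):
            raise ValueError(f"invalid segment {seg!r} in {pattern!r}")
    return segments


def is_valid_pattern(pattern: str) -> bool:
    try:
        validate_pattern(pattern)
        return True
    except ValueError:
        return False


def extract_domain(address: str,
                   patterns: Iterable[str] = BUILTIN_LONG_DOMAIN_PATTERNS) -> str:
    """Return the domain element of an SMTP address: the last two labels
    (short domain) unless those two labels match a known long-domain
    pattern, in which case the last three labels (long domain)."""
    local, at, host = address.strip().rpartition("@")
    if not at or not local or not host:
        raise ValueError(f"not an SMTP address: {address!r}")
    labels = host.lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"malformed domain in {address!r}")
    last_two = labels[-2:]
    for pattern in patterns:
        want = validate_pattern(pattern)
        if all(p == "*" or p == s for p, s in zip(want, last_two)):
            if len(labels) >= 3:
                return ".".join(labels[-3:])
            break  # only two labels exist, so there is nothing more to take
    return ".".join(last_two)


def count_unique_domains(recipients: Iterable[str],
                         additional_endings: Iterable[str] = ()) -> int:
    """Number of distinct domains across the recipient list, the figure an
    msgattr policy would compare against a per-message limit."""
    patterns = tuple(BUILTIN_LONG_DOMAIN_PATTERNS) + tuple(additional_endings)
    for p in patterns:
        validate_pattern(p)
    return len({extract_domain(r, patterns) for r in recipients})


if __name__ == "__main__":
    uk = ["lsteel@unipraxis.co.uk", "srimmel@monitrax.co.uk"]
    pb = ["a@ny.unipraxis.pb", "b@london.unipraxis.pb"]
    print(count_unique_domains(uk))            # 2: .co.uk is a long domain
    print(count_unique_domains(pb))            # 1: same short domain
    print(count_unique_domains(pb, [".*.pb"]))  # 2: wildcard over-matches
```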


XML metadata example


The table below shows an example XML hierarchy of metadata for a typical imported file (in this case, a Microsoft Word document). As far as possible, Orchestria APM attempts to fully populate the file metadata with relevant attributes. However, note that the range of available metadata items will vary by file type and file source. For example, if a third party application passes the file data to Orchestria APM in the form of a byte stream, rather than providing Orchestria APM with access to the original file, then policy triggers can only test for file attributes included in the byte stream. That is, Orchestria APM cannot independently identify or determine any missing attributes.

Example XML metadata

<?xml version="1.0"?>
<apm schema_version="1" xmlns="http://www.orchestria.com"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.orchestria.com xmleventattributes.xsd">
  <event>
    <file>
      <host>UX-RIMMEL</host>
      <filename>Sales_2007_Q1.doc</filename>
      <path>\\UX-RIMMEL\Personal\Tips</path>
      <created>2007-05-13T19:26:32</created>
      <accessed>2007-05-17T08:12:44</accessed>
      <modified>2007-05-16T21:05:54</modified>
      <size>41984</size>
      <title>Unipraxis Sales Q1 2007</title>
      <subject>Sales Revenue</subject>
      <author>Spencer Rimmel</author>
      <property_set name="Summary">
        <property prop_id="1" name="TotalEditingTime" type="xs:string">01:26:35</property>
        <property prop_id="2" name="WordCount" type="xs:string">824</property>
        <property prop_id="3" name="LastPrinted" type="xs:string">2007-05-17T08:14:36</property>
      </property_set>
      <property_set name="Custom">
        <property prop_id="1" name="Security" type="xs:string">Confidential</property>
        <property prop_id="2" name="Status" type="xs:string">Approved</property>
      </property_set>
    </file>
  </event>
</apm>
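The XML Attribute lookup examples earlier in this chapter can be checked against this metadata with Python's standard library, which also shows the one practical snag: the default xmlns means every element step needs a namespace prefix when queried. This is an added example, not Orchestria code; lookup_values, evaluate_test and xmlattr are the example's own names, SAMPLE_METADATA is a constructed cut-down copy of the metadata above, and the WITH ... WHERE grouping form is not modelled.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Sequence, Union

# The metadata declares a default namespace, so every element step needs a
# prefix when queried with ElementTree.
NS = {"apm": "http://www.orchestria.com"}

# Constructed cut-down copy of the guide's sample metadata (same values).
SAMPLE_METADATA = r"""<?xml version="1.0"?>
<apm schema_version="1" xmlns="http://www.orchestria.com">
  <event>
    <file>
      <host>UX-RIMMEL</host>
      <filename>Sales_2007_Q1.doc</filename>
      <path>\\UX-RIMMEL\Personal\Tips</path>
      <modified>2007-05-16T21:05:54</modified>
      <size>41984</size>
      <author>Spencer Rimmel</author>
      <property_set name="Summary">
        <property prop_id="2" name="WordCount" type="xs:string">824</property>
      </property_set>
      <property_set name="Custom">
        <property prop_id="1" name="Security" type="xs:string">Confidential</property>
        <property prop_id="2" name="Status" type="xs:string">Approved</property>
      </property_set>
    </file>
  </event>
</apm>"""


def lookup_values(root: ET.Element, xpath: str) -> List[str]:
    """Resolve a guide-style <xpath> (apm/event/file/...) to the text of each
    matching element, or to attribute values when the last step is @attr
    (e.g. .../property_set/@name). [@name="..."] predicates pass through."""
    steps = xpath.strip().split("/")
    if steps[0] != "apm":
        raise ValueError("xpath must start at the apm root element")
    attr = steps.pop()[1:] if steps[-1].startswith("@") else None
    et_path = "/".join("apm:" + s for s in steps[1:])
    nodes = root.findall(et_path, NS) if et_path else [root]
    if attr is not None:
        return [n.get(attr) for n in nodes if n.get(attr) is not None]
    return [(n.text or "").strip() for n in nodes]


_COMPARE: Dict[str, Callable] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def _coerce(value: str, operand: str):
    """Compare as integers when both sides parse as integers (size is in
    bytes); otherwise as strings, which orders ISO-8601 timestamps correctly."""
    try:
        return int(value), int(operand)
    except ValueError:
        return value, operand


def evaluate_test(values: List[str], op: str,
                  operand: Union[str, Sequence[str]]) -> bool:
    """Apply one True-False test to the located values. A path that located
    nothing yields False, so a missing element never satisfies IS NOT by
    accident (this fail-closed choice is the example's own, not the product's rule)."""
    if not values:
        return False
    op = " ".join(op.upper().split())
    if op == "IS":
        return any(v == operand for v in values)
    if op == "IS NOT":
        return all(v != operand for v in values)
    if op == "IS ANY":
        return any(v in operand for v in values)
    if op == "CONTAINS ANY":
        return any(s in v for v in values for s in operand)
    if op == "CONTAINS ALL":
        return any(all(s in v for s in operand) for v in values)
    if op in _COMPARE:
        return any(_COMPARE[op](*_coerce(v, operand)) for v in values)
    raise ValueError(f"unsupported operator {op!r}")


def xmlattr(xml_text: str, xpath: str, op: str, operand) -> bool:
    """One xmlattr WHERE <xpath> <op> <attribvalue> test over the metadata."""
    root = ET.fromstring(xml_text)
    return evaluate_test(lookup_values(root, xpath), op, operand)


if __name__ == "__main__":
    print(xmlattr(SAMPLE_METADATA, "apm/event/file/size", "<", "10240"))
    print(xmlattr(SAMPLE_METADATA, "apm/event/file/property_set/@name",
                  "IS ANY", ["Custom", "Version"]))
```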

12. Configuring event audit options

This chapter describes how to set up the Orchestria APM event auditing features. For any Web, e-mail, file, or IM event, you can view and update an audit trail. This shows the event's audit summary, when audit activity occurred (for example, a change of expiry date), who the reviewer was (the Orchestria APM user associated with the audit activity), and which machine was used to update the audit trail. It can also include other information such as comments added by a reviewer. Full Orchestria APM auditing features are available in the iConsole; basic auditing features are also available in the Data Management console. But first, administrators must configure audit status labels and the contents of the auditing dialogs using the Administration console. This chapter describes how to configure the auditing features. It also includes instructions for quarantine setup and reviewing quarantined events.

Note: For full details on reviewing events in the iConsole and Data Management console, please refer to the iConsole user guide and Data Management console guide respectively.

Customizable audit features

In order for reviewers to make full use of the iConsole and Data Management console event audit features, administrators need to configure the following features in the Administration console.

Warning: If these audit features are not fully configured, then they will not be available in the iConsole or Data Management console. That is, reviewers will not be able to audit events in either console.

Audit fields: Audit field names and list items available in audit fields are fully configurable, so that the terminology used and the available options can be customized to meet your organization's requirements. For example, administrators can define multiple 'audit status' labels, 'actions taken' labels and other predefined comments. They can also specify additional, mandatory updates to the audit trail when a reviewer changes an event's audit status. For more details about audit statuses, see page 304.


Audit e-mail templates: Administrators can define templates for audit e-mails and make them available to reviewers in the iConsole (in the Compose Mail dialog). These templates can include predefined recipient lists, plus predefined body and subject text to match your organization's terminology and requirements. Reviewers can use these templates, and change the predefined details if necessary, when composing audit e-mails.

One-click review buttons: Administrators can customize the behavior of one-click review buttons in the iConsole toolbar. These buttons allow reviewers to instantly change specific audit details from one value to another. For example, they can configure a button to automatically change the audit status of the currently selected events, or to change the Action Taken from Reviewed to Referred to Compliance Officer. Up to five separate buttons can be configured.

Note: If an administrator reconfigures the iConsole one-click review buttons, these changes will only become effective the next time a user logs into the iConsole. Users currently logged on to the iConsole must log off and log back on before these changes become effective.

Types of audit status


You can define up to 40 audit statuses and label them as required. Audit status 0 and audit status 1 are special cases:

Audit status 0 is the default status for unreviewed events. Newly captured or imported events are automatically assigned to audit status 0. Events with this status are yet to be reviewed, and we recommend that you define audit status 0 as Not reviewed.

Audit status 1 is the default status for reviewed events. By default in the iConsole, the one-click review button automatically advances the audit status from 0 to 1. If you intend to use this button with its default configuration, we recommend that you define audit status 1 as Approved; see page 306 for details.

Audit statuses 2 through 39 are standard status types. You can change or delete their status names as required.

For full details, see the Administration console online help; search the index for iConsole.

Chapter 12 Configuring event audit options


Auditing privileges
Access to the Orchestria APM audit features is controlled by administrative privileges, permitting administrators to closely control the scope of a reviewer's authority. Your reviewers must have the necessary administrative privileges.

Note: To assign administrative privileges, see page 50. For the full range of privileges, see page 57.

To do this | You need this privilege
Define audit status names, predefined comments and other audit fields. | Admin: Customizable console text
Change the audit status of an event without needing to view it. | Audit: Allow auditing without viewing the event
Change the audit status of multiple events in a single operation. | Audit: Allow auditing without viewing the event
View events without adding a Viewed Event entry to the audit trail. | Audit: Always suppress automatic auditing
Choose whether to view events without adding a Viewed Event entry to the audit trail. | Audit: Choose to suppress automatic auditing
Change the audit status of events and update the audit trail. | Audit: Update audit trail
View event audit trails. | Audit: View audit trail
Search for captured Web, e-mail and application data. | Events: Allow event searches
View captured data associated with any user in the user's management group. | Events: View captured data


Configuring audit buttons and field labels


Administrators use the Administration console to configure the audit field names, audit status labels, audit mail templates, and one-click review buttons that are available for reviewers in the iConsole and, to a limited degree, in the Data Management console. The diagram below shows how audit configuration tasks in the Administration console affect screens and dialogs in the iConsole and Data Management console.

Note: You must have appropriate privileges before you can customize the audit features. See page 305.

Diagram: Administration console Options dialog, Audit tab, and the screens and dialogs it affects (Data Management console: Search Results screen and Review dialog; iConsole: Search Results screen, New Issue dialog, Edit Issue dialog, Expiry Date dialog and Compose Mail dialog).

Options dialog, Audit tab: All audit configuration tasks begin here. From this tab, you can configure:

Modify Value dialog: The names of the <Field 1>, <Field 2> and <Field 3> audit fields that appear in the iConsole Issue dialogs and DMC Review dialog.

Audit Mail Templates dialog: Templates for audit mails, including recipients and default body and subject text. (Audit mails are sent by reviewers from the iConsole.)

Audit Options dialog: The one-click review buttons in the iConsole Search Results screen, plus the list items available in audit fields in various iConsole auditing dialogs and the DMC Review dialog.


Define audit field names (Fields 1,2,3)


These field names appear as labels for the drop-down lists available to reviewers in the iConsole Issues dialogs and the Review dialog in the Data Management console.

1 In the Administration console, choose Tools > Options.
2 In the Audit tab, click Modify to edit the names of <Field 1>, <Field 2> and <Field 3>.
3 Still in the Audit tab, click Edit Audit Options to edit the list items available in each audit field (see the next section for details).
4 To enable multiple selection for Field 3 items, select Allow multiple selection for Field 3.

Define list items for audit fields


These are the list items available to reviewers in the Issue dialogs in the iConsole and the Review dialog in the Data Management console. <Field 1> always lists the available statuses for captured events being reviewed, that is, the types of audit status; see page 304.

1 In the Administration console, choose Tools > Options.
2 In the Options dialog, go to the Audit tab and click Edit Audit Options to display the Audit Options dialog.
3 Define your field list items using the following tabs:

<Field 1>: Double-click an item, or use the Modify button, to define up to forty status names, for example, Not reviewed or Approved. Audit status 0 and audit status 1 are special cases; see page 304.
Note: You can also specify further mandatory audit changes for any individual status change; see page 308.

<Field 2>: Double-click an item or use the Modify button to define up to forty <Field 2> items.

<Field 3>: Double-click an item or use the Modify button to define up to forty <Field 3> items.
Note: Use the Move Up/Move Down buttons to change the order of <Field 1>, <Field 2>, or <Field 3> items as they appear when creating or editing an issue. This does not affect the database index entry of each audit status.

Comment: Use the Add, Remove and Modify buttons to create a list of comments, for example, Potential compliance violation or Satisfactory explanation provided by sender. This list of comments is also available in the Review dialog, which reviewers can access in the Data Management console, and in the Expiry Date dialog in the iConsole.
Note: The maximum length for a comment is 255 characters.

4 Click OK to save your settings and return to the Options dialog.

Options dialog, Audit tab (screenshot callouts): 1 Names of audit fields (Fields 1, 2, and 3). 2 Modify button. Click to define field names. 3 Allow multiple selection for Field 3 check box. Select if required. 3 Edit Audit Options button. Click to edit list items in audit fields. 4 Define Templates button. Click to define templates for audit e-mails.


Specify mandatory audit changes

If necessary, you can force reviewers to add further details when changing an event's status. For example, if a reviewer changes an event's status to Actionable, you can specify that they must also specify a reason for this and any accompanying action taken. There are two fields that can be made mandatory: <Field 2> and <Field 3> (see page 307). You configure these fields in the Administration console.

1 In the Administration console, choose Tools > Options.
2 Go to the Audit tab, click Edit Audit Options and select the <Field 1> tab.
3 Double-click an audit status, or select an audit status and click Modify.
4 From the Other Audit Fields list box, select Must be completed to specify that further details must be supplied if this audit status is selected.
5 Click OK. Your changes will take effect with the next logon.

Specify audit field dependencies

If necessary, you can configure which audit values are available for selection when a specific audit <Field 1> or <Field 2> value is selected. That is, you can configure dependencies between audit <Field 1> and <Field 2> values, and between audit <Field 2> and <Field 3> values. For example, if <Field 1> is Status and <Field 2> is Classified As, you can configure these audit field dependencies so that if a reviewer then uses the iConsole to set an issue status to Not Approved, they can only choose from a specific subset of Classified As values.

To configure <Field 1> to <Field 2> dependencies:

1 In the Administration console, choose Tools > Options.
2 Go to the Audit tab and click Edit Audit Options.
3 Select the <Field 1> tab.
4 Double-click the <Field 1> value that you want to configure the list of available <Field 2> values for. Or, select the <Field 1> value and click Modify.
5 In the Available '<Field 2>' Values list box, use the check boxes to modify the list of <Field 2> values you want to be available to reviewers when they select the current <Field 1> value.
Note: By default, all audit field values are available.
6 Click Apply. Your changes will take effect with the next logon.

To configure <Field 2> to <Field 3> dependencies, follow the steps above, selecting the <Field 2> tab in step 3 to show the Available '<Field 3>' Values list box.

Suppress automatic auditing

By default, Orchestria APM automatically updates an event's audit trail each time the event is viewed in the Data Management console or the iConsole. You can assign audit privileges to suppress this:

Audit: Always suppress automatic auditing: If a reviewer has this privilege, they can view events without Orchestria APM adding a Viewed Event entry to the audit trail.

Audit: Choose to suppress automatic auditing: If a reviewer has this privilege, they can choose to view events without adding a Viewed Event entry to the audit trail each time they open an event. The reviewer is prompted to choose when opening the first event of a new search, and that choice stands for all events in the current search results. If the same search is rerun, they are prompted again.

Note: If both privileges are set, Audit: Always suppress automatic auditing overrules Audit: Choose to suppress automatic auditing.

Both privileges permit the reviewer to view events without updating the audit trail. The reviewer can still update the audit trail manually, but Viewed Event entries are not added automatically. For a full list of audit privileges, see page 305.


Set up audit e-mail templates


Note: Only available in the iConsole.

Orchestria APM enables reviewers to forward non-issue related events or individual audit issues as e-mail attachments using the iConsole. For example, you can send separate issues from the same important event to different colleagues for further assessment. In order to match an organization's terminology and requirements, administrators can define several e-mail templates for reviewers to choose from when they click Send Mail.

To define e-mail templates:

1 In the Administration console, choose Tools > Options.
2 In the Options dialog, go to the Audit tab and click the Define Templates button (see item 4 in the Audit tab screenshot on page 307).
3 In the Audit Mail Templates dialog, click the Edit or Add buttons to modify an existing template, or create a new one.
Note: If you choose to create a new template, Orchestria APM prompts you to give it a name.
4 In the Edit Template dialog, specify the recipient e-mail addresses, then type a default subject and body text. For full details, see the online help.
Warning: iConsole users will need to re-enter any e-mail address(es) when using an e-mail template. For details, see the 'Compose Mail' topic in the iConsole help.
4.1 The details specified are automatically added to the e-mail when a reviewer clicks Send Mail in the iConsole.
Note: If necessary, the reviewer can change these fields (the subject, body text and recipient address), or choose another template before sending the actual e-mail.
4.2 Still in the Edit Template dialog, click the Save Template button. Then close the Audit Mail Templates dialog and the Options dialog.

Screenshots: Edit Template dialog (Save Template button); Audit Mail Templates dialog.


Set up the iConsole customizable toolbar buttons


Administrators can customize the behavior of one-click review buttons in the iConsole toolbar. These buttons allow reviewers to instantly change specific audit details from one value to another. For example, they can configure a button to automatically change the audit status of the currently selected events, or to change the Action Taken from Reviewed to Referred to Compliance Officer. Up to five separate buttons can be configured using the Audit Options dialog:

1 In the Administration console, choose Tools > Options.
2 Go to the Audit tab and click Edit Audit Options to display the Audit Options dialog.
3 Configure the buttons, using the various drop-down list boxes. The columns in the Tool Buttons table are populated using the <Field 1>, <Field 2> and <Field 3> tabs in the Audit Strings dialog; see step 3 on page 307.

Administration console: Audit Options dialog (screenshot callouts): 1 Button: These numbers correspond to the toolbar buttons. 2 Change: Defines which field to change in the event's audit trail for events reviewed using this button. Choose from <Field 1> (Status), <Field 2> (Classification), or <Field 3> (Action). 3 From: Defines which events this issue is valid for. That is, only events with this field value can be reviewed using this button. The contents of this list depend on which field is displayed in the Change column, and the list is populated using the equivalent field tab. 4 To (Status): Defines the new status for events updated using this button. 5 To (Classification): Defines the new classification for events updated using this button. 6 To (Action): Defines the new action for events updated using this button. 7 Comment: Defines which comment is displayed for events reviewed using this tool. It is optional and can be left blank. 8 Issue Name: This appears in the Issues pane of the iConsole Search Results screen for events associated with this issue. It is optional and can be left blank. 9 Enabled: Defines whether the button is enabled or disabled in the iConsole. A tool can be enabled for reviewing only single events, multiple events, or both. 10 Action if Invalid: When reviewing multiple events, the selection may include invalid events, that is, events with issues that are not valid for the tool button (3). This column defines what happens if an invalid event is reviewed using this button. 11 Tooltip: Type the label that displays when the mouse pointer hovers over the button in the toolbar.

Change column: Choose which audit field you want the tool to modify. In this example, that is Status, Classification, or Action.

From column: Select the field value that will be changed. Only events that currently have this field value can be reviewed using this tool. That is, only valid events will be reviewed and have this issue added to their audit trail.

To columns: After making your selection in the From column, choose one of the To columns to define what the field value will be changed to. For example, you may want the tool to change the audit status from Approved to Escalate, in which case you need not make a selection from the remaining To columns.

Comment column: Type in the comment you want added when updating events using this button. This column is optional and can be left blank.

Issue Name column: Type in a name to be displayed when this issue is associated with an event. The name is displayed in the Issues section of the iConsole Search Results screen. This column is optional and can be left blank.

Enabled column: Choose whether the button is enabled for reviewing only single events, only search results, or both. You can also choose to disable the button so it does not appear on the iConsole Search Results screen.

Action if Invalid column: Configure what happens if an invalid event is encountered in a bulk review using this tool. Choose from the following options:
Abort and warn: Abandon the bulk review, make changes to none of the events and warn the user via a warning dialog.
Ignore silently: Review only valid events. Ignore any invalid events but do not warn the reviewer.
Ignore and warn: Review only valid events. Ignore any invalid events and warn the reviewer.

Tooltip column: Type in a name for the button to be displayed when the mouse pointer hovers over it in the toolbar.

Note the following:
If an administrator reconfigures the iConsole one-click review buttons, these changes only become effective the next time a user logs into the iConsole. Users currently logged on to the iConsole must log off and log back on before these changes become effective.
After an event has been reviewed using one of these buttons, the corresponding issue is added to the event's audit trail. For more details on issues, refer to the Data Management console online help; search the index for event auditing, multiple audit issues.
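The Change, From, To and Action if Invalid settings described above, modelled as an added Python example (not Orchestria code) so that the three Action if Invalid behaviours can be compared on one sample selection; the button and event records, the field labels and the audit-trail entry format are constructed assumptions.

```python
"""Model of one-click review button semantics: a button changes one audit field from a
From value to a To value, and Action if Invalid decides what happens to selected events
that do not currently hold the From value. Added illustration, not Orchestria code; the
records, labels and audit-trail layout below are constructed assumptions."""
from dataclasses import dataclass, field

# Assumed labels for the three audit fields, matching the example in the text.
STATUS, CLASSIFICATION, ACTION = "Status", "Classification", "Action"

# The three Action if Invalid options listed on the page.
ABORT_AND_WARN = "Abort and warn"
IGNORE_SILENTLY = "Ignore silently"
IGNORE_AND_WARN = "Ignore and warn"


@dataclass
class ToolButton:
    change: str              # which audit field the button modifies
    from_value: str          # only events whose field currently holds this value are valid
    to_value: str            # the value the field is changed to
    action_if_invalid: str   # one of the three options above
    comment: str = ""        # optional comment added to the audit trail
    issue_name: str = ""     # optional name shown in the Issues pane
    single: bool = True      # enabled for reviewing a single event
    multiple: bool = True    # enabled for reviewing search results (multiple events)


@dataclass
class Event:
    event_id: int
    audit: dict                                   # current value of each audit field
    audit_trail: list = field(default_factory=list)


class ReviewAborted(Exception):
    """Abort and warn: the whole bulk review was abandoned and no event was changed."""


def is_valid(button, event):
    """An event is valid for a button when its Change field currently holds the From value."""
    return event.audit.get(button.change) == button.from_value


def review(button, events, reviewer):
    """Apply the button to the selected events.

    Returns (reviewed_ids, skipped_ids, warning). Validity is checked for the whole
    selection before anything is changed, so Abort and warn leaves every event untouched.
    """
    if len(events) == 1 and not button.single:
        raise ValueError("button is disabled for single events")
    if len(events) > 1 and not button.multiple:
        raise ValueError("button is disabled for multiple events")

    valid = [e for e in events if is_valid(button, e)]
    invalid = [e for e in events if not is_valid(button, e)]
    warning = None
    if invalid:
        if button.action_if_invalid == ABORT_AND_WARN:
            raise ReviewAborted(
                f"{len(invalid)} selected event(s) do not have {button.change} = "
                f"'{button.from_value}'; no events were changed"
            )
        if button.action_if_invalid == IGNORE_AND_WARN:
            warning = f"{len(invalid)} invalid event(s) were ignored"
        # IGNORE_SILENTLY: invalid events are skipped without any warning.

    for e in valid:
        e.audit[button.change] = button.to_value
        # The issue recorded in the event's audit trail after a one-click review.
        e.audit_trail.append({
            "reviewer": reviewer,
            "field": button.change,
            "from": button.from_value,
            "to": button.to_value,
            "comment": button.comment,
            "issue": button.issue_name,
        })
    return [e.event_id for e in valid], [e.event_id for e in invalid], warning


# Constructed sample: a button that escalates Approved events, as in the text's example.
ESCALATE = ToolButton(STATUS, "Approved", "Escalate", IGNORE_AND_WARN,
                      comment="Escalated for second review", issue_name="Escalation")


def sample_events():
    """Three constructed events; only the first two are valid for ESCALATE."""
    return [
        Event(1, {STATUS: "Approved", CLASSIFICATION: "", ACTION: "Reviewed"}),
        Event(2, {STATUS: "Approved", CLASSIFICATION: "", ACTION: "Reviewed"}),
        Event(3, {STATUS: "Not reviewed", CLASSIFICATION: "", ACTION: ""}),
    ]


if __name__ == "__main__":
    events = sample_events()
    print(review(ESCALATE, events, "reviewer1"))
```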


Quarantined e-mails
SEC regulatory requirement 472 requires that certain categories of documents sent to multiple external recipients must be approved by an appropriate representative. The Orchestria APM quarantine feature enables your organization to enforce this requirement. This feature is implemented in the user policy as a new intervention option in control actions for outgoing e-mails. The quarantine procedure is summarized below.

Quarantined e-mails: Example based on Exchange server integration (diagram). This example shows how the Quarantine feature operates in conjunction with the Exchange server agent. However, it can also operate in conjunction with Outlook and Notes client agents. An e-mail is sent (1) and monitored by Orchestria APM (2) as it transits through the Exchange server (3). A control trigger quarantines the e-mail. The CMS (4) maintains a queue of quarantined e-mails. A reviewer (5) checks quarantined e-mails in the iConsole or Data Management console. The reviewer can either release or reject a quarantined e-mail. The Quarantine Manager (6) regularly checks the quarantine queue on the CMS for e-mails that have been released or which have timed out (7). It then forwards these e-mails, either via the original Exchange server (8a) or, if so configured, through an alternative Exchange server (8b), to the intended recipient (9).

When the Orchestria APM Exchange server agent detects e-mails that match the specified criteria, it diverts them to a quarantine queue. At the same time, it can optionally send a 'quarantine notification' to the original sender. The reviewer can retrieve quarantined e-mails in the Data Management console or the iConsole and either approve or reject them. If the reviewer approves an e-mail, it is immediately released from quarantine and forwarded to its intended recipients; if the reviewer rejects the e-mail, it is effectively blocked, that is, it is not forwarded to its intended recipients and this 'quarantine rejection' is recorded in the event's audit trail on the CMS. To avoid unnecessary disruption to users' workflow, administrators can also configure a quarantine time-out. If a quarantined e-mail has not been reviewed before the time-out expires, it is automatically released.

Note: Quarantined e-mails are not sent until released.

Quarantine setup procedure


The quarantine setup is a three-step procedure. First, you need to set up the control action in the user policy, then configure the Quarantine Manager (see the Deployment guide; search the index for Quarantine Manager, configuring). Finally, you can set up a quarantine alarm to alert you when new e-mails are added to the quarantine list. This procedure is illustrated below.

Quarantine events: Setup procedure (diagram). 1 Set up control actions to quarantine targeted e-mails (mark e-mails for quarantine: set up the Quarantine control action, then set up the quarantine control triggers). 2 Configure the registry settings for the Quarantine Manager. 3 Use the Executive console to alert you when new e-mails are added to the quarantine list (define the quarantine statistic in the Administration console, then set up the Executive console alarm).

Mark e-mails for quarantine

Available for outgoing e-mails only.

Any outgoing e-mail that triggers a control action can be marked for quarantine. To do this, you must first define a Quarantine control action.

1 For the control action that you want to use, specify the Intervention setting; see pages 220 to 227. You can configure the Quarantine control action to:
Quarantine with notification: An e-mail is marked for quarantine and Orchestria APM notifies the sender. You can define the notification text in the sender's policy.
Quarantine quietly: This option can only be used with server integration. An e-mail is marked for quarantine, but the sender remains unaware of this.
Note: We recommend that you use the highest numbered control action as the quarantine control action in order to give it the lowest priority. For example, if there are 10 control actions, configure Control Action 10 as the quarantine control action. An event is immune to other control actions, such as warnings or blocks, after it is marked for quarantine; see page 232.
2 Next, set up triggers to detect those e-mails that must be quarantined.
3 Finally, for each of these triggers, invoke the previously defined Quarantine control action.


Set up a quarantine alarm in the Executive console


Orchestria APM can compile statistical data for outgoing e-mail events for each user group. With this information, you can then create an alarm to alert reviewers when new e-mails are added to the quarantine list:

1 Define quarantine statistic in Administration console: Use the Statistics screen to configure summary statistics for all outgoing e-mails that trigger the Quarantine control action. See the Executive Console guide for details about setting up statistics; search the index for statistics, overview.
2 Set up an alarm in the Executive console: Use the statistic configured in step 1 to define an alarm in the Executive console. See the Executive Console guide for details about setting up alarms; search the index for alarms.

Reviewing quarantined events


Note: You can only review quarantined events if you have the administrative privilege Events: Control quarantined events. See page 57 for details.

To review a list of quarantined e-mail events, you need to run a search in either the Data Management console or the iConsole. When viewing quarantined events in the Data Management console or iConsole, the following toolbar buttons become enabled:

Release From Quarantine: Click this to remove the quarantine status from the e-mail and allow it to be sent on to its intended recipient(s).

Reject From Quarantine: Click this to remove the e-mail from the quarantine list and effectively block it. That is, it is not sent on to its intended recipient(s). This activity is recorded in the event audit trail.

Note: In both cases, a copy of the formerly quarantined e-mail is retained in the CMS database.

Automatically release expired e-mails

You can configure the Quarantine Manager to automatically release e-mails from quarantine after a specified period (the quarantine timeout). For details, see the Deployment guide; search the index for Quarantine Manager.
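The quarantine workflow described in this section (release and reject decisions, the quarantine time-out, and the Quarantine Manager's periodic forwarding check), as an added Python model that is not Orchestria code; the record layout, state names, audit-trail wording and the sample e-mails are constructed assumptions.

```python
"""Simplified model of the CMS quarantine queue: the Exchange server agent diverts
matching e-mails into it, reviewers release or reject them, and the Quarantine Manager
forwards released or timed-out e-mails while a copy of every e-mail stays in the CMS.
Added illustration, not Orchestria code; states and wording are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

QUARANTINED, RELEASED, REJECTED, FORWARDED = "quarantined", "released", "rejected", "forwarded"


@dataclass
class QuarantinedMail:
    event_id: int
    sender: str
    recipients: list
    quarantined_at: datetime
    state: str = QUARANTINED
    audit_trail: list = field(default_factory=list)


class QuarantineQueue:
    """Queue of quarantined e-mails held on the CMS, plus the retained copies."""

    def __init__(self, timeout: timedelta):
        self.timeout = timeout   # quarantine time-out after which unreviewed mails auto-release
        self.pending = {}        # event_id -> mail awaiting release or rejection
        self.cms_copies = {}     # event_id -> mail; a copy is retained whatever the outcome

    def quarantine(self, mail, notify_sender=False):
        """Exchange server agent diverts a matching e-mail into the queue."""
        self.pending[mail.event_id] = mail
        self.cms_copies[mail.event_id] = mail
        mail.audit_trail.append("Quarantined" + (" (sender notified)" if notify_sender else ""))

    def release(self, event_id, reviewer):
        """Reviewer approval: the mail is forwarded on the next Quarantine Manager pass."""
        mail = self._pending(event_id)
        mail.state = RELEASED
        mail.audit_trail.append(f"Released from quarantine by {reviewer}")

    def reject(self, event_id, reviewer):
        """Rejection blocks the e-mail: it leaves the queue and is never forwarded."""
        mail = self._pending(event_id)
        mail.state = REJECTED
        mail.audit_trail.append(f"Quarantine rejection by {reviewer}")
        del self.pending[event_id]

    def _pending(self, event_id):
        if event_id not in self.pending:
            raise KeyError(f"event {event_id} is not awaiting review")
        return self.pending[event_id]

    def manager_pass(self, now: datetime):
        """One Quarantine Manager check: auto-release expired mails, forward released ones.

        Returns the ids of the e-mails forwarded to their intended recipients.
        """
        forwarded = []
        for event_id, mail in list(self.pending.items()):
            if mail.state == QUARANTINED and now - mail.quarantined_at >= self.timeout:
                mail.state = RELEASED
                mail.audit_trail.append("Released automatically (quarantine time-out)")
            if mail.state == RELEASED:
                mail.state = FORWARDED
                mail.audit_trail.append("Forwarded to intended recipients")
                forwarded.append(event_id)
                del self.pending[event_id]
        return forwarded


def sample_run():
    """Constructed scenario: three e-mails quarantined together with a 24 hour time-out."""
    t0 = datetime(2008, 1, 1, 9, 0)
    q = QuarantineQueue(timeout=timedelta(hours=24))
    for i in range(1, 4):
        mail = QuarantinedMail(i, "alice@example.com", ["bob@example.net"], t0)
        q.quarantine(mail, notify_sender=(i == 1))
    q.release(1, "reviewer1")                          # approved: forwarded on the next pass
    q.reject(2, "reviewer1")                           # rejected: blocked and audited
    first = q.manager_pass(t0 + timedelta(hours=1))    # only mail 1 is forwarded
    second = q.manager_pass(t0 + timedelta(hours=25))  # mail 3 timed out, so it is released
    return q, first, second


if __name__ == "__main__":
    q, first, second = sample_run()
    print(first, second)
    for mail in q.cms_copies.values():
        print(mail.event_id, mail.state, mail.audit_trail)
```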

13. Content agents

Content agents

Note: Content Agents are available only if explicitly included in your license agreement. The technology underlying these features is used under license from Fast Search and Transfer International AS. See page 2 for copyright details.

This chapter describes content agents. Based on innovative pattern-matching technology and intelligence contained in your Orchestria APM Content database, content agents give you the ability to capture and control Web, file and e-mail documents based on their text content.

Overview

In a typical installation, your store of captured data will grow quickly, and unless you have the right tools it can be hard to keep track of user activity. In content searches and content agents, you have the right tools. Content Agents can identify specific types of document based on their text content. They form the basis of enormously flexible content agent triggers. These triggers let you capture or control attempts by users to browse, upload, print, copy to removable drives, send or receive documents that match the specified types.

Content searches and content agents (diagram): 1 Orchestria APM Content database. 2 Content searches look for captured events (3) in the content database. 4 Content agents use intelligence in the content database to identify document types. When tested and published, they can be incorporated into user policies (5) as Content Agent triggers.


Why use Content Agent triggers?

Document Classification triggers already let you capture and control specific types of document (see page 177). So why use Content Agent triggers? Because they use agent technology, making them much smarter and much easier to configure.

Smart detection: Document Classification triggers can examine targeted documents for keywords but, as with database searches, cannot contextualize these keywords. By comparison, Content Agent triggers can contextualize. This greatly improves their accuracy when categorizing or rejecting a targeted document.

Adaptive, example-based training: The accuracy of Document Classification triggers depends heavily on the ability of administrators to define sophisticated classification parameters. You cannot train them to recognize specific categories of documents simply by exposing them to examples of documents. But this is precisely how you train content agents. You can even retrain your agents to reflect a better selection of example documents or an expansion of your Content database. This allows the agents to continually adapt their search algorithms to focus on the documents you want and reduce the number of false hits.

Note: For simple, non-contextualized analysis (that is, if you want the mere presence or absence of a key word to activate a policy trigger), the Document Classification triggers are a more appropriate choice than Content Agent triggers.

Before you start

Deployment

Before you can define content agent features, you must:

1 Install the software components that enable the content services to run. These components are the content database, the content proxy server and the content indexer utility. You can find full deployment instructions in the Deployment guide; search the index for content services.
2 Populate the content database with indexed captured data. To do this, use the content indexer utility. You can find full instructions in the content indexer online help.
Warning: You do not need to index all your captured data, but the larger the content database, the more accurate the content agents will be.

The diagram below shows how the content services components support the content search and content agent features. This example shows the components all installed on the same host machine. Alternative configurations may suit your organization better. See the Deployment guide for details.

Content services: a typical deployment (diagram). 1 CMS. 2 Content Services host machine. Captured data is indexed by the Content Indexer (3) into a Content database (4). From an Orchestria APM console (5), users can run content searches or train content agents based on data in the Content database. All database queries are routed through the Content Proxy server (6).


Content agents
A content agent can detect a specific type of document based on its text content. A document can be any Web page, e-mail, attachment, or file. For example, you could train an agent to identify customer e-mail enquiries, an airline reservation Web site or offensive e-mails. After you have trained and published an agent, you can incorporate it into a content agent trigger. These triggers let you capture or control any attempt by users to browse, upload, print, copy to removable drives, send or receive documents that match the specified type. For example, you could train a content agent to recognize reports produced by your research team. This would allow you to display a warning, or even block the user, if they attempted to send a report to unauthorized recipients or upload the report to a Web site.

Note: Administrators require the Edit content agents privilege before they can set up or edit content agents. See page 57 for details.

Training documents
These are example documents, similar to the ones you want to detect. The agent analyzes the content of these training documents and identifies their characteristic text patterns. To do this, it exploits the content database's sophisticated understanding of similar text patterns identifiable in the database. You can train an agent using positive and negative training documents:

Positive training documents are example documents that accurately portray the type of document you want to detect. Orchestria APM uses these documents to build a positive 'term pool', that is, a list of words and phrases that indicate a possible match.

Negative training documents represent definite non-matches. Learning to recognize negative examples helps the agent exclude ambiguous documents and reduces the number of false hits. Orchestria APM uses these documents to build a negative 'term pool', that is, a list of words and phrases that indicate a possible non-match. Entries in the negative term pool are then subtracted from the positive 'term pool'.

For any agent, you need significantly more positive documents than negative documents. In fact, we recommend a ratio of no less than 5:1 in favor of positive training documents.

Content agent icons

You train content agents in the Administration console. The Content Agents tree uses these icons:
Content agent - published
Content agent - unpublished
Positive training documents
Negative training documents
Test documents
Event link (contains associated documents)

Test documents
You use these to calibrate content agents. When you have chosen your training documents, you can test the fledgling agent against a selection of test documents. For example, if you are training the agent to recognize customer enquiries about a specific product, include an actual customer e-mail as a test document.

When you test the agent, Orchestria APM displays a percentage score for each test document; your aim is to train the agent so that each test document scores as accurately as possible (that is, 'realistic' test documents score high and deliberately non-matching test documents score low). To maximize training effectiveness, all agents are tested automatically against their own, dedicated test documents and against a set of default test documents; see the next section.

Default test documents

When you have chosen your training documents, you can test the fledgling agent against test documents. Ideally, you want to test the agent against as many documents as possible in order to gauge the agent's accuracy. For this reason, all agents are tested automatically against their own, dedicated test documents and against a common set of default test documents.

Set up default test documents

1 In the Administration console, expand the Defaults agent branch.
2 Select the Test Documents branch, then either:
Right-click the right-hand pane of the Administration console and choose Add Files, or
Drag and drop the files you want from Windows Explorer into the right-hand pane.
3 Right-click any agent and choose Test to open the Agent Testing dialog; see page 320.
4 In the Documents Tested column, Orchestria APM displays a percentage score for both the agent's own test documents and the default test documents. As always, your aim is to train the agent so that each test document scores as accurately as possible (that is, 'realistic' test documents score high and deliberately non-matching test documents score low).

Define content agents

Before you can use a content agent to capture or control user activity, you must first create, train and publish the agent. Only then can you incorporate the agent into policy triggers. The procedure is summarized below:

Creating a content agent (diagram): 1 Prepare the content database: populate a content database with indexed captured data. 2 Create a new agent in the Administration console. 3 Train the agent: use example documents to test and train the agent. 4 Publish the agent. This makes it available to the User Policy Editor. 5 Edit the policy triggers: configure the associated capture and control triggers in the user policy.

Prepare the content database

As a precondition for training content agents, you must populate your content database with indexed captured data. Ideally, you need to add as many captured items to the content database as possible. You use the Content Indexer utility to populate the content database; full instructions are available in the Content Indexer online help. When this is complete, you are ready to create a new content agent; see page 319.

Warning: You do not need to index all your captured data, but the larger the content database, the more accurate the content agents will be.

Create an agent
In the Administration console:
1 If you have not already done so, select a Content Proxy server before you start (see either the iConsole user guide or the Data Management Console guide; search the index for content searches). Then right-click the Content Agent branch and choose New Agent, or click the equivalent button in the toolbar.

This adds a new, unpublished agent to the Content Agent branch. Give the agent a name that describes what type of documents it will be targeted at, such as Offensive e-mails or Product enquiries. You are now ready to train the agent; see the next section.

Content Agents branch (screenshot): 1 Published agents (Inappropriate humor, Airline reservations, Product enquiries). 2 Unpublished agent (Customer complaints). 3 Document branches (Positive Training Documents, including the event link My_event_link; Negative Training Documents; Test Documents).

Train the agent
Now you must train the agent to recognize a specific type of document. This is an iterative process. First, you must choose some training documents. These are simply example documents, similar to the ones you want to detect. The agent analyzes the content of these training documents and identifies their characteristic text patterns. To do this, it exploits the content database's sophisticated understanding of similar text patterns identifiable in the database. Your training documents will mainly include positive examples, that is, documents that accurately portray the type of document you want to detect. But you can also include negative examples; these documents represent definite non-matches. Learning to recognize negative examples helps the agent exclude ambiguous documents and reduces the number of false hits. When you have chosen your training documents, you can test the fledgling agent against them. For example, if you are training the agent to recognize customer enquiries about a specific product, include an actual customer e-mail as a test document. When you test the agent, Orchestria APM displays a percentage score for each test document; your aim is to train the agent so that each test document scores as accurately as possible (that is, realistic test documents score high and deliberately non-matching test documents score low).

1 Add your training and test documents
When choosing your training documents, you can add any file types supported by Orchestria APM. For a list of file types with searchable content, see page 113. You can also add .EVL event link files to your training documents. These files point to Web or e-mail documents associated with the captured event. If you add an event link file, a sub-branch is added below the document branch. Expand this sub-branch to see copies of the documents associated with the event.

1.1 In the Administration console, expand the unpublished agent branch.
1.2 For each document branch, add the documents you want:
- Right-click the right-hand pane of the Administration console and choose Add Files, or
- Drag and drop the files you want from Windows Explorer into the right-hand pane. See the screenshot on page 320.
1.3 If you have not already done so, you can also set up a set of default test documents. See page 318.

Adding agent training and test documents (screenshot): 1 Administration console. Select the target document branch. 2 Windows Explorer. Drag and drop your documents into the right-hand pane of the console.

Agent Testing dialog (screenshot): 1 Scores indicate how well training and test documents match the document type targeted by the agent.

2 Test the agent
Now you must test the accuracy of the agent. Right-click the unpublished agent and choose Test to open the Agent Testing dialog. Orchestria APM calculates a percentage score for each training and test document. The score quantifies how well the document matches the document type targeted by the agent. You want the realistic test documents to score as highly as possible, ideally matching the scores of the positive training documents (conversely, you want any deliberately non-matching test documents to score as low as possible). By definition, positive training documents should score very highly because they embody precisely the type of documents you want the agent to detect. A negative training document naturally scores lower; its actual score depends on how subtle the differences are between it and the positive training documents.

The first time you test a new agent, it is likely that the test documents will not score highly enough. In other words, the agent is not accurate enough to detect your test documents. This means you must adjust the agent definition; either you extend the range of training documents, or you adjust the agent properties. Or you can do both. Adjusting the agent properties is described in step 3.

3 Adjust the agent properties
This step is optional. When fine-tuning the accuracy of a new agent, you may need to iteratively adjust its properties until you are satisfied with the scores awarded to your test documents. Right-click the unpublished agent and choose Properties to open the Agent Properties dialog. Here you can adjust the following:

- Required words: You can define a list of compulsory words or phrases. All must be present in a target document for the content agent to confirm a match. In effect, this property specifies a Boolean AND condition.
- Disqualifying words: You can define a list of words or phrases that indicate a definite non-match. If any are present, the agent disregards the target document and does not confirm a match. In effect, this property specifies a Boolean NOT condition.
- Minimum number of words: A common problem when matching text patterns is that agents may be activated by very short documents, perhaps just a few words long, simply because they contain one of your search terms. To reduce the number of false hits, you can specify a minimum word count; the content agent triggers will ignore documents with fewer words than this.
- Firing threshold: This is the minimum percentage score that a document needs to activate the agent (and any dependent triggers). If a document score is below this threshold, the agent will not activate. When defining your firing threshold, you need to consider the typical scores achieved by your test documents; these are your best guide as to what threshold you need to set.

Note: This threshold is measured as a percentage of the agent's benchmark score, that is, the average score for the agent's positive training documents.

4 When you are satisfied with the scores for your test documents, you are ready to publish the content agent; see the next section.

Publish the agent
Right-click the unpublished agent and choose Publish, or click the equivalent button in the toolbar. As soon as the publishing completes, the agent is available for inclusion in a content agent trigger; see the next section. The agent icon also changes from the unpublished icon to the published icon. If necessary, you can republish an agent at a later date to use an amended or more accurate definition. If you republish an agent, any triggers will automatically use the updated agent definition. Republishing is described in the next section.
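The four agent properties in step 3 interact in a fixed way: the word-count and disqualifying-word checks reject a document outright, every required word must be present, and only then does the similarity score matter, measured as a percentage of the benchmark (the average score of the positive training documents). The following Python sketch is an added illustration written for this guide, not Orchestria's implementation: the ContentAgent class, its method names and the cosine-similarity scoring that stands in for the product's content-database pattern matching are all assumptions, and the training and test documents are constructed.

```python
"""Content agent matching rules: added example, not Orchestria's implementation."""
import re
from collections import Counter
from dataclasses import dataclass, field
from math import sqrt
from typing import List, Tuple

WORD_RE = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> List[str]:
    return WORD_RE.findall(text.lower())


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two bags of words."""
    dot = sum(a[w] * b[w] for w in a.keys() & b.keys())
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


@dataclass
class ContentAgent:
    positive_training: List[str]
    required_words: List[str] = field(default_factory=list)       # Boolean AND
    disqualifying_words: List[str] = field(default_factory=list)  # Boolean NOT
    minimum_words: int = 0
    firing_threshold_pct: float = 60.0  # percentage of the benchmark score

    def raw_score(self, text: str) -> float:
        """0..100 similarity of the text to the positive training documents.
        Assumed stand-in for the product's scoring: mean cosine similarity."""
        doc = Counter(tokenize(text))
        sims = [cosine(doc, Counter(tokenize(t))) for t in self.positive_training]
        return 100.0 * sum(sims) / len(sims)

    def benchmark(self) -> float:
        """Average raw score of the positive training documents themselves."""
        scores = [self.raw_score(t) for t in self.positive_training]
        return sum(scores) / len(scores)

    def evaluate(self, text: str) -> Tuple[bool, str]:
        """Apply the properties in order and say why the document did or did not fire."""
        lower = text.lower()
        if len(tokenize(text)) < self.minimum_words:
            return False, "below minimum word count"
        for phrase in self.disqualifying_words:
            if phrase.lower() in lower:
                return False, f"disqualified by '{phrase}'"
        for phrase in self.required_words:
            if phrase.lower() not in lower:
                return False, f"missing required '{phrase}'"
        pct = 100.0 * self.raw_score(text) / self.benchmark()
        if pct < self.firing_threshold_pct:
            return False, f"score is {pct:.0f}% of benchmark, below the {self.firing_threshold_pct:.0f}% threshold"
        return True, f"fires at {pct:.0f}% of benchmark"


# Constructed training set for a "Product enquiries" agent.
POSITIVE_TRAINING = [
    "I would like more information about your Model X widget. Can you send me a price list?",
    "Please could you tell me the price of the Model X widget and whether it is in stock?",
    "Do you have a brochure for the Model X widget? I am interested in ordering several units.",
]
AGENT = ContentAgent(
    POSITIVE_TRAINING,
    required_words=["widget"],
    disqualifying_words=["unsubscribe"],
    minimum_words=5,
    firing_threshold_pct=50.0,
)
REALISTIC_TEST = "Hi, could you send me the price list for the Model X widget? Thanks"
NON_MATCHING_TEST = "Our widget factory holiday schedule: the canteen closes early on Friday for the staff party."

if __name__ == "__main__":
    print(f"benchmark score: {AGENT.benchmark():.1f}")
    for doc in ("widget", REALISTIC_TEST, NON_MATCHING_TEST):
        print(AGENT.evaluate(doc))
```

The non-matching document contains the required word, so only the threshold keeps it from firing; this is the situation the firing threshold exists for, and the scores your own test documents achieve are the right basis for choosing it.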

Edit the policy triggers
Content agent triggers are available as both capture and control triggers, for Web pages and e-mails.
1 In the User Policy Editor, select the Content Agent trigger you want. The trigger settings display in the right-hand pane.
2 Double-click the Agent Names setting. In the Properties dialog, click Add and choose the agent you want. Only published agents can be used by a content agent trigger.
3 Save the policy changes.

User Policy: Example content agent triggers (screenshot): User Policy [Spencer Rimmel] > Capture; Control > Web Pages > Control Triggers > Content Agent n > Control Actions; Incoming e-mails > Control Triggers > Content Agent n > Control Actions; Outgoing e-mails > Control Triggers > Content Agent n > Control Actions.

Edit the content agent for files policy settings
Content agent for files settings are available in both capture and control file triggers.
1 In the User Policy Editor, select the Data At Rest or Data In Motion trigger you want.
2 In the trigger, amend the Use Content Agents For Files setting. Set this to Use Content Agents to Analyze Text Content.
3 Double-click the Which Content Agents? setting. In the Properties dialog, click Add and choose the agent you want. Only published agents can be used by a content agent trigger.
4 Save the policy changes.

Note: For details about unpublishing and republishing agents, see page 323.

Managing content agents
You can republish, clone, unpublish and delete content agents. In the Administration console, you must first expand the Content Agent branch.

Note: Administrators require the Edit content agents privilege before they can set up or edit content agents. See page 57 for details.

Unpublishing an agent
To unpublish an agent, right-click a published agent and choose Unpublish. This is useful if, for example, you are dissatisfied with an agent's definition and you want to withdraw it from the user policy until it has been redefined. But see the policy trigger warning below.

Republishing an agent
In the future, you may want to republish an agent. For example, based on your experience of observing how the content agent triggers work, you may decide to alter the agent definition in order to improve its accuracy. To do this, you simply retrain the agent and then republish it. All triggers that use this agent will automatically start using the updated agent definition. When you are ready to do so, right-click a published agent and choose Republish. To undo any changes you make while retraining a published agent (for example, changes to the training documents or agent properties), right-click the agent and choose Undo Changes. This restores the agent to its original state.

Cloning an agent
As a shortcut to creating a new agent, you can simply clone an existing agent and then amend its training documents or agent properties as required. Right-click any existing agent and choose Clone.

Deleting an agent
Right-click an agent and choose Delete. But see the policy trigger warning below.

Policy triggers and unpublished or deleted agents
Caution: If you unpublish or delete an agent, it is no longer available for use by Content Agent triggers in the user policy.

When you unpublish an agent, the policy will continue to operate, but:
- If a trigger uses a single agent and that agent is subsequently unpublished, the trigger is effectively disabled.
- If a trigger uses multiple agents, only the unpublished agent will cease to operate; other agents are unaffected.

Chapter 14 Troubleshooting

This chapter provides the information you need to solve problems that may arise when you use Orchestria APM. Note that you can also contact technical support if problems persist; see page 24 for contact details.

Searching for events

A search for captured data unexpectedly finds no matching events
If you search for captured events in the Data Management console or iConsole, the search can sometimes find no matching events even when you know such events exist in the CMS database.

There are several possible reasons why this happens:

- No event participants are associated with Orchestria APM users. For example, this can happen if you import e-mails or IM data but fail to keep e-mail addresses for your Orchestria APM users up to date. In this situation, Orchestria APM may be unable to map event participants to existing Orchestria APM users.
- None of the Orchestria APM users associated with participants fall within your management groups. You can only retrieve search results for users belonging to groups within your management branches.
- Although one of the users associated with a participant is in your management group, they were not when the event was captured or imported. Management group boundary enforcement is based on a participant's user group at the time of capture. For example, if an e-mail sender was not in your management group when the e-mail was captured, you cannot search for that e-mail at a later date, even if the sender has subsequently been moved into your management group. To override management group constraints, you can assign the Admin: Disable management group filtering privilege to an administrator. This is described on page 44.
- The events you are searching for have already expired. That is, their minimum retention period has expired and they have been purged from the CMS database.
- The event you are searching for has a capture date in the future. Such events are excluded from search results until after the capture date. This can only happen if the system clock is set to the wrong date on the relevant source machine (for example, a client machine hosting the Outlook client agent or, for imported e-mails, the sender's machine).
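The capture-time rule in the third cause is the one most often misread, so here is an added Python illustration, written for this guide and not Orchestria's code, that encodes the five causes above as checks over constructed sample events. The data model, field names and the "group_now" attribute (which the checks deliberately ignore, mirroring the product's enforcement at time of capture) are assumptions made for the example.

```python
"""Search visibility rules for captured events: added example, not Orchestria's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Participant:
    address: str
    user: Optional[str]              # Orchestria APM user the address mapped to; None if unmapped
    group_at_capture: Optional[str]  # the user's group when the event was captured (what enforcement uses)
    group_now: Optional[str] = None  # the user's current group (deliberately ignored by the checks)


@dataclass(frozen=True)
class Event:
    event_id: str
    captured: datetime
    retention_days: int
    participants: Tuple[Participant, ...]


@dataclass(frozen=True)
class Administrator:
    management_groups: FrozenSet[str]
    disable_group_filtering: bool = False  # the 'Admin: Disable management group filtering' privilege


def exclusion_reasons(event: Event, admin: Administrator, now: datetime) -> List[str]:
    """Return every reason the event would be left out of this administrator's search results."""
    reasons = []
    mapped = [p for p in event.participants if p.user is not None]
    if not mapped:
        reasons.append("no participant maps to an Orchestria APM user")
    elif not admin.disable_group_filtering and not any(
        p.group_at_capture in admin.management_groups for p in mapped
    ):
        reasons.append("no participant was in one of your management groups at capture time")
    if event.captured + timedelta(days=event.retention_days) <= now:
        reasons.append("minimum retention period has expired, so the event may have been purged")
    if event.captured > now:
        reasons.append("capture date is in the future, check the clock on the source machine")
    return reasons


def is_visible(event: Event, admin: Administrator, now: datetime) -> bool:
    return not exclusion_reasons(event, admin, now)


# Constructed sample data.
NOW = datetime(2008, 6, 1, 12, 0)
ADMIN = Administrator(management_groups=frozenset({"Sales"}))
UNFILTERED_ADMIN = Administrator(management_groups=frozenset({"Sales"}), disable_group_filtering=True)

EVENTS = {
    "ok": Event("ev-1", datetime(2008, 5, 20), 90,
                (Participant("alice@example.com", "alice", "Sales", "Sales"),)),
    # Bob has since moved into Sales, but was in Trading when the e-mail was captured.
    "moved_sender": Event("ev-2", datetime(2008, 5, 20), 90,
                          (Participant("bob@example.com", "bob", "Trading", "Sales"),)),
    "unmapped": Event("ev-3", datetime(2008, 5, 20), 90,
                      (Participant("someone@partner.example", None, None),)),
    "expired": Event("ev-4", datetime(2008, 1, 1), 30,
                     (Participant("alice@example.com", "alice", "Sales", "Sales"),)),
    "future_clock": Event("ev-5", datetime(2009, 1, 1), 90,
                          (Participant("alice@example.com", "alice", "Sales", "Sales"),)),
}

if __name__ == "__main__":
    for label, event in EVENTS.items():
        print(label, exclusion_reasons(event, ADMIN, NOW) or ["visible"])
```

Only the unfiltered administrator, holding the Admin: Disable management group filtering privilege, sees the e-mail from the sender who moved groups after capture.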

Captured passwords are not obscured in the Data Management console
If you choose to obscure passwords submitted to a Web page, be aware that in rare situations Orchestria APM may inadvertently expose these passwords in the Form Data tab of the Data Management console. In particular, this affects the Hotmail site.

This problem can only occur if a Web page has been designed so that passwords are submitted as hidden data. Normally, when Orchestria APM monitors data submitted to a Web page, it looks in the page's HTML source code for <INPUT type=password> input fields. It then infers that any value entered in this field is a password and must be obscured. But some Web pages submit passwords using other field types, such as <INPUT type=hidden>. Orchestria APM is unable to recognize these passwords and assumes that any information submitted using these input fields is not sensitive and does not need to be obscured. If this problem affects captured data on your CMS, the only solution is to turn off capturing of submitted form data. This is described on page 128.

E-mails

E-mails are not captured by recipient-based policy if the user is offline
This problem can only occur with client integration when outgoing e-mail triggers are configured to perform recipient lookup operations.

Orchestria APM policy triggers can be configured to look up recipient details on an Exchange or Domino server in order to process outgoing e-mails. If this is the case and an e-mail is sent to a distribution list, Orchestria APM extracts details for each member of the list. But if a user sends an e-mail while disconnected from their organization's e-mail server, Orchestria APM cannot connect to Exchange or Domino and so cannot extract details for members of distribution lists saved in the local address book. As a result, e-mail triggers set up to detect specific recipients may not fire and the e-mail will not be captured or controlled. This problem applies to users working offline in Microsoft Outlook and running Lotus Notes in island mode. In Outlook, you cannot expand distribution lists when working offline. In Lotus Notes, you can expand distribution lists when working in island mode, but only if the local address books have been synchronized with those on the Domino server. To ensure that any policy triggers dependent on recipient details are correctly applied to e-mails sent under these conditions, we strongly recommend installing a hybrid client and server agent deployment. In practical terms, this means you must explicitly configure the Exchange or Domino server agent to reprocess e-mails already processed by an Outlook or Notes client agent.

Note: If you do install both client and server agents, you must edit the ReprocessClientEmails registry value on the Exchange or Domino server; for details, see the Deployment guide.
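The password-obscuring problem above comes down to a rule that keys on the declared field type. The following Python example, added for this guide and not Orchestria's code, applies that rule to two constructed pages: one declares its password field as <INPUT type=password>, the other submits the password through a hidden field. The optional name-based heuristic is an assumption of the example, shown as the kind of defensive extension a capture tool could add; it is not a product setting, and the guide's own remedy remains to turn off capture of submitted form data.

```python
"""Password obscuring for captured form data: added example, not Orchestria's implementation."""
from html.parser import HTMLParser
from typing import Dict


class FormFieldCollector(HTMLParser):
    """Records the declared type of each named <input> field in a page's HTML source."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name")
        if name:
            self.fields[name] = attr.get("type", "text").lower()


def obscure_form_data(html: str, submitted: Dict[str, str],
                      name_heuristics: bool = False) -> Dict[str, str]:
    """Return the submitted form data with password values masked.

    Default rule, as the guide describes: a value is treated as a password only
    when its field is declared <INPUT type=password>. With name_heuristics=True
    (an assumed defensive extension, not product behaviour) fields whose name
    suggests a password are masked whatever their declared type.
    """
    collector = FormFieldCollector()
    collector.feed(html)
    masked = {}
    for name, value in submitted.items():
        declared = collector.fields.get(name, "text")
        suspicious = name_heuristics and any(
            hint in name.lower() for hint in ("pass", "pwd", "secret")
        )
        masked[name] = "********" if declared == "password" or suspicious else value
    return masked


# Constructed pages and submissions.
LOGIN_PAGE = (
    '<form method="post" action="/login">'
    "<INPUT type=text name=login>"
    "<INPUT type=password name=passwd>"
    '<input type="submit" value="Sign in"></form>'
)
HIDDEN_FIELD_PAGE = (
    '<form method="post" action="/login">'
    '<input type="text" name="login">'
    '<input type="hidden" name="pwd">'
    '<input type="submit" value="Sign in"></form>'
)
SUBMITTED_LOGIN = {"login": "alice", "passwd": "s3cret-example"}
SUBMITTED_HIDDEN = {"login": "alice", "pwd": "s3cret-example"}

if __name__ == "__main__":
    print(obscure_form_data(LOGIN_PAGE, SUBMITTED_LOGIN))
    print(obscure_form_data(HIDDEN_FIELD_PAGE, SUBMITTED_HIDDEN))
    print(obscure_form_data(HIDDEN_FIELD_PAGE, SUBMITTED_HIDDEN, name_heuristics=True))
```

The second call shows the exposure the guide warns about: the value travels in a hidden field, so the type-based rule leaves it in clear text in the captured form data.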

Outlook integration stops working for Outlook 2002 (XP), 2003, or 2007
The Office Safe Mode feature in Microsoft Outlook 2002 (XP), 2003 and 2007 can disable (sometimes silently) Outlook add-ins that are deemed to prevent Outlook from functioning correctly. This can result in the Orchestria APM Outlook Integration feature (wgnemol.dll) being disabled.

If you notice that e-mail triggers have stopped working for Outlook 2002 (XP), 2003 or 2007, we recommend that you first check the Outlook list of disabled items. If the Orchestria APM Outlook Integration feature is listed, try to re-enable the feature. There are two methods for doing this.

Note: If these methods fail to fix the problem, please contact the Orchestria APM service desk (see page 24 for contact details).

Manual re-enabling
1 On the affected machine, open Microsoft Outlook and choose Help > About Outlook.
2 In the About dialog, click the Disabled Items button.
3 In the Disabled Items dialog, enable the wgnemol.dll add-in (if listed). Restart Microsoft Outlook.

Automatic re-enabling
To set up automatic re-enabling, you must manually add certain values to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Orchestria\Active Policy Management\CurrentVersion\Email
Within this registry key, the registry values that you need to add are:

OutlookMonitorIntervalInSeconds
Type: REG_DWORD
Data: Defaults to 5 seconds. While Orchestria APM is running, this value determines how often Orchestria APM checks whether the Outlook client agent is disabled in the current session. Specifically, it checks the registry for the wgnemol.dll name and path.

OutlookRepairDisabledExtension
Type: REG_DWORD
Data: Defaults to zero. Determines whether to re-enable the Outlook client agent if it is found to be disabled. If this registry value:
- Is set to a non-zero value and the Outlook client agent is found to be disabled, Orchestria APM re-enables the client agent and writes a Windows application log entry to that effect.
- Has not been manually added to the registry, it defaults to zero, meaning that the client agent will not be re-enabled.

Note: If Orchestria APM discovers that Microsoft Outlook had disabled the Outlook client agent but Orchestria APM has since re-enabled it (for example when Microsoft Outlook is restarted), it writes a Windows application log entry to that effect.

E-mail attachments are not captured
In exceptional circumstances, Orchestria APM cannot capture an e-mail attachment in Microsoft Outlook. For further details, see page 203.

What happens if Orchestria APM captures an e-mail or attachment that has a virus?
If your virus scanners fail to prevent a virus attack, infected e-mails may be captured and saved in your Orchestria APM database.

If your organization suffers a virus attack, there is a risk that infected e-mails or attachments may be captured and saved in your Orchestria APM database. If this happens, you must delete any infected e-mails or attachments from all affected Orchestria APM databases (on the CMS plus any gateways or client machines that may also be at risk) as part of your cleanup operations after the attack.

Address Book lookup commands fail if user display name is changed
In Outlook 2003, if a user's display name is changed in the Active Directory, the new display name does not appear in the Offline Address Book until the next cache update. This may take up to 24 hours.

If this user is in a distribution list, the user information in that list will not match parallel information in the Offline Address Book until both lists are synchronized. If the distribution list is then the recipient of an e-mail, the fact that its user information differs between the Active Directory and Offline Address Book may result in a trigger not firing. The Microsoft Knowledge Base has an existing workaround, which is also valid for this problem. For details, see article KB831124.

I cannot send a redirected e-mail to someone else
In Microsoft Outlook, when you redirect an e-mail, it is included as an attachment in a notification e-mail sent to an alternative account, say, to a manager. But the manager cannot open the attachment and send the redirected e-mail to someone else (the Send command is disabled in Microsoft Outlook).

Instead, if the manager wants to forward the redirected e-mail to someone else, they can:
- Forward the notification e-mail, with the redirected e-mail still included as an attachment.
- Open the attachment and forward the redirected e-mail to its intended recipient (using the Forward command in Microsoft Outlook).

These restrictions do not apply to Lotus Notes. When you forward an e-mail in Notes, for example to a manager, it is included as a message thread in a notification e-mail. If the manager wants to send the e-mail to someone else, they can simply forward the notification e-mail in the normal way.

Audit e-mails are not always sent
This problem only affects reviewers with Microsoft Outlook 2002 (XP) or 2003 installed.

If Outlook is not running and you try to send an audit e-mail from the iConsole you may sometimes find that the e-mail remains unsent without your being notified. This is because there is temporarily no MAPI connection between Outlook and the Exchange Server. The e-mail is sent as soon as Outlook is running again.

There are delays when sending e-mails to many recipients or large distribution lists
Processing delays before an e-mail is sent can occur when Orchestria APM extracts the full details for each recipient from the e-mail server. To alleviate these delays, you can limit the volume and type of information that is retrieved.

Note: Throughout this section, the term user directory is used to mean directories such as Active Directory and Domino Server. These directories hold e-mail address information for the organization.

By default, Orchestria APM extracts full details for each recipient from the organization's user directory when processing outgoing e-mails. But if the e-mail is sent to many recipients, or to a very large or heavily nested distribution list, delays can occur while these details are retrieved from the organization's user directory. The problem is exacerbated by slow connections between the sender's Orchestria APM machine and the organization's user directory. For Microsoft Outlook users, the problem can be alleviated by editing the user policy or configuring the registry.

Edit the user policy
In the System Settings folder, edit these settings:

Maximum Size of E-mail Distribution Lists: Specify a threshold number of list members. After expanding this number of recipients from a distribution list, or if Orchestria APM detects that expanding a nested distribution list would exceed this number, no further individual recipients are extracted from that list. Details for all extracted recipients are saved as attributes of outgoing e-mails and can be viewed in the Data Management console. Details of non-extracted recipients are not saved.

Retrieve Full Information for Outgoing E-mail Recipients?: If you set this to False, the Outlook plug-in only extracts basic information from the Global Address List for each recipient. This includes the recipient's display name, e-mail address and the address format. It does not include a recipient's 'true' display name or e-mail address aliases. When using Exchange/Domino server integration, the recipient's true display name is retrieved, but e-mail aliases are not.

Note: This may affect other triggers which include display names or address aliases in, for example, an Included Addresses list.

Configure the registry
You can configure the registry to specify the maximum number of recipients that can be extracted from all distribution lists (excluding personal distribution lists) in a single e-mail. When Orchestria APM expands a distribution list and the cumulative number of extracted recipients reaches this maximum limit, no further recipients are extracted from that list or any other lists not yet expanded. The registry value you need to configure is located in the following registry key:
HKLM\Software\Orchestria\Active Policy Management\CurrentVersion\EMail
In this key, configure the following registry value:

MaxNumExpandedRecipients
Type: REG_DWORD
Data: Set this to the maximum number of recipients you want to extract from all distribution lists in a single e-mail. Set to zero to allow the extraction of an unlimited number of recipients.

Note: Both the Maximum Size of E-mail Distribution Lists setting and the MaxNumExpandedRecipients registry value only apply to distribution list members (but not members of personal distribution lists).
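The cumulative cap described under Configure the registry has consequences that are easy to overlook: a cap reached part-way through one list also silences every list not yet expanded, while directly addressed recipients and members of personal distribution lists are never affected. The following Python model is an added example written for this guide, not Orchestria's code; its DistributionList type, the expand_recipients function and the constructed lists are assumptions that stand in for the Exchange or Domino lookups the product performs.

```python
"""Capping distribution list expansion: added example, not Orchestria's implementation."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class DistributionList:
    name: str
    members: List[Union[str, "DistributionList"]]
    personal: bool = False  # personal (local address book) lists are exempt from the cap


def expand_recipients(recipients, max_expanded: int = 0) -> Tuple[List[str], List[str]]:
    """Expand (possibly nested) distribution lists into individual addresses.

    max_expanded plays the role of MaxNumExpandedRecipients: 0 means unlimited;
    otherwise, once the cumulative number of members extracted from non-personal
    lists reaches the cap, no further members are extracted from that list or
    from any list not yet expanded. Addresses given directly (not via a list)
    and members of personal lists are always extracted and never counted.
    Returns (extracted_addresses, names_of_lists_not_fully_expanded).
    """
    extracted: List[str] = []
    truncated: List[str] = []
    state = {"count": 0}  # members extracted so far from non-personal lists

    def walk(item, personal: bool) -> bool:
        # Returns True if every member of `item` was extracted.
        if isinstance(item, str):
            if not personal and max_expanded and state["count"] >= max_expanded:
                return False  # cap reached: this member's details are not saved
            extracted.append(item)
            if not personal:
                state["count"] += 1
            return True
        personal = personal or item.personal
        complete = True
        for member in item.members:
            if not walk(member, personal):
                complete = False
        if not complete:
            truncated.append(item.name)
        return complete

    for recipient in recipients:
        if isinstance(recipient, str):
            extracted.append(recipient)  # direct recipients do not count toward the cap
        else:
            walk(recipient, False)
    return extracted, truncated


# Constructed sample: a nested corporate list plus a personal list.
SALES = DistributionList("Sales", ["s1@example.com", "s2@example.com", "s3@example.com"])
EMEA = DistributionList("EMEA", ["e1@example.com", SALES, "e2@example.com"])
FRIENDS = DistributionList("Friends", ["f1@example.com", "f2@example.com"], personal=True)
RECIPIENTS = ["boss@example.com", EMEA, FRIENDS]

if __name__ == "__main__":
    print(expand_recipients(RECIPIENTS))                  # unlimited
    print(expand_recipients(RECIPIENTS, max_expanded=3))  # capped at three list members
```

With the cap at 3, the third Sales member and the trailing EMEA member are never extracted, so a trigger that looks for those addresses in an Included Addresses list would not fire for that e-mail; the personal list is expanded in full regardless.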

iConsole

Unable to download or forward .msg files
The iConsole permits you to download an .msg file containing a copy of the original e-mail, or to forward this .msg file to a colleague. When the application server is using IIS 5.x, users may encounter error messages when trying to download or forward original .msg files. In order for IIS 5.x to use MAPI services on the application server, the local IWAM_<machinename> user must have local administrator rights; for details, see the Deployment guide.

Unable to send audit e-mails
If the iConsole application server uses IIS 5.x, users can encounter the following error messages when trying to send audit e-mails.

SMTP server not running / Connection not configured correctly: The transport failed to connect to the server.

Relay not configured correctly: The server rejected one or more recipient addresses. The server response was: 550 5.7.1 Unable to relay for lynda.steel@unipraxis.com.

These errors occur if the SMTP server is not running or the connection is not configured correctly. For SMTP configuration details, see page 79.

Typically, an audit e-mail contains the original .msg file as an attachment. If this is the case, and the e-mail failed to send, users will encounter the following error message on trying to resend the same e-mail: System.Reflection.TargetInvocationException. This error occurs because when the iConsole sends an e-mail with an attachment, it creates a temporary file for the attachment, which is then deleted when the e-mail is sent. If the SMTP server is not running or the connection is not configured correctly, then the temporary file is not deleted and the e-mail cannot be sent. To enable the iConsole to send audit e-mails with or without the original .msg file, you must first ensure that the SMTP server is correctly configured and running (see page 79), and then restart IIS.

Microsoft IE7 limitation
Internet Explorer 7 enables you to view multiple Web sites in a single browser window using tabs. In the iConsole, if a user tries to log in as different users in two of these tabs, then the session login details of the iConsole in the first tab are overwritten. This is because IE7 tabs share session cookies and so tabs must share the session for a particular domain or URL. It is therefore not possible to use Internet Explorer 7 tabs to log in as different users.

Web pages

Can I disable Windows Explorer integration?
Yes. You can configure this when you install Orchestria APM client integration features.

By default, the Microsoft Internet Explorer Integration feature enables capture or control of any Web activity in Internet Explorer or Windows Explorer. But you can use an Msiexec.exe variable to turn off integration with Windows Explorer. This is described in the Deployment guide; search the index for Windows Explorer.

Can I disable Outlook browser integration?
Yes. You can configure this when you install Orchestria APM client integration features.

When the Internet Explorer and Outlook integration features are installed on the same machine, Orchestria APM automatically integrates with the Microsoft Outlook browser. That is, if a user surfs the Web using Outlook as a browser, Orchestria APM can capture and control this activity. But you can use an Msiexec.exe variable to turn off integration with the Outlook browser. This is described in the Deployment guide; search the index for Microsoft Outlook.

Note: If you disable integration with the Outlook browser, this does not affect e-mail monitoring. Orchestria APM continues to monitor Outlook e-mail activity as normal.

Why is a secure Web site not exempted from blockings or warnings?
A secure Web site is correctly exempted from blockings or warnings when a user first browses to the site, but when they later try to revisit the site during the same browser session, it triggers a blocking or warning.

This is caused by misconfigured security settings for Internet Explorer. By default, these settings cause Internet Explorer to cache each secure Web page browsed during a single session. So if a user revisits the page, the page is loaded from the cache instead of the Web server. As a consequence, Orchestria APM is unable to verify the security settings during subsequent visits to the page, effectively nullifying the keystrength exemption settings in your control triggers. To fix this problem, you must adjust the Internet Explorer security settings on each client machine in your Orchestria APM installation:
1 Open Internet Options in the Control Panel.
2 Go to the Advanced tab and scroll down to the Security settings. Switch on the Do not save encrypted pages to disk setting. (By default, this setting is turned off; that is, the check box is not selected.)

Note: For further details, see page 234.

332

Orchestria Active Policy Management Administrator guide

The Web page shown in the console does not match the Web page I saw in my browser
This can arise when you capture Web pages while active scripting is enabled in your browser. It cannot occur if active scripting is disabled.

When Orchestria APM displays Web pages in the console, it does so with active scripting disabled. This prevents captured Web pages from behaving in a way that could be undesirable. For example, because scripting is disabled, you can safely click a Submit Order button in any captured page without risk of re-submitting your order. This means that, potentially, a Web page in the console can differ slightly from the page you saw in the browser. For example, animated adverts typically display as static adverts. In effect, the console displays Web pages as the site authors intended when browsed by users who have scripting disabled. Wherever possible, Orchestria APM uses intelligent processing to eliminate these differences. However, the degree of mismatch between Web pages in the console and in your browser depends on how the site authors have implemented the <SCRIPT> and <NOSCRIPT> tags in the HTML source code.

Typically, sites are designed so that important information always displays, regardless of whether the browser has scripting enabled. But some poorly designed sites effectively close down if scripting is disabled; instead, they simply show a message such as "Sorry, you don't have Javascript enabled on your browser. Please enable Javascript and refresh this page." In this situation, the page versions in the console and browser will not match.

Note: These problems can only affect browsers which have active scripting enabled. You can eliminate this problem entirely by disabling scripting on your browser. Indeed, it is the policy of many organizations to disable active scripting because of the security risks posed by JavaScript. If your Windows administrator has granted you the necessary permissions, you can disable active scripting yourself:

1 In Internet Explorer, choose Tools > Internet Options.
2 In the Security tab, select the Internet zone and click Custom Level. In the Security Settings dialog, scroll the list to find the Active Scripting settings.


User Administration

Can I rename users?
Yes, but this can be a complicated area and depends entirely on how your CMS policy handles new users.

The key policy determinant is the Use Microsoft Windows User Authentication? setting:

- If your Orchestria APM installation is configured to use Microsoft Windows user authentication, you must ensure that any changes to an Orchestria APM user name or its corresponding native Windows user name are closely co-ordinated. See the next section.
- If Orchestria APM is not configured to use Microsoft Windows user authentication, you must ensure that the renamed user is aware that their account name has changed! See page 334.

The second policy determinant is the Account Handling for New Users setting. This controls how the CMS handles new (or unrecognized) users. This setting becomes important if, after renaming a user, you fail to meet the requirements described above. The relationship between these policy settings when you rename a user is summarized below:

How CMS policy settings affect user renaming

Use Microsoft Windows User Authentication? | Account Handling for new users: Create new user account | Account Handling for new users: Disable applications or Ignore
True  | Scenario 1 | Scenario 2
False | Scenario 3 | Scenario 4

Details about each scenario are given in the following sections.

Windows user authentication is used
If your Orchestria APM installation does use Microsoft Windows user authentication, you must synchronize any name changes for Orchestria APM users with identical changes for the corresponding native Windows users. This is because Orchestria APM generates and maintains a mapping between each Orchestria APM user account and its corresponding native Windows user account. This means that users do not have to log on to Orchestria APM each time they start up their browser or e-mail application. If you fail to synchronize these account name changes (that is, you rename one but not the other), the mapping will be broken. To restore this mapping, you must apply the missing name change as soon as possible. Specifically, you must do this before the user next logs on to Orchestria APM (when they start up their browser or e-mail application). If you fail to do so, the consequences depend on how the Account Handling for New Users setting is configured:

Scenario 1 - Create new account: Orchestria APM no longer recognizes the user's native Windows credential and so creates a new Orchestria APM user account in the default user group. It is not possible to merge this new user account with the existing account.

Scenario 2 - Disable applications or Ignore: Orchestria APM no longer recognizes the user's native Windows credential and so either waives policy management and allows unrestricted Web and e-mail usage or disables the user's browser and e-mail application.

Ideally, we recommend that you rename the Orchestria APM user account before renaming the native Windows user account. This minimizes the risk of suffering the consequences described above. In practice, the native Windows user name may have changed first, in which case you must rename the Orchestria APM user as soon as possible.

Windows user authentication is not used
If your Orchestria APM installation does not use Microsoft Windows user authentication, Orchestria APM user accounts exist independently of any native Windows user account. This means you can safely rename any Orchestria APM user, but you must ensure that the user knows their new account name (and password) before they next log on to Orchestria APM by starting up their browser or e-mail application. If the user attempts to log on to Orchestria APM using their old credentials (user name and password), then the consequences depend on how the Account Handling for New Users setting is configured:

Scenario 3 - Create new account: Orchestria APM no longer recognizes the user's old credentials and so creates a new Orchestria APM user account in the default user group. It is not possible to merge this new user account with the existing account.

Scenario 4 - Disable applications or Ignore: Orchestria APM no longer recognizes the user's old credentials and so either waives policy management and allows unrestricted Web and e-mail usage or disables the user's browser and e-mail application.

As soon as the user logs on to Orchestria APM using their new user name (and password), their user policy resumes normal operation.

Policy

A policy is no longer working or can no longer be edited
This is due to a corrupt policy. When you try to edit a corrupt policy, an error message indicates a failure to load a policy from the database.

A corrupt policy can manifest itself in various ways:

- A corrupt machine policy causes all Orchestria APM operations to stop on that machine. For example, the infrastructure and any browser or e-mail integration features will stop working. If a common client machine policy or a common gateway policy is affected, this will affect all client machines or all gateways respectively.
- If a user policy is corrupted, all policy settings stop working. In particular, triggers will not activate. It may also cause e-mail and Web applications to be disabled, depending on how the Infrastructure Failure setting is configured (see page 140). The position of the associated user or group within the user hierarchy is also important because any child policies will also be adversely affected.

To overcome a corrupt policy:

1 First, you must identify the .BLB file containing the corrupt policy. To identify the corrupt policy, run:

  wgninfra -exec wigan/infrastruct/policy/PolicySetup PolicyCheck

  Note: These commands are case-sensitive.

  This command forces Orchestria APM to examine each policy file on the CMS. If a corrupt policy is detected, an identifying entry is written to the latest System log (see page 31).

2 When you have identified the corrupt policy and the associated file, please contact the service desk for further advice. For contact details, see page 24.


Machine administration

Client machines and gateways are unable to connect to the CMS
A change to the CMS system clock can, in specific circumstances, prevent client machines and gateways from connecting to the CMS.

A change to the CMS system clock can sometimes cause subsequent connection attempts by client machines or gateways to fail. (This is because key service objects on the CMS are mistakenly deleted as a result of the unexpected time change.) The problem is very rare, but if it happens the following error message is written to the Orchestria APM system log on the client machine or gateway (you may also see it on-screen):

java.rmi.NoSuchObjectException: no such object in table

If you suspect that this problem has occurred, or you see this error message, you must restart the Orchestria APM infrastructure on the CMS (see page 63).

Note: All logfiles are saved in the \data\log subfolder in the Orchestria APM installation folder. For further details about finding and viewing log files, see the Administration console online help; search the index for logfiles.

Can I rename Orchestria APM machines?

Warning: We strongly recommend that you do not rename the CMS or gateway servers. However, you can rename client machines.

CMS and gateways
Renaming the CMS or a gateway can cause severe communication problems between the server and its child machines. This is due to the authentication mechanism used by Orchestria APM machines to ensure data security.

Client machines
You can rename client machines, but be aware that Orchestria APM handles the renamed client as though it were a new machine. That is, the renamed machine is given a new account and inherits the common client policy. If the local machine policy previously contained customized settings, these will be lost when the client is renamed. You will need to re-configure these settings in the policy for the new machine account.


Replication

Why can't I switch off replication when I connect to the CMS over a WAN or dial-up connection?
When an Orchestria APM machine is connected to its parent server over a WAN or using a dial-up connection, it continues to replicate captured data to the parent even if its machine policy specifies that it does not replicate data over slow links.

Normally, the ability to turn off replication over slow network links is controlled by the Replicate Captured Data on Slow Links setting in the machine policy (see the Infrastructure > Replication folder). But if the file sensapi.dll is missing, Orchestria APM handles this setting as though it were set to True (even if it is set to False in the actual policy). In other words, replication is continuous. It also adds an entry to the Audit log file once per session:

W0078 This machine cannot detect low-bandwidth network connections.

To restore the ability to turn off replication over slow network links, you must install the Offline Browsing Pack on the affected machine, then restart the Orchestria APM infrastructure.

Note: The Offline Browsing Pack is a component of Microsoft Internet Explorer. Sensapi.dll is part of the Offline Browsing Pack.

Data replication suddenly stops when I am using ADSL
If an Orchestria APM machine is connected to its parent server using ADSL (Asymmetric Digital Subscriber Line), data replication can suddenly stop because of a lost connection even though ADSL is always on.

Under certain network conditions, a broken remote procedure call between Orchestria APM machines can trigger a communication timeout. Because the default timeout can be lengthy (hours, rather than seconds), it can appear as though replication has been permanently lost. In fact, if communication resumes between the machines, data replication will resume automatically when the timeout expires. But for usability purposes, you may want to configure a shorter timeout:

1 On both the Orchestria APM machines, go to the Orchestria APM installation.
2 In the \System subfolder locate (or create) the file jvm.properties.
3 Add the following line to this file:

  jvm.define1=sun.rmi.transport.tcp.readTimeout=120000

  This resets the idle connection timeout to two minutes (that is, 120,000 milliseconds), so eliminating the perception that replication has stopped completely.

4 On both machines, restart the Orchestria APM service. For details, see page 63.


Database problems

I cannot connect to the CMS because the credentials for the Orchestria APM logon account have changed
When you attempt to connect to a CMS in the Administration console, you cannot do so. An error message indicates that "The logon failed" and the error description reads "Unable to connect to the database. (Startup Error)".

Orchestria APM uses a logon account to access the CMS database. You cannot connect to the CMS if the password for the logon account has been changed on your database server (say, for security reasons) and the Orchestria APM infrastructure has subsequently been restarted but Orchestria APM has not yet been supplied with the new password. (Under normal conditions, you would supply Orchestria APM with the updated system database credentials, see page 37, before you restart the infrastructure.) The workaround is to run the following command from the \System subfolder of your Orchestria APM installation folder. This will update Orchestria APM with the new credentials:

wgninfra -exec wigan/schema/Schema UpdateDBPassword "<DBpassword>"

Where <DBpassword> is the new password for the Orchestria APM logon account on your database server. If the password includes spaces, remember to enclose it in quotes.

Orchestria APM suddenly stops working after a database operation such as running a search or updating a statistic
This problem affects client machines only and can manifest itself in various ways. For example, you may be unable to log on to an Orchestria APM console or use your browser. If a console is already running when the problem occurs, it may become disabled and generate numerous error messages. On a client machine with no capture lights visible in the browser taskbar, the only evidence of the problem may be that capture and control settings are no longer operative.

This is a known problem and only affects client machines running Microsoft Jet. To fix this, apply the latest Jet service pack and restart the Orchestria APM infrastructure service. For details, see article Q304536 on the Microsoft Product Support Services Web site.

Diagnosis: System log
You can diagnose whether a client machine is suffering from this problem or an unrelated issue by examining the contents of the System logfile in the Orchestria APM console. If this problem is indeed affecting the client machine, the System logfile will contain multiple error messages such as:

Object invalid or no longer set
Too many tables open
Cannot open any more tables

Fix: Apply Jet 4.0 service pack 6
If a client machine is affected by this problem:

1 Open Computer Management (Local) and select Services.
2 Stop the Orchestria APM infrastructure. To do this, select the service Orchestria Active Policy Management Infrastructure and choose Action > Stop.
3 Apply Microsoft Jet 4.0 Service Pack 6. You can download this service pack from the Microsoft Product Support Services Web site.
4 Restart the Orchestria APM infrastructure (see step 2 for details of how to do this).
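Several of the symptoms in this chapter are identified from log text: the java.rmi.NoSuchObjectException after a CMS clock change, the W0078 audit entry written when sensapi.dll is missing, and the repeated Jet error messages listed above. The following triage script, an added example that is not Orchestria's own code, scans an exported log for those signatures and reports the remedy the chapter documents; the log line layout is constructed for the example, and the wording of the corrupt-policy message is an assumption (the chapter only paraphrases it), so matching is done on message text only.

```python
"""Triage an Orchestria APM System/Audit log export for the message
signatures this chapter describes and map each one to the documented fix.
Added example; log line layout and the corrupt-policy wording are assumptions."""
import re
from collections import Counter

# (pattern, problem key, remedy from the chapter).  The Jet signature is
# only reported when it repeats, because the chapter says the System log
# will contain *multiple* such messages when the Jet problem is present.
SIGNATURES = [
    (re.compile(r"java\.rmi\.NoSuchObjectException: no such object in table"),
     "cms-clock-change",
     "Restart the Orchestria APM infrastructure on the CMS (clock change)."),
    (re.compile(r"\bW0078\b.*cannot detect low-bandwidth network connections"),
     "sensapi-missing",
     "sensapi.dll missing: install the Offline Browsing Pack, restart the infrastructure."),
    (re.compile(r"Object invalid or no longer set|Too many tables open"
                r"|Cannot open any more tables"),
     "jet-database",
     "Microsoft Jet problem: stop the infrastructure, apply Jet 4.0 SP6, restart."),
    # Assumed wording: the chapter only says the error 'indicates a failure
    # to load a policy from the database'.
    (re.compile(r"[Ff]ail(ed|ure) to load (a )?policy from the database"),
     "corrupt-policy",
     "Corrupt policy: run the PolicyCheck command, then contact the service desk."),
]

# Constructed sample log; not real Orchestria output.
SAMPLE_LOG = """\
2008-03-04 09:12:01 I Infrastructure started
2008-03-04 09:12:05 W0078 This machine cannot detect low-bandwidth network connections.
2008-03-04 09:15:40 E java.rmi.NoSuchObjectException: no such object in table
2008-03-04 09:20:11 E Object invalid or no longer set
2008-03-04 09:20:12 E Too many tables open
2008-03-04 09:20:12 E Cannot open any more tables
2008-03-04 09:25:00 I Replication checkpoint written
"""


def classify_line(line):
    """Return (problem key, remedy) for the first matching signature, else None."""
    for pattern, key, remedy in SIGNATURES:
        if pattern.search(line):
            return key, remedy
    return None


def triage(log_text, jet_threshold=2):
    """Count hits per problem key; drop a Jet finding below the repeat threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            counts[hit[0]] += 1
    return {key: n for key, n in counts.items()
            if not (key == "jet-database" and n < jet_threshold)}


def remedies(findings):
    """Human-readable remedy lines, in SIGNATURES order, for the findings."""
    remedy_for = {key: remedy for _, key, remedy in SIGNATURES}
    return [f"{key} ({findings[key]} hit(s)): {remedy_for[key]}"
            for _, key, _ in SIGNATURES if key in findings]


if __name__ == "__main__":
    for line in remedies(triage(SAMPLE_LOG)):
        print(line)
```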


Far Eastern characters

Far Eastern characters do not display in event screens
Events or user names containing Far Eastern characters may display incorrectly when viewed in an Orchestria APM console. For example, an e-mail subject may be shown as a string of question marks.

This problem typically affects machines running English versions of Windows. Orchestria APM consoles can display captured or imported events and user names that contain strings of Far Eastern characters. But first you must set up your console machines and (if required) your Oracle database to provide Unicode support.

Client machines: You need to implement Unicode support on all Orchestria APM client machines that are likely to capture e-mails and other events containing Unicode characters (for example, Far Eastern text captured on an English OS). To do this, you need to edit the startup.properties file. For details, see the Deployment guide; search the index for "startup.properties: UTF-8".

Oracle database: If your Orchestria APM installation uses an Oracle database, you must also set up the database for Orchestria APM to use UTF-8 encoding for the DBMS code page. For details, see the Deployment guide; search the index for UTF-8.

Note: There is no equivalent requirement for SQL Server databases. SQL Server databases automatically support Unicode characters.

Dial-up connections

Why must I enter my dial-up details even if I connect to the CMS over a LAN?
Laptop users who normally connect to the CMS using a dial-up connection may be prompted for their dial-up connection details if they subsequently connect to the CMS over a LAN.

This is caused by misconfigured dial-up settings for Internet Explorer. To prevent the Dial-up Connection dialog from appearing, laptop users must edit the dial-up settings in their Internet Explorer properties. To do this, they must:

1 Open Internet Options in the Control Panel.
2 Go to the Connections tab.
3 In the Dial-up Settings list, choose Dial whenever a network connection is not present.

Why can't I switch off replication when I connect to the CMS?
When an Orchestria APM machine is connected to its parent server using a dial-up connection, it continues to replicate captured data to the parent even if its machine policy specifies that it does not replicate data over slow links.

This is caused by a missing file, sensapi.dll. You can find a full discussion of this issue in the Machine administration section on page 336.

Index

Index
A B C D E F G H Wildcards and variables
__ (double underscore) delimiters, in notification messages, 259 ? wildcard document classifications, 180 policy lists, 108 { } brackets document classifications, 180 * wildcard document classifications, 180 policy lists, 108 %Address% variable, 254 %Application% variable, 254 %ApplicationPath% variable, 254 %BCC% variable, 254 %category% variable, 167 %CC% variable, 254 %CCN% variable, 255 %Default% variable, 255 %From% variable, 255 %Keystrength% variable, 255 %Keystring%, %Keyword%, %Keywords% variables, 256 %MailDateTime% variable, 256 %MONEY% variable, 180 %Site% variable, 256 %SSN% variable, 255 install system definition file, 38 %Subject% variable, 256 %To% variable, 257

J K L M N O P Q R S T U V W X Y Z
%URL% variable, 257 < > operators data lookup commands, 283 | symbol (logical OR) document classifications, 180 control actions Application Monitor, 137 Data At Rest, 137 e-mails, 136 overview, 236 settings, 136 overview, 136 Web pages, 136 overview, 233 transactions, 139 Active Directory, 54 activity logfiles, 89 machine policy settings, 147 %Address% variable, 254 Address Book lookup, 272, 298 examples, 298 syntax, 275 address lists dynamic, 38 user properties, 51 address matching, e-mails and policy lists, 109 Administration console console only installations, 62 options, 36 overview, 25 tools, 36 administration searches, 30, 93 overview, 94 predefined searches, 94 running, 94

09
472 SEC requirement, 312

A
acceptable usage message, 55 Account Import data files, 54 LDAP, importing from, 54 machine policy setting, 147 machines, 73 Account Import wizard logfiles, 90 users, 54 actions capture actions, 132 Application Monitor, 132 Data At Rest, 132 Data In Motion, 132 e-mails, 132 Web pages, 132

A B C D E F G H

J K L M N O P Q R S T U V W X Y Z

340

Orchestria Active Policy Management Administrator guide

A B C D E F G H
saving, 96 search filters, 96 administrative privileges See privileges administrators creating, 56 primary administrator, 56 responsibilities, 21 Adobe PDF files, searching content, 114 advisory dialogs See notification dialogs age of events, calculating, 81 agents content agents, 317 Domino server agent, 263 Exchange server agent, 263 AND operator spaces in e-mail addresses, 109 application events, 206 application integration, disabling system settings, 141 See also browser integration See also e-mail integration application monitor, 242 capture triggers, 205 capturing application usage, 205 control triggers, 243 icons, 218 System settings, 140 triggers, 144 turning off monitoring, 206 zero activity events, 206 %Application% variable, 254 %ApplicationPath% variable, 254 archive files searching for text content, 115 archive integration, 204 archive list for file events, 209 ASDL, troubleshooting, 336 assigned policy version, 125

J K L M N O P Q R S T U V W X Y Z
assisted categorization, 155 attachments Attachments triggers, 144 display options, 202 searching content for key text, 113 unable to capture, 203 unreadable capture triggers, 202, 212 control triggers, 261 transaction triggers, 196 viruses, 328 attributes policy folders and settings, 116 users, 51 data lookup commands, 274 filtering event import operations, 147 <attribvalue> lookup operator, 279 audit e-mails, 309 auditing privileges, 305 auditing See event auditing authorized activity, definition, 219 autoheed timeout, for interactive warnings, 269 automatic replies to e-mails identifying the source e-mail, 240 Reply overview, 237 setting up, 252 blob files purging, 80 Block with notification option, for Intervention setting, 222, 223 blocking Blocking dialog, 222 blocking user activity, 222, 223 control event, 217 Bloomberg alias addresses, 110 branch policy branch inheritance, 119 browser cannot access, 337 capture lights, 55 integration, disabling infrastructure failure, 76 msiexec.exe, 76 system settings, 210 Microsoft Outlook, 331 security settings, 234 Windows Explorer, 331 browser integration, disabling troubleshooting, 331 buffer size for captured Web pages, 200

C
cache, for replication failures, 146 caching logon credentials, 145 secure Web sites, 234 canned searches See predefined searches capture actions, 132 Application Monitor, 132 Data At Rest, 132 Data In Motion, 132 e-mails, 132 Web pages, 132 capture button, for e-mails, 55 capture lights, in browser, 55

B
Back button, in Policy Editors, 100 background captures, turning off See e-mail integration, disabling backing up the CMS, 67 backslashes, use to search for special characters, 113 backups (of CMS), 67 %BCC% variable, 254 blank e-mails detecting, 283

A B C D E F G H

J K L M N O P Q R S T U V W X Y Z

Index

341

A B C D E F G H
capture process browser diagram, 198 e-mail diagram, 201 capture strategies, 197 capture triggers Application Monitor, 130 Data At Rest, 130 Data In Motion, 131 detailed, 143 e-mails, 130 exemptions, refinements, 210 overview, 129 Web pages, 130 captured data e-mails, 201 files, 207 for groups, 45 overview, 197 Web pages, 198 categories See categorization categorization, 154 add to existing triggers, 163 control action numbers, 160 scores, 156 effect of, 157 summary, 158 set up new triggers, 162 smart tag guidelines, 169 smart tag names or values?, 168 smart tag variables, 167 syntax for categories, 165 examples, 166 trigger guidelines, 159 Categorize option, for Intervention setting Data At Rest control action, 224 Data In Motion control action, 224 E-mail control action, 224, 225 categorizing events, overview, 154 %category% variable, 167 %CC% variable, 254

J K L M N O P Q R S T U V W X Y Z
CCL (calculated confidence level), for transaction validation, 190 %CCN% variable, 255 central management server See
CMS

check interval, free disk space, 74 checkpoints, 87 machine policy settings, 148 child group, 43 child policy, 119 Chinese characters See Unicode characters class, of e-mail, 141 classifiers See document classifications Client File System Agent, 246 controlling USB devices, 248 machine policy settings, 151 client machines adding, 70 default policies, 71 definition, 61 deleting, 70 icons, 62 moving, 70 renaming, 335 replication, 66 Client Print System Agent, 246 controlling printers, 247 clipboard, copying administration search results to, 96 cloning, content agents, 323 CMS adding, 68 backing up, 67 backing up and restoring, 67 connecting, 67 connecting to as different user, 67 connection failure, 335, 337 definition, 61 groups, 68 icons, 62

machine policy settings, 150 multiple CMSs, 68 overview, 66 policy, 66 renaming, not recommended!, 335 single sign-on, 67 suspending, 75 code, installation, 36 columns, in exported user hierarchy spreadsheets, 53 combination list checking, 104 command line operations exporting user hierarchy, 52, 72 importing machines, 73 common client policy, 71 common gateway policy, 69 compressed files See zip files compression, of data overview, 79 policy setting stored data, 145 transmitted data, 146 confidence levels transaction validation, 190 configurations, for document classifications, 176 connecting to CMSs, 67 failure to, 335 connection management settings, 146 console Administration console, 25 tools, 36 cannot access, 337 options, 36 Administration, 36 single sign-on, 67 console-only machines, 62 contact details, 24 content agents, 317 administrative privileges, 57 before you start, 316

A B C D E F G H

J K L M N O P Q R S T U V W X Y Z

342

Orchestria Active Policy Management Administrator guide

A B C D E F G H
cloning, 323 Content Agent file settings editing, 322 Content Agent triggers editing, 322 e-mail, 144 Web, 143 creating, 319 default test documents, 318 deleting, 323 icons, 317 properties, 321 publishing, 321 republishing, 323 screen, 33 testing, 320 training, 319 training and test documents, 317 unpublishing, 323 content database, preparing, 318 content indexer logfiles, 90 content searches before you start, 316 Content Search triggers, 143 control overview, 215 controlling users, 55 events, 217 procedure diagram, 216 strategies, 215 control actions, 136 Application Monitor, 137 overview, 242 settings, 137 Data At Rest, 137 e-mails, 136 overview, 236 settings, 136 overview, 136 precedence, 232 suspended machines, 76

J K L M N O P Q R S T U V W X Y Z
Web pages, 136 overview, 233 control events blocking, 217 disregarded warning, 217 heeded warning, 217 quarantined event, 217 silent events, 217 control triggers Application Monitor, 134 Data At Rest, 135, 244 Data In Motion, 244 detailed, 143 e-mails, 134 exemptions, refinements, 260 overview, 133 suspended machines, 76 Web pages, 134 control triggers, overview, 133 copying policies, 128 policy list items, 105 scanned files, 250 text from warning dialogs, 259 corrupt policies, 334 credentials database accounts events searches, 37 system, 37 logon details, caching, 145 credit card numbers obscuring captured numbers, 127 variables in notification messages, 255 Credit Card triggers, 144 CSV files policy lists, importing into, 105 currency characters, detecting, 180 custom items, in policy lists, 103 customized attributes, 51

D
DALs See dynamic address lists Data At Rest capture actions, 132 capture triggers, 130 control actions, 137 control triggers, 135 DoD deletions, 249 icons, 218 smart tags, 171 trigger settings file lists, 245 triggers, 144 data compression, 79 data encryption, 77 data files, Account Import, 54 Data In Motion capture actions, 132 capture triggers, 131 smart tags, 171 triggers, 144 data lookup, 272 Address Book lookup, 272 examples, 298 syntax, 275 blank e-mails, detecting, 283 cache management settings, 148 capture trigger settings e-mail, 130 file, 131, 135, 136 commands complex True-False test, 293 defining, 273 examples, 297299 control trigger settings, 134 domains, counting, 301 failure mode, 273

A B C D E F G H

J K L M N O P Q R S T U V W X Y Z

Index

343

A B C D E F G H
keywords and, 274, 275 contains, 284 contains all, 285 contains any, 284 excludes, 285 excludes all, 285 excludes any, 285 includes, 284 includes all, 285 includes any, 284 is, 284 is any, 284 is not, 284 is not all, 284 labeled, 280, 281 mapi, 275, 298 msgattr, 275, 299 not, 274, 275 or, 274, 275, 296 userattr, 274, 297 xmlattr, 276, 300 Message Attribute lookup, 272, 299 counting domains, 301 syntax, 275 overview, 271 settings, in machine policy, 150 true-false tests, 272 User Attribute lookup, 274 examples, 297 syntax, 274 variables, 277 %recipient%, 278, 282 %sender%, 278, 282 <attribvalue>, 279 <msgvalue>, 283 <msgvar>, 282 <numericoperator>, 283 <stringoperator>, 284 <text>, 286 <type>, 286 <uservar>, 287 <who>, 278 <xpath>, 290

J K L M N O P Q R S T U V W X Y Z
XML Attribute lookup examples, 300 syntax, 276 data management settings, 145 data replication See replication data security, 145 databases backing up and restoring, 67 credentials event searches, 37 system, 37 troubleshooting, 337 purging, 80 machine policy settings, 145 turning off, 83 default group definition, 43 editing, 45 default items, in policy lists, 103 default policies users, 48 Default Policy for Files setting, 149 default test documents, for content agents, 318 %Default% variable, 255 definitions, in user policy, 258 definitions, user policy settings, 140 Delete Silently option, 225 deleting client machines, 70 content agents, 323 gateways, 69 groups, 42 users, 47 Detail tab Machine Administration, 27 User Administration, 26 detect blank e-mails, 283 detect key words or phrases, 111, 112 diagnostics machine policy settings, 148 diagnostics, for machines, 85 dial-up connections, 338 digital signatures exempting e-mails capture triggers overview, 212 settings, 130 control triggers overview, 261 transaction triggers, 138 Disable attribute, 116 disabling integration See browser integration See Data At Rest See e-mail integration policy folders and settings, 116 replication, 65 disclaimers, checking for, 144, 177 disk space, monitoring, 74 display names, in e-mails, 109 disregarded warnings clicking Continue, 230, 231 clicking Personal, 231 definition, 217 distribution lists, and data lookup, 288 DOC and DOT files, searching content, 114 document classifications e-mails, 176 example generic classification, 181 generic, 176 overview, 176 parameter 6 functions, 179 policy settings, 140 setting up, 177 types, 176 Document Classifier triggers, 177 e-mails, 144 setting file size limit, 177 Web pages, 143 documents

A B C D E F G H

J K L M N O P Q R S T U V W X Y Z

344

Orchestria Active Policy Management Administrator guide

A B C D E F G H
triggers detect key text content, 113 DoD deletion, 249 DoD Overwrite and Delete Silently option, 225 DoD Overwrite and Replace Silently option, 229 domain extraction, 301 Domino addresses, 110 Domino Server, 54 Domino server agent notification e-mails, 265 overview, 263 dynamic address lists, 38 SQL query guidelines, 39

J K L M N O P Q R S T U V W X Y Z
capture triggers, 211 control triggers, 260 Infrastructure Failure setting, 76 system settings, 210 e-mails archive integration, 204 attachments See "A" attachments automatic captures, 201 capture button, 55 class, user policy setting, 141 delays, 329 Domino, integration with, 263 embedded messages policy settings, 141 searching for text content, 115 Exchange, integration with, 263 forwarding, 238 icons, 186 importing, 204 manual captures, 201 marking for quarantine, 313 modifying recipient lists, 239 notification e-mails, 252 process on arrival, 141 Public Folders, 204 Public Folders, saved in, 240 quarantined e-mails, 312 replies identifying the source e-mail, 240 Reply overview, 237 setting up, 252 retrieving full details, user policy setting, 141 triggers, 143 viruses, 328 embedded e-mails policy settings, 141 searching for text content, 115 EMC Centera integration, 145 enabling integration
See browser integration,

disabling
See e-mail integration, disabling

E
EAS archive, integration with, 204 editing policies, 99 client machines, 71 CMS, 66 gateways, 69 groups, 45 users, 48 e-mail addresses Bloomberg aliases, 110 display names, 109 Domino, 110 EX, 110 importing into policy lists, 106 internal e-mails See EX addresses matching addresses to policy lists, 109 SMTP, 109 updating, 51 variables in user notifications, 253 wildcards, 108 X.400, 110 e-mail categorization, 154 e-mail integration, disabling

encryption attachments, unreadable capture triggers, 202, 212 control triggers, 261 transaction triggers, 196 exempting e-mails capture triggers overview, 212 control triggers overview, 262 settings, 134 transaction triggers, 138 exempting secure Web sites browser requirements, 234 control triggers overview, 262 settings, 134 files, unreadable capture triggers, 212 keys, 77 machine policy, 145 master key, 78 replicated data, 77 stored data, 77 uploaded files, unreadable capture triggers, 202 control triggers, 261 transaction triggers, 196 variable in notification message, 255 Enforce attribute, 117 Enforce Branch command, 117 enforced policy folders and settings, 117 engines See policy engines error level, free disk space, 74 event auditing audit field dependencies, 308 customized toolbar, 310 customizing the audit features, 303, 306

A B C D E F G H

J K L M N O P Q R S T U V W X Y Z

Index

345

forwarding events, 309 mandatory changes, 308 required privileges, 305 suppress automatic auditing, 308 types of audit status, 304 event, calculating age of, 81 Event Import logs, 90 Event Import utility account synchronization, 51 event purging See purging events event status See audit status EX addresses, 110 Excel files, searching content, 114 exceptions, 186 Exchange server agent interactive warnings, 266 insertion variables, 267 message templates, 267 notification e-mails, 265 overview, 263 Excluded lists, 103 exemptions e-mails See also e-mail integration capture triggers, 211 control triggers, 260 data lookup, 271 digital signatures capture triggers, 212 control triggers, 261 encrypted capture triggers, 212 control triggers, 262 Web sites (secure), 262 browser requirements, 234 expiry date See also Minimum Retention settings expiry date, of minimum retention period, calculating, 81 exporting machine hierarchy, 72 policies, 128 user hierarchy, 52

extensions settings, 142 External Agent API, 246 External Sender policy setting, 149 See also searches policy settings, 100 firing threshold, for content agents, 321 Forward button, in Policy Editors, 100 forwarded e-mails, 237 account requirements, 238 defining the notification e-mail, 252 forwarding to multiple addresses, 239 sending to another user, 239 variables in notification messages, 253 free disk space, 74 check interval, 74 error level, 74 machine policy setting, 145 warning level, 74 %From% variable, 255 FSA, 246, 247 controlling scanned files, 249 copying scanned files, 250 functions, for adjusting document classification scores, 179

F
failure mode, data lookup, 273 <fallguy> variable in data lookup commands, 280 in user notification messages, 257 Far Eastern characters detected by triggers, 112 failure to display, 338 Favorites folder, importing from, 106 file agents, 246 file categorization, 154 file events archive list, 209 capturing, 207 controlling files, 244 File Scanning Agent See FSA file sources, 246 file triggers, 244 File Upload triggers, 143 file uploads See uploaded files files copied to USB devices, 248 printing, 247 scanned, 249 searching content, 113 searching for key text, 105 smart tags, 171 unreadable capture triggers, 212 control triggers, 212 filters administration searches, 96 event import operations, 147 policy reports, 123 find items, 34

G
gateways, 69 default policies, 69 definition, 61 deleting, 69 icons, 62 moving, 69 renaming, not recommended!, 335 global sender, for notification emails, 265 groups captured data, for, 45 creating, 42 default group, 43

Orchestria Active Policy Management Administrator guide
deleting, 42 editing policies, 45 importing, 54 management, 43 moving, 42 moving users, 47 parent and child, 43 searching for, 94 Users group, 43

customized toolbar, 310 customizing audit features, 303 one-click review buttons, configuring, 306 Ignored lists, 104 IM conversations, importing, 205 imported files searching, 113 unreadable capture triggers, 212 control triggers, 212 importing e-mails, 204 IM conversations, 205 machines, 73 policies, 128 policy list items, 105 users, 54 Included lists, 103 incoming e-mails replies identifying the source e-mail, 240 Reply overview, 237 setting up, 252 Inform option, for Intervention setting detail, 225 summary, 217 infrastructure, 63 failure to start, 76, 140 Infrastructure Failure setting, 140 machine policy settings, 145 running as named user, 63 Solaris wgninfra script, 63 stopping and restarting, 63 wgninfra.exe, usage, 63 inheritance See policy inheritance initialization settings, 140 installation code, 36 integration, disabling See browser integration
See Data At Rest See e-mail integration interactive warning e-mails autoheed timeout, 269 interactive warnings Exchange server agent, 266 insertion variables, 267 message templates, 267 internal events definition in policy, 140 Internet Explorer control trigger requirements, 234 dial-up settings, 338 secure Web sites not exempted, 331 Intervention setting, 220 Block Quietly, 223 Block With Notification, 222 Block with notification, 222, 223 Categorize E-mail control action, 224, 225 Categorize options Data At Rest control actions, 224 Data In Motion control actions, 224 E-mail control actions, 225 Delete Silently option, 225 DoD Overwrite and Delete Silently option, 225 DoD Overwrite and Replace Silently option, 229 Exchange and Domino server agents, effect of, 264 Inform, 225 No further actions option, 226 None, 227 Notify, 227 policy details, 220 Quarantine quietly, 228 Quarantine with notification, 228 Replace Silently, 229 Replace Silently option, 229

H
heeded warnings clicking Cancel, 230, 231 definition, 217 hidden policy folders and settings, 118 Hide attribute, 118 holding cache suspended machines, 75 holding cache, for replication failures, 65 HTML files, searching content, 113 HTML Password triggers, 143 HTTPS Web sites, exempting, 234 hyperlinks Administration console, 35 policy navigation, 100 hyphenated words, detecting, 113

I
icons CMS tree, 62 content agents, 317 control events, 218 file events, 218 machine administration, 62 machines, 62 policy list items, 103 transactions, 186 iConsole

Warn, but ... Personal option, 231 Warn option, 230 intranet sites definition in policy, 140

List tab Machine Administration, 27 User Administration, 26 listed files searching for key text, 105 lists for file events, 245 lists, in policy settings, 102 combination list checking, 104 copying and importing, 105 default and custom list items, 103 Included and Excluded lists, 103 wildcards, 108 logfiles, 89 configuring, 90 copy entries to Windows event log, 91 Logging settings, in machine policy, 147 remote files, 91 screen layout, 31 types, 89 viewing, 91 long domains, 301 Look For settings, in administration searches, 96 Lookup Cache Management machine policy settings, 148 Lotus 1-2-3 files, searching content, 114 compression stored data, 145 transmitted data, 146 controlling changes, 101 data management settings, 145 diagnostic settings, 85 Diagnostics, 148 editing client machines, 71 gateways, 69 encryption, 145 filter setting, 147 free disk space, 145 infrastructure settings, 145 inheritance, 120 logging settings, 147 Lookup Cache Management, 148 Machine Policy Editor, 29 policy engines, 149 purging events, 83 remote data management settings, 146 replication settings, 146 resetting, 71 security settings, 145 Machine Policy Editor, 29 machines administration, 61 diagnostic support, 85 icons, 62 importing, 73 moving manually, 70 new clients, 70 searching for, 94 mail groups, and data lookup, 288 %MailDateTime% variable, 256 management groups, 43 assigning, 49 overriding, 44 purpose, 56 example usage, 297 mandatory, lookup variable, 289

J
Japanese characters See Unicode characters java.rmi error message, 335 JavaScript files not captured, 199 Jet Database Engine, troubleshooting, 337 JVM.Properties file, 336

K
key presses, recording, 205 key words, detected by triggers, 111 variables in notification messages, 256 keys, encryption, 77, 78 %Keystrength% variable, 255 keystrength exemptions, 234 %Keystrength% variable in notification messages, 255 control triggers, 134 setting up, 262 troubleshooting, 331 keystrength substitution, 255 %Keystring%, %Keyword%, %Keywords% variables, 256 Korean characters See Unicode characters

M
Machine Administration screen, 27 icons, 62 machine hierarchy, exporting, 72 machine policies, 145 Account Import setting, 147 checkpoints, 148 Client File System Agent, 151 CMS settings, 150

L
labeled lookup operator, 280, 281, 338 LDAP directory, 54 license files, 24, 36

Manual capture triggers e-mails, 144 Web pages, 143 manual suspensions, 75, 275 master encryption key, 78 maximum buffer size, for captured Web pages, 200 maximum document length, for content agents, 321 maximum transaction values defining, 187 Transaction Detector triggers outgoing e-mails, 144 Web pages, 143 MaxScore(n), document classifications, 179 MemberOf variable, and data lookup, 288 Message Attribute lookup, 272, 299 counting domains, 301 examples, 299 syntax, 275 message templates, for interactive warning e-mails, 267 metadata attributes, data lookup, 276 metadata, for events XML schema, 302 metadata, purging, 80 Microsoft Excel files, searching content, 114 Jet Database Engine, troubleshooting, 337 Office documents, searching content, 114

Outlook disabling browser integration, 331 exempting e-mails, 210 optimization, 329 policy settings, 141 Outlook 2002 (XP), 2003 and 2007, triggers stop working, 327 Public Folders e-mails, 240 PowerPoint files, searching content, 114 Project 98 files, searching content, 114 Windows Explorer disabling browser integration, 331 Word files, searching content, 114 Works files, searching content, 114 MIF files, searching content, 113 minimum retention period calculating, 81 triggers, 82 capture triggers, 213 control triggers, 262 transaction triggers, 196 MinScore(n), document classifications, 179 %MONEY% variable, 180 money variables, 180 mouse clicks, recording, 205 moving gateways, 69 groups, 42 machines, 70 users, 47 MP3 files, searching for metadata, 114 MPP files, searching content, 114 msgattr, data lookup command, 275 <msgvar> lookup operator, 282 msiexec.exe, disabling browser integration, 76 multiple CMSs managing, 68 multiple message control triggers notification messages to users, 251 overview, 107 multiple users forwarding e-mails to, 239 multi-select categorize control actions, 161

N
names for actions See actions NBA, 246, 247, 249 negative training documents, for content agents, 317, 319 nested zip files, 115 Network Boundary Agent, 246, 247 new client machines, 70 importing, 73 CMS, 68 gateways, importing, 73 groups, 42 importing, 54 users, 46 importing, 54 Windows authentication, 46 No further actions option, 226 None option, for Intervention setting, 227 Normalize(m), document classifications, 179 notification dialogs, 251 Blocking dialog, 222, 223 Categorize dialog, 224, 225 dialog titles, 251 System settings, 140 Inform dialog, 225

messages copying text, 259 variables, 253 variables for file events, 253 Notify dialog, 227 Quarantine dialog, 228 advisory guidelines, 228 Warning (Personal) dialog, 231 Warning dialog, 230 notification e-mails, 252 Exchange and Domino server agents, generated by, 265 System settings, 140 text variables, 253 notification messages, and data replication, 64 Notify option, for Intervention setting, 227 summary, 217 NotLargerThan(y), document classifications, 179 NotSmallerThan(x), document classifications, 179 Novell eDirectory, 54 NT event logs See Windows event logs <numericoperator> lookup variable, 283

options Administration console, 36 Out of Office Assistant, 238 Outlook See Microsoft Outlook overspending See spending limits common client policy, 71 common gateway policy, 69 controlling changes, 101 copying, 128 corrupt, 334 default user policies, 48 definition, 97 editing, 99 exporting, 128 find items, 100 gateways, 69 groups, 45 hyperlinks, 100 importing, 128 inheritance See policy inheritance list settings, 102 Machine Policy Editor screen, 29 navigation, 100 read-only mode, 99 reports See policy reports shortcuts, 99 suspended machines, 76 tooltip explanations machine policy, 29 user policy, 28 User Policy Editor screen, 28 users, 48 version checking with wgnpol.exe, 128 version numbers, 125 policy branch enforcing, 117 generating reports for, 122 inheritance, 119 policy engines, machine policy settings, 149 policy folders attributes (disable, enforce, hide), 116 inheritance, 119 policy inheritance, 119-120 enforced folders, 117

P
parameter 6 functions, for document classifications, 179 parameters document classifications, 178 parent group, 43 parent policy, 119 parent-child inheritance, 119 partition-based purging, 80 passwords captured passwords obscuring, 127 troubleshooting, 326 password-protected attachments and files capture triggers, 212 password-protected attachments and uploaded files capture triggers, 202 control triggers, 261 transaction triggers, 196 Reset passwords privilege, 59 resetting database credentials system, 37 user passwords changing, 48 for new users, 46 PDF files, searching content, 114 pending warnings, maximum, 269 personal Web pages and e-mails, 231 phrases, detected by triggers, 111 policies client machines, 71 CMS, 66

O
Office documents, searching content, 114 <offlimits> variable in data lookup commands, 281 in user notification messages, 257 Offline Browsing Pack, need for, 336 one-click review buttons, iConsole, 306 operators in data lookup commands, 283

parent-child inheritance, 119 policy branch inheritance, 119 policy lists, 102 Policy on Print See Client Print System Agent Policy on Save See Client File System Agent policy path, 28, 29 policy reports, 121 available actions, 123 filters, 123 saving to file, 122 policy settings attributes (enforce, hide), 116 machine policy, 145 tooltip explanations machine policy, 29 user policy, 28 user policy, 129 polimex.exe, 128 positive training documents, for content agents, 317, 319 PowerPoint files, searching content, 114 PPT files, searching content, 114 predefined searches, for administration data, 94 primary administrator, 56 printing files, controlling, 247 privileges assigning to roles, 49 definitions, 57 event auditing requirements, 305 selecting, 50, 51 process e-mails on arrival, 141 prohibited activity, definition, 219 Project 98 files, searching content, 114 properties content agents, 321 users, 48 Public Folders, e-mails are ignored, 204, 240

publishing content agents, 321 punctuation matching, 112 purging events, 80 machine policy settings, 83 minimum retention period, 81 purge SPs, 81 trigger-based retention periods, 82 turning off, 83 what data is purged?, 80 ReduceBySize(r), document classifications, 180 remote data management machine policy setting, 146 remote logfiles, viewing, 31 renaming client machines, 335 CMS, not recommended!, 335 gateways, not recommended!, 335 users, 47 troubleshooting, 333 reparenting machines manually, 70 Replace Silently option, 229 Replace Silently option, for Intervention setting, 229 replication compression, of data, 79 disabling, 65 encrypted data, 77 failures, 65 holding cache, 65 immediate, to client machines, 66 logfiles, 89 machine policy settings, 147 notification intervals, 64 overview, 64 settings, 146 suddenly stops when using ASDL, 336 suspended machines, 76 troubleshooting, 336 turning off on slow networks, 65 replication checkpoints, 87 replication failures suspended machines, 75 replication holding cache, policy settings, 146 replies to incoming e-mails identifying the source e-mail, 240

Q
QDF files administration data, 96 quarantine control actions, 232 Quarantine quietly option, for Intervention setting, 228 Quarantine with notification option, for Intervention setting, 228 quarantined e-mails, 312

R
RCL (required confidence level), for transaction validation, 190 read-only mode, viewing policies in, 99 %recipient% lookup operator, 278 Recipient triggers, 143 recipients moving to Bcc field, 239 records management categorization, 154 recreate users, 47 redirecting users to alternate URLs control actions, 136 overview, 234 which triggers?, 235

Reply overview, 237 setting up, 252 reported policy version, 125 reports policy reports, 121 republishing content agents, 323 resetting machine policies, 71 policies, 99 restoring the CMS, 67 retention period See Minimum Retention settings reviewer (role), 59 roles assigning to users, 49 creating, 49, 50 definitions, 59 redefining privileges, 49 RTF files, searching content, 114

database credentials, 37 file contents, 113 filters administration data, 96 group accounts, 94 machine accounts, 94 no matching events returned, 325 predefined searches, 94 saving search expressions administration data, 96 screenshots administration searches, 30 Search Text triggers, 144 text, detected by triggers, 111 user accounts, 94 SEC 472, 312 Secure Sites triggers, 143 secure Web sites, exempting, 234 security bypassing management group limitations, 44 of data, 145 settings, 145 self-enrollment (new users), 46 %sender% lookup operator, 278 Sender triggers, 143 sensapi.dll file, 336 sensitive information handling overview, 127 policy settings, 140 sensitivity Transaction Detector triggers, 189 transaction matching adjusting, 193 policy settings, 140 separators, in policy list settings commas, semicolons, tabs and others, 105 server agents, versus client agents, 263 server-side warnings, 266 service desk URL, 24 short domains, 301 shortcuts console hyperlinks, 35 policy editing, 99 silent events Intervention option, 227 summary, 217 single sign-on, 67 single-select categorize control actions, 161 %Site% variable, 256 slow network links, 336 Smart Tagging, 170 categorization variables, 167 file triggers, 171 names and values, 172 variables, 172 mishandling of, 173 x-headers, 174 requirements and limitations, 175 SMTP addresses, 109 social security numbers variables in notification messages, 255 sources, of captured files, 246 spending limits, 187 spreadsheets policy lists, importing from, 105 searching content, 114 user hierarchy, exporting to, 53 SPs, purging, 81 SQL queries, for dynamic address lists, 39 SQL tab Administration console, 95 privilege to control access, 57 %SSN% variable, 255 SSW See server-side warnings statistics Statistics screen, 32 stored procedures See SPs

S
scanned files, 249 copying to new location, 250 score adjustment functions See parameters parameter 6 functions scores, category, 156 search text punctuation, 112 triggers, 144 search text variables, 112 searches See also find items See also detect key words or phrases

administration data, 93 new searches, defining, 95 overview, 94 predefined searches, 94 running a search, 94 screen overview, 30

strategies capture strategies, 197 control strategies, 215 <stringoperator> lookup variable, 284 %Subject% variable, 256 Submitted Credit Card triggers, 143 Submitted Search Text triggers, 143 Sun ONE Directory Server, 54 suspended machines CMSs, 75 insufficient free disk space, 74 overview, 75 replication failures, 75 syntax categories, specifying, 165 data lookup Address Book lookup, 275 Message Attribute lookup, 275 User Attribute lookup, 274 XML Attribute lookup, 276 stopping and restarting the infrastructure, 63 system database credentials, 37 troubleshooting, 337 system definition file administrative privileges, 57 installing, 38 system logfiles, 89 contacting the service desk, 24 machine policy settings, 147 System Settings folder, in the user policy, 140

audit e-mails, 309 interactive warning e-mails, 267 insertion variables, 267 test documents, for content agents, 317, 319 default test documents, 318 testing a content agent, 320 <text> lookup variable, 286 text, detected by triggers, 111 variables in notification messages, 256 text files, searching content, 114 time-outs transaction activity, 140 User Attribute lookup commands, 274 timeouts interactive warning e-mails, replies to, 269 TM (transaction matching) score, 193 %To% variable, 257 tooltips Machine Policy Editor, 29 User Policy Editor, 28 TP (transaction probability), 189 training documents, for content agents, 317, 319 Transaction Detector triggers, 144 description, 143 maximum transaction values outgoing e-mails, 144 Web pages, 143 overview, 188 transaction settings, 138 action, 139 triggers, 143 transaction triggers, overview, 138 transactions automatic captures, 184 captured items, 139 exceptions, 186 icons, 186 manual captures, 184 matching, 193 overview, 183 spending limits, defining, 187 system settings, 140 validation, 189 travel configurations, for document classifications, 176 triggers Application Monitor, 144 capture triggers Application Monitor, 130 Data At Rest, 130 Data In Motion, 131 e-mails, 130 overview, 129 Web pages, 130 control triggers Application Monitor, 134 Data At Rest, 135 e-mails, 134 overview, 133 Web pages, 134 Data At Rest, 144 Data In Motion, 144 e-mails, 143 exemptions See exemptions minimum retention periods, 82 not saving details, 211 Search Text, 144 summary, 143 transaction detector, 188 transaction triggers, overview, 138 Web pages, 143 troubleshooting, 325 browsers, disabling integration, 331 cannot send audit e-mails, 330 cannot send forwarded .msg files or audit e-mails, 328 cannot use MAPI services, 330 CMS connection failure, 335, 337

T
tabs Detail and List tabs Machine Administration screen, 27 User Administration screen, 26 tags See smart tagging templates

dial-up connections, 338 e-mail attachments, 203 e-mail delays, 329 e-mail triggers stop working for Outlook 2002 (XP), 2003 and 2007, 327 event searches find no results, 325 features stop working, 328, 337 MS IE7 limitation, 330 passwords inadvertently exposed, 326 policies, 334 replication cannot turn off, 336 suddenly stops when using ASDL, 336 updating database logon credentials, 337 user renaming, 333 Web pages captured page does not match page in browser, 326 exempting secure sites, 331 true-false tests, in lookup commands, 272 TXT files, searching content, 114 <type> lookup variable, 286

content agents, 323 uploaded files searching content, 113 triggers, 143 unreadable capture triggers, 202, 212 control triggers, 261 transaction triggers, 196 %URL% variable, 257 URLs %Site% variable in notification messages, 256 %URL% variable in notification messages, 257 URL triggers, 143, 144 wildcards, 108 US Social Security High Group file installing, 38 USB devices, blocking, 248 user administration logfiles machine policy settings, 147 User Attribute lookup, 274 examples, 297 syntax, 274 user definitions, 141 User Definitions, settings, 258 User Filter, machine policy setting, 147 user groups See groups user hierarchy, exporting, 52 user notifications, 251 user policies capture settings, 129 control settings, 133 controlling changes, 101 default, 48 definitions, 258 editing, 48 extensions settings, 142 inheritance, 120 list items, 102 settings, 129 system settings, 140 transaction settings, 138 transaction validation, 191 triggers, 143 User Policy Editor screen, 28 user properties, 48 account history, 48 customized attributes, 51 syntax, 274 users Users group, 43 adding, 46 attributes, 51 deleting, 47 importing, 54 moving, 47 properties, 48 recreating, 47 renaming, 47 troubleshooting, 333 searching for, 94 updating e-mail addresses, 51 User Administration screen, 26 <uservar> lookup variable, 287 utility machines, 62 icons, 62

U
"Undeliverable" e-mail notification messages, 238 unenforcing policy items, 117 unhiding policy items, 118 Unicode characters detected by triggers, 112 failure to display, 338 unique domains, identifying, 301 Unknown Internal Sender policy setting, 149 unlimited searches, required privilege, 58 unpublishing

V
validation, of transactions, 189 variables categorization smart tags, 167 data lookup, 277 document classifications, 180 for file events notification messages, 253 notification messages, 253 search text, detected by triggers, 112 smart tag values, 172, 173 templates for interactive warning e-mails, 267 user definitions, 258

vCards, searching content, 114 VCF files, searching content, 114 version numbers, of policies, 125 checking with wgnpol.exe, 128 viewing policies in read-only mode, 99 viruses, and captured e-mails, 328

wgninfra.exe, usage, 63 wgninfra.out logfile, 147 contacting the service desk, 24 wgnpol.exe, 128 Which Files Sources? setting, 246 <who> lookup variable, 278 wildcards document classifications, 180 policy list items, 108 search text, detected by triggers, 111 Windows authentication for new users, 46 Windows event logs, 91 Windows Explorer, disabling browser integration, 331 wizard, Account Import machines, importing, 73 users, importing, 54 WKS files, searching content, 114 Word files, searching content, 114 WordPerfect files, searching content, 114 words, detected by triggers, 111 variables in notification messages, 256 Works files, searching content, 114 WPS files, searching content, 114 XML documents, capturing, 199 XML files, searching content, 114 xmlattr, data lookup command, 276 xpath lookup operator, 290

Z
zero activity events, 206 zip files policy settings, 141 searching content, 115

W
W0078 log entries, 336 W0078 log file entry, 336 Warn, but allow users to designate as Personal option, 231 Warn option, 230 warning level, free disk space, 74 warnings configuring a control action, 230 disregarded, 217 heeded, 217 Warn, but ... Personal option, 231 Warn option, 230 Warning (Personal) dialog, 231 Warning dialog, 230 when browser starts up, 55 when e-mail starts up, 55 Web integration See browser integration Web pages buffer size overview, 200 policy settings, 141 JavaScript files not captured, 199 manual captures, 198 triggers, 143 Webmail, blocking, 241 Wgn.Group lookup variable, 287 Wgn.GroupParent lookup variable, 287 wgninfra script (Solaris only), 63 wgninfra.exe service, 63

X
X.400 addresses, 110 x-headers, generated from smart tags, 174 requirements and limitations, 175 XLS and XLW files, searching content, 114 XML Attribute lookup examples, 300 syntax, 276 XML metadata schema, 302
