Copyrights
Copyright 2001-2008 Orchestria Limited. All rights reserved. US Patent 7,333,956. Other US and international patents granted or pending. Orchestria and the conductor device are registered trademarks of Orchestria Corporation. Copyright in and ownership of this manual is and shall at all times remain in Orchestria. No part of this manual may be reproduced without the prior written permission of Orchestria and the contents of this manual are and shall remain confidential. The delivery of this manual shall in no circumstances imply that the information contained herein about Orchestria Active Policy Management (APM) is in the public domain. Accordingly, disclosure of the contents of this manual or any part thereof to a third party will constitute a breach of the confidentiality provisions of any agreement for the use of Orchestria APM. Optional Content Search and Agent technology used under license from and Copyright 2007 FAST Search and Transfer International AS. Outside In Content Access Copyright 1991, 2007 Oracle Corporation.
Disclaimer
Every effort has been made to ensure that this document accurately describes the operation of Orchestria APM. However, Orchestria does not accept any responsibility for the consequences of any discrepancies between the description of Orchestria APM contained in this manual and the Orchestria APM system as implemented. Orchestria also reserves the right to make amendments to the contents of this manual from time to time to reflect changes made to the specification of Orchestria APM or for any other reason.
Trademarks
Adobe and FrameMaker are registered trademarks of Adobe Systems Incorporated. Bloomberg is a registered trademark of Bloomberg L.P. ZANTAZ Enterprise Archive Solution and Exchange Archive Solution (EAS) are trademarks of ZANTAZ Inc. Lotus and Notes are trademarks of IBM Corporation. Netscape is a registered trademark of Netscape Communications Corporation. Solaris is a trademark of Sun Microsystems, Inc. Windows, Microsoft, Hotmail, Outlook, and PowerPoint are trademarks or registered trademarks of Microsoft Corporation. WordPerfect is a trademark of Corel Corporation. All other marks are owned by their respective companies.
Contents
Chapter 1
Background
Chapter 2
Administration console
Overview
  User Administration screen
  Machine Administration screen
  User Policy Editor screen
  Machine Policy Editor screen
  Administration search
  Logfiles screen
  Statistics screen
  Content Agents screen
Administration console shortcuts
  Find items
  Console hyperlinks
Administration console tools
  Console options
  License files
  Replicate CMS changes to client machines
  Account import wizard
  Primary user database credentials
  Search user database credentials
  Install system definition file
  Define a dynamic address list
Chapter 3
User administration
Groups
  Managing groups
  Move groups
  Special groups
  Group policies
  Analyzing group activity
Users
  New users
  New users and Microsoft Windows authentication
  Recreate users
  Manage user accounts
  User policies
  User properties
Exporting the user hierarchy
  Export via the Administration console
  Export from a command line
  Exporting to XML format
  Export issues
Importing users
  Synchronizing e-mail addresses
  Import methods
  Import sources
Controlling what users can see and do
  Ordinary users
  Managers and administrators
  Administrative privileges
  Roles
Chapter 4
Machine administration
Overview
  Machine hierarchy
  Machine icons
  Console-only and utility machines
Orchestria APM infrastructure
  Running the infrastructure as a named user
  Stopping and restarting the infrastructure
Data replication across the network
  Notification periods
  Disable replication
  Replication failures
  Slow network connections
CMS
  Rename a CMS
  Editing the CMS policy
  Suspend a CMS
  Enable single sign-on
  Backing up and restoring the CMS
  Connecting to a CMS
  Multiple CMSs
Gateways
  Adding a new gateway
  Managing gateways
  Common (or default) gateway policies
  Rename a gateway
Client machines
  Adding new client machines
  Moving client machines or gateways to a new parent server
  Deleting client machines
  Editing machine policies
  Common (or default) machine policies
  Suspend a client machine
  Rename a client machine
Exporting the machine hierarchy
  Export via the Administration console
  Export from a command line
  Re-importing exported hierarchies
Importing machines
  Command file format
Monitoring free disk space
  Disk space policy settings
Suspended machines
  Manual suspensions
  Automatic suspensions
  What operations are still available on suspended machines?
Disabling e-mail, file and browser integration
  Responding to an infrastructure failure
  When installing with msiexec.exe
Data encryption
  Encrypting replicated data
  Encrypting stored data
Data compression
  Compress stored data
  Compress transmitted data
Event purging
  Purging strategies
  What data is purged?
  Minimum retention period
  Purge SPs
  Configure purges in the machine policy
  Selective trigger-based purging
  Turn off event purging
  Purge policy settings
Machine diagnostics
  Diagnostic machine searches
  Diagnostics policy settings
  Replication checkpoints
  Checkpoint policy settings
Log files
  Types of log file
  Configure logfiles
  Copy log entries to the Windows event log
  View logfiles
Chapter 5
Administration searches
Searching for administration data
  Run an existing search
  Predefined searches
  Run a new search
  Saved searches
  Copy search results to clipboard
  Administration search filters
Chapter 6
Editing policies
What is a policy?
Policy icons and toolbar buttons
Editing policies
Policy navigation
  Hyperlinks
  Back and Forward buttons
  Find policy folders or settings
Controlling policy changes
  Policy privileges
  Management groups
  Disable and enforce attributes
Policy list settings
  Define a list
  Default and custom list items
  List item icons
  Included, excluded and ignored lists
  Searching listed files for key text
  Copying and importing list items
  Multiple message list settings
  Policy lists and wildcards
Triggering on e-mail addresses
  Spaces in e-mail addresses
  Matching all address formats
  Internal e-mails
  Display names
  SMTP
  EX
  Domino
  Bloomberg alias addresses
  X.400
Triggering on key words or phrases
  Basic rules
  Search text wildcards
  Subexpressions and OR operators
  Search text variables
  Detect Far Eastern characters
  Punctuation matching
  Hyphenated words
  Using backslashes to search for special characters
  Searching listed files for key text
  Searching zip files
  Searching embedded e-mails
  Searching archive files
Folders and settings
  Disabled folders and settings
  Enforced folders and settings
  Hidden folders and settings
Policy inheritance
  Policy branch inheritance
  Parent-child inheritance
Policy reports
  Generate policy reports
  Save policy reports as files
  Available actions
  Report filters
Policy versions
  Format
  Reported and assigned policy versions
  Policy version example
Captured passwords and credit card numbers
  Which screens display these details?
  Obscuring credit card numbers or passwords
  Avoiding the capture of credit card numbers or passwords
Exporting, importing and copying policies
User policy settings
  Capture settings
  Control settings
  Transaction settings
  System settings
  Extensions
  User policy triggers
Machine policies
  Infrastructure
  Policy Engines
  Central Management Server
  Client File System Agent
Chapter 7
Chapter 8
Transactions
What data is captured?
Manual captures
Automatic captures
Cancel a transaction
Transaction exceptions
Transaction icons
Spending limits
  Set up spending limits
  Can I set up period or aggregate spending limits?
Transaction detection
  Transaction Detector triggers
  How do Transaction Detector triggers work?
Transaction validation
Show Dialog? setting
  Show Dialog? Never
  Show Dialog? Unless transaction matches
  Show Dialog? If necessary
  Show Dialog? Always
Transaction matching
  Matching process
Transaction trigger refinements
  Unreadable uploaded files or e-mail attachments
  Selective trigger-based purging
Chapter 9
Capturing data
Capture strategies
  Example
Capturing Web pages
  Manual Web captures
  Automatic Web captures
  Web page issues
Capturing e-mails
  Manual e-mail captures
  Automatic e-mail captures
  Attachments
  Importing e-mails
  E-mail issues
Importing IM conversations
Capturing application usage
  Capture triggers
  Application events
  Timeouts for application events
  Zero activity events
  Turning off application monitoring
Capturing files
  File triggers
  What file information is captured?
  File sources
  When are files captured?
  What do file triggers look for?
  How are captured files associated with Orchestria APM users?
  Defining the file archive list
Capture trigger exemptions and refinements
  Data Lookup
  Disabling e-mail, file and browser integration
  Prevent trigger details being captured
  Unreadable uploaded files or e-mail attachments
  Encrypted e-mails
  Digital signatures
  Selective trigger-based purging
Chapter 10
  Option: Replace Silently
  Option: DoD overwrite and replace silently
  Option: Warn
  Option: Warn, but allow users to designate as Personal
Control action precedence
  Intervention action behavior
  Quarantine control actions
Controlling Web activity
  How control actions operate
  Which settings are applicable?
  Trigger exemptions and refinements
  Browser requirements when exempting secure Web sites
  When are users redirected to alternative Web pages?
Controlling e-mails
  How the control action operates
  Which settings are applicable?
  Account requirements for recipients of forwarded e-mails
  Forwarding e-mails to multiple addresses
  Sending forwarded e-mails to someone else
  E-mail address matching
  Modifying recipient fields
  Identifying the e-mail that triggered an automatic reply
  Trigger exemptions and refinements
  E-mails in Public Folders are excluded from policy
  Blocking a Webmail
Controlling application usage
  How control actions operate
  Application Monitor control triggers
  What data is captured by Application Monitor triggers?
Controlling files
  File triggers
  When do file triggers activate?
  File sources
  How are file events associated with Orchestria APM users?
  Printed files
  Files copied to USB devices
  Files entering or leaving your corporate network
  Imported files
  Scanned files
User notifications
  Notification dialogs
  Notification e-mails
  Notification messages in replacement files
  Variables in notification dialogs and e-mails
User definitions
  Set up a user definition
  Copying text from notification dialogs
Control trigger exemptions and refinements
  Data Lookup
  Disable integration for specific e-mail triggers
  Unreadable uploaded/imported files or e-mail attachments
  Digital signatures
  Encryption
  Selective trigger-based purging
Integration with e-mail servers
  Monitoring e-mail activity that would be missed by client agents
  Fewer intervention options for the server agents
  Outgoing e-mail triggers only on Exchange Server and Domino
  Intervention options and e-mail server agents
  Automatic notifications and e-mail server agents
  Interactive warning e-mails and Exchange Server
Chapter 11
Data lookup
Overview
  Data Lookup commands and True-False tests
  Adding Data Lookup commands to e-mail triggers
  About Data Lookup Failure Mode
  User Attribute lookup syntax and configuration
  Address Book lookup syntax
  Message Attribute lookup syntax
  XML Attribute lookup syntax
Data lookup variables
  <who>
  <attribvalue>
  labeled <variable>
  <msgvar>
  <msgvalue>
  <numericoperator>
  <stringoperator>
  <text>
  <type>
  <uservar>
  <xpath>
Advanced Data Lookup Commands
  Command evaluation
  Examples of data lookup syntax
  Complex True-False test
  Composite True-False test
  Complex Composite True-False test
  OR and <fallguy> handling
User Attribute lookup examples
Address Book lookup examples
Message Attribute lookup examples
XML Attribute lookup examples
Counting unique domains
  Long domain example
  List of known long domains
  Adding to the list of long domains
XML metadata example
Chapter 12
Chapter 13
Content agents
Overview
  Why use Content Agent triggers?
Before you start
  Deployment
Content agents
  Content agent icons
  Training documents
  Test documents
  Default test documents
  Define content agents
  Managing content agents
Chapter 14
Troubleshooting
Searching for events ............................................................ 325 E-mails ............................................................................. 326 iConsole ........................................................................... 330 Web pages......................................................................... 331 User Administration ............................................................. 333 Policy .............................................................................. 334 Machine administration ......................................................... 335 Replication ........................................................................ 336 Database problems .............................................................. 337 Far Eastern characters ........................................................ 338 Dial-up connections ............................................................ 338
16
chapter 1
Background
Internet communication has empowered employees as never before. Every day, informal unstructured business communications flood in, out and across organizations. The proliferation of e-mail, instant messaging and Web-based forums has brought new fluidity and flexibility to the workplace, enabling organizations to operate in real time and leverage the business value hidden in these communications. But there is a price to pay. A new regulatory landscape for business communications has emerged, obliging organizations to retain these communications for subsequent auditing by regulators and, equally important, to control the content of these communications to prevent regulatory violations. It is these twin challenges, archiving and content supervision, that must be addressed by organizations wishing to avoid the penalties for non-compliance. Orchestria APM has been explicitly designed to meet these challenges, combining industrial-strength archiving and retrieval capabilities with pioneering real time communication filters.
Orchestria APM addresses these twin challenges in two ways:

Intelligent Pre-Review: Preventing communications that violate corporate policy or industry regulations.
Panoramic Post-Review: Implementing an industrial-strength and legally compliant archiving and auditing solution.

Intelligent Pre-Review

Pre-review is the term now commonly used to describe the practice of filtering communications at source to detect potential regulatory violations. Organizations need to protect themselves against individual malpractice and the unauthorized exposure of sensitive financial or business data, intellectual property and competitive information. They must ensure that non-compliant communication is detected and blocked before it can be sent and archived. Failure to do so means that the archive becomes, in effect, a repository of regulatory violations waiting to be discovered by scrupulous regulators. However, the unstructured, informal nature of these communications makes them extremely difficult to analyze and control. A preventative solution is needed that can intelligently understand the nature of any correspondence as it occurs, eliminating the risk of regulatory violations without disrupting workflow. Orchestria APM provides exactly this. Specifically, it:

Analyzes message content and recipient details, identifying and preventing non-compliant activity (e-mail, instant messaging and Web) in real time.
Enforces information boundaries by intervening at the desktop, highlighting non-compliant user behavior as it occurs. For example, you can enforce information boundaries by blocking e-mails sent between specific teams and covering particular subjects.
Educates users to modify their own behavior by recommending or forcing remedial action (in the form of contextualized advisory dialogs).
Does not disrupt workflow, because it does not interfere with the normal routing of e-mail traffic (unless explicitly configured to do so).

Example Orchestria APM intervention: A user attempts to send a non-compliant e-mail. As soon as they click Send, Orchestria APM detects the potential violation, suspends the transmission and displays an advisory dialog.
Panoramic Post-Review
Post-review refers to the practice of searching for and auditing e-mails and instant messages after they have been sent, and reviewing Web activity after it has been detected and recorded. Organizations need a scalable archiving solution that meets regulatory requirements on the storage, retention and on-demand retrieval of historical communications. Such archiving and data retrieval systems must encompass both internal and external e-mail, personal Web-based e-mail accounts (for example, Hotmail or Yahoo!) and instant messaging. Orchestria APM has been explicitly designed to meet the post-review requirements of large organizations. It provides industrial-strength archiving, retrieval, auditing and reporting features. Easy-to-use, fine-granularity search tools enable managers and regulators to zero in on targeted events, and to create event audit trails. Ancillary utilities even enable Orchestria APM to integrate with your existing e-mail archive and emerging next-generation storage devices such as EMC Centera.

Note: The Orchestria APM search and auditing features are demonstrated in chapter 12, Configuring event audit options.
Example e-mail retrieval: You search for, review and audit captured communications in the Orchestria APM Data Management console.
1 You specify which captured events you want to retrieve in the search definition. This example shows the Advanced search definition screen.
2 When you run the search, all events matching the search criteria are displayed in the search results screens. Event icons and titles are hyperlinked to individual event screens (2a).
3 Finally, you can zero in on individual events to see their full details in the event screens. In this example, the Mail tab shows the actual captured e-mail and its attachment.
Architecture
Orchestria APM deployments can be complex, and vary from one organization to the next. This section shows the architecture for a simple deployment to client machines. This enables you to install Orchestria APM client agents on users' desktops to monitor and control their e-mail and Web activity. Here, Orchestria APM machines are organized into hierarchical branches, with the central management server (CMS) as the top-level server. Below the CMS, each branch of the hierarchy is optionally managed by a gateway, and each gateway can serve multiple client machines and/or further gateways. You manage Orchestria APM using consoles. You can deploy consoles on any machine in your Orchestria APM installation. For technical details about Orchestria APM, see the Deployment guide and the Technical and Functional Overview, available from the Orchestria service desk; see page 24.
Orchestria APM example architecture (figure)
1 CMS: This is the central repository for your Orchestria APM installation, holding all policy details and captured data.
2 Gateway: These are data-routing servers, operating between the CMS and client machines. They provide resilience and network load balancing. Each gateway can serve multiple client machines or even child gateways.
3 Client machines: These run the Orchestria APM e-mail and Web integration features (the client agents). If required, client machines can connect directly to the CMS (3a) with no intermediate gateway.
4 Console: Any Orchestria APM machine can run any combination of the Administration console, Data Management console and Executive console.
5 Console-only machine: No Orchestria APM server software or client integration features are installed on this machine.
Administrator responsibilities
As an Orchestria APM administrator, your primary responsibility will be to translate real business issues into effective (user) policy. However, your responsibilities will also cover such areas as deployment and user administration. Typically, these responsibilities will include:
Real time administration of user policies
User administration
Machine administration
Extracting business intelligence from captured data
User administration
This involves a number of post-deployment tasks, before you deploy Orchestria APM across your organization, and also routine maintenance of your user accounts to reflect changing business needs. Finally, you also need a strategy for creating and managing other administrators, and ensuring that the extent of their administrative authority is sufficient and appropriate.
Managing administrators
To share the administrative workload, you can promote ordinary users into administrators or managers by granting them administrative privileges. You can limit the scope of their administrative authority by withholding specific privileges and controlling which groups they can manage. For full details, see page 56.
Machine administration
As with user administration, machine administration involves a number of post-deployment tasks, before you deploy Orchestria APM across your organization, and also routine maintenance of your machine accounts to reflect changing business needs.
Post-installation tasks
Before rolling out Orchestria APM across your organization, you must determine how it handles new users: can new users enroll themselves, or are new accounts created solely by administrators? Or do you want to import user details into Orchestria APM from an existing source such as your Microsoft Exchange server? You must also define an appropriate default policy for new users. This policy will be fairly restrictive to ensure that new users adhere to your corporate guidelines governing acceptable Web and e-mail usage.

Note: These issues are fully described in the Deployment guide; see chapter 3, 'Before you start using Orchestria APM'.
Post-installation tasks
Before rolling out Orchestria APM across your organization, you need to configure your CMS policy, and the common client and gateway policies (these common policies are applied automatically to new machines). Key policy areas that you must consider include database purging and the management of free disk space.

Note: These issues are fully described in the Deployment guide; see chapter 3, 'Before you start using Orchestria APM'.
Routine maintenance
You need to ensure that all Orchestria APM machines are running the current versions of the software and that their individual machine policies are appropriate for your network environment. For example, you will need to ensure that replication, database purging and free disk space settings have sensible values. To optimize data flows across your network, you may also need to occasionally reorganize the allocation of client machines to each gateway.
Data security
You also need to consider data security. This covers encryption, database backups, and database purging.
Encryption: All user data captured by Orchestria APM (Web pages, e-mails and so on) is replicated across your network and stored on the CMS. You must ensure that these data transfers and the stored data itself are secure. You can do this by configuring the machine policy to encrypt this data. These policy settings are described on page 145.
Backups: We recommend that you make a full backup of your Orchestria APM database on the CMS at least once per week, and incremental backups on a daily basis. For further details, see page 67.
Database purging: We also strongly recommend that you turn database purging on in both the common gateway and common client policies to prevent free disk space falling to dangerously low levels on your Orchestria APM machines, with the attendant risk of the infrastructure being suspended. For details, see page 80.

Note: On a suspended client machine, control triggers and actions continue to operate but the resulting control events are not saved. For example, you cannot search for blockings that occurred while a client machine was suspended.
Extracting business intelligence from captured data

First, you may need to configure the Orchestria APM statistics required by managers and other senior decision makers in your organization. For example, you may need to amend time slot intervals for real time statistics or supply the fixed values used by fixed statistics for budgeting or forecasting purposes.

Note: For full details, see chapter 3 of the Executive Console guide.

Second, you may need to configure the Executive console display for individual managers. The block import/export feature is particularly useful and lets you quickly roll out identical configurations to multiple Executive consoles.

Note: For full details, see chapter 2 of the Executive Console guide.
Post-deployment tasks

After deployment, there are several things you must do before you start using Orchestria APM. These mainly involve changes to the default policies for key user groups and new machines. You also need to edit the account properties of any new administrators and managers. Finally, you may need to amend your browser security settings if you intend using any Web page control triggers. As before, you can find the full range of post-deployment tasks in the Deployment guide.

License files

After installing Orchestria APM, you may need to install a license file before you can start using the product. Your license file unlocks the Orchestria APM policy modules available to your organization. Details about obtaining and installing your license file are given on page 36. Alternatively, you can contact the service desk for advice; see the next section.

Contact us

To contact the service desk, go to:

http://support.orchestria.com

If you do contact the service desk, they may ask you to supply the following log files:

The infrastructure log file, wgninfra.out.
Any relevant system log files. These take the format: stderr_200201200945.log.
Chapter 2 Administration console

This chapter provides an introduction to the Administration console and gives an overview of its main features.

Overview

You use the Administration console for these tasks:

User administration: Organize your Orchestria APM users into hierarchical groups to streamline user administration.
Machine administration: Organize your Orchestria APM machines into a hierarchical tree for optimum network performance and load-balancing.
Logfiles: You can view log files covering a range of user and machine activity, including logon activity, data replication and infrastructure errors.
Policy administration: You can define policies for Orchestria APM users and machines. User policies let you capture and control user activity. Machine policies cover such areas as database management, data replication, encryption, and cache management.
Event auditing setup: Full auditing features are available in the iConsole, but you must first use the Administration console to configure audit status labels and the contents of the auditing dialogs.
Statistics: You can configure statistics for display in the Executive console. Real time statistical data is compiled for each group and includes event counters based on user activity.
Content agents: Content agents can detect specific types of document based on their text content (for example, e-mails, Web pages and files). You can train and publish content agents and incorporate them into content agent triggers.
Administration searches: You can run administration searches to search for users, groups and machines. For example, you can search for user accounts with out-of-date policies or machines that have missed one or more replication checkpoints.

See also: Data Management console guide; Executive Console guide; iConsole user guide.
User Administration screen (figure)
1 User hierarchy: Shows the hierarchy of user groups and individual users. You can right-click or drag-and-drop to quickly reorganize users and groups.
2 User or group details: Shows the properties and attributes of the current user or group. For groups, a List tab also shows summary details for all users in the group.
3 Hyperlinks: Some details shown here are hyperlinks to other console screens. For example, the Policy field is hyperlinked to the current user's policy in the User Policy Editor.
4 Logon Sessions: For users only, this section shows current and historical logon sessions.
5 Parent server, User name: The parent server is either the CMS or a gateway. The user name is the Orchestria APM logon name for the current console user.
6 Policy version numbers: These allow you to track local and inherited policy updates.
7 Hide Sessions: Click to hide logon session details.
Machine Administration screen (figure)
1 Machine hierarchy: The CMS is at the root, with a gateway optionally serving each branch of client machines. From here, you can add or delete Orchestria APM machines.
2 Detail tab: This shows the properties and attributes of the current machine. List tab: Available for gateways and the CMS only. See 3 for further details.
3 Machine details: This shows summary details for all child machines attached to the gateway or CMS.
4 Parent server: This is either the CMS or a gateway.
5 User name: This is the Orchestria APM logon name for the current console user.
Policy Editor screen (figure)
1 Toolbar: Each screen has its own set of tools and features.
2 Policy root: This indicates which user or group the current policy applies to.
3 Policy folders pane: Shows all the folders available for viewing or editing in the current policy. Icon variations show the folder status (disabled, enforced or hidden). You can also double-click a folder to view or edit its attributes.
4 Policy path: Shows the location of the current folder or setting within the policy.
5 Parent server: This is either the CMS or a gateway.
6 User name: This is the Orchestria APM logon name for the current console user.
7 Policy version: Shows the current policy version number. This enables administrators to track policy updates.
8 Policy explanations: Hover your mouse pointer over any folder or setting to see a tooltip explanation. Help is also available when you double-click a policy item.
9 Contents pane: Shows the settings or subfolders in the current policy folder. Icon variations show the status of each setting or subfolder (disabled, enforced or hidden). You can also double-click a setting to view or edit its value.
10 Hyperlink: Many settings are hyperlinked to a dependent setting. Click the hyperlink to jump to the specified setting.
Policy Editor screen (figure)
1 Toolbar: Each screen has its own set of tools and features.
2 Policy root: This indicates which user or group the current policy applies to.
3 Policy folders pane: Shows all the folders available for viewing or editing in the current policy. Icon variations show the folder status (disabled, enforced or hidden). You can also double-click a folder to view or edit its attributes.
4 Policy path: Shows the location of the current folder or setting within the policy.
5 Parent server: This is either the CMS or a gateway.
6 User name: This is the Orchestria APM logon name for the current console user.
7 Policy version: Shows the current policy version number. This enables administrators to track policy updates.
8 Policy explanations: Hover your mouse pointer over any folder or setting to see a tooltip explanation. Help is also available when you double-click a policy item.
9 Contents pane: Shows the settings or subfolders in the current policy folder. Icon variations show the status of each setting or subfolder (disabled, enforced or hidden). You can also double-click a setting to view or edit its value.
Administration search
Administration searches let you search for user, group and machine accounts. For example, you can search for user accounts with out-of-date policies or machines that have missed one or more replication checkpoints. A range of predefined searches is available. These include information and health searches, for both users and machines. Information searches typically retrieve basic details about existing accounts; health searches identify problematic accounts, or accounts which require your attention, such as machines which cannot be contacted or users with out-of-date policies. You can also define and save your own administration searches, and copy search results to the clipboard. Existing searches (predefined and custom) are listed in the left pane. When you select a search, all users, groups or machines matching the search criteria are shown in the right pane. Administration searches are discussed in chapter 5, Administration searches.

Administration search screen (figure)
1 Search list: Lists all predefined administrative searches plus any custom searches saved on the current machine.
2 Results list: Displays items matching the search criteria.
3 Search button: Click to define a custom search (4).
4 Administration Search dialog: Use to define your own searches. For details about the available search filters, see the online help.
Logfiles screen
The Logfiles screen displays logs of all significant events on the local machine. The Administration console supports four types of Orchestria APM logfile:
Activity logs record when users and machines log in or out, and each time policies are created or updated.
Replication logs record any database changes that were made on a remote machine and copied to the local machine, for example, policy updates.
System logs record any infrastructure errors that occur while the Orchestria APM service is running.
Account Import logs record the outcome of any operations using the User Import wizard.

Available log files are listed in the left pane and the logged events are shown in the right pane. Note that log files are saved in Orchestria's \data\log subfolder of the Windows All Users profile; see page 89. Settings in the local machine policy determine the maximum size of each log file and, by implication, how often new log files are created. You can also view the log files on remote machines. To do this, expand the Machine Administration branch and select the machine you want. Then right-click and choose View Logfiles. For further details about Orchestria APM logfiles, see page 87.

Logfiles screen (figure)
1 Machine Administration: To view the log files on a remote machine, expand this branch and select the machine you want. See 4 for further details.
2 Local log files: All available log files on the local machine are listed here. File names show when the log file was created.
3 Log pane: All events in the current log file are listed here. From here, you can copy the contents of any log file into a text editor such as Microsoft Notepad.
4 Logfile viewer for remote log files: This has the same layout as the standard logfiles screen. To launch the viewer, right-click the machine you want and choose View Logfile. See 2 for details.
Statistics screen
The Statistics screen lets you configure summary statistics for e-mail, Web and transaction activity across your organization. You can view the actual statistics, in graphical or tabular format in the Executive console. Statistic folders are listed in the left pane and configurable statistics in the right pane. Statistic properties apply globally across your Orchestria APM installation, but statistical data is compiled for each user group. Orchestria APM compiles three main types of statistic: event lists, currency statistics and counter statistics. Event lists are simply lists of events triggered by user activity, such as blocked e-mails. Currency statistics include real time values based on captured transactions and static values defined by users for, say, forecasting purposes. Counter statistics are similar to currency statistics but relate only to non-transaction data such as e-mail traffic. The Statistics screen and the Executive console plus all the associated tasks and features are discussed in the Executive Console guide.
Statistics screen (figure)
1 Toolbar: Each screen has a unique set of tools and features.
2 Statistics folders: Shows folders containing the available statistics. Select a folder to display its statistics in the Statistics pane.
3 Statistics pane: Shows basic details about each statistic. From this pane, you can configure statistic properties. For static statistics, you can also enter fixed time-series values.
4 Properties dialog: You configure statistic properties in a dialog similar to this one. The available fields depend on the statistic type (such as currency or event list) and whether it is real time or static.
Content Agent screen

The Content Agent screen lets you train and publish content agents. These agents can detect specific types of document based on their text content. A document can be any Web page, e-mail, attachment, or file. After you have trained and published an agent, you can incorporate it into a content agent trigger. These triggers let you capture or control any attempt by users to browse, upload, print, copy to removable drives, send or receive documents that match the specified type. For example, you could train a content agent to recognize the login page of any Web-based e-mail provider. This would allow you to display a warning, or even block the user, if they attempted to send or read a message. Alternatively, you could train an agent to identify customer e-mail enquiries. The Content Agents screen and all associated tasks and features are discussed in chapter 13, Content agents.

Content Agent screen (figure)
1 Toolbar: Each screen has a unique set of tools and features.
2 Published content agents: These agents have been tested and are available for inclusion in content agent triggers.
3 Unpublished content agents: These agents may not have been tested and are not available for inclusion in content agent triggers.
4 Default test documents: A common set of test documents that you can use to calibrate any content agent.
5 Agent Testing dialog: This shows the scores for individual training and test documents. These scores indicate how well individual documents match the document type targeted by the content agent.
6 Example positive training documents: When choosing your training documents, you can add any file types supported by Orchestria APM, including event link files.
Enter the item name in the Find Items dialog. You do not need to enter the whole name. You can search on the first few letters of any word in the name, and you do not need to match the case. For example, type 'schaef' to find the first occurrence of fschaeffer. Specify whether to search up or down from your current location in the Browse tab. You can quickly search the Browse tree to find other occurrences of this name.

Examples

These show the outcome if you use Find to locate the user frankschaeffer.

1 Find succeeds because frankschaeffer was previously visible in the Browse tree, even though it is not currently visible. (Figure: the Browse tree, showing the Users, Management and Marketing groups.)
Console hyperlinks

In the Administration console, when you select a user, group or machine, their attributes are listed in the right pane. Some attributes are hyperlinked to other console features. For example, if you view a user, you can double-click their Group Name attribute to immediately locate this user group in the left pane. Or you can double-click their Policy attribute to view their current policy.

When you select an item in the Browse tab, the right pane contains these hyperlinked attributes:

For users
Policy: Click to open the current user's policy in the Policy Editor.
Parent Group: Click to highlight the parent group for the current user.
Management Groups: Click to highlight the management groups assigned to the current user.

For groups
Policy: Click to open the current group's policy in the Policy Editor.
Parent Group: Click to highlight the current group's parent group.

For machines
Policy: Click to open the current machine's policy in the Policy Editor.

Console hyperlinks (figure)
1 Left pane
2 Example hyperlinks
3 Attributes list
License files
After installing or upgrading Orchestria APM, you may need to install a license file before you can start using the product. Your license file unlocks the Orchestria APM policy modules available to your organization. Separate license files control access to user policies and machine policies.
agreement includes the Content Services feature. See chapter 13, Content agents. Select a Content Proxy server to use when training content agents or running a content search. For further details, see either the iConsole user guide, or the Data Management console guide; search the index for content searches, before you start.
When running event searches, the Data Management console must connect to your database using its own search user account, not the account used by the Orchestria APM infrastructure. This ensures that reviewers cannot see events associated with users outside of their management groups. You create this account when you deploy the CMS; search the index for Search User database account.

To change the user name or password for the search user account:

1 Choose Tools > Set Database Search User Credentials.

Note: Your Orchestria APM user account must have the Admin: Change database credentials privilege to continue beyond this point. See page 57.

2 In the Set Database Search Database Credentials dialog, enter the new user name and password for the Orchestria APM database search user account.

Set Database Primary User Password dialog

In the Set Database Primary User Password dialog, enter the new password.

Caution: You must change the password on your database server before setting the new password in the Administration console. See also page 337.
Click the Add button to display the Address List dialog (the screenshot is on page 39):
From the File Type list box, choose US Social Security High Group file. Browse to where you saved the text file and click Install. The file is installed to the CMS where it can be referenced for %SSN% confirmation.
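As an added illustration of what a high-group table contributes to %SSN% confirmation (example code written for this page, not Orchestria's own implementation), the Python below parses a constructed area/high-group table and rejects nine-digit candidates whose group number had not yet been issued for their area. It uses the issuance order the Social Security Administration documented for the pre-randomization scheme (odd 01-09, even 10-98, even 02-08, odd 11-99). The two-column text layout, the function names and the sample values are assumptions; the page does not describe the real file's layout or the product's matching rules.

```python
import re
from typing import Dict, List, Optional

# SSA issuance order for the group number within an area (pre-randomization
# scheme): odd 01-09, then even 10-98, then even 02-08, then odd 11-99.
_GROUP_ORDER: List[int] = (
    [1, 3, 5, 7, 9]
    + list(range(10, 99, 2))
    + [2, 4, 6, 8]
    + list(range(11, 100, 2))
)
_GROUP_RANK: Dict[int, int] = {g: i for i, g in enumerate(_GROUP_ORDER)}

# Constructed sample table, "AREA HIGHGROUP" per line. The layout is an
# assumption for this example and the values are not real SSA data.
SAMPLE_HIGH_GROUP_TEXT = """\
123 52
545 09
728 98
"""

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
_CANDIDATE_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def load_high_group_list(text: str) -> Dict[str, int]:
    """Parse 'AREA HIGHGROUP' pairs into {area: highest group issued}."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1].isdigit():
            table[parts[0]] = int(parts[1])
    return table


def ssn_issue(candidate: str, high_groups: Dict[str, int]) -> Optional[str]:
    """Return None if the candidate is a plausible issued SSN, else the reason
    it fails. Structural checks come first; the high-group check last."""
    m = _SSN_RE.match(candidate.strip())
    if not m:
        return "not a 3-2-4 digit pattern"
    area, group, serial = m.group(1), int(m.group(2)), m.group(3)
    # Area 000, 666 and 900-999 were never assigned under this scheme.
    if area == "000" or area == "666" or area >= "900":
        return "area number never issued"
    if group == 0 or serial == "0000":
        return "group or serial number is all zeros"
    high = high_groups.get(area)
    if high is None or high not in _GROUP_RANK:
        return "area not present in high group list"
    # A group later in the issuance order than the area's high group was not
    # yet in use, so the candidate is a false positive (or a typo).
    if _GROUP_RANK[group] > _GROUP_RANK[high]:
        return "group number not yet issued for this area"
    return None


def confirmed_ssns(text: str, high_groups: Dict[str, int]) -> List[str]:
    """Keep only the SSN-shaped tokens in text that pass the high-group check."""
    return [c for c in _CANDIDATE_RE.findall(text) if ssn_issue(c, high_groups) is None]


if __name__ == "__main__":
    table = load_high_group_list(SAMPLE_HIGH_GROUP_TEXT)
    # Constructed message text containing one plausible and two implausible candidates.
    sample = "Please update records 123-03-6789, 123-45-6789 and 666-12-3456."
    for token in _CANDIDATE_RE.findall(sample):
        print(token, "->", ssn_issue(token, table) or "plausible")
    print("confirmed:", confirmed_ssns(sample, table))
```

The point of the high-group step is precision: a bare nine-digit pattern matches invoice numbers and phone fragments as readily as SSNs, and each false positive is a needless blocking dialog for a user and a needless event for a reviewer. Loading the table once and consulting it per candidate keeps the check cheap enough to run inside a real time trigger.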
2, 3 You can iteratively test the SQL query to ensure that it retrieves users as intended. Click Test to test your query. Any users found by the test are appended to the Address List dialog.

Address List dialog (figure)
1 Define your database SQL query to identify the recipients for a legal hold notification (or a notification follow-up).
2 Click Test to test the query.
3 Users retrieved by the query test are appended to the dialog here.
Chapter 3 User administration

The task of managing e-mail and Web activity for a diverse, ever-changing user base is a major challenge. You need user administration with unlimited scalability and flexibility. Orchestria APM provides a streamlined solution based on hierarchical user groups. You manage users and groups in the User Administration screen. This chapter introduces the main tasks and features associated with this screen.

The User Administration screen uses the standard tree layout, and its hierarchical structure also enables you to control your administrators by restricting their management authority to specific branches of this tree.

User Administration screen (figure): User groups are organized using the familiar tree layout.

Groups

A user group is a collection of associated users that share a common policy (though customized policies are permitted). You can create as many groups as you need and arrange them in any way you want. For example, you can organize users into groups based on location, job, or purchasing permissions. Most importantly, user groups provide a vehicle for quickly rolling out policy changes to control Web and e-mail activity across your organization. Each group has its own customizable policy, providing you with a centralized but highly flexible method of user administration.
Managing groups
In the Administration console, you must first expand the User Administration branch. You can then perform these actions. i You can also right-click any group to perform
the actions.
Move groups
To move groups you need to enable the Allow Groups to be Moved policy setting (see page 150). You can easily rearrange groups by moving them into different parent groups. Simply drag-and-drop a group onto a new parent, or select a group and choose Edit > Move To.

Caution: Be aware that moving groups can cause row level security issues and unintended changes to policy (see the following sections).
Rename groups

Select a group and choose Edit > Rename.

Delete groups

Select a group and click Delete, or choose Edit > Delete. When you delete a group, any users in the group are also deleted.
Special groups

Users group

This is the top-level group in the User Administration tree (see the illustration on the previous page). You cannot move or delete this group, though you can rename it. Directly or indirectly, all user groups derive their policy from the Users group. Changes to a single group policy are automatically inherited by all its child groups, and by all users in these child groups. So you need only make a policy change in one place, and Orchestria APM automatically applies this change to affected users.

Parent and child groups: for example, changes to the policy of the Sales group are copied automatically to all users in the Asia, Europe and N America groups.

Parent group: any group that contains another group. Each new group inherits the policy defined for its parent.

Child group: any group contained within a parent group. By default, a child group inherits its parent group policy. Of course, a child group can also be a parent if it contains other groups.

Note: Policy inheritance, and how to enforce or override it, is discussed in chapter 6, Editing policies.

Default group

Caution: When you use Orchestria APM for the first time after installation, we strongly recommend you edit the default group policy. See page 45.

You can make any group the default group. When new users add themselves to Orchestria APM (page 46), they are automatically assigned to this group. The default group is shown in bold in the User Administration screen.

Default group: all self-enrolled new users are added to this group.

Note: If an administrator creates an account for a new user, they can assign the user to any existing group.

Management groups

The management group is the name given to the highest level group in any branch of the user hierarchy that an administrator is permitted to manage. If required, an administrator can have multiple management groups. In effect, management groups limit the administrator's authority to the management groups themselves, plus any groups that they contain. You can assign any existing group as a management group for a particular administrator. Assigning multiple management groups enables an administrator to manage separate branches of the user hierarchy.
Each management group represents a management branch of the user hierarchy. Within each management branch, an administrator can manage user accounts, edit policies, view captured data and so on. Any groups that lie outside this branch are hidden in the console, and cannot be managed by the administrator. In the example below, if group 3 is assigned as a management group, the administrator can only view data captured on behalf of users belonging to groups in branch B.

Management groups: if a management group is 1, 2 or 3, the administrator can manage:
1 Any group in the organization.
2 Groups in branch A, incorporating branch B.
3 Groups in branch B only.

Note: You specify the management group when setting user properties. For details, see page 48.
Group policies
Group policies are one of the most powerful features of Orchestria APM, and provide the basis for centralized, highly flexible user administration. Settings in a group policy are inherited by all users (and all subgroups) in the group. In effect, the group policy is a default policy for all users added to the group. This policy inheritance is the vehicle for fast and flexible policy rollout across your organization. By customizing key policy settings for targeted groups, you can quickly and selectively enforce preferred Web and e-mail behavior across your organization.

Note: Policy inheritance is discussed on pages 119 to 120.

Why is this necessary? The default group is effectively a holding group until you can move new users into more appropriate groups. But when you use Orchestria APM for the first time, there is only one existing group. This is the 'Users' group, and so it is automatically set to be the default group. Of necessity, 'Users' has, and must have, a non-restrictive policy: no settings are disabled, enforced or hidden. This means any new user who inherits this policy has complete freedom to change any setting in their policy. In other words, they could potentially define their own policy to dodge the rules in your organization governing acceptable Web and e-mail usage. But you can easily prevent this by choosing or creating a default group that does have a restrictive policy. That is, key settings in the policy for the default group are enforced, hidden or disabled. This ensures that new users adhere to the rules governing acceptable Web and e-mail usage. For details about policy settings, see page 100.

To edit a group policy, either:

- Right-click the group and choose Edit Policy, or
- Click the policy hyperlink in the right pane. See page 34 for details.

This opens the User Editor. This is discussed in detail in chapter 6, Editing policies.

Caution: After editing a group policy, click Save to save any policy changes. This displays a summary dialog listing all the policy items that you have modified. The summary dialog allows you to confirm, cancel or modify the changes.
Users
This section describes how to add new users, manage user accounts, edit user policies, and control what users can see and do.
New users
There are three ways to add users:

Note the special requirements for administrator-created new accounts (see the next section).
Recreate users
Sometimes it is necessary to re-create a user that was previously deleted. For example, an employee may have left the company and then rejoined at a later date. When a user account is deleted, Orchestria APM marks that user as deleted, but does not remove their user account from the Orchestria APM enterprise. In practice, this means that the user is no longer visible, and no new events can be associated with them. If a user is then created with a user name that matches a single deleted user account, Orchestria APM will automatically recreate that deleted user and add an entry to the Activity log. To do this, you need to configure the CMS machine policy to allow user accounts to be undeleted (see page 150). When a user is recreated, all user attributes and e-mail addresses are set to their previous values, and links to associated events are restored. All privileges, passwords and management groups are set to the default values for a new user.

Note: Users can be recreated in any of the ways described on page 46.
Move a user

Caution: Moving a user can cause unintended changes to their policy!

To move a user to a different group, right-click the user and choose Move Item. Although users normally retain any customized policy settings or attributes when they are moved to a new parent group, it is possible that these will be overwritten if the corresponding settings or attributes inherited from the new parent group are already enforced. To avoid unintended policy changes, you can configure the Administration console to display a warning before you confirm a move. To do this, choose Tools > Options, then go to the User Administration tab. See page 36.
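To make the inheritance and scoping rules in this chapter concrete, here is an added Python model; it is not Orchestria code. The group names mirror the figures above, but the policy settings and the (value, enforced) policy format are constructed. It covers the management-group scoping described under Management groups and the enforced-setting overwrite that the pre-move warning guards against.

```python
"""Toy model of the user hierarchy, policy inheritance and management-group
scoping described in this chapter.  Added example with constructed data; it
is not Orchestria code and does not use the product's real policy format."""

# Constructed group tree (child -> parent), mirroring the figures in the text.
PARENT = {
    "Users": None,
    "New Users": "Users",
    "Management": "Users", "Directors": "Management", "Finance": "Management",
    "Legal": "Users", "Marketing": "Users",
    "Sales": "Users", "Asia": "Sales", "Europe": "Sales", "N America": "Sales",
}

# Constructed group policies: setting -> (value, enforced).  Settings a group
# does not mention are inherited from its parent.  'New Users' plays the
# restrictive default group the text recommends; 'Users' is unrestricted.
POLICY = {
    "Users":     {"web_capture": ("on", False), "capture_lights": ("shown", False)},
    "New Users": {"web_capture": ("on", True),  "capture_lights": ("hidden", True)},
    "Sales":     {"email_capture": ("on", True)},
    "Asia":      {"capture_lights": ("hidden", False)},
}


def ancestors(group):
    """Yield group, then its parent, and so on up to the root 'Users'."""
    while group is not None:
        yield group
        group = PARENT[group]


def resolve(group):
    """Resolve a group's policy: walk root -> group, letting each child
    override its parent's value unless the parent's setting is enforced."""
    resolved = {}
    for g in reversed(list(ancestors(group))):
        for key, (value, enforced) in POLICY.get(g, {}).items():
            if key in resolved and resolved[key][1]:
                continue  # an ancestor enforces this setting; child value ignored
            resolved[key] = (value, enforced)
    return resolved


def effective_policy(group, user_settings=None):
    """Settings a user in `group` actually runs under.  The user's own
    customizations apply last, but an enforced group setting still wins."""
    resolved = resolve(group)
    effective = {key: value for key, (value, _) in resolved.items()}
    for key, value in (user_settings or {}).items():
        if not (key in resolved and resolved[key][1]):
            effective[key] = value
    return effective


def move_warnings(user_settings, new_group):
    """Customized settings that an enforced setting under `new_group` would
    overwrite: the check behind the pre-move warning the console can show."""
    resolved = resolve(new_group)
    return sorted(key for key, value in user_settings.items()
                  if key in resolved and resolved[key][1] and resolved[key][0] != value)


def visible_groups(management_groups, filtering_disabled=False):
    """Groups an administrator may manage: each management group plus every
    group it contains.  `filtering_disabled` models the 'Admin: Disable
    management group filtering' privilege, which bypasses the restriction."""
    if filtering_disabled:
        return set(PARENT)
    return {g for g in PARENT if any(m in ancestors(g) for m in management_groups)}


def can_manage(management_groups, target_group):
    """True if an administrator scoped to `management_groups` may manage
    accounts or view captured data for users in `target_group`."""
    return target_group in visible_groups(management_groups)


if __name__ == "__main__":
    # An administrator scoped to Sales sees Sales and its child groups only.
    print(sorted(visible_groups({"Sales"})))
    # An Asia user who customized email_capture still has it on: Sales enforces it.
    print(effective_policy("Asia", {"email_capture": "off"}))
    # Moving a user with customized settings into the restrictive default group.
    print(move_warnings({"capture_lights": "shown", "web_capture": "off"}, "New Users"))
```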
Delete a user

Select a user and click Delete, or choose Edit > Delete. This removes the user account from the User Administration screen. The CMS database is updated to show the account is no longer active, but the account itself is not deleted from the database. This enables you to search for any deleted user accounts using the Administration Search feature (see page 93). It also allows you to recreate the user at a later date (see the previous section).

Rename a user

Right-click a user and choose Rename. Be aware that renaming individual users can be complicated, and depends entirely on how your CMS policy handles new users. You must be especially careful if your Orchestria APM uses Microsoft Windows user authentication to automatically generate new user accounts. For a full description of user renaming, see page 333.
User policies

This section describes the basic policy tasks. For full details, refer to chapter 6, Editing policies.

To edit a user policy, either:

- Right-click the user and choose Edit Policy, or
- Click the policy hyperlink in the right pane. See page 35 for details.

Caution: After editing a policy, click Save to save any policy changes. This displays a summary dialog listing all the policy items that you have modified. The summary dialog allows you to confirm, cancel or modify the changes.

User properties

Together, these properties define the scope of a user's administrative authority (if any). They also include a user's attributes.

Note: You can find full details about creating managers and administrators, and restricting the scope of their authority, on page 56.
Account history
Sometimes, an administrator will need to change the name or group of a user, for example, if that user gets married, or moves to a different department within the company. To view a user's name or group history:

1 Right-click a user and choose Properties.
2 In the Properties dialog, click the Details tab.
3 Click the Name History or the Group History button to display the date and details of any name or group changes for the current user.
Passwords
You need to supply a password to run some Orchestria APM utilities and the consoles. As a security precaution to prevent unauthorized access to data on the CMS, you cannot set blank passwords.
3 In the Properties dialog, go to the Details tab and click Set Password.
4 There will be a short delay before the user can log in using the new password. This is because the new password must first be replicated to the user's console machine.
Roles

Each user in Orchestria APM is assigned a role, for example, Administrator, Manager, or User. Roles determine the default privileges assigned to a user.

- If the privileges assigned to a role change, Orchestria APM automatically updates the privileges of all users with that role assigned. For example, if you add a privilege to the Manager role, all users with the Manager role are automatically granted the new privilege.
- If an upgrade adds new privileges to a default role, these will be granted automatically to all users with that role when you run the upgrade.
- You can still grant any combination of privileges to an individual user.
- After assigning a role to a user, if you then change the privileges granted to that user, Orchestria APM changes the user's role to Custom. For example, if you grant a Manager the complete set of privileges, that user's role changes from Manager to Custom because their privileges no longer match those associated with the Manager role.

Management groups

These define which branches of the user hierarchy an administrator is permitted to manage (see page 56).

Note: You cannot set or change the management group of a user who has the 'Admin: Disable management group filtering' privilege.
Administrative privileges
Users are granted a default set of privileges based on their role (see opposite). After assigning a role to a user, if you then change the privileges granted to that user, Orchestria APM changes the user's role to Custom. For example, if you grant a Manager the complete set of privileges, that user's role changes from Manager to Custom because their privileges no longer match those associated with the Manager role.

User Properties, Privileges tab. Some privileges may be grayed out because:

- Either you do not have these privileges yourself. You cannot grant privileges to other users unless you have the privilege yourself.
- Or you are viewing your own privileges. You cannot change your own privileges.

Creating a new user role: 1 New role name. Type a name for the role you are creating. 2 Copy from existing role. Select a suitable role from this list to base the new role on. 3 New. Click to create a new role based on the one currently selected.

3 Type a new name for the role you are creating.
4 If necessary, you can change the role to base the new role on using the Copy from existing role list.

Note: You can create as many roles as required, but once created, roles cannot be deleted.
E-mail addresses
Caution: It is critical that user e-mail addresses are kept up to date. This is because key Orchestria APM features (Event Import, policy engines and User Attribute lookup) rely on e-mail address mapping to associate e-mails with specific Orchestria APM users. For details on synchronizing user e-mail addresses in the CMS database with addresses in an external source (for example, Active Directory), see the Deployment guide; search the index for Account Import.

You can associate multiple e-mail addresses with a single Orchestria APM user. This tab enables you to add or modify e-mail addresses for the current user. It is important to keep these addresses up to date as many Orchestria APM features reference them.

Assigning customized user attributes: 1 Options dialog, User Attributes tab. This is where you name the attribute. 2 Example customized attribute. 3 User Properties dialog, Attributes tab. This is where you assign attribute values to the user.
Export parameters
Note: You must enclose the entire parameter value in "double quotes" if that value contains a space.

Use these parameters to:

-g Export group names, with groups organized hierarchically in the exported file.
-u Export user names.
-a Export the attributes assigned to each user. These correspond to the attributes listed in the User Properties dialog.
-r Export the role assigned to each user.
-m Export the management group assigned to each user.
-e Export the e-mail addresses assigned to each user.
-p Specifies that the full group path is preserved in the exported file.
-n Writes the export file using Unicode character sets. Any non-ASCII names (such as names with Japanese characters) are then preserved in the exported file.
-b Defines the base group path. That is, the starting point for the export process.
-s Specifies Spreadsheet Data File as the destination file type. This can be opened in applications such as Microsoft Excel.
-x Specifies XML Data File as the destination file type. This XML file can be edited and re-imported using Account Import. For details, see page 53.

Note: If you do not specify the -s or -x parameter, Orchestria APM exports the data to a command file. This file is compatible with Account Import.

Exporting the user hierarchy enables you to:

- Create an accessible backup of your user hierarchy. You can roll back your user hierarchy by re-importing the hierarchy backup file using Account Import.
- Make changes to the user hierarchy quickly and efficiently using an XML editor. The updated user hierarchy can then simply be re-imported using Account Import.

Note: For details on importing users, see page 54.

Export issues

When you export a user hierarchy, you need to be aware of the following issues.
Importing users
To simplify mass deployments, you can use the Account Import feature to import user details into Orchestria APM from an external Lightweight Directory Access Protocol (LDAP) directory or a source file. Account Import can:

- Import new users and groups into the existing Orchestria APM user hierarchy.
- Reorganize existing Orchestria APM users to synchronize them with an external user hierarchy, for example, an LDAP directory structure.
- Create new Orchestria APM accounts for unknown users. These are imported users who have no corresponding account in Orchestria APM.
- Add a domain as a prefix to all imported user account names, such as UNIPRAXIS\frankschaeffer.
- Update Orchestria APM user accounts with imported attributes such as e-mail addresses and employee IDs.

Import methods

You can import user details by running:

- Account Import wizard: This is the simplest method of importing user details. The wizard can import data from any supported source (see below). Launch the wizard from the Administration console.
- Command line import operations: These enable you to schedule regular import operations, for example, to ensure that your LDAP directory and Orchestria APM user hierarchy stay synchronized. From a command line, you can import data from any supported source (see the next section).
Import sources
Account Import can import user information directly from an LDAP directory, data file or command file:

LDAP directory: The Lightweight Directory Access Protocol (LDAP) enables directory services to manage directory objects. Objects and attributes in an LDAP directory are exposed to any other application that uses the LDAP protocol. Orchestria APM can import user details from the following LDAP directories:

- Microsoft Active Directory
- Novell eDirectory (NDS)
- Netscape/Sun ONE Directory Server
- Domino Server

Data files: These are structured files of user data, in XML or spreadsheet-compatible format. Data files contain encoded versions of an external user hierarchy and include the user details necessary for Orchestria APM to create, or re-create, this external hierarchy on the CMS.

Command files: These are import configuration files containing Orchestria APM user and machine import commands (for example, create new user or set user attribute). Typically, you use import command files to make specific changes to your existing Orchestria APM user hierarchy.

One of the most important uses for Account Import is to synchronize users' e-mail addresses in the CMS database with addresses in an external source, typically an LDAP directory such as Active Directory. Such synchronization is essential for Orchestria APM features that rely on e-mail address mapping (that is, policy engines, user attribute data lookup and Event Import). During synchronization, any addresses in the CMS database that are not present in the LDAP database are deleted from the CMS. That is, if you have manually added an e-mail address to a user in the CMS database, or if an e-mail address has been removed from the LDAP source since the last synchronization, it will be deleted.
In their browser
If you install the Orchestria APM browser integration software on a client machine, you can configure a user's policy to display an acceptable usage message when the user starts up their browser and a set of Orchestria APM capture lights in the browser taskbar. The purpose of the acceptable usage message is to remind the user that their Web activity may be monitored; you can configure both the content of the message and how often it is shown. In the browser, the taskbar capture lights come on to indicate when page captures are in progress. They also give users access to other Orchestria APM features. For example, these capture lights allow users to manually capture pages or transactions. But you can prevent these capture lights from displaying so that users are unaware when Orchestria APM is monitoring their Web activity.

Orchestria APM capture lights: 1 Capture in progress. 2 Transaction detected. 3 XML detected.

To configure the warning message and hide the taskbar capture lights, you must edit the Extensions settings in the user's policy.
To prevent administrators and managers from editing their own policies and reversing these settings, you must enforce the relevant settings in their parent policy, and ensure that the parent policy falls outside the scope of their management groups. For details about enforcing policy settings, see page 117.
Primary administrator
Orchestria APM creates a Primary Administrator account when you install a CMS. The primary administrator has full administrative privileges and full management group coverage. Furthermore, the administrative privileges and management groups assigned to the primary administrator can never be changed. This means it is not possible to withdraw a privilege from this account, or to assign a management group that excludes some groups or users.

Note: You must use this account to configure Orchestria APM after deployment. For further details, see the Deployment guide.
Administrative privileges

For individual administrators and managers, you can assign administrative privileges. These control which features are available to users in the iConsole, Administration console and Data Management console. For example, you can grant or withhold privileges to edit the user hierarchy. Choose from:

Admin: Allow administration searches: Allows a user to search for user, group or machine accounts in the Administration console.

Admin: Allow unrestricted SQL searches: Allows a user to edit the raw SQL search expression generated in the SQL tab when they define a search. Without this privilege, users can view but cannot edit the SQL tab.

Caution: Only the primary administrator is granted this privilege by default. Because this privilege permits users to write unrestricted SQL queries, we strongly recommend that it is granted to other users only when absolutely necessary.

Admin: Edit customizable console text: Allows a user to define audit status descriptions and customized user attributes.

Admin: Edit user roles: Allows a user to edit the default set of administrative privileges assigned to each role.

Admin: Install license file: Allows a user to install a license file on the CMS. The license file determines which policy modules are available in your Orchestria APM installation.

Admin: Install System Definition Files: Allows a user to install a System Definition file on the CMS.

Note: In the current version of Orchestria APM, you can only install a definition file for social security numbers. That is, the US Social Security High Group File.

Admin: Assign Undefined Privileges: Allows a user to acquire any new privilege added to Orchestria APM after an upgrade.

Caution: Only the primary administrator and users with the administrator role are granted this privilege by default. Because this privilege assigns potentially unknown privileges, we strongly recommend that it is granted to other users only when absolutely necessary.

Admin: Manage iConsole: Allows a user to access the Manage Searches section in the iConsole, and install and publish search definition files.

Note: This privilege was previously known as Admin: Manage iConsole searches.

Admin: Change database credentials: Allows a user to reset the credentials for the database accounts (primary user and search user) that Orchestria APM uses to access the CMS database. For details, see the Database guide; search the index for primary user and schema owner.

Note: This privilege is not connected to the Users: Reset user passwords privilege.

Admin: Use single sign-on: Allows a user to log on with Single Sign-on (see page 67), even if the CMS machine policy setting Allow single sign-on? is set to False.

Admin: Disable management group filtering: Allows a user to bypass inbuilt security measures and search for events outside of their management group.

Agents: Edit content agents: Allows a user to create and edit content agents. If a user has neither this privilege nor View content agents (see below), the Content Agents branch is hidden from the user in the Administration console.

Note: This privilege does not affect a user's ability to configure Content Agent triggers.

Agents: View content agents: Allows a user to view content agent details.

Note: This privilege does not affect a user's ability to configure content agent triggers.

Audit: Allow auditing without viewing the event: Allows a user to change the audit status of an event without needing to view it. This also makes it possible to change the audit status of multiple events in a single operation.

Audit: Always suppress automatic auditing: Allows a user to view events without adding a Viewed Event entry to the audit trail. Other audit activities, such as changing an event status or forwarding a copy of the event via e-mail, will create an audit entry.

Audit: Always suppress automatic export logging: Allows a user to export events (to either a self-contained Web site, or a Microsoft Personal Folder) without adding an Exported Event entry to the audit trail.

Audit: Choose to suppress automatic auditing: Allows a user to choose whether to view events without adding a Viewed Event entry to the audit trail. See page 308 for details.

Note: For full access to auditing features in the Audit tab, the user also needs the Audit: Update audit trail privilege (see below).

Audit: Update audit trail: Allows a user to update the audit trail for an individual event.

Audit: View audit trail: Allows a user to view, but not update, the audit trail for an individual event.

Events: Allow bulk session management: Allows a user to access multiple user accounts.

Note: This privilege must be granted to the user account the policy engine hub uses to log on to the CMS.

Events: Allow content searches: Allows a user to search for captured events based on their text content. Content searches are available in the iConsole and Data Management console.

Events: Allow download in original message format: Allows a user to download an e-mail event in its original message format (MSG).

Events: Allow event import: Allows a user to run the Event Import utility. For details, see page 204.

Events: Allow event searches: Allows a user to search for captured Web, e-mail and application data in the iConsole and Data Management console.

Events: Allow export: Allows a user to export search results to a self-contained Web site, a Microsoft Personal Folder (PST file), or a Notes Database (NSF file).

Events: Allow searches of unlimited size: Allows an iConsole reviewer to run unlimited event searches. That is, the iConsole will return all events that match the search criteria, disregarding any result limits defined in the registry.

Note: For this privilege to take effect, the iConsole must be configured for unlimited searches. For details, see the Deployment guide; search the index for iConsole: search results, configuring.

Events: Change expiry dates: Allows a reviewer to edit the expiry date and 'do not delete' flag for an event.

Events: Control quarantined events: Allows a reviewer to either release or reject an e-mail from quarantine.

Events: View captured data: Allows a user to view captured data associated with any user in any of their management groups. This privilege also allows users to use the Content Indexer utility (a necessary task before using content agents or running content searches).

Events: View expiry dates: Allows a user to view the expiry date and 'do not delete' flag for an event.

Machines: Edit the machine hierarchy: Allows a user to access the Machine Administration screen and manage accounts for any Orchestria APM machine. This privilege also permits users to suspend and resume machines.

Machines: View log files: Allows a user to access the Log Files screen.

Machines: View the machine hierarchy: Allows a user to access the Machine Administration screen and view accounts for any Orchestria APM machine.

Policies: Edit policy: Allows a user to view and edit any machine policy and any user policy that falls within any of their management groups.

Policies: Edit the CMS policy: Allows a user to edit the machine policy for the CMS. If you clear this check box, access to the CMS policy is denied but users can still edit other machine policies.

Policies: Replicate changes to clients: Allows a user to replicate any policy changes down to client machines immediately. If a user does not have this privilege, any changes they make will replicate automatically at intervals defined in the CMS policy.

Policies: View policy: Allows a user to view any machine policy and any user policy that falls within any of their management groups.

Stats: Access statistics: Allows a user to view statistics in the Executive console.

Stats: Administer statistics: Allows a user to access the Statistics screen of the Administration console.

Stats: Disable statistics: Allows a user to disable individual statistics in the Statistics screen of the Administration console.

Users: Edit the user hierarchy: Allows a user to access the User Administration screen and manage accounts for any user in their management groups.

Users: Reset user passwords: Allows a user to set a new Orchestria APM password for another user without knowing their existing password.

Note: This privilege does not apply to database logon passwords. These are governed by the Change database credentials privilege.

Users: View the user hierarchy: Allows a user to access the User Administration screen and view accounts for any user in their management groups.

Note: Instructions for assigning administrative privileges are on page 50. Also, roles provide a shortcut method for assigning privileges (see below).

Roles

Roles provide a quick method of assigning administrative privileges. Each Orchestria APM user is assigned a role, which in turn defines a default set of privileges. To assign roles to users, see page 49. After assigning a role, you can still grant any combination of privileges to an individual user. If you do change the privileges granted to a user, Orchestria APM changes that user's role to Custom. For example, if you grant a Manager the complete set of privileges, that user's role changes from Manager to Custom because their privileges no longer match those associated with the Manager role.

Default roles

These roles are provided by default. You can choose from:

Administrator: These administer Orchestria APM. By default, these have the full range of privileges.

Note: If future versions of Orchestria APM introduce new privileges, these will be granted automatically to all users with an Administrator role when you run the upgrade.

Manager: These manage your organization. Their privileges focus on searching for captured data.

Policy administrator: These are permitted to view and edit policies, but not to manage user or machine accounts or search for captured data.

Reviewer: These have the same privileges as Managers but can also view and edit the audit status of captured events.

User: These are ordinary Orchestria APM users with no administrative privileges.

UserRole1 and UserRole2: These are existing custom roles (see below) that you can customize to suit the needs of your organization.
Custom roles
You can create custom roles and assign default privileges to them. For details, see page 50.
4. Machine administration

This chapter introduces the Orchestria APM central management server (CMS), gateways and client machines. It describes the principal functions of these machines, and explains how to administer machine accounts.

Note: Installation, upgrade and uninstallation procedures are described in the Deployment guide.
Machine hierarchy

Orchestria APM machines are organized into hierarchical branches, with the CMS as the top level server. Below the CMS, each branch of the hierarchy is managed by a gateway. Each gateway serves multiple client machines. This type of distributed deployment provides resilience, and network load balancing.

Overview

Orchestria APM installations comprise three main types of machine: a CMS, gateways and client machines.

CMS: This is the central database for your Orchestria APM installation. This database contains the policies for all your users and machines, plus all the captured transactions, Web pages and e-mails.

Gateways: These are intermediate servers, providing resilience and data-routing services between the CMS and client machines. Each gateway can serve multiple client machines or even child gateways.

Client machines: These are computers used by Orchestria APM users. Each has its own machine policy held in a local database. This database also contains policy details and captured data associated with the current user (this captured data is periodically replicated up to the parent server).

Example machine hierarchy: 1 CMS. 2 Gateways. 3 Client machines.

Note: Your Orchestria APM machines are organized in a virtual hierarchy. This does not necessarily relate to your actual network topology or to the hierarchy of users and groups.
62
Machine icons
A single Administration console can connect to multiple CMSs. The CMS tree view and the Machine Administration screen use these icons:
CMS tree icons: CMS group (by default, the top level CMS group is called My Servers). CMS - disconnected (the Orchestria APM user account currently logged on to the Administration console is not logged on to the CMS). CMS - connected. CMS - suspended.
Console-only machines: You manage your Orchestria APM installation using an Administration console. Normally, you would install the console at the same time as you install the Orchestria APM infrastructure. But if required, you can install a console on any computer that can communicate with the CMS, even if that computer is not running the Orchestria APM infrastructure. Console-only installations are described in the Deployment guide; search the index for console-only installations.
Utility machines: These are host machines for the Orchestria APM Content Proxy server and iConsole application servers. Utility machines enable you to run these components without overloading your existing Orchestria APM servers. They inherit the common client machine policy.
The iConsole application server (sometimes referred to as the back-end server) provides the Web service that connects to the CMS. It enables all event search and auditing activity conducted in the iConsole to be written to the CMS. That is, it allows iConsole users to search for, retrieve and audit events stored on the CMS.
63
For a CMS or gateway, if you specify a remote \Data folder then the local infrastructure must log on as a domain user with administrative rights to read and write to the remote folder. For the Remote Data Manager (RDM), the infrastructure must log on as a named user account. Also, this account must have the Log on as a service security privilege and permissions to retrieve data from a third-party archive. See the Deployment guide for details; search the index for RDM.
Security settings control whether Orchestria APM encrypts network data transfers and records in the local database, and whether login credentials for Orchestria APM users are cached. Data Management settings cover data compression, data file block sizes, event purging, and free disk space handling.
Replication settings determine how often the local machine notifies its parent server of newly captured data or local infrastructure changes. These notifications act as triggers for data replication. Logging settings control which infrastructure operations are logged. You specify which operations are logged and the maximum size of log files.
Windows machines
You can stop or restart the infrastructure using the wgninfra service. Run the following commands:
Stop infrastructure: net stop wgninfra
i For further details about Infrastructure settings in the machine policy, see page 145.
Solaris servers
You can stop, start or restart the infrastructure using the wgninfra script. Find this at /etc. The syntax is:
Stop infrastructure: /etc/wgninfra stop
Start infrastructure: /etc/wgninfra start
64
Notification periods
All data replication across an Orchestria APM installation is driven by notification messages:
From the CMS to client machines The CMS database holds policy and administration details for each Orchestria APM user, group and machine. Database changes (for example, policy or account updates) are copied automatically from the CMS, via the gateway servers, to local databases on the client machines.
From client machines to the CMS Each client machine manages a database of locally captured e-mails and Web pages, plus copies of its own machine policy and the user policy for the current user. The local machine policy determines how often captured data and local policy changes are replicated up to the CMS via gateways. i Replication failures are described on page 65.
Captured data: Newly captured events are replicated as soon as possible from client machines to the CMS. The Captured Data Notification Period in the machine policy determines how often a client machine sends notification that it has captured new data. When the CMS receives this notification, it transfers the captured data from the client to the CMS and the client stops sending notifications.
Infrastructure data: The Infrastructure Notification Period in the machine policy determines how often client machines and the CMS notify each other of new infrastructure changes such as policy edits or user account updates. When the recipient machine receives this notification, it determines if it needs the update; if so, it requests the details. As soon as the recipient machine has processed the notification, the sender machine stops sending notifications.
If required, you can also encrypt and compress replicated data: data encryption is described on page 77; data compression is described on page 79.
Data transfers from the CMS Data transfers such as policy changes pass from the CMS database (1) to the gateway databases (2) and finally to databases on client machines (3).
Data transfers from client machines to the CMS Data transfers can include captured Web pages and e-mails, and locally-generated policy changes. This data passes from the client machines (1) via gateways (2) to the CMS database (3).
65
Disable replication
If required, you can disable replication to and from individual machines. For example, you may want to temporarily stop the CMS sending policy change notifications to all Orchestria APM machines. To disable replication, you can either suspend a machine or server, or you can set the replication period to zero.
Replication failures
If a parent server is unable to store a replicated event for any reason, it reports the failure back to the child machine, which writes an entry for the failed event to the replication holding cache. For details, see the Deployment guide; search the index for holding cache.
Suspend a machine
When an Orchestria APM machine is manually suspended, it can neither send nor receive replicated data. For client machines, this means they can neither replicate captured data to their parent server nor receive policy changes from the CMS. For details about suspending a machine, see page 75.
i If a machine is suspended automatically (for example, because of a critical shortage of free disk space), under certain circumstances events captured locally before the suspension are still replicated up to the parent server.
Remember, you will still need to periodically replicate any captured data that accumulates on the laptop. This will require regular (albeit temporary) policy changes to ensure that replication occurs. Alternatively, the laptop will need to make regular connections to its parent server over a LAN. For example, this could happen whenever the laptop user visits the office.
i If you are unable to turn off replication, see Troubleshooting on page 335.
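The sections Notification periods, Replication failures and Suspend a machine describe one mechanism from three angles: a client notifies its parent at the Captured Data Notification Period while it holds unreplicated data, stops once the parent has pulled the data, writes any event the parent cannot store to its replication holding cache, and is suspended automatically when that cache exceeds its limit (see Automatic suspensions below). The following simulation is an added example, not Orchestria APM code; the cache limit, the capture times and the parent's store failures are constructed values, and a period of zero is treated as replication disabled, as the Disable replication section states.

```python
"""Constructed model of client-to-parent replication: notification periods,
the replication holding cache and automatic suspension. Not Orchestria APM
code; the holding-cache limit and the capture times are assumed values."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class ClientMachine:
    name: str
    notification_period: int       # seconds between notifications; 0 disables replication
    holding_cache_limit: int       # max failed events held before automatic suspension (assumed)
    pending: List[str] = field(default_factory=list)        # captured, not yet replicated
    holding_cache: List[str] = field(default_factory=list)  # events the parent failed to store
    suspended: bool = False
    suspend_reason: str = ""
    log: List[str] = field(default_factory=list)

    def capture(self, event_id: str) -> None:
        self.pending.append(event_id)

    def should_notify(self, t: int) -> bool:
        """Notifications are sent only while unreplicated data exists, the machine
        is not suspended and the period is non-zero (zero turns replication off)."""
        if self.suspended or not self.pending or self.notification_period == 0:
            return False
        return t % self.notification_period == 0


def replicate(client: ClientMachine, parent_store: Callable[[str], bool], t: int) -> None:
    """One tick: if the client notifies, the parent pulls every pending event.
    A store failure is reported back to the child, which writes the event to its
    holding cache; exceeding the cache limit suspends the child automatically."""
    if not client.should_notify(t):
        return
    client.log.append(f"t={t}: {client.name} notifies parent of {len(client.pending)} new event(s)")
    for event_id in list(client.pending):
        client.pending.remove(event_id)
        if parent_store(event_id):
            client.log.append(f"t={t}: {event_id} stored on parent")
        else:
            client.holding_cache.append(event_id)
            client.log.append(f"t={t}: parent could not store {event_id}; written to holding cache")
    # nothing is pending any more, so the client stops notifying until the next capture
    if len(client.holding_cache) > client.holding_cache_limit and not client.suspended:
        client.suspended = True
        client.suspend_reason = "holding cache full"
        client.log.append(f"t={t}: {client.name} suspended automatically ({client.suspend_reason})")


def run_simulation(period: int = 30, cache_limit: int = 2,
                   failing_events: frozenset = frozenset(), duration: int = 120) -> ClientMachine:
    """Drive one client for `duration` seconds; events are captured at constructed times."""
    client = ClientMachine("client-01", period, cache_limit)

    def parent_store(event_id: str) -> bool:
        return event_id not in failing_events   # constructed parent: fails only for listed events

    for t in range(duration + 1):
        if t in (5, 40, 70, 95):
            client.capture(f"evt-{t}")
        replicate(client, parent_store, t)
    return client


if __name__ == "__main__":
    for line in run_simulation(failing_events=frozenset({"evt-40", "evt-70", "evt-95"})).log:
        print(line)
```

Running the module prints the event log for a parent that rejects three events in a row: the third rejection pushes the cache past its limit and the client stops notifying from then on, which is the behaviour an administrator sees as an unexpectedly suspended child in the Machine Administration tree.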
66
CMS
The CMS maintains the central database for all your Orchestria APM client machines, and has its own unique, machine policy. This policy includes the standard settings common to all Orchestria APM machine policies, but it also determines how the CMS handles new user and machine accounts, and how it manages multiple concurrent client connections.
Rename a CMS
! We strongly recommend that you do not rename your CMS. For details, see page 335.
Suspend a CMS
If necessary, you can manually suspend a CMS. You may want to do this because, for example, you want to run a cold backup of your Oracle database. Note also that scheduled backups will complete faster on a suspended CMS. You can also manually resume a suspended CMS. See page 76 for further details.
i A CMS may be suspended automatically if free disk space falls to dangerously low levels, or database problems arise, or if a disk failure occurs. For details, see page 74.
67
Connecting to a CMS
Icons in the CMS tree indicate the status of each CMS:
CMS tree (figure): 1 My Servers icon. 2 Disconnected CMS. 3 Connected CMS. 4 Suspended CMS; see the next section.
X Connect to a CMS
1 In the CMS tree, select a disconnected CMS.
2 Right-click the CMS and choose Connect.
3 Supply your logon user name and password.
68
Multiple CMSs
If necessary, you can deploy multiple CMSs, each serving a separate cluster of Orchestria APM machines. You can even connect to any CMS from the Administration console on any client machine, for example, to browse captured data or edit user policies. CMSs are organized in a tree view in the Browse screen of the Administration console:
X Add a CMS
Choose File > Add CMS or click in the toolbar. Then specify the server you want in the Connect to CMS dialog.
69
Gateways
Gateways are data-routing servers, operating between the CMS and client machines. Each gateway serves multiple client machines and is connected to a single parent server, either the CMS or another gateway. This hierarchical, distributed deployment provides resilience and network load balancing.
Managing gateways
In most cases, the procedures for managing gateway servers (editing policies, suspending, moving to a different parent server, and so on) are identical to those for managing client machines. This applies to editing a gateway policy, moving a gateway to a different parent, deleting a machine, and suspending a gateway (see page 76).
3 In the New Machine dialog, enter the computer name (or click Browse to search your network) and choose Gateway.
New Machine dialog (figure)
4 Click OK to create a new account and add the gateway to the Machine Administration screen.
i You can edit the gateway's machine policy immediately, but the new account is not activated until you install the Enterprise Server software on the gateway computer.
Choose Edit > Edit Common Gateway Policy, or right-click any gateway and choose Edit Common Gateway Policy.
Rename a gateway
! We strongly recommend that you do not rename gateways. For details, see page 335.
70
Client machines
Each client machine manages a database of locally captured e-mails and Web pages, plus copies of its own machine policy and the user policy for the current user. Settings in the machine policy determine how often captured data and local policy changes are replicated to the CMS via gateways, and how often redundant database information is purged. In addition to acting as a local agent for capturing or controlling user activity, you can use client machines to manage every aspect of your Orchestria APM installation. To do this, you need to install the Administration, Data Management or Executive console on the relevant client machines (but see also Console-only and utility machines on page 62). For information about installing consoles, see the Deployment guide.
3 In the New Machine dialog, enter the computer name (or click Browse to search your network) and choose Client.
4 Click OK to create a new account and add the client machine to the Machine Administration screen.
i You can edit the client's machine policy immediately, but the new account is not activated until you install the Orchestria APM infrastructure on the client machine.
71
Choose Edit > Edit Common Client Policy, or right-click any client machine and choose Edit Common Client Policy.
i In the common client policy, database purging is turned off. It is essential that you turn this setting on for each new machine. See page 80 for an explanation.
Right-click and choose Edit Policy, or click the policy hyperlink in the right pane. See page 34 for details.
! After editing a policy, click Save to save any policy changes. This displays a summary dialog listing all the policy items that you have modified. The summary dialog allows you to confirm, cancel or modify the changes.
72
<filename> <parameters>
Where:
<filename> defines a name for the destination file.
<parameters> defines the export parameters. Available parameters and parameter rules are described in the next section.
Export parameters
i You must enclose the entire parameter value in "double quotes" if that value contains a space.
Use these parameters to configure Orchestria APM to:
-b Defines the base machine. That is, the starting point for the export process.
-g Export gateways, organized hierarchically in the command file.
-u Export client and utility machines.
-n Writes the export file using Unicode character sets. Any non-ASCII names (such as names with Japanese characters) are then preserved in the exported file.
Export Hierarchy to File dialog (figure)
i If you only export client and utility machines, then the command file is organized in a flat, non-hierarchical structure.
73
Importing machines
To simplify mass deployments, you can bulk create new machine accounts and pre-assign client machines to parent servers in advance of the Orchestria APM rollout. This enables you to deploy multiple client machines using a single source image (which identifies a single parent server) whilst ensuring that each client machine automatically connects to its 'correct' parent server immediately after installation. You can also bulk move (or reparent) existing client machines and gateways to new parent servers. To bulk create new accounts, you import the gateway and client machine details from a command file. You can do this using the Account Import wizard (launched from the Administration console) or you can run a command line import operation. Command files for machine import operations are briefly described in the next section.
74
Machine Policy: Data Management
For each Orchestria APM machine, these policy settings monitor free disk space on the drive hosting the Data folder (this folder, which may be remote, contains configuration data and captured data for the local Orchestria APM installation). You can specify disk space warning and error levels, and how often free disk space is checked. If free space falls below the warning level, warnings are written to the Audit log file. If it then falls below the error level, the Orchestria APM infrastructure is suspended. Note that the infrastructure restarts automatically when free disk space recovers to the warning level.
Changing levels of free disk space (figure; the Warning level and Error level are marked): 1 Free disk space falls below the Warning level. 2 During this period, warnings are added to the log file. 3 Free disk space falls below the Error level. 4 During this period, the Orchestria APM infrastructure is suspended. 5 Free disk space recovers above the Warning level and the Orchestria APM infrastructure resumes automatically.
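The warning and error levels form a hysteresis band: a machine that has been suspended below the error level stays suspended while free space sits between the two levels, and only resumes once space recovers to the warning level. The monitor below is an added example, not Orchestria APM code; it treats the levels as megabytes (an assumption) and feeds in a constructed series of scheduled checks.

```python
"""Constructed free-disk-space monitor with warning and error levels and
automatic suspend/resume, modelled on the Data Management settings above.
Not Orchestria APM code; level units (MB) and the sample readings are assumed."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DiskSpaceMonitor:
    warning_level: int              # warnings are logged below this level
    error_level: int                # the infrastructure is suspended below this level
    suspended: bool = False
    audit_log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # An error level at or above the warning level would suspend without warning.
        if self.error_level >= self.warning_level:
            raise ValueError("error level must be below warning level")

    def check(self, free_mb: int, when: str) -> str:
        """Evaluate one scheduled free-space check; returns the resulting state."""
        if free_mb < self.error_level:
            if not self.suspended:
                self.suspended = True
                self.audit_log.append(
                    f"{when}: ERROR free={free_mb}MB below {self.error_level}MB; infrastructure suspended")
            return "suspended"
        if free_mb < self.warning_level:
            # Between the two levels: warn, but keep the current state. A machine that
            # is already suspended stays suspended until space recovers to the warning level.
            self.audit_log.append(f"{when}: WARNING free={free_mb}MB below {self.warning_level}MB")
            return "suspended" if self.suspended else "warning"
        if self.suspended:
            self.suspended = False
            self.audit_log.append(
                f"{when}: free={free_mb}MB recovered to {self.warning_level}MB; infrastructure resumed")
        return "running"


# Constructed readings (time, free MB) for one morning of scheduled checks.
CONSTRUCTED_SAMPLES: List[Tuple[str, int]] = [
    ("08:00", 4000), ("08:15", 1500), ("08:30", 400), ("08:45", 1000), ("09:00", 3000),
]


def run_scenario(samples: List[Tuple[str, int]], warning_level: int = 2048,
                 error_level: int = 512) -> Tuple[List[str], DiskSpaceMonitor]:
    monitor = DiskSpaceMonitor(warning_level, error_level)
    return [monitor.check(free, when) for when, free in samples], monitor


if __name__ == "__main__":
    states, monitor = run_scenario(CONSTRUCTED_SAMPLES)
    print(states)
    print("\n".join(monitor.audit_log))
```

The 08:45 reading is the interesting one: free space is back above the error level, yet the machine remains suspended because it has not reached the warning level, which is exactly the period marked 4 in the figure.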
75
Suspended machines
When a CMS, gateway or client machine is suspended, all notification activity ceases. That is, the machine is unable to receive data such as policy updates or (for the CMS and gateways) newly captured data. For details about which operations are still available on suspended machines, see page 76.
Automatic suspensions
The infrastructure on Orchestria APM machines is suspended automatically if:
Free disk space falls below the Error Level. This level is defined in the Infrastructure > Data Management folder of the machine policy. See page 145 for details.
Database problems arise. For example, Orchestria APM suspends a machine if there is a communication failure with the local database, or if the local database becomes full (that is, it fills its allocated space quota).
A disk failure occurs. If a parent server is unable to replicate data because of a disk failure on a child machine, Orchestria APM suspends the child machine.
The replication holding cache becomes full. Events that fail to replicate successfully are stored in a holding cache. If the cache's maximum event limit is exceeded, Orchestria APM suspends the child machine. For details, see the Deployment guide; search the index for holding cache.
Machine Administration tree (figure): 1 Machine Administration icon. 2 Active CMS. 3 Suspended CMS. 4 Gateway server. 5 Client machine.
Manual suspensions
If necessary, you can manually suspend Orchestria APM machines. For example, you may do this to carry out machine maintenance. Similarly, a scheduled backup will complete faster on a suspended CMS because data transfers to the CMS are discontinued until it resumes data processing.
76
Replication: If a client machine is suspended automatically due to a lack of free disk space or because the local database is full, data captured on the client machine before the suspension occurred is still replicated up to the parent server.
i If a client machine is suspended for other reasons (for example, a manual suspension), captured data is not replicated up to the parent server until the client machine resumes.
Policy: If the machine was suspended manually, you can still edit user and machine policies on suspended machines. For example, even if you suspended the CMS you can still amend the policy of any machine or any user in your management groups.
i These policy changes are not replicated to the relevant client machine until the CMS resumes.
Control triggers and actions: On a suspended client machine, control triggers and actions continue to operate but the resulting control events are not saved. For example, you cannot search for blockings or warnings that occurred on suspended machines.
i Capture and transaction triggers do not operate on a suspended machine.
77
Data encryption
You can optionally encrypt data stored on Orchestria APM machines plus data transfers between these machines. Encryption is controlled by settings in the machine policy. There is also a command line method for manually changing the master encryption key on each machine.
Encryption keys
Each Orchestria APM machine has a unique encryption key that is used when writing blob files to disk. Further settings in the machine policy determine how often the local key is changed. By default, regular key changes occur automatically to reduce your exposure to security risk. Limiting the volume of data encrypted with a single key means it is harder for an intruder to crack the key. It also means that in the unlikely event they succeed, they will only gain access to a small part of your total data store. Note that superseded keys are retained so that older files can still be read. In normal situations, it is not necessary to edit these policy settings because the default values have been carefully chosen. But if you need to strengthen security on the CMS (or a gateway), you can modify two key replacement thresholds:
Time interval: The key is changed after the specified number of days. For example, you can specify a key change every seven days.
Volume of data: The key is changed after it has encrypted the specified volume of data. For example, you can specify a key change after every 1GB of captured data. (On the CMS, this threshold measures how much data has been captured and encrypted across your entire Orchestria APM installation.)
These thresholds operate in parallel. The encryption key is changed as soon as either threshold is exceeded, and both threshold counters are immediately reset to zero.
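The two thresholds are worth seeing as code, because the details that matter for data recovery are easy to get wrong: both counters reset together on every change, whichever threshold fired, and every superseded key must stay on the key ring or older blob files become unreadable. The key ring below is an added example, not Orchestria APM code; the manual does not name the product's cipher, so the SHA-256 XOR keystream is a stand-in for illustration only, and the blob sizes and days are constructed.

```python
"""Constructed model of encryption key rotation by time interval or data volume,
retaining superseded keys so older blob files remain readable. Not Orchestria APM
code: the XOR keystream is a stand-in for the product's (unspecified) cipher, and
the two thresholds correspond to the Data Store Encryption Key Change settings."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MB = 1024 * 1024


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 over key||counter. Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    stream = _keystream(key, len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")).to_bytes(len(data), "big")


@dataclass
class KeyRing:
    interval_days: int                     # interval threshold, in days
    volume_mb: int                         # volume threshold, in megabytes
    keys: Dict[int, bytes] = field(default_factory=dict)   # key id -> key; superseded keys retained
    current_id: int = 0
    last_change_day: int = 0
    bytes_since_change: int = 0
    rotations: List[Tuple[int, int, str]] = field(default_factory=list)   # (day, key id, reason)

    def __post_init__(self) -> None:
        self._rotate(day=0, reason="initial")

    def _rotate(self, day: int, reason: str) -> None:
        self.current_id += 1
        self.keys[self.current_id] = os.urandom(32)    # old keys stay in self.keys
        self.last_change_day = day                      # both counters reset together
        self.bytes_since_change = 0
        self.rotations.append((day, self.current_id, reason))

    def write_blob(self, day: int, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one blob on `day`: rotate first if the interval has elapsed, and
        afterwards if this write takes the encrypted volume over the threshold."""
        if day - self.last_change_day >= self.interval_days:
            self._rotate(day, "interval")
        blob = (self.current_id, _xor(plaintext, self.keys[self.current_id]))
        self.bytes_since_change += len(plaintext)
        if self.bytes_since_change >= self.volume_mb * MB:
            self._rotate(day, "volume")
        return blob

    def read_blob(self, blob: Tuple[int, bytes]) -> bytes:
        key_id, ciphertext = blob
        return _xor(ciphertext, self.keys[key_id])     # works for superseded keys too


def demo() -> Tuple[KeyRing, List[Tuple[int, bytes]]]:
    """Seven-day interval, 1 MB volume; constructed writes as (day, size in bytes)."""
    ring = KeyRing(interval_days=7, volume_mb=1)
    writes = [(1, 600 * 1024), (3, 500 * 1024), (9, 100 * 1024), (11, 100 * 1024)]
    blobs = [ring.write_blob(day, bytes([day]) * size) for day, size in writes]
    return ring, blobs


if __name__ == "__main__":
    ring, blobs = demo()
    print(ring.rotations)                      # (0, 1, initial), (3, 2, volume), (11, 3, interval)
    print([key_id for key_id, _ in blobs])     # 1, 1, 2, 3
```

In the demo the second write crosses the 1 MB volume threshold on day 3, which resets the interval clock as well, so the interval-triggered change happens on day 11 rather than day 7.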
78
Machine Policy, Security folder (figure)
4 Edit the two Data Store Encryption Key Change settings. The Volume threshold is defined in megabytes; the Interval threshold is defined in days. Save the machine policy.
Orchestria APM provides a command line method for manually changing the master encryption key. The command syntax is:
wgninfra -exec wigan/infrastruct/database/KeyServices ManageKeys -m
Where: wigan/infrastruct/database/KeyServices is the Java class path. You must type this path exactly as shown here. ManageKeys identifies the command as an encryption key operation. -m specifies that the operation applies to the local master key.
The master key change operation prevents the automatic creation of new blob file encryption keys while the master key change is underway or when a machine is starting up, and scrupulously records each stage of the process in key change recovery files to enable automatic rollback if the key change fails.
79
Data compression
Machine policy settings allow you to compress data stored on the local server and data replicated between Orchestria APM machines.
The receiving machine is not configured to store compressed data (that is, its Compress Stored Data? setting is set to False), or
The sending and receiving machines use differing block sizes (that is, the Data File Block Size settings on the two machines are set to different values).
80
Event purging
Settings in the machine policy control how often events are purged. By default, purging is turned off on Orchestria APM machines, but we recommend that you enable purging, especially on your gateways and client machines.
i For details about what data is purged, see below.
The simplest strategy is to implement purging after replication. Under this strategy, individual items of captured data are automatically excluded from purges until they have been replicated to the parent server. Only items that have already been replicated can become eligible for purging. To roll out a purging strategy across all of your gateways and client machines, simply edit the Common Gateway Policy and Common Client Policy. If required, you can still specify a custom purge strategy for individual machines by editing their machine policy directly.
Purging strategies
You need a separate purging strategy for your CMS, which holds captured data for your entire organization, and one or more strategies for your gateways and client machines. To implement these strategies, you need to configure the CMS, common gateway and common client machine policies. Instructions are given on page 81.
Partition-based purges
Applicable to Oracle databases only. The Orchestria APM database schema includes support for Oracle database partitioning based on event time stamps, and for partition-based purging. For full details, see the Database guide; search the index for partition-based purging.
CMS purges
Compliance-seeking organizations need to implement an event purging strategy that meets regulatory requirements on the storage and retention of historical communications. Typically, this strategy requires scheduled purges. These run at regular intervals and are configurable in the CMS machine policy. If you set up scheduled purging, you must also specify the minimum retention period for captured items before they become eligible for purging. For example, you may be required to retain e-mails for a minimum of three years. For details about the minimum retention period, see page 81.
A database entry contains the event metadata. For example, database fields specify an e-mail's delivery date, 'envelope' details, what policy triggers were applied, and so on. Later sections in this chapter focus on purging these database entries.
A blob file contains the e-mail content and any attachments, or the Web page plus any uploaded files, stored in Orchestria APM format. The blob file is written to disk and saved in the \Data folder (or migrated to EMC Centera, if required).
81
Purge SPs
For both SQL Server and Oracle databases, Orchestria APM supports stored procedures (SPs). Public SPs, supplied with Orchestria APM, provide default purging functionality and can be overridden by your own custom SPs, if required. When the Orchestria APM infrastructure runs a database purge, it invokes the required public or custom purge SPs. Before a purge runs, the infrastructure also checks for any pre-purge SPs; when the purge completes or terminates, it checks for any post-purge SPs. For full details, see the Database guide; search the index for SPs.
For a captured event, that is, an e-mail or Web page captured by an Orchestria APM client or server agent, the age is calculated from the time the trigger activated. For imported e-mails, the age is determined by the EMail.EventDateFromEMail parameter. This specifies whether the e-mail's capture date is set from the date in the e-mail itself or the date when it was imported. This parameter is described in the Deployment guide; search the index for parameters: Event Import.
For all gateways, right-click the CMS and choose Edit Common Gateway Policy.
For all client machines, right-click the CMS and choose Edit Common Client Policy.
A reviewer may need to put an unauthorized e-mail on litigation hold. They can do this in the Review dialog of the Data Management console by overriding the expiry date of that e-mail's retention period. For example, they can specify that the retention period never expires. See page 303. Policy administrators can set a custom retention period for all events captured by a specific trigger. For example, they may want to retain events captured by an Application Monitor trigger for one month only, but retain events captured by an e-mail trigger for three years. For details, see page 82.
82
Set the purge frequency: You can configure purges to run immediately after the data has been replicated, or you can schedule purges to run at regular intervals.
3 In the User Policy Editor, browse to the trigger you want and display the trigger settings.
4 For any Capture or Transaction trigger, edit the Minimum Retention Period (Days) setting as required.
83
Scheduled purges
To schedule regular purges, edit these settings in the Data Management folder of the local machine policy.
Edit the policy for the machine or machines on which you want to turn off purging. For example, to turn off purging on all gateways, right-click the CMS and choose Edit Common Gateway Policy.
In the Machine Policy Editor, browse to the Data Management folder.
Set Purge Events on Replication? to False (clear the check box).
Set Event Purge Frequency (Days) to 0 (zero) days.
Save the policy. Event purging is turned off as soon as the new settings replicate to the target Orchestria APM machines.
Minimum Retention (Days) Confirm or reset this setting. It defaults to 1,095 days, ensuring that the next purge removes all items more than three years old (see Minimum retention period on page 81).
i You can override this default minimum retention period; see page 81 for details.
Event Purge Frequency (Days) By default, this is set to zero. Reset this to one day to schedule daily purges.
Event Purge Time (Minutes) Specify at what time the purge runs. Particularly for gateways, you may want to run purges when there is little or no user activity to minimize the impact on machine performance. To specify the purge time, enter the number of minutes after midnight (local time). For example, enter 180 to specify a 03.00 am purge. By default, this setting corresponds to 01.00 am.
i If you are editing the Common Client or the Common Gateway policies, you can enforce a setting for all client machines and gateways by clicking Enforce Items.
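The purging sections above spread the eligibility rules over several pages: an item is never purged before replication under the purge-after-replication strategy, its age runs from the trigger activation time, the Minimum Retention (Days) default of 1,095 can be overridden per trigger, a litigation hold removes the expiry altogether, and a scheduled purge runs at Event Purge Time minutes after midnight every Event Purge Frequency days. The code below is an added example that pulls those rules together, not Orchestria APM code or its stored procedures; the event fields, the `require_replicated` switch (False for the CMS, which has no parent) and the sample events are assumptions.

```python
"""Constructed model of event purge eligibility and scheduling, following the
rules described above. Not Orchestria APM code; field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional


@dataclass
class PurgePolicy:
    purge_on_replication: bool = False    # Purge Events on Replication?
    minimum_retention_days: int = 1095    # Minimum Retention (Days)
    purge_frequency_days: int = 0         # Event Purge Frequency (Days); 0 = no scheduled purges
    purge_time_minutes: int = 60          # Event Purge Time (Minutes) after midnight; 60 = 01.00 am

    def __post_init__(self) -> None:
        if not 0 <= self.purge_time_minutes < 24 * 60:
            raise ValueError("Event Purge Time must be minutes within one day")


@dataclass
class CapturedEvent:
    event_id: str
    trigger_time: datetime                  # age is measured from when the trigger activated
    replicated: bool                        # already copied to the parent server?
    trigger_retention_days: Optional[int] = None   # per-trigger Minimum Retention Period (Days)
    litigation_hold: bool = False           # reviewer set the retention period to never expire


def purging_enabled(policy: PurgePolicy) -> bool:
    """Both settings at the common-policy defaults means purging is off."""
    return policy.purge_on_replication or policy.purge_frequency_days > 0


def effective_retention_days(event: CapturedEvent, policy: PurgePolicy) -> int:
    if event.trigger_retention_days is not None:
        return event.trigger_retention_days
    return policy.minimum_retention_days


def is_purgeable(event: CapturedEvent, policy: PurgePolicy, now: datetime,
                 require_replicated: bool = True) -> bool:
    """require_replicated models purge-after-replication on gateways and clients;
    the CMS has no parent to replicate to, so it passes False."""
    if event.litigation_hold:
        return False
    if require_replicated and not event.replicated:
        return False
    age_days = (now - event.trigger_time).days
    return age_days >= effective_retention_days(event, policy)


def select_for_purge(events: List[CapturedEvent], policy: PurgePolicy, now: datetime,
                     require_replicated: bool = True) -> List[str]:
    if not purging_enabled(policy):
        return []
    return [e.event_id for e in events if is_purgeable(e, policy, now, require_replicated)]


def next_scheduled_purge(policy: PurgePolicy, now: datetime) -> Optional[datetime]:
    """Next run of a scheduled purge, or None when scheduled purging is off."""
    if policy.purge_frequency_days == 0:
        return None
    at = time(policy.purge_time_minutes // 60, policy.purge_time_minutes % 60)
    candidate = datetime.combine(now.date(), at)
    if candidate <= now:
        candidate += timedelta(days=policy.purge_frequency_days)
    return candidate


def sample_events() -> List[CapturedEvent]:
    """Constructed sample data."""
    return [
        CapturedEvent("old-replicated", datetime(2005, 1, 1, 9, 0), True),
        CapturedEvent("old-unreplicated", datetime(2005, 1, 1, 9, 0), False),
        CapturedEvent("old-on-hold", datetime(2005, 1, 1, 9, 0), True, litigation_hold=True),
        CapturedEvent("appmon-30-days", datetime(2008, 4, 1, 9, 0), True, trigger_retention_days=30),
        CapturedEvent("recent-email", datetime(2008, 5, 1, 9, 0), True),
    ]


if __name__ == "__main__":
    now = datetime(2008, 6, 1, 12, 0)
    print(select_for_purge(sample_events(), PurgePolicy(purge_on_replication=True), now))
    print(next_scheduled_purge(PurgePolicy(purge_frequency_days=1, purge_time_minutes=180), now))
```

With the default policy nothing is selected, which is the state every new machine starts in and the reason the earlier note insists that purging be turned on for each new client. The unreplicated three-year-old event is selected only when `require_replicated` is False, the CMS case.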
84
Purge performance
The following settings provide further control over purge operations:
Event Purge Temporary Storage Size You can specify the maximum number of database rows that can be stored in a temporary table at one time. For efficient purge processing, Orchestria APM retrieves events flagged for purging and stores them in a temporary database table. When the temporary table has been fully purged, Orchestria APM refills it with the next batch of events flagged for purging. This process repeats until the purge completes or times out. This setting prevents the temporary table becoming too large and adversely affecting performance.
i This setting applies only to the default purge process. It may not apply to custom purge processes.
Suspend Infrastructure During Purge? You can choose whether to suspend the infrastructure during scheduled purges. Select this setting (set it to True) to automatically suspend the infrastructure while the scheduled purge runs (unless the infrastructure is already suspended). Typically, you may want to suspend the infrastructure while performing other purge-related database activity or for performance reasons. For example, purging may be faster with foreign key constraints removed from certain tables. In this situation, we recommend that you pause replication activity while the purge runs to prevent new data being written to the database while these constraints are removed; suspending the infrastructure guarantees that all replication activity is paused for the duration of the purge.
Event Purge Timeout (Minutes) In addition to specifying when a purge starts, you can also specify the maximum time (in minutes) that a database purge can run for. You may want to limit the purge duration so that, for example, it does not coincide with replication or import operations. When the timeout expires, the purge is terminated.
Event Purge Batch Size When purging a database, Orchestria APM can delete a batch of rows in a single operation. You can specify how many rows are included in each batch deletion. Larger batch sizes mean bigger database transactions and more DBMS locks. Note that a single purge operation typically includes multiple batch deletions.
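How the three sizing settings interact is easier to reason about with a model of the loop: the temporary table is filled with at most Event Purge Temporary Storage Size rows, those rows are deleted Event Purge Batch Size at a time (one transaction and one set of locks per batch), the table is refilled, and the whole thing stops when Event Purge Timeout (Minutes) expires. The simulation below is an added example, not the product's purge stored procedures; the cost per batch is an assumed constant so that the timeout can be exercised offline.

```python
"""Constructed model of the batched purge loop described above. Not the
product's stored procedures; the per-batch cost in minutes is assumed."""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class PurgeStats:
    rows_deleted: int = 0
    batches: int = 0             # each batch is one DELETE transaction holding its own locks
    temp_table_fills: int = 0    # how many times the temporary table was (re)filled
    elapsed_minutes: float = 0.0
    timed_out: bool = False


def run_purge(flagged_rows: Sequence[int], temp_storage_size: int, batch_size: int,
              timeout_minutes: float, minutes_per_batch: float) -> PurgeStats:
    """flagged_rows: ids of events already found eligible for purging."""
    if temp_storage_size <= 0 or batch_size <= 0:
        raise ValueError("temporary storage size and batch size must be positive")
    stats = PurgeStats()
    remaining: List[int] = list(flagged_rows)
    temp_table: List[int] = []

    def time_left() -> bool:
        # Only start another batch if it can finish inside Event Purge Timeout.
        return stats.elapsed_minutes + minutes_per_batch <= timeout_minutes

    while remaining and time_left():
        temp_table = remaining[:temp_storage_size]      # refill with the next flagged chunk
        remaining = remaining[temp_storage_size:]
        stats.temp_table_fills += 1
        while temp_table and time_left():
            batch, temp_table = temp_table[:batch_size], temp_table[batch_size:]
            stats.rows_deleted += len(batch)             # one DELETE of len(batch) rows
            stats.batches += 1
            stats.elapsed_minutes += minutes_per_batch
    # The loops only leave rows behind when the timeout stopped them.
    stats.timed_out = bool(remaining) or bool(temp_table)
    return stats


if __name__ == "__main__":
    rows = list(range(10_000))      # constructed: 10,000 events flagged for purging
    print(run_purge(rows, temp_storage_size=2500, batch_size=500, timeout_minutes=60, minutes_per_batch=0.5))
    print(run_purge(rows, temp_storage_size=2500, batch_size=500, timeout_minutes=5, minutes_per_batch=0.5))
    print(run_purge(rows, temp_storage_size=2500, batch_size=2500, timeout_minutes=60, minutes_per_batch=0.5))
```

Comparing the first and third runs shows the trade-off the text describes: a larger batch size cuts the number of transactions from 20 to 4, at the price of each transaction locking five times as many rows; the second run shows a timeout leaving half the flagged events for the next scheduled purge.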
85
Machine diagnostics
The CMS collects machine diagnostic data from all Orchestria APM servers and client machines in the machine hierarchy. This data underlies the diagnostic machine and user searches available in the Administration console. To minimize network impact, you can configure when and how this diagnostic data is collected.
Collection Time: Defaults to 720 (12 hours or 12.00 pm). This setting specifies when, or how often, diagnostic data is collected. This is dependent on the Collection Frequency setting (see below). If the Collection Frequency is:
Collection Frequency: Defaults to 1. This setting indicates how often (in days) diagnostic data is collected. If the Collection Frequency is zero, data is collected more frequently than once a day; this depends on the Collection Time setting; see above. If the Collection Frequency and Collection Time are both zero, automatic scheduled collections are disabled.
86
Collection Period: Defaults to zero. This setting determines how long (in minutes) the CMS or gateway spends collecting diagnostic data. For example, if the Collection Frequency is 1 and the Collection Period is 120, then diagnostics will be collected daily over a two-hour period. If the Collection Period is zero, the server automatically calculates an appropriate collection period.
Session Record Expiry Period: Defaults to seven days. This setting is used to rectify inaccurate session records identified when processing the diagnostic data. That is, a user account is logged out of Orchestria APM, but the session record on the parent server indicates the user is still logged in. For example, this may happen if problems occur when uninstalling a client machine. How does this setting work? If diagnostic data from a child machine indicates the machine has not been running for longer than this expiry period, all open machine and user sessions for this machine are updated to the Logged Out state. If the Session Record Expiry Period is zero, session records are never cleared by this method.
Number of Collection Threads: This setting is only invoked if there has been no communication between the parent and child machine. To minimize network impact, diagnostic data is collected as part of the normal communications between a parent and its child machines. But if there has been no communication between these machines during the collection period, additional threads are created specifically to actively collect this diagnostic data. This Collection Threads setting specifies the maximum number of additional threads used simultaneously to collect and process diagnostic data from child machines. It defaults to 10. You can increase concurrency by raising the number of collection threads. This reduces the time needed to collect the data but also has a greater impact on your network. Alternatively, you may choose to reduce the number of collection threads so that data trickles back to the parent server, lengthening the collection time but reducing network load.
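The Session Record Expiry Period rule is a small piece of logic with a security consequence: a stale "logged in" record on the parent misrepresents who is active on a machine, so it pays to be precise about when the rule fires and when the zero setting switches it off. The function below is an added example of that rule, not Orchestria APM code; the session record fields and the sample state, in which one client was uninstalled without logging out, are constructed.

```python
"""Constructed model of the Session Record Expiry Period rule described above.
Not Orchestria APM code; record fields and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionRecord:
    machine: str
    user: Optional[str]          # None for the machine's own session
    state: str = "Logged In"


def expire_stale_sessions(sessions: List[SessionRecord], last_running: Dict[str, datetime],
                          now: datetime, expiry_days: int) -> int:
    """last_running maps a child machine to the last time diagnostic data showed it
    running. Every open machine and user session of a machine that has not been
    running for longer than expiry_days is set to Logged Out. Returns the number of
    records changed; expiry_days == 0 disables this method, as the setting's zero does."""
    if expiry_days == 0:
        return 0
    cutoff = now - timedelta(days=expiry_days)
    changed = 0
    for record in sessions:
        if record.state != "Logged In":
            continue
        seen = last_running.get(record.machine)
        if seen is not None and seen < cutoff:
            record.state = "Logged Out"
            changed += 1
    return changed


def sample_data() -> Tuple[List[SessionRecord], Dict[str, datetime]]:
    """Constructed parent-server state: pc-a last reported three weeks ago (a client
    uninstalled without logging out), pc-b reported two days ago."""
    sessions = [
        SessionRecord("pc-a", None),
        SessionRecord("pc-a", "bob"),
        SessionRecord("pc-a", "carol", state="Logged Out"),
        SessionRecord("pc-b", "alice"),
    ]
    last_running = {"pc-a": datetime(2008, 5, 20), "pc-b": datetime(2008, 6, 8)}
    return sessions, last_running


if __name__ == "__main__":
    sessions, last_running = sample_data()
    print(expire_stale_sessions(sessions, last_running, datetime(2008, 6, 10), expiry_days=7))
    print([(s.machine, s.user, s.state) for s in sessions])
```

A machine with no diagnostic data at all is left untouched here, because the page only describes the case where the data shows the machine has stopped running; that choice is an assumption of the example.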
87
Replication checkpoints
Checkpoints enable administrators to check child machines are up-to-date in terms of policy updates and other infrastructure data (that is, user and machine details). The CMS generates a checkpoint record and adds this to the replication queue, from where it is subsequently sent to all child machines. Each child machine then returns a checkpoint acknowledgment. This is a confirmation that the child machine has received all infrastructure updates sent prior to this latest checkpoint. Note that acknowledgments are fast-tracked back to the CMS to allow rapid diagnosis of your Orchestria APM deployment. Checkpoints can be generated automatically, for example, at 01.00 am every day or after every 1,000 infrastructure updates. You can also manually generate checkpoints and configure how long checkpoints and their acknowledgment are retained in the CMS database.
Manual checkpoints
If required, you can manually set checkpoints. For example, you may want to send a custom checkpoint after making changes to your user hierarchy or after running a major Account Import job. To set a manual checkpoint: 1 In the Administration console, choose Tools > Generate Checkpoint. In the resulting dialog, specify a description of the checkpoint and click Generate. A checkpoint ID appears in the dialog. Note: The checkpoint ID can be copied to the Windows clipboard for use when running a custom administration search for machines; see page 95.
Automatic checkpoints
You can configure the CMS to generate checkpoints automatically, at regular intervals or after a specified number of infrastructure updates. To do this, or to disable automatic checkpoints, you edit the CMS machine policy. For details, see page 88. Automatic checkpoints are assigned a checkpoint ID and description, both of which can be used when running a custom administration search for machines; see page 95. Automatic checkpoints are assigned one of two checkpoint descriptions:
Scheduled: Specifies a regular checkpoint generated using the Checkpoint Time and Checkpoint Frequency machine policy settings.
Triggered by update count threshold: Specifies a checkpoint generated by the Update Count Threshold machine policy setting.
Checkpoint Time: Defaults to 1140 (19 hours or 7.00 pm). This setting specifies when checkpoints are generated, or how often they are generated. This is dependent on the Checkpoint Frequency setting. If the Checkpoint Frequency setting is:
Checkpoint Frequency: Defaults to 1. This setting indicates how often (in days) checkpoints are generated. If the Checkpoint Frequency is zero, then scheduled checkpoints are either disabled or generated more frequently than one a day; this depends on the Checkpoint Time setting; see above.
Checkpoint Retention (days): Defaults to 60. This setting specifies how many days checkpoints and their acknowledgments are retained on the CMS. Set this value to zero to permanently retain checkpoints and acknowledgments.
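The checkpoint records and acknowledgments described above are what the machine health searches on page 95 evaluate (for example, "machines that have failed to acknowledge the last five checkpoints"). The following Python is an added example, not code from Orchestria APM or this manual: it takes constructed checkpoint and acknowledgment records, reports which machines have missed the most recent checkpoints, lists the checkpoint records that fall outside the Checkpoint Retention period (zero meaning keep forever), and converts a Checkpoint Time value such as the default 1140 into a clock time. The record layout and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not taken from a real CMS database).
NOW = datetime(2008, 3, 1, 19, 0)

# Checkpoint records as a CMS might hold them: id, generation time, description.
CHECKPOINTS = [
    {"id": 101, "generated": NOW - timedelta(days=70), "description": "Scheduled"},
    {"id": 102, "generated": NOW - timedelta(days=65), "description": "Scheduled"},
    {"id": 103, "generated": NOW - timedelta(days=3), "description": "Scheduled"},
    {"id": 104, "generated": NOW - timedelta(days=2),
     "description": "Triggered by update count threshold"},
    {"id": 105, "generated": NOW - timedelta(days=1), "description": "Scheduled"},
]

# Acknowledgments received so far, keyed by child machine name (constructed).
ACKS = {
    "client-01": {101, 102, 103, 104, 105},
    "client-02": {101, 102},
    "gateway-01": set(),
}


def checkpoint_time_of_day(minutes_after_midnight):
    """Convert a Checkpoint Time value (minutes after midnight) to (hour, minute).
    The manual's default of 1140 is 19:00."""
    if not 0 <= minutes_after_midnight < 24 * 60:
        raise ValueError("Checkpoint Time must be between 0 and 1439 minutes")
    return divmod(minutes_after_midnight, 60)


def missed_checkpoints(checkpoints, acks, machine, last_n):
    """IDs among the last_n most recent checkpoints that `machine` has not acknowledged."""
    recent = sorted(checkpoints, key=lambda c: c["generated"])[-last_n:]
    acked = acks.get(machine, set())
    return [c["id"] for c in recent if c["id"] not in acked]


def machines_missing_all(checkpoints, acks, machines, last_n):
    """Machines that failed to acknowledge every one of the last_n checkpoints,
    i.e. the condition behind a 'missed the last N checkpoints' health search."""
    n = min(last_n, len(checkpoints))
    return [m for m in machines
            if len(missed_checkpoints(checkpoints, acks, m, last_n)) == n]


def expired_checkpoints(checkpoints, now, retention_days):
    """Checkpoint IDs older than the Checkpoint Retention period.
    A retention of zero means checkpoints are kept permanently."""
    if retention_days == 0:
        return []
    cutoff = now - timedelta(days=retention_days)
    return [c["id"] for c in checkpoints if c["generated"] < cutoff]


if __name__ == "__main__":
    print("Checkpoint Time 1140 ->", checkpoint_time_of_day(1140))
    for machine in ACKS:
        print(machine, "missed:", missed_checkpoints(CHECKPOINTS, ACKS, machine, 3))
    print("missing last 3:", machines_missing_all(CHECKPOINTS, ACKS, list(ACKS), 3))
    print("expired at 60 days:", expired_checkpoints(CHECKPOINTS, NOW, 60))
```

Acknowledgments are fast-tracked to the CMS, so a machine that still shows several unacknowledged recent checkpoints is usually a replication or connectivity problem worth investigating rather than a timing artefact.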
Log files
Orchestria APM keeps a log of all significant activity and replication events, for example, when a new user account is created or when a user policy is edited. Event logs are saved in .log files. You can print the contents of any logfile using a text editor such as Microsoft Notepad. Log files are typically saved locally in Orchestria's \data\log subfolder of the Windows All Users profile. In a typical folder structure this is All Users\Application Data\Orchestria Active Policy Management\data\log (the folder tree in the original figure also shows the Default User, srimmel, lsteele and fschaeffer profile folders alongside All Users).
Log entries are not replicated up to the CMS. Logfile names indicate the type of log, and incorporate the date and time when the file was created. For example, activity_200201200945.log is an Activity log created on 20 January 2002 09:45. You use the Administration console to view logs on any machine in your Orchestria APM enterprise; see page 91.
Activity logs
These record general activity by all machines. For example, each time users or machines log in or out, and each time policies are created or updated. They are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: activity_200201200945.log. You can configure this log file to also record user administration changes using a machine policy setting; see page 90.
Replication logs
These record any database changes that were made on a remote machine and copied to the local machine. These typically include changes to a machine or user policy, and changes to user accounts and user groups. These changes are recorded in the replication log on each machine. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: repl_200201200945.log. You can configure this log file using machine policy settings; see page 90.
System logs
These record any infrastructure errors that occur while the Orchestria APM service is running. Under normal conditions, this logfile is empty. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: stderr_200201200945.log. You can configure this log file using machine policy settings; see page 90. Note: Any errors detected when the Orchestria APM service starts up are written to the file wgninfra.out. Find this file in the \data\log subfolder in the Orchestria APM installation folder.
User Administration logs
These record any changes made to user accounts or groups. These typically include changes to user accounts and user groups. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: useradmin_20050120945.log. You can configure this log file using machine policy settings; see page 90.
Event Import logs
These record the outcome of Event Import operations, including details of all successful and unsuccessful events, plus details of any system errors (for example, when a user cannot be created). An Event Import parameter determines the level of logging detail. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: evtimport_20050120945.log.
iConsole logs
These record the outcome of iConsole operations, including details of any errors incurred performing iConsole operations. iConsole logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: iconsole_2005120945.log.
Content indexer logs
These record the outcome of content indexer operations, including all significant connection and job events. Content indexer log files are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: index_job001_200501241500.log. Note: Content indexer log files are not listed in the Administration console.
Account Import logs
These record the outcome of any operations using Account Import (see pages 54 and 73). Log entries typically include changes to the user or machine hierarchy, such as the addition of new users, groups or client machines. Logfiles are saved in Orchestria's \data\log subfolder of the Windows All Users profile. Logfile names take the format: ldap_200201200945.log.
Configure logfiles
You configure logfiles in the machine policy. In the Machine Policy Editor screen, go to the Infrastructure > Logging folder; see page 147. Settings in this folder determine:
- Which events are recorded in the logfile, for example, policy changes and logins.
- The maximum size for a logfile. New logs are created when the current log exceeds its maximum size.
- The maximum number of logfiles. When this number is exceeded, the oldest logfile is deleted.
- Whether user administration entries in Orchestria APM logfiles are diverted from the Activity logfile to the User Administration logfile, recorded in both logfiles, or not recorded in either logfile. For example, to log administration entries:
  - Only in the User Administration logfile, configure the User Administration Changes setting in the Activity folder to False and the same setting in the User Administration folder to True.
  - In the Activity and User Administration logfiles, configure the User Administration Changes setting in the Activity folder to True and the same setting in the User Administration folder to True.
  - In neither logfile, configure the User Administration Changes setting in the Activity folder to False and the same setting in the User Administration folder to False.
- Whether entries in Orchestria APM logfiles are also copied to the NT Event Log. You can specify which categories of message are copied; see page 91.
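Because log entries are not replicated to the CMS, checking logs on a machine means reading its \data\log folder directly, and the only metadata a file carries is the type and creation timestamp encoded in its name. The following Python is an added example, not code from Orchestria APM or this manual: it parses the documented name format (type, then a 12-digit YYYYMMDDHHMM timestamp, then .log, with the content indexer's job number allowed), flags names that do not fit rather than guessing at them, and applies the "maximum number of logfiles" rule by selecting the oldest files of each type for deletion. The directory listing is constructed and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Documented Orchestria APM log names: <type>_<YYYYMMDDHHMM>.log, for example
# activity_200201200945.log (an Activity log created 20 January 2002 09:45).
# Content indexer logs carry a job number: index_job001_200501241500.log.
LOG_NAME_RE = re.compile(r"^(?P<kind>[a-z]+(?:_job\d+)?)_(?P<stamp>\d{12})\.log$")


def parse_logfile_name(name):
    """Return {'name', 'kind', 'created'} for a well-formed name, or None when
    the name lacks a valid 12-digit timestamp."""
    m = LOG_NAME_RE.match(name)
    if m is None:
        return None
    try:
        created = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M")
    except ValueError:          # e.g. month 13 or hour 25
        return None
    return {"name": name, "kind": m.group("kind"), "created": created}


def describe_logs(names):
    """Split a directory listing into parsed log records and names that do not
    follow the documented format (those deserve a look, not a guess)."""
    parsed, rejected = [], []
    for n in names:
        rec = parse_logfile_name(n)
        if rec is None:
            rejected.append(n)
        else:
            parsed.append(rec)
    return parsed, rejected


def files_to_delete(names, max_files):
    """Apply the 'maximum number of logfiles' rule per log type: when a type has
    more files than max_files, the oldest ones are the candidates for deletion."""
    by_kind = defaultdict(list)
    for rec in describe_logs(names)[0]:
        by_kind[rec["kind"]].append(rec)
    doomed = []
    for recs in by_kind.values():
        recs.sort(key=lambda r: r["created"])
        surplus = len(recs) - max_files
        if surplus > 0:
            doomed.extend(r["name"] for r in recs[:surplus])
    return doomed


# Constructed listing of a \data\log folder (not from a real installation).
SAMPLE_LISTING = [
    "activity_200201200945.log",
    "activity_200201211000.log",
    "activity_200201221015.log",
    "repl_200201200945.log",
    "stderr_200201200945.log",
    "index_job001_200501241500.log",
    "useradmin_20050120945.log",   # only 11 digits: not a valid timestamp
    "wgninfra.out",                # start-up errors use a different naming scheme
]

if __name__ == "__main__":
    parsed, rejected = describe_logs(SAMPLE_LISTING)
    for rec in parsed:
        print(f"{rec['kind']:14} {rec['created']:%Y-%m-%d %H:%M}  {rec['name']}")
    print("not parsed:", rejected)
    print("delete with a maximum of 2 per type:", files_to_delete(SAMPLE_LISTING, 2))
```

Note that the parser rejects useradmin_20050120945.log because its timestamp has only eleven digits; a real folder will only contain names the service wrote, so a rejected name is a sign of something other than a routine log.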
View logfiles
By default, the Administration console lists logfiles on the local machine. But you can also view logfiles on remote machines.
2 Browse the available logfiles and choose the one you want to view. In the list, one icon indicates a closed logfile and another indicates the current logfile. Note: You can only view logfiles if you have been granted the Machine: View Logfile privilege.
5. Administration searches
This chapter focuses on administration searches for user, group and machine accounts. For example, you can search for user accounts with out-of-date policies or machines that have missed one or more replication checkpoints. A range of predefined searches are available in the Administration console. These include information and health searches, for both users and machines. Information searches typically retrieve basic details about existing accounts; health searches identify problematic accounts, or accounts which require your attention, such as machines which cannot be contacted or users with out-of-date policies. You can also define and save your own administration searches, and copy search results to the clipboard. In all cases, Orchestria APM generates a SQL search expression. If required, experienced users can edit this expression directly.
Searching for users and machines (figure): From the Administration console (1), the Administration Search feature (2) lets you search for user (3) and machine (4) accounts. All searches for user accounts are limited in scope by your management groups (5); you cannot search for users associated with groups outside your management groups.
Predefined searches
The Searches screen in the Administration console includes a wide range of predefined searches:
User Information: These focus on user accounts that are active or currently logged in, or which have had policy changes since the account was created.
User Health: These searches focus on:
- User accounts with no parent group, and user or group policies with no parent policy. Both situations can potentially arise if the user hierarchy becomes corrupted in the CMS database.
Machine Information: These searches identify current machine accounts (separate searches are available for each machine type) and machines currently connected to the CMS.
Machine Health: A wide range of diagnostic searches are available. For example, you can search for:
- Machines running the latest version of Orchestria APM, or machines running an out-of-date version.
- Machines that have missed one or more replication checkpoints.
- To edit an existing search, expand the Searches branch in the left-hand pane (see page 94). Right-click the search you want and choose Edit.
2 Fill in the fields in the Administration Search dialog:
2.2 Look For: Choose your search items. These are the items you want to look for: Users, User Groups or Machines.
2.3 View: Only available for machine searches. The view determines which data is returned by a database query. In effect, it determines which columns are shown in the right-hand pane. Choose:
- Diagnostics View to include various status columns, in addition to the usual machine details. For example, these indicate the connection status, replication status (including missed checkpoints), and whether a machine needs resynchronizing. You use this data to identify machines that require your attention.
2.4 Search filters: Define your search using the search filters. For example, if looking for users you can search by user group or last logon date. Search filters are displayed on search tabs. The range of available filters depends on what items you are looking for. See page 96 for filter details.
3 As you define your search filters, Orchestria APM generates a SQL search expression. If you have the Events: Allow unrestricted SQL searches administrative privilege (see page 57), you can click the SQL tab to edit this expression directly.
4 If required, you can save your search definition; see page 96. Saved searches are listed under the Custom Searches folder in the Administration console. Click Search Now to run the search, or choose Search > Search Now. Items matching the search criteria are shown in the Search tab.
Administration Search dialog (figure): 1 CMS list. 2 Look for options. 3 Database view. 4 Search description. 5 Search Now button. 6 Search filters.
Saved searches
You can save searches for users, groups or machines as .QDF files. This allows you to run repeat searches and share search expressions with your colleagues.
Save a search
In the Administration Search dialog, define your search as normal. Then choose Search > Save or Save As. Note: These menu items are not available in the main console menu bar.
Search filters
Group searches can filter by:
- Group name
- Active or deleted group accounts
- Groups containing users with a specific name
- Groups containing users with a specific role
For example, you can search by group for groups containing administrators or groups containing managers.
User searches can filter by:
- User account name or user full name
- Parent group name
- User role
- Active or deleted user accounts
- When the account was created
- Last connection date and time
For example, you can search for users in a specific group or who have not logged in for more than seven days. Note: Be aware of the limitations when filtering searches by user group; see the Data Management Console guide for details; search the index for user groups.
Machine searches can filter by:
- When the account was created
- Last connection date and time
- Parent server name
- Current logon state
- Date and time of last connection
- Active or deleted accounts
- Diagnostic status. These filters include time of last replication, outstanding replication updates, time of latest checkpoint acknowledgment, checkpoint description and so on.
For example, you can find all the Orchestria APM machines connected to a specific gateway, or you can identify all machines that have failed to acknowledge the last five checkpoints.
6. Editing policies
This chapter examines machine policies and user policies. Orchestria APM uses these policies to manage machine and user behavior. Both types of policy work in the same way. The chapter describes how to edit policies, introduces the concept of policy inheritance, and summarizes the main policy settings.
What is a policy?
A policy is simply a collection of settings applied to a user, a group of users, or a machine.
A user policy controls Web, IM, and e-mail activity, and monitors application usage for an individual user or a group of users. User policies are also used to monitor specified files (typically text-based documents). Users inherit their policies from the group they belong to. In turn, the group inherits its policy from its parent group. A machine policy determines how an Orchestria APM computer manages its database of captured data and communicates with other Orchestria APM computers. By default, new client machines inherit the common client policy and new gateways inherit the common gateway policy.
Each setting controls a specific aspect of user or machine behavior, and each setting has a value. For example, some settings have numeric values; for others, the value is actually a list of items such as URLs or credit card numbers; other settings may have a simple true-false value; finally, some settings take a user-selected menu item as their value. Related settings are grouped into policy folders. Each folder can have attributes such as Hidden, Disabled, or Enforced. Settings within the folder inherit these attributes. These attributes let you tailor the scope of any custom policies that may be needed lower down your hierarchy of user groups or machines. In all cases, an administrator can override the default settings to create custom policies for a specific user, group, client machine, gateway or CMS.
Policy types (figure): User policies apply to: 1 User. 2 User groups. Machine policies apply to: 3 Client machines. 4 Gateways. 5 CMS.
Find menu items: Find: Finds a named policy item. Find Previous: Finds the previous occurrence.
Policy setting attributes (figure): disabled, enforced.
Editing policies
By default, users inherit the policy defined for the group they belong to. But you can create a custom policy for an individual user. For example, if user policies throughout your organization block certain Web pages, you can exempt a user from these restrictions by redefining the blocking triggers in their policy. Orchestria APM provides shortcuts for fast editing of user and machine policies:
- For user policies, see page 48.
- For group policies, see page 45.
- For CMS policies, see page 69.
- For gateway policies, see page 69.
- For client machine policies, see page 71.
Edit a policy
- Right-click and choose Edit Policy, or
- Click the policy hyperlink in the right pane. See page 34 for details.
2 In the Policy Editor, browse the policy folders to find the setting you want.
3 Double-click the setting to edit its value or attributes. Note: When editing list settings, you can import existing lists of e-mail addresses or Web sites. See page 121 for details.
4 Click the save button to save the updated policy. A summary dialog lists all policy items that you have modified. This dialog allows you to confirm, cancel or modify the changes.
Disable folders
This is described on page 116.
Reset a policy
This restores the inherited default values for all settings in the policy and the inherited attributes for all folders in the policy. In a Policy Editor screen, choose Edit > Reset.
Policy navigation
In the User Policy Editor, you can quickly navigate around a policy using hyperlinks, the Back and Forward buttons, and the Find feature.
Hyperlinks
Many settings are hyperlinked to a dependent setting or folder. For example, each capture trigger has a setting that specifies the capture action; click the hyperlink to jump to the specified action.
Back and Forward
Click Back to go back to the policy setting or folder that you previously selected. Click Forward to return to the policy item you selected before you clicked Back.
Find
Enter the setting or folder name in the Find dialog. You do not need to enter the whole name. You can search on the first few letters of any name, and you do not need to match the case. For example, type 'use' to find the first 'Message To Users' setting. You can quickly search the policy tree to find other occurrences of this name with the Find menu items (Find, Find Previous).
Management groups
After assigning the appropriate privileges to your policy administrators, you need to set their management groups to control which user policies they can manage. Administrators cannot view or edit user policies that fall outside their management groups. See page 43.
Policy privileges
Certain administrative privileges permit users to view and edit policies, and to replicate policy changes to client machines. These are:
- Policies: Edit policy
- Policies: Edit the CMS policy
- Policies: Replicate changes to clients
- Policies: View policy
Copying and importing: When editing these list settings, you can copy and paste items from other lists, and import items from other files or applications. For example, you can import URLs from a table in Microsoft Word. See page 105.
Wildcards: You can also use * and ? wildcards to define list items.
Included and Excluded lists: For each policy list setting, you can specify an Included list of items or an Excluded list. You specify which list is checked for matching items. You can even set up trigger exemptions for specific URLs or e-mail addresses by specifying combination list checking. See page 103.
E-mail address formats: When defining lists of e-mail addresses, you can search for display names or you can define addresses based on the protocols used by your e-mail server. See page 109.
To edit the list so it only includes inherited (default) items or custom items added by the current user, see page 103.
as AND operators. See page 109. You cannot add multiple items into a single row of the list box. You must add items to separate rows. For example, you cannot add this as a single entry:
file1.txt;file2.txt;file3.txt
Define a list
To define a list of trigger items, you edit the associated policy list setting. These settings use a special version of the Policy Setting Properties dialog; see opposite.
1 Open the User Policy Editor and locate the trigger with the list setting you want to change. Example list settings include Excluded Addresses and Included Search Text.
Double-click the list setting or right-click and choose Properties. This opens the Properties dialog. Use the Add, Exclude and Remove buttons to define your list.
Policy Setting Properties dialog: list settings (figure)
1 List source options: Use inherited value and Override inherited value.
2 Default list items, inherited from the parent policy.
3 Custom list items, added to the current policy.
4 List box. Right-click here to copy, paste or import list items.
5 Dashed line. Separates default items from custom items.
6 Add button.
7 Include or Exclude button. Available only when you select a default item.
8 Remove button. Available only when you select a custom item.
9 Edit button.
10 Enforce button.
Included lists
In effect, included items are 'forbidden' items. If a trigger uses an Included list, any single item in the list can activate the trigger. If a trigger fails to detect any items in the Included list, the trigger does not activate. For example, if a Web page capture trigger uses an Included URL list, any URL on this list will trigger a capture when the user browses to it.
Excluded lists
In effect, excluded items are 'allowed' items. If a trigger uses an Excluded list, any items can activate the trigger except items in this list. If a trigger fails to detect any items in the Excluded list, the trigger always activates. For example, a control trigger for incoming e-mails uses an Excluded Address list. The trigger always activates when it detects an incoming e-mail unless the e-mail is from a sender on the Excluded list. If it is from an Excluded sender, the trigger does not activate.
Multiple items in Excluded list
Excluded lists containing multiple items require special attention. For these lists, Web pages or e-mails are only exempted if all listed items are detected. For example:
An outgoing e-mail sent to multiple recipients is only exempted if all recipients are on the Excluded address list. If any recipient is absent from the Excluded address list, the trigger will activate as normal! A Content Search Text trigger for Web pages that specifies multiple excluded words will always activate unless every word on the Excluded text list is detected on the Web page. If any listed words are missing, the trigger activates as normal. If all listed words are detected, the trigger will not activate.
Ignored lists
Available only for e-mail address and top level file name lists.
If a trigger has e-mail addresses or top level file names in an Ignored list, these addresses and files are ignored by the trigger and cannot cause the trigger to activate. In effect, Ignored Addresses and Top Level File Names lists enable you to exempt specific e-mail addresses and files from normal control trigger operations. Note: For details on Top Level File Names, see page 245.
For example, a control trigger for outgoing e-mails blocks e-mails sent between the Research and Sales teams, but the Research manager is exempted from this rule and so added to the Ignored Addresses list. When the trigger detects e-mails sent by any member of the Sales team to the Research manager, the trigger infers that it must ignore the e-mail and does not activate.
Combination list checking
This allows you to set up general capture, control or transaction triggers, but exempt specific URLs or e-mail addresses. For example, combination list checking allows you to block e-mails sent between the Research and Sales departments unless a copy has also been sent to a particular manager (for example, your regulatory compliance officer). How does this work? First, the detected URL or address is compared against the Included list. If a match is confirmed, the URL or address is then compared against the Excluded list. If it also appears in the Excluded list, the URL or address is exempted and the trigger does not activate. To illustrate the required policy settings in the earlier example, the group policy for the Sales department could include a control trigger for outgoing e-mails with the following list settings:
Policy setting: Value / list items
Which address list?: Use Included list, but exempt if recipient in Excluded list
Included list: research.unipraxis.com
Excluded list: compliance.officer@unipraxis.com
In this situation, Orchestria APM would detect an e-mail sent to, say, frankschaeffer@research.unipraxis.com and trigger a control event (for example, to block the e-mail) unless the recipients also included compliance.officer@unipraxis.com.
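The four list-checking rules on these pages (Included, Excluded with multiple items, Ignored, and combination checking) decide whether a trigger activates, and the "all recipients" rule for Excluded lists is the one most often misread. The following Python is an added example, not code from Orchestria APM or this manual: it evaluates an outgoing e-mail control trigger against a recipient list using the Sales/Research scenario above, and separately models a multi-item Excluded text list. The trigger dictionary keys, the substring matching used for list items that carry no wildcard, and the rule that an e-mail with no recipients left after Ignored addresses are removed does not activate the trigger are all assumptions made for the example.

```python
from fnmatch import fnmatchcase


def address_on_list(items, address):
    """True if the address matches any list item. Matching is case-insensitive and
    honours * and ? wildcards; an item without wildcards is matched as a substring
    (an assumption here, mirroring the implicit *...* the manual describes for URLs)."""
    addr = address.lower()
    for item in items:
        pat = item.lower()
        if "*" not in pat and "?" not in pat:
            pat = "*" + pat + "*"
        if fnmatchcase(addr, pat):
            return True
    return False


def email_trigger_fires(trigger, recipients):
    """Decide whether a control trigger for outgoing e-mail activates.

    trigger keys (constructed for this example): 'which_list' is 'included',
    'excluded' or 'combination'; 'included', 'excluded' and 'ignored' are lists."""
    # Ignored addresses can never cause the trigger to activate.
    live = [r for r in recipients
            if not address_on_list(trigger.get("ignored", []), r)]
    if not live:
        return False                       # nothing left for the trigger to detect
    included = trigger.get("included", [])
    excluded = trigger.get("excluded", [])
    mode = trigger["which_list"]
    if mode == "included":
        # Any single recipient on the Included list activates the trigger.
        return any(address_on_list(included, r) for r in live)
    if mode == "excluded":
        # Exempt only if every recipient is on the Excluded list.
        return not all(address_on_list(excluded, r) for r in live)
    if mode == "combination":
        # Included match first; then exempt if any recipient is on the Excluded list.
        if not any(address_on_list(included, r) for r in live):
            return False
        return not any(address_on_list(excluded, r) for r in live)
    raise ValueError(f"unknown list mode {mode!r}")


def excluded_text_trigger_fires(excluded_terms, words_in_content):
    """A content trigger with a multi-item Excluded text list activates unless
    every listed term is present in the content."""
    present = {w.lower() for w in words_in_content}
    return not all(t.lower() in present for t in excluded_terms)


# Constructed from the manual's scenario: the Sales group policy blocks e-mail to
# Research unless the compliance officer is also a recipient.
SALES_RESEARCH_TRIGGER = {
    "which_list": "combination",
    "included": ["research.unipraxis.com"],
    "excluded": ["compliance.officer@unipraxis.com"],
}

if __name__ == "__main__":
    to_research = ["frankschaeffer@research.unipraxis.com"]
    print("blocked:", email_trigger_fires(SALES_RESEARCH_TRIGGER, to_research))
    print("allowed:", not email_trigger_fires(
        SALES_RESEARCH_TRIGGER, to_research + ["compliance.officer@unipraxis.com"]))
```

Running the checks against a few representative recipient lists before a policy goes live is the cheapest way to confirm that an Excluded list with several entries still blocks the e-mails you expect it to.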
Copying a list
This section describes how to copy list items from various sources.
Separators for copied items: Semi-colon (see note 1); Tab. Example list items: *.bmp, *.gif, *.jpg, *.png.
Pasting a list
1 To paste copied items into a list setting, open the User Policy Editor. Right-click the target list setting and choose Properties. Right-click the list box and choose Paste. This adds the copied items to the target list.
Importing a list
This section describes how to import list items from various sources.
4 In the User Policy Editor, right-click the target list setting and choose Properties. 5 Right-click the list box and choose Import.
Example messages
For example, a single trigger may include the following items of key text with separate messages defined for each item:
Key text: Company X. Example message: This e-mail has been blocked. Corporate guidelines do not permit you to send e-mails to Company X.
Key text: Company Y. Example message: This e-mail has been blocked. We no longer have a contractual agreement to support Company Y.
Key text: Company Z. Example message: This e-mail has been blocked. Company Z are currently renegotiating their license agreement with us.
Triggers that support multiple messages: Submitted Search Text n (Web pages only); Content Search Text n (Web pages only); Search Text n (e-mails only); Attachments n (e-mails only); Content Agent n (Web pages and e-mails).
For each trigger, multiple messages are supported only for the Included Search Text setting. For obvious reasons, you cannot define multiple messages for the Excluded Search Text setting (that is, a list of absent words and phrases). Note: Content agent triggers are available only if explicitly included in your license agreement. See chapter 13, Content agents.
Text wildcards
Trigger text can apply to the content of a Web page, e-mail, e-mail attachment, imported file, uploaded file or data submitted to a Web site using an HTML form. Example item: photocop*
If part of an Included list, the trigger activates whenever Orchestria APM detects words such as Unipraxis or ref328. If part of an Excluded list for an e-mail content trigger, the trigger activates for all e-mails except those that contain phrases such as 'holiday request'. If part of an Excluded list for a submitted data trigger, the trigger activates for all data submissions except when, say, a user selects 'Photocopier paper' from a form menu.
URL wildcards
Note that * characters are added automatically to the start and end of these items. For example:
unipraxis: Interpreted to be the same as *unipraxis*. The trigger detects sites such as unipraxis.com, unipraxis.co.uk or even sales.unipraxis.com.
sales.*.com: Detects Web sites such as sales.unipraxis.com.
File wildcards
Example items: plan??? or *.xls; *.jpg. If part of an Included list, the trigger activates whenever Orchestria APM detects a file such as plan_13.xls. If part of an Excluded list, all imported files, uploaded files, or attachments activate the trigger unless they involve files such as cute_kittens.jpg.
Address wildcards
Example items: unipraxis.com; frank unipr*
Note: For further details about e-mail address matching, see page 109.
Note: Most triggers that use file lists are activated when a listed file is detected; you can specify any file types in these list settings. But other triggers attempt to search the content of the listed files; for these triggers, only certain file types are supported in the file list. See page 113 for details.
Internal e-mails
Orchestria APM uses the same methods of address matching for internal and external e-mails. That is, the guidelines below also apply when you define internal address patterns in the user policy. See the Data Management Console guide for details; search the index for e-mails, internal.
Display names
Orchestria APM automatically searches for e-mail display names, so you can add items such as these to your list of included or excluded addresses. To match against: a specific person, for example, Spencer Rimmel.
SMTP
Arguably the most commonly used protocol for sending and receiving e-mail, SMTP addresses take this form: spencer.rimmel@unipraxis.com. To match against: a specific organization; a specific person.
For incoming e-mails in Microsoft Outlook, SMTP addresses may be converted to EX addresses (see the next section) if the sender's address already exists in an Outlook address book. In this situation, to ensure that policy triggers activate as expected, you may need to include both SMTP and EX versions in your list of included or excluded addresses or define a list that matches all e-mail address formats; see the previous column.
EX
This protocol is used internally by Microsoft Outlook. You may need to specifically include EX addresses when defining e-mail triggers, for example, to capture e-mails sent internally within your organization. EX addresses use this format: /o=unipraxis/ou=uk/cn=spencer/cn=rimmel. To include EX addresses in a policy list, you need to amend this format by inserting spaces between each address element (spaces are interpreted as AND operators). This ensures the policy trigger will always activate, regardless of how the e-mail address elements are ordered. For example, to match against: a specific organization; a specific person.
Domino
This protocol is used internally by Domino. You may need to specifically include Domino addresses when defining e-mail triggers, for example, to capture e-mails sent internally within your organization. Domino addresses use this format: /o=unipraxis/ou=uk/cn=spencer/cn=rimmel. To include Domino addresses in a policy list, you need to amend this format by inserting spaces between each address element (spaces are interpreted as AND operators). This ensures the policy trigger will always activate, regardless of how the e-mail address elements are ordered. For example, to match against: a specific organization; a specific person.
X.400
This is a widely-used protocol in Europe and Canada and an international standard. X.400 addresses take the following format: c=uk;a= ;p=Unipraxis;o=Exchange; s=rimmel;g=spencer. To explicitly include X.400 addresses in a policy list, you will need to amend the above format by inserting spaces between each address element (Orchestria APM interprets spaces as AND operators). This will ensure that the policy trigger always activates, regardless of how the e-mail address elements are ordered. For example, to match against: a specific organization; a specific person.
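The wildcard rules on page 108 and the address-format rules above (implicit * around URL items, * and ? in file names, and space-separated address elements combined as AND terms so that EX, Domino and X.400 addresses match whatever the element order) can be checked against sample values before they go into a policy. The following Python is an added example, not code from Orchestria APM or this manual. Two points are assumptions made for the example: a file pattern is tried against the file name both with and without its extension (the manual's plan??? example matching plan_13.xls implies the extension need not be covered), and each address element is matched anywhere in the address.

```python
from fnmatch import fnmatchcase


def url_item_matches(item, site):
    """URL list items get * added automatically at both ends, so 'unipraxis'
    behaves like '*unipraxis*'. Matching is case-insensitive."""
    return fnmatchcase(site.lower(), "*" + item.lower() + "*")


def file_item_matches(item, filename):
    """File list items use * and ? wildcards. Assumption for this example: the
    pattern is tried against the full name and against the name without its
    extension, so 'plan???' matches plan_13.xls as the manual describes."""
    name = filename.lower()
    stem = name.rsplit(".", 1)[0] if "." in name else name
    pat = item.lower()
    return fnmatchcase(name, pat) or fnmatchcase(stem, pat)


def address_item_matches(item, address):
    """E-mail address list items: space-separated elements are AND terms, each of
    which must appear somewhere in the address, in any order. Each element is
    wrapped in * so it can sit anywhere; elements may themselves use * and ?."""
    addr = address.lower()
    elements = item.lower().split()
    if not elements:
        return False
    return all(fnmatchcase(addr, "*" + e + "*") for e in elements)


def address_on_any(items, address):
    """True if any list item matches, e.g. when both SMTP and EX forms are listed."""
    return any(address_item_matches(i, address) for i in items)


# Constructed list items in the formats the manual shows (not from a real policy).
LIST_ITEMS = [
    "spencer rimmel",                               # display name
    "spencer.rimmel@unipraxis.com",                 # SMTP
    "/o=unipraxis /ou=uk /cn=spencer /cn=rimmel",   # EX or Domino, spaces = AND
    "c=uk p=unipraxis s=rimmel g=spencer",          # X.400, spaces = AND
]

if __name__ == "__main__":
    print(url_item_matches("sales.*.com", "sales.unipraxis.com"))
    print(file_item_matches("plan???", "plan_13.xls"))
    # Element order differs from the list item, but all elements are present.
    print(address_on_any(LIST_ITEMS, "/o=unipraxis/ou=uk/cn=rimmel/cn=spencer"))
    print(address_on_any(LIST_ITEMS, "Spencer Rimmel <spencer.rimmel@unipraxis.com>"))
```

A single-element item such as /o=unipraxis matches every address in that organization, which is what the "a specific organization" rows in the tables above rely on; adding /ou=uk narrows it to one organizational unit.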
Basic rules
When a trigger detects key words or phrases:
- It matches only whole words. So unipr will not match Unipraxis.
- Matching is not case-sensitive. So unipraxis will match Unipraxis.
- Spaces between words create a single, composite search term. So if the search text is unipraxis solutions, the trigger confirms a match if it detects the phrase Unipraxis solutions. Any differences in punctuation or capitalization are ignored.
- By default, a trigger ignores the hyphen in hyphenated words. So e-mail will match e-mail and email.
- By default, a trigger matches punctuation but ignores spacing (including tabs and line breaks). For details on punctuation matching, see page 112.
- Some characters and symbols require special handling, for example: _ * % ?. See page 113.
Example search text: Company {X|Y|Z}
Note: When defining the list items, Orchestria APM interprets a space between keywords as a literal character.
Punctuation matching
By default, Orchestria APM matches punctuation when searching for key words or phrases. However, you may want to disable punctuation matching if you require more flexible matching. This can arise if your key words or phrases are frequently used with incorrect or inconsistent punctuation.
Example
For example, consider an e-mail control trigger that detects all references to the 'security: breach'. However, some e-mails omit the colon and refer to the 'security breach'. To detect both variations, use the punctuation variable %-matchPunct% to specify the search text:

%-matchPunct%Security: Breach

Note that this variable returns 'Security: Breach' even if it detects 'security breach'. This ensures that Orchestria APM triggers ignore all punctuation characters when looking for references to security breaches. For full details about punctuation matching and using variables to qualify your search text, search the Administration console online help for punctuation variables.
i Orchestria APM ignores the hyphen in hyphenated words when searching for key words or phrases. See the next section.
Hyphenated words
By default, Orchestria APM ignores the hyphen in hyphenated words when searching for key words or phrases. This provides built-in flexibility to detect variations of words that are inconsistently hyphenated. For example:

This search text   Matches
e-mail             e-mail or email
email              email or e-mail

Orchestria APM does not ignore other occurrences of hyphens. For example, the search text Recruitment May 2003 only detects an exact match of this phrase, that is, "Recruitment - May 2003". In some cases, normally hyphenated words or phrases can occur as two separate words. But Orchestria APM does not treat hyphenated words and space-separated words as synonymous. You must be aware of this distinction when defining trigger search text, and you may need to use the | operator (logical OR) to detect both hyphenated and space-separated occurrences of your key words or phrases. For example:

This search text          Matches                              But does not match
long-term                 long-term or longterm                long term
long term                 long term
{long term}|{long-term}   long term or long-term or longterm

Trigger categories:
Attachments (e-mails only)
File Upload (Web pages only)
Document Classifier (Web pages and e-mails)
Content Agent (Web pages and e-mails)
File (files only)

File formats
Orchestria APM can search these files:
FrameMaker MIF files: Maker Interchange Format files are created from Adobe FrameMaker documents. They have a .MIF extension. Orchestria APM can only search the text content of these files.
HTML files: These are documents that can be viewed on the Web. They typically have an .HTM extension. Orchestria APM supports HTML 3.0 or earlier.
Lotus 1-2-3 files: These typically have a .WKS extension, or a variation such as .WK4. Orchestria APM can search spreadsheets created with Lotus 1-2-3 up to version 5.0, and Lotus 1-2-3 for SmartSuite up to edition 9.6.
Microsoft Office documents: These include Word, Excel and PowerPoint files:
  Microsoft PowerPoint presentations: These typically have a .PPT extension. Orchestria APM can search presentations created with PowerPoint 97 or later. Files must be unencrypted (that is, not password-protected) and uncompressed.
Microsoft Project 98 documents: These typically have an .MPP extension. Orchestria APM can only search the text content of these files.
Microsoft Works documents: These typically have a .WPS extension. Orchestria APM can search files created with Works up to version 4.0.
MP3 files: These typically have a .MP3 extension. Orchestria APM can extract and search the properties and metadata of MP3 files.
PDF files: These typically have a .PDF extension. Orchestria APM can search documents created with Acrobat 4.0 or later. It cannot search PDF files that have document security turned on (typically, this applies to files that are password-protected).
Rich text format files: These typically have an .RTF extension, but Orchestria APM can search text files with any file name or extension.
Text files: These are typically .TXT files, but Orchestria APM can search text files with any file name or extension.
vCards: These are electronic business cards, used for sending contact information over the Internet. They have a .VCF extension.
WordPerfect files: Orchestria APM can search files created with WordPerfect 2002 or later.
XML files: These typically have a .XML extension. Orchestria APM can search text between XML tags, not XML tags themselves.
Zip files: These typically have a .ZIP extension, but can include any archive of one or more compressed files. These include files created with compression tools such as WinZip and gzip. Policy settings let you specify a maximum depth of zip file nesting and a maximum size for decompressed zip files; see the next section for details.
For example, if you set a maximum depth of 2, then Orchestria APM will drill down two levels of nesting to analyze archived documents. In practice, this means it will search the text content of documents archived inside a zip file that is itself included in a master zip file. If Orchestria APM detects a further level of nesting, it does not search the documents archived inside this further zip file.
i This policy setting also covers e-mails embedded inside a master e-mail.
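The two limits described above, a nesting depth and a decompressed-size ceiling, are what keep an archive scanner from being exhausted by deeply nested or highly compressible archives. The following added example, written for this page and not taken from Orchestria APM, applies both limits while walking a nested zip: with max_depth=2 it reads documents inside a zip inside the master zip and stops at a third level, and it never inflates more than max_bytes across the whole walk. The nested archives it scans are constructed in memory; the depth semantics (the master zip is level 1) follow the paragraph above.

```python
import io
import zipfile


def build_nested_zip(levels, payload=b"security: breach"):
    """Constructed test input: payload.txt wrapped in `levels` nested zip files.
    levels=1 is a zip holding payload.txt; levels=2 is a zip holding that zip."""
    data, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data


def extract_texts(blob, max_depth=2, max_bytes=10_000_000):
    """Return (texts, skipped): decoded text of every document reachable within
    max_depth levels of nesting, and a count of members that were not searched
    because they sat one level too deep or would exceed the decompression budget."""
    state = {"budget": max_bytes, "skipped": 0, "texts": []}
    _walk(blob, 1, max_depth, state)
    return state["texts"], state["skipped"]


def _walk(blob, depth, max_depth, state):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read at most budget+1 bytes: the declared file_size in the header
            # is attacker-controlled, so the cap is enforced on the actual output.
            with zf.open(info) as fh:
                data = fh.read(state["budget"] + 1)
            if len(data) > state["budget"]:
                state["skipped"] += 1
                continue
            state["budget"] -= len(data)
            if zipfile.is_zipfile(io.BytesIO(data)):
                # An archive found at level `depth` would be opened at depth+1.
                if depth >= max_depth:
                    state["skipped"] += 1
                else:
                    _walk(data, depth + 1, max_depth, state)
            else:
                state["texts"].append(data.decode("utf-8", "replace"))


if __name__ == "__main__":
    print(extract_texts(build_nested_zip(2)))              # (['security: breach'], 0)
    print(extract_texts(build_nested_zip(3)))              # ([], 1): third level not searched
    print(extract_texts(build_nested_zip(1), max_bytes=8)) # ([], 1): over the size budget
```

A practical detection point is the skipped counter: an archive whose content is mostly unsearched because of depth or size limits is itself worth flagging, since the limits exist precisely so that such files cannot pass unread.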
Disabling a folder
When you disable a folder in a parent policy, this attribute is fixed in any child policies and can only be undone in the parent policy.
1 Select a folder and click the corresponding toolbar button. Or right-click and choose Disabled.
2 Conceal disabled items: By default, disabled folders are shown in the Policy Editor. Choose View > Show Disabled Items to conceal these folders. Or press Ctrl+D.
Show disabled items: If disabled folders are concealed in the Policy Editor, you can undo this by choosing View > Show Disabled Items. Or press Ctrl+D.
Enforcing items
1 Select a single folder or setting, then click the corresponding toolbar button. Or right-click and choose Enforced. Folder and setting icons change to show the enforced state.
To enforce subfolders, right-click a folder and choose Enforce Branch. This has the same effect as enforcing an individual folder, except it applies to all subfolders in the policy branch; see page 119.
Unenforcing items
Naturally, you cannot unenforce folders or settings in a child policy. You can only unenforce items by editing the policy in which the attribute was set. To unenforce:
Hiding items
If you hide a folder, its subfolders and settings are also hidden. Likewise, if you hide a folder in a parent policy, the equivalent folder in any child policies is also hidden.
1 In the Policy Editor, select a folder or setting, then click the corresponding toolbar button. Or right-click and choose Hidden. Folder and setting icons change to show the hidden state.
2 You can now choose to show or conceal these hidden items; see the following section.
Conceal hidden items: By default, hidden items are shown in the Policy Editor. To conceal these items, choose View > Show Hidden Items. Or press Ctrl+H.
Show hidden items: To show (that is, unconceal) hidden items in the Policy Editor, choose View > Show Hidden Items. Or press Ctrl+H.
Unhiding items
To unhide a folder or setting, click the button again.
Hidden policy items (figure): 1 Hidden items shown. 2 Hidden items concealed.
i You cannot unhide individual settings within a hidden folder. Also, you cannot unhide folders in a child policy if they have inherited this attribute from a parent policy.
Policy inheritance
You will probably need many different policies to support the diverse needs of your users. For example, different departments and various levels of management may each require their own, customized policy. To streamline policy administration, Orchestria APM uses automatic policy inheritance. Policy inheritance is the mechanism by which attributes and values cascade down the policy tree and from one policy to another. It provides a fast, flexible means of updating policies for large numbers of users or machines. It operates in two dimensions. First, attributes are inherited within a policy branch. Second, there is inheritance from parent to child policies.
i The Enforce attribute is exempt from automatic policy branch inheritance. When you enforce a folder, this only enforces settings within the current folder and within the equivalent folder in any child policies. See page 117.
Policy branch inheritance (figure): If you hide (1) a folder (2), all subfolders and settings in its policy branch are also hidden (3).
Parent-child inheritance
This means that a child policy inherits its values and attributes from a parent policy. That is, the value for any setting passes automatically from a parent policy to the equivalent setting in a child policy. Likewise, the attributes defined for any folder are inherited automatically by the equivalent folder in a child policy.
Custom policies and parent-child policy inheritance (figure): 1 All settings in the parent policy use default values. 2 In the first-level child policy, one setting has a custom value. Other settings use inherited (default) values. 3 In the second-level child policy, one setting has a custom value. Other settings (one default and one custom) are inherited from policy 2.
This allows you to quickly administer large numbers of users and machines. For example, changes to a group policy are copied automatically to all lower-level groups, and to all users in these groups. So you need only make a policy change in one place, and Orchestria APM applies this change automatically to all affected users. Parent-child inheritance also lets you quickly roll out custom policies. All you do is specify those settings that differentiate a child policy; all other settings are inherited, unchanged, from the parent policy. For example, a user regularly purchases items from a Japanese Web site. To create a custom policy to capture these Yen transactions, the only setting you need to change is the Default Currency.
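The two inheritance dimensions, and the one exception (Enforce does not cascade down a branch), are easy to get wrong when reasoning about what a user's effective policy is. The following added model, written for this page rather than taken from Orchestria APM, resolves a setting value through the parent-child chain and resolves folder attributes through both dimensions, with Enforce confined to the folder it was set on. The policy names and the GBP value are constructed; the Default Currency setting and the Yen example come from the paragraph above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Attributes that cascade down a policy branch (folder -> subfolders -> settings).
# "enforced" is deliberately absent: per the note above it applies to the current
# folder (and the equivalent folder in child policies) but not to subfolders.
BRANCH_INHERITED = {"hidden", "disabled"}


@dataclass
class Policy:
    """One policy in the parent-child tree. Only values and attributes set
    directly in this policy are stored; everything else is inherited."""
    name: str
    parent: Optional["Policy"] = None
    custom_values: Dict[str, str] = field(default_factory=dict)   # setting path -> value
    folder_attrs: Dict[str, Set[str]] = field(default_factory=dict)  # folder path -> attrs

    def value(self, path):
        """Parent-child inheritance: the nearest policy up the chain that sets the
        setting supplies its value. Returns (value, name of the policy that set it)."""
        node = self
        while node is not None:
            if path in node.custom_values:
                return node.custom_values[path], node.name
            node = node.parent
        raise KeyError(f"{path} is not set anywhere in the chain")

    def has_attr(self, folder, attr):
        """Both dimensions: walk up the parent-child chain and, within each policy,
        up the folder branch (only for attributes that cascade down a branch)."""
        node = self
        while node is not None:
            path = folder
            while True:
                if attr in node.folder_attrs.get(path, set()):
                    return True
                if attr not in BRANCH_INHERITED or "/" not in path:
                    break
                path = path.rsplit("/", 1)[0]   # step up to the parent folder
            node = node.parent
        return False


def build_example():
    """Constructed three-level tree: master policy, a group, and one user whose
    only customization is the Default Currency (the Yen example above)."""
    master = Policy("Users", custom_values={"Default Currency": "GBP"})
    master.folder_attrs["Outgoing e-mails"] = {"hidden"}
    master.folder_attrs["Incoming e-mails"] = {"enforced"}
    directors = Policy("Directors", master)
    user = Policy("spencerrimmel", directors, custom_values={"Default Currency": "JPY"})
    return master, directors, user
```

In the model, hiding Outgoing e-mails in the master policy hides Outgoing e-mails/Capture Triggers for the user two levels down, while enforcing Incoming e-mails in the master policy enforces that folder for the user but not its Capture Triggers subfolder.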
Machine policies
Policy inheritance for new gateways and client machines does not operate in the same way as the hierarchical policy inheritance for new users and groups. Instead, new machines inherit a common gateway policy or a common client policy. For all gateways, there is a single parent policy, the common gateway policy, inherited by all gateways. Likewise, there is a single parent policy for all client machines, the common client policy. Of course, you can customize these common policies to suit your network conditions, and you can also customize the policies for individual gateways and client machines. Note that the CMS has a unique policy. New gateways and client machines do not inherit this policy.
Parent-child inheritance for machine policies (figure): 1 CMS policy. This is not inherited by any other Orchestria APM machine. 2 Common gateway policy, inherited by all gateways. 3 Common client policy, inherited by all client machines.
User policies
For users and groups, parent and child policies derive from the hierarchy of user groups defined in the User Administration screen. A separate policy is attached to each user and each group. A master policy is attached to the top-level Users group. Settings in the master policy cascade down to group policies, and group policy settings cascade down to user policies. Of course, at any level in this hierarchy you can create a customized policy for any individual user or group.
Parent-child inheritance for user policies (figure): 1 Master policy for the Users group. 2 Policy changes are applied to this group. 3 These users each inherit the changes to their group policy.
Policy reports
Editing policies can involve extensive changes to similar-sounding settings. For example, you may want to quickly compare the Search Text words and phrases used by your Web and e-mail capture triggers. Or you may want to re-enable various triggers but you cannot remember which ones are explicitly disabled. These are typical problems facing policy administrators, especially where policy editing privileges have been granted to multiple administrators. Policy reports eliminate these problems and allow you to keep track of changes to individual policies. Policy reports gather the settings or folders that interest you into a single list and let you make instant changes to values and attributes. You can even copy report items into external documents or spreadsheets. This can be useful, for example, if you want to compare settings in different policies. Policy reports are available for both user and machine policies. The scope of each report is shaped by the report filters. For example, you can quickly pinpoint items that have been edited in the current session or which do not use default (inherited) values or attributes. You can further refine the report to include only particular types of settings (for example, list settings or True/False settings) or policy items with specific names. Finally, you can choose which parts of the policy to report on; you can generate a report for the entire policy, or you can limit it to a specific branch. So, with reference to the earlier examples, if a policy report reveals that your e-mail triggers are using different Search Text values to your Web triggers, you can immediately edit your e-mail settings in situ without returning to the Policy Editor screen. Likewise, you can run a single report to identify all explicitly disabled triggers and instantly re-enable them (this feature is exclusive to policy reports; you cannot do this in the Policy Editor itself; for example, if you re-enable a parent folder in the Policy Editor this does not re-enable any subfolders which have been disabled directly).
Policy Report dialog (figure): 1 Report filters. Pinpoint the policy items you want using the report fields: Select, Show, From, and Where name contains. These filters are described in full on page 123. 2 Report items. Right-click items to edit values, change attributes, locate or copy. 3 Type column. Icons identify settings and folders and also indicate the item status (hidden, enforced or disabled). 4 Item name. Shows the full name and policy path of the setting or folder. 5 Setting value. Shows the current value of each setting. 6 Attributes. Shows the current attribute status (Disabled, Enforced, Hidden) of each setting and folder. 7 Using Inherited Value. A No value indicates that the value has been customized and differs from the value that the setting inherited. 8 Find Now button. Click to generate a policy report based on the current report filters. 9 Customized setting or attribute. Highlights identify items that have been customized. That is, the current value or attribute differs from the inherited value or attribute. 10 Parent server and User name. The user name is the Orchestria APM logon name for the current console user.
To generate a policy report, first choose what to report on in the Policy Editor:
- The whole policy: click the corresponding toolbar button, or right-click the policy root and choose Report.
- A policy branch: right-click the policy folder you want and choose Report. The resulting report only covers items in the current folder and its subfolders.
i You can easily change the report scope by re-selecting the From filter. See step 3.
In the Policy Report dialog, select the report filters to retrieve the folders and settings that you want. Report filters are described on page 123. Click Find Now to run the report. You can right-click report items to edit their values, change their attributes (Hide, Enforce, or Disable), locate them in the Policy Editor, copy them to the clipboard, or even save them as spreadsheet-compatible files. See the next section for details. To select multiple items, hold down the Ctrl key while clicking the items you want with the mouse. For example, you can hide or reset multiple items in one go.
Save policy reports as files
When you save a report as a file:
- Enter a name for the report file.
- Specify the report layout, that is, plain, comma-separated or tab-separated. These last two formats can be easily parsed into a spreadsheet.
Policy report file, plain layout (figure): 1 Report header. 2 Table sections correspond to individual folders and settings in the policy report.
Available actions
When you generate a report, various actions are available. For example, you can change the attributes of a folder or setting, or locate the actual item in the Policy Editor. The available actions are listed below, but note that some actions are only available for specific types of report item. Right-click any report items, then choose the action you want:
- Edit: Open the Properties dialog and directly edit the folder or setting. You can also double-click a report item to edit it.
- Disable or re-enable the selected folders.
- Enforce or unenforce the selected items.
- Hide or unhide the selected items.
- Restore the selected setting to use the value inherited from its parent policy.
- Restore the values and attributes inherited from the parent policy.
- Locate: Locate and display the selected item in the Policy Editor screen. This helps you to understand the general context of a folder or setting.
- Copy: Copy the selected items into text files or spreadsheets. This can be useful, for example, if you want to compare settings in different policies. To select multiple items, see step 5 on page 122.
- Select all items in the report.
- Save the report as a text file. See page 122 for details.

Report filters
Report filters determine the scope of the policy report. You can filter the reports by item status, item type, policy branch and search text.
i Search the index of the online help for policy reports to find full details about the available filters.

By item status
These correspond to the Select filters in the Policy Report dialog. The following filters are available:
- All items: Extends the report scope to include all folders and settings.
- Items modified since the policy editor was opened: Limits the report to folders or settings that you have edited in the current session of the Policy Editor.
- Items with a non-inherited state or value: Limits the report to settings and folders whose values or attributes have been edited directly and which no longer match those in the parent policy. It excludes items that use values or attributes inherited, unchanged, from the parent policy.
- Folders that are explicitly disabled: Limits the report to folders that have been disabled directly. For these folders, the Disable check box is selected in the Properties dialog. This filter excludes folders that are disabled simply because their parent folder is disabled; for folders which inherited their disabled attribute, the Disable check box is clear in the Properties dialog.
- Items that are explicitly hidden: Limits the report to folders or settings that have been hidden directly. For these items, the Hide From Users check box is selected in the Properties dialog. This filter excludes items that are hidden simply because their parent folder is hidden; for items which inherited their hidden attribute, the Hide From Users check box is clear in the Properties dialog.
- Items that are enforced: Limits the report to all folders and settings that have been enforced; for these items, the Enforce check box is selected in the Properties dialog.
i The Enforce attribute is exempt from automatic policy branch inheritance. Subfolders and settings do not automatically inherit this attribute from a parent folder. See page 117.

By item type
These correspond to the Show filters in the Policy Report dialog. The following filters are available:
- All folders and settings: Extends the report scope to include all folders and settings.
- All folders: Limits the report to policy folders, excluding all policy settings.
- All settings: Limits the report to policy settings, excluding all policy folders.
- List settings: Limits the report to settings that require a list of trigger items. For example, the Included Card Numbers setting takes a list of credit card numbers. Other list settings require lists of key words and phrases, Web site URLs or e-mail addresses.
- True/False settings: Limits the report to settings that take a True or False value. For example, if the Capture Mail Detail? setting is set to False, this ensures that an e-mail's content and attachments are not captured.
- Numeric settings: Limits the report to settings that take a numeric value. For example, the Maximum Transaction Value setting takes a value such as 99.99.
- Menu-Item settings: Limits the report to settings that offer a menu of possible values. For example, in each control action the Intervention setting offers a menu of items such as Block Quietly, Warn and so on.
- Text settings: Limits the report to settings that require a text value. For example, all Trigger Name settings fall into this category. Similarly, the Message To Users settings require a brief text message that will be seen by users when a control trigger activates.

By policy branch
This corresponds to the From filter in the Policy Report dialog. This filter enables you to fix the root level for the policy report; you can generate a report for the entire policy of the selected user, group or machine, or you can limit the report to a specific policy branch (page 119). Expand the policy tree and select the folder you want. The resulting report only covers settings in this folder and its subfolders.
i You can also determine the root level for the report while still in the Policy Editor, before you open the Policy Report dialog. See Save policy reports as files, step 2.

By name
This corresponds to the Where name contains filter in the Policy Report dialog. This filter enables you to limit the report to items with specific names or, more usefully, items whose name contains specific words or phrases. Enter the name of the settings or folders that you want. You do not need to enter the whole name. You can enter the first few letters of any word in the name, and you do not need to match the case. For example, type mess to find all folders and settings with 'Message' in their name.
i Explicit wildcards * and ? are not supported. Also, this filter applies to the entire name and policy path. For example, Control Triggers would return all control trigger folders and settings, for both e-mails and Web pages.
Policy versions
Policy version numbers allow administrators to track local and inherited policy updates. Each time a policy is edited, the relevant value in its version number increments by +1. See the example on page 126.
Format
When you select a user, group or machine in the console, the attributes in the right-hand pane show the policy version. Version numbers contain a series of dot-separated values, for example 1.2.5.3. Each value represents the policy version at a specific level in the user or machine tree.
- 1st value: This shows the version of the policy licensed for your organization. When you install a new license file, this value increments by +1 (1.2.5.3 to 2.2.5.3).
- 2nd value: This shows the version of the master policy for your organization. When you upgrade Orchestria APM, this value increments by +1 (1.2.5.3 to 1.3.5.3).
- 3rd value: For user groups, this shows the policy version for the top-level 'Users' group. For machines, it shows the policy version for the CMS. These policy edits increment the value by +1 (1.2.5.3 to 1.2.6.3).
- 4th and subsequent values: For users and groups, this shows the policy version of a next-level user group or user. For machines, it shows the policy version of a next-level gateway or client machine. These policy edits increment the value by +1 (1.2.5.3 to 1.2.5.4).

Example policy versions for users and groups
Initially, this gives the following policy versions:
Group: Users*          1.2.4
Group: Directors       1.2.4.1
User: frankschaeffer   1.2.4.1.1
User: spencerrimmel    1.2.4.1.3
* Corresponds to the master policy for your organization.

If you then edit only the Directors group policy, the version numbers are:
Group: Users           1.2.4 (no change)
Group: Directors       1.2.4.2
User: frankschaeffer   1.2.4.2.1
User: spencerrimmel    1.2.4.2.3

Finally, if you then edit the policy for spencerrimmel, the version numbers are:
Group: Users           1.2.4 (no change)
Group: Directors       1.2.4.2 (no change)
User: frankschaeffer   1.2.4.2.1 (no change)
User: spencerrimmel    1.2.4.2.4
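The version string is a chain of per-level counters: editing one policy bumps only that level's value, and every descendant's version changes because it embeds that value. The following added example, written for this page and not part of Orchestria APM, models that and reproduces the three tables above. The license (1st value) and master policy (2nd value) are modelled as two ancestor levels above the Users group, and the starting counters for the two users (1 and 3) are taken from the first table; these are modelling assumptions.

```python
class PolicyNode:
    """One level in the user or machine tree. Each level keeps its own counter;
    the full version is the dot-joined chain of counters from the root down."""

    def __init__(self, name, counter=1, parent=None):
        self.name, self.counter, self.parent = name, counter, parent
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def edit(self):
        """Editing a policy (or installing a new license / upgrading at the top
        two levels) increments only this level's own value by +1. Descendants
        see the change because their version strings embed this counter."""
        self.counter += 1
        return self.version()

    def version(self):
        chain, node = [], self
        while node is not None:
            chain.append(str(node.counter))
            node = node.parent
        return ".".join(reversed(chain))


def build_example():
    """Constructed tree matching the example tables: license=1, master=2,
    Users=4, Directors=1, frankschaeffer=1, spencerrimmel=3 (assumed starting
    counters that reproduce the first table)."""
    license_ = PolicyNode("license", 1)
    master = PolicyNode("master", 2, license_)
    users = PolicyNode("Users", 4, master)
    directors = PolicyNode("Directors", 1, users)
    frank = PolicyNode("frankschaeffer", 1, directors)
    spencer = PolicyNode("spencerrimmel", 3, directors)
    return {n.name: n for n in (license_, master, users, directors, frank, spencer)}


def versions(nodes):
    """Versions of the four policies shown in the tables above."""
    shown = ("Users", "Directors", "frankschaeffer", "spencerrimmel")
    return {name: nodes[name].version() for name in shown}


if __name__ == "__main__":
    nodes = build_example()
    print(versions(nodes))            # initial table
    nodes["Directors"].edit()
    print(versions(nodes))            # Directors edited: 1.2.4.2, 1.2.4.2.1, 1.2.4.2.3
    nodes["spencerrimmel"].edit()
    print(versions(nodes))            # only spencerrimmel changes: 1.2.4.2.4
```

Because each value is a counter and not a content hash, a version string tells you where in the tree an edit happened but not what changed; comparing a policy report before and after the bump is how you recover the actual difference.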
To respect your users' privacy, you can choose not to capture these details at all. However, this can only be achieved through a blanket exclusion on capturing e-mail content or data submitted to a Web site. A more satisfactory approach is to capture the entire content of targeted e-mails or all data submitted to specified Web sites, but then to obscure passwords and credit card numbers so they are not readable when shown in the Data Management console.
Credit card numbers: For a credit card number captured in an e-mail, the number is shown in the Match field of the Summary tab and, if the capture action is set to capture full e-mail details, in the Mail tab. For a credit card number submitted to a Web site, the number is shown in the Match field of the Summary tab, in the Form Data tab and, if the capture action is set to capture full Web page details, in the Page tab.
Passwords: For passwords submitted to a Web site, the password is shown in the Form Data tab. Note that the password is never shown in the Page tab (because it is obscured automatically when the user types it in).
User Policy: Sensitive Information Handling (figure)
2 Edit the Credit Card Numbers and Passwords settings as required. You can choose whether or not Orchestria APM stores these details. Save the policy changes.
! When viewing captured events in the Data Management console, be aware that:
- Orchestria APM cannot obscure passwords when displaying captured e-mails in the Mail tab.
- Orchestria APM may, in rare situations, inadvertently expose submitted passwords in the Form Data tab. For details, see the Troubleshooting section on page 326.
For e-mails: The Mail Details subfolder determines whether to capture the e-mail body text and attachments. Set Capture Body? to False.
For Web pages: The Page Details subfolder determines whether to capture details submitted in HTML forms. Set Captured Submitted Form Data? to False.
names correspond to Orchestria APM account names for users, groups or machines.
wgnpol.exe, please see wgnpol.htm in the \Software\Win32\Support folder on your Orchestria APM distribution media.
Capture settings
Capture triggers determine when Orchestria APM captures Web pages, e-mails, application metrics and files; capture actions determine what data is captured.
User Policy: Capture Settings (figure): For help on individual settings, right-click the setting in the Policy Editor and choose Edit. This displays a dialog containing an explanation of the setting.
User Policy [UNIPRAXIS\Spencer Rimmel]
  Capture Web Pages
    Capture Triggers
    Capture Actions
  Incoming e-mails
    Capture Triggers
    Capture Actions
  Outgoing e-mails
    Capture Triggers
    Capture Actions
  Application Monitor
    Capture Triggers
    Capture Actions
  Data At Rest
    Capture Triggers
    Capture Actions
  Data In Motion
    Capture Triggers
    Capture Actions
Capture Triggers
You define the triggers that kick off a capture. You define separate sets of triggers for Web pages, incoming e-mails, outgoing e-mails, applications and files. For example, triggers can be content-based, such as a word or phrase in the subject of an e-mail, or navigation-based, such as a Web site URL. Each trigger includes these features:
- Multiple versions: There are multiple numbered versions of each capture trigger (for example, URL 1, URL 2 and so on). This allows you maximum flexibility to configure your triggers and target the Web pages, e-mails, applications and files that you want to capture.
- Unique trigger name: You can give a unique name to each capture trigger. Trigger names enable you to quickly recognize the reason for the capture. These names appear in the Summary tab.
- Policy class: You can associate each capture trigger with a policy class. When a trigger activates, the policy class is saved in the trigger record attached to the resulting event. Reviewers can then search for events by their policy class in the iConsole.
- Smart tags: These settings enable you to categorize captured events. You can assign smart tags such as Privileged content or Employment solicitation to all triggers. When the trigger activates, the assigned tag is saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole by reviewers.
- Minimum retention period: You can set a unique minimum retention period for each capture trigger. This determines how long captured events are retained in the local database before they are eligible for purging.
The key characteristics of Web, e-mail, Application Monitor, Data At Rest and Data In Motion capture triggers are summarized on pages 130 to 131. The complete range of individual triggers is on page 143.
Web page capture triggers
Some triggers activate when a user browses to a specified Web page. Other triggers activate when a user tries to upload a file or submit data (for example, a password or credit card number) to a Web site.

E-mail capture triggers
E-mail triggers can activate when a user tries to open or send an e-mail that contains prohibited or sensitive information. Others can activate because the e-mail contains an unauthorized attachment, or because it appears to be transaction-related. Each trigger includes:
- Encryption exemptions: The Encryption Filter setting lets you exempt encrypted or non-encrypted e-mails. For example, you can capture non-encrypted e-mails but ignore encrypted e-mails.
- Digital signature exemptions: The Digital Signature Filter setting lets you exempt signed or unsigned e-mails. For example, you can capture unsigned e-mails but ignore signed e-mails.
- Disable integration with specific e-mail sources: The Which E-mail Source? setting lets you disable Orchestria APM integration with specific e-mail applications or import sources. That is, Orchestria APM ignores e-mails sent or opened using specific applications or imported from specific sources.
- Data Lookup exemptions: The Data Lookup Command setting lets you target e-mails with particular characteristics. This setting supports three types of data lookup:
  - User Attribute lookup: Triggers can selectively capture e-mails based on the account attributes of the Orchestria APM sender or recipients (for example, a Department attribute; see page 51).
  - Address Book lookup: These lookups examine the Outlook Address Book properties of the recipients or sender. For example, they can capture e-mails sent to users in a particular office.
  - Message Attribute lookup: These lookups assess each e-mail for its potential impact on network traffic. For example, they can capture e-mails if the number of recipients is excessive.

Application Monitor capture triggers
Application Monitor triggers are a special category. They can capture application metrics (key presses and mouse clicks for targeted applications over specific time periods). These triggers are based on two criteria, both of which must be confirmed for the trigger to activate:
- Application: You can define applications by the executable name and path or by executable properties such as Version Information or Product Name. This lets you identify applications by their familiar name rather than their less familiar executable name (such as Netscape rather than netscp.exe).
- Window title: Triggers can detect when the application window uses a specific window title, indicating that a specific document or screen has been opened. For example, you can specify Hotmail - Compose to detect whenever a user writes a message on the Hotmail web site.

Data At Rest capture triggers
These triggers are used to capture files scanned by the File Scanning Agent (FSA) or imported onto the CMS by an Import Policy job. The triggers activate if a file has a specific format (for example, a Microsoft Word document) or file name, or because its text content matches the specified trigger criteria. Each trigger includes:
- Document Classification: The Use Document Classification? and Which Document Classifier? settings let you make the trigger dependent on a specific document classification.
- Search Text: The Search Files? setting determines whether Orchestria APM searches the text of the file.
- File lists, for top-level files and embedded files: The Which Top Level File List? setting lets you check for names of normal files or zip files. The Which Individual or Embedded File List? setting lets you check for named files contained within a zip file or embedded in a master file.
- Unreadable Text: The Activate Trigger if Text Content Unreadable? setting lets you configure Orchestria APM to detect files with unreadable text (for example, because the file is encrypted or password-protected).
- File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:
  - File Scanning Agent: The File Scanning Agent (FSA) can scan designated folders (including Microsoft Exchange Public Folders) and allows policy engines to apply Data At Rest triggers to files in those folders.
  - File Importer: You can import files into the CMS using Event Import or Import Policy.
  - External Agent API for File: You can use the External Agent API to extract files from third-party archives and import them into the CMS via Event Import.
- Data Lookup exemptions: The Data Lookup Command setting supports XML Attribute data lookup and lets you target files with particular attributes:
  - XML Attribute lookup: Triggers can examine and capture files based on their metadata attributes (this metadata is stored in XML format). For example, file metadata includes details about the file creation and modified dates, and its name, path and title.

Data In Motion capture triggers
Each trigger includes:
- Search Text: The Search Files? setting determines whether Orchestria APM searches the text of the file.
- File lists, for top-level files and embedded files: The Which Top Level File List? setting lets you check for names of normal files or zip files. The Which Individual or Embedded File List? setting lets you check for named files contained within a zip file or embedded in a master file.
- Unreadable Text: The Activate Trigger if Text Content Unreadable? setting lets you configure Orchestria APM to detect files with unreadable text (for example, because the file is encrypted or password-protected).
- File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:
  - Network Boundary Agent For File: The Network Boundary Agent (NBA) monitors files leaving your corporate network or arriving from the Internet.
  - Client File System Agent: This agent detects files or documents being copied to USB devices (removable drives).
Data In Motion capture triggers These triggers are used to capture files being printed or copied to a USB device (removable device), and files entering or leaving the corporate network. Specifically, these triggers are used by the Client Print System Agent (CPSA), Client File System Agent (CFSA), and the Network Boundary Agent (NBA). For the CPSA and CFSA, the triggers can activate if the user tries to use a specific printer or USB device. Other trigger criteria can check the file name and analyze its text content. Each trigger includes:
Document Classification: The Use Document Classification? and Which Document Classifier? settings let you make the trigger dependant on a specific document classification.
132
Capture Actions
Capture actions determine how much data is captured when a capture trigger fires. For example, you can choose whether to capture Web page images or e-mail attachments. There are multiple capture actions, allowing you maximum flexibility to configure the actions associated with any capture. You can also give unique names to capture actions, enabling you to quickly recognize the nature of the capture event when viewing it in the iConsole or Data Management console.

Web page capture actions
Each capture action can be specified by any capture trigger and, in addition to capturing Web data, also covers the following areas:
Browser Light: You can switch the Orchestria APM capture light in the taskbar of the user's browser on or off. This indicates to users when a Web page has been captured.
Capture Page Detail? You can specify how much page detail is captured. For example, you can capture or ignore images and uploaded files.

E-mail capture actions
Actions listed here can be specified separately for incoming and outgoing e-mail capture triggers. In addition to capturing e-mail data, each action also includes the following setting:
Capture Mail Detail? You can specify how much e-mail detail is captured. The To, From, Cc and Subject fields are always captured, as are details such as the capture date and user name. You can also capture the e-mail content, attachments, and Internet Mail Header.

Application Monitor capture actions
Each capture action covers the following areas:
Event timeout: This determines how often events are closed if an application is continuously active.
Key presses: You can record how many key presses (a count, not the keys themselves) a user makes while running the specified executable in the specified window.
Mouse clicks: You can record how many mouse clicks a user makes while running the specified executable in the specified window.

Data At Rest capture actions
Each capture action can be specified by any capture trigger and can capture:
Capture File Details? You can specify how much file detail is captured. For example, you can capture the file itself, or just its metadata (file attributes), or both.

Data In Motion capture actions
Each capture action can be specified by any capture trigger and can capture:
Capture File Details? You can specify how much file detail is captured. For example, you can capture the file itself, or just its metadata (file attributes), or both.
Control settings
Control triggers define when e-mail, file, Web, or application activity causes a control event to be generated. Control actions determine the nature of the control event (for example, a blocking or a warning) plus any associated event handling (for example, automatic replies to incoming e-mails or redirecting Web users to alternative URLs).
[Policy tree: User Policy > Control > Web Pages, Incoming e-mails, Outgoing e-mails, Application Monitor, Data At Rest, Data In Motion; each folder holds Control Triggers and Control Actions]

Control triggers
The range of possible control triggers is the same as the range of capture triggers. You can define triggers that cause Orchestria APM to block an e-mail, Web page, uploaded file, or data submission; remove a file; warn or inform the user; or silently record the user's behavior. Each trigger includes:
Unique trigger name: You can give a unique name to each control trigger. This lets you quickly recognize the nature of any control events listed in the iConsole or Data Management console.
Multiple versions: There are multiple numbered versions of each control trigger (for example, URL 1, URL 2 and so on). This allows you maximum flexibility to configure your triggers and target the Web pages, e-mails, applications and files that you want to control.
Policy class: You can associate each control trigger with a policy class. When a trigger activates, the policy class is saved in the trigger record attached to the resulting event. Reviewers can then search for events by their policy class in the iConsole.
Smart tags: These enable you to categorize control events. You can assign smart tags such as Privileged content or Employment solicitation to a trigger. When the trigger activates, the tag is saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole or Data Management console.
Severity: These enable you to group policy triggers into bands based on their severity scores. By default, the severity bands are Low, Medium and High. For example, you may want to assign a high severity score to a trigger that detects serious violations of corporate rules. When the trigger activates, the severity score is saved with the resulting event. You can then search for events by severity in the iConsole or Data Management console.
Sampling Rate: Only available for e-mails. This enables you to capture a sample of events. For example, you may want to know how often a user sends e-mail to an external address such as hotmail. You do not need to capture every such e-mail, but perhaps just 1 in 10; each captured event then represents roughly ten e-mails actually sent. This saves space on the CMS and reviewers' time. Because the uncaptured e-mails leave no event, use sampling for measuring trends, not for triggers whose events you need as a complete record.
Minimum retention period: You can set minimum retention periods for each control trigger. This retention period determines how long the respective events are retained in the local database before they are eligible for purging.
Advisory message to users: For each control trigger, you can define a unique message that appears in the Blocking, Warning or Inform dialog or, for Data At Rest triggers, in replacement stub files. For example, this message can explain to users why a particular application or e-mail triggered a warning.
The key characteristics of Web, e-mail, Application Monitor, Data At Rest and Data In Motion control triggers are summarized below. The complete range of triggers is summarized on page 143.

Web page control triggers
Some triggers activate when a user browses to a specified Web page. Other triggers activate when a user tries to upload a file or submit data (for example, a password or credit card number) to a Web site. Each trigger also includes:
Keystrength exemptions: The Keystrength Exemptions setting lets you block users from accessing insecure Web sites. If you set a keystrength exemption for a control trigger, Web sites or data submissions are blocked only if they use a key strength lower than the minimum value specified by this setting.

E-mail control triggers
Some triggers activate when a user tries to open or send an e-mail that contains prohibited or sensitive information. Others activate because the e-mail contains an unauthorized attachment, or because it appears to be transaction-related. Each trigger also includes:
Data Lookup exemptions: Each e-mail control trigger includes a Data Lookup Command setting. This lets you target e-mails with particular attributes, using the same User Attribute, Address Book and Message Attribute lookups as e-mail capture triggers. For example:
- Message Attribute lookup: These lookups assess each e-mail for its potential impact on network traffic. For example, they can block e-mails if they are too big.
Encryption exemptions: The Encryption Filter setting lets you exempt encrypted or non-encrypted e-mails. For example, you can use this filter to block non-encrypted e-mails but ignore encrypted e-mails.
Digital signature exemptions: The Digital Signature Filter setting lets you exempt signed or unsigned e-mails. For example, you can use this filter to block unsigned e-mails but ignore signed e-mails.
Disable integration with specific e-mail sources: The Which E-mail Source? setting lets you disable Orchestria APM integration with specific e-mail applications or import sources. If Orchestria APM detects e-mails sent or opened using the specified application, or imported from the specified source, the trigger cannot activate.
Categorization: You can configure the Message To Users setting to specify one or more categories. If the trigger activates and invokes a categorize control action, the categories are stored with the e-mail on the CMS.

Application Monitor control triggers
Application Monitor triggers activate when Orchestria APM detects that a user is running a particular application. You can define applications by their executable name and path, or by the Version Information in the executable properties (this lets you identify applications by their familiar product name rather than their less familiar executable name, for example, Netscape rather than netscp.exe).

Data At Rest control triggers
These triggers analyze files scanned by the File Scanning Agent (FSA) or imported onto the CMS by an Import Policy job. The triggers activate if a file has a specific format (for example, a Microsoft Word document) or file name, or because its text content matches the specified trigger criteria. Each trigger includes:
Search Text: The Search Files? setting determines whether to search the text content of the file.
Document Classification: The Use Document Classification? and Which Document Classifier? settings let you make the trigger dependent on a specific document classification.
File lists, for top level files and embedded files: The Which Top Level File List? setting lets you check for names of normal files or zip files. The Which Individual or Embedded File List? setting lets you check for named files contained within a zip file or embedded in a master file.
Unreadable Text: The Activate Trigger if Text Content Unreadable? setting lets you configure Orchestria APM to detect files with unreadable text (for example, because the file is encrypted or password-protected).
File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:
- File Scanning Agent: The File Scanning Agent (FSA) can scan designated folders (including Microsoft Exchange Public Folders) and allows policy engines to apply Data At Rest triggers to files in those folders.
- File Importer: You can import files into the CMS using Event Import or Import Policy.
- External Agent API for File: You can use the External Agent API to extract files from third party archives and import them into the CMS via Event Import.
Data Lookup exemptions: The Data Lookup Command setting supports XML Attribute data lookup and lets you target files with particular attributes:
- XML Attribute lookup: Triggers can examine and capture files based on their metadata attributes (this metadata is stored in XML format). For example, file metadata includes the file's creation and modified dates, and its name, path and title.
Replacement stub files: You can configure triggers to replace deleted files with an explanatory stub file. This stub file contains an explanatory message, specified in the Message To Users setting.
Categorization: You can also configure the Message To Users setting to specify one or more categories. If a trigger activates and invokes a categorize control action, the categories are stored with the file event on the CMS.

Data In Motion control triggers
These triggers can detect files being printed or copied to a USB device (removable drive), and files entering or leaving the corporate network. Specifically, these triggers are used by the Client Print System Agent (CPSA), Client File System Agent (CFSA), and the Network Boundary Agent (NBA). For the CPSA and CFSA, the triggers can activate if the user tries to use a specific printer or USB device. Other trigger criteria can check the file name and analyze its text content. Each trigger includes:
Document Classification: The Use Document Classification? and Which Document Classifier? settings let you make the trigger dependent on a specific document classification.
Search Text: The Search Files? setting determines whether to search the text content of the file.
File lists, for top level files and embedded files: The Which Top Level File List? setting lets you check for names of normal files or zip files. The Which Individual or Embedded File List? setting lets you check for named files contained within a zip file or embedded in a master file.
Unreadable Text: The Activate Trigger if Text Content Unreadable? setting lets you configure Orchestria APM to detect files with unreadable text (for example, because the file is encrypted or password-protected).
File Sources: The Which File Sources? setting lets Orchestria APM monitor specific file sources:
- Client Print System Agent: This agent detects files or documents sent to a local or network printer.
- Client File System Agent: This agent detects files or documents being copied to USB devices (removable drives).
- Network Boundary Agent For File: The Network Boundary Agent (NBA) monitors files leaving your corporate network or arriving from the Internet.
Data Lookup exemptions: The Data Lookup Command setting supports XML Attribute data lookup and lets you target files with particular attributes:
- XML Attribute lookup: Triggers can examine and capture files based on their metadata attributes (this metadata is stored in XML format). For example, file metadata includes the file's creation and modified dates, and its name, path and title.
Categorization: You can also configure the Message To Users setting to specify one or more categories. If a trigger activates and invokes a categorize control action, the categories are stored with the file event on the CMS.

Control actions
Settings in the control action determine what type of control event is generated. Specifically, the Intervention setting determines whether to: block an instance of e-mail, file, Web or application activity; simply warn or inform the user; silently record the user's behavior; categorize e-mails or files; or, in the case of Data At Rest file events, silently remove or replace the user's files. The Intervention setting is the pivotal determinant in the control action. For full details, see page 220.
A control action can be invoked by any control trigger. There are multiple control actions, allowing you maximum flexibility to configure the actions associated with any blocking or warning. You can also give a unique name to each action, enabling you to quickly recognize the nature of the control event in the iConsole or Data Management console. Each control action automatically captures basic details such as the type of control event (for example, a blocking), when the event was captured and the user associated with the event. You can also specify simultaneous capture actions to fully capture the associated e-mail, file, or Web page, or to record application usage details. Note: Control events are described in full on page 217.

Web page control actions
Web page control actions determine how Orchestria APM handles attempts to browse particular Web pages, upload specific files, or submit data to a Web site. In addition to the Intervention setting, each Web page control action can:
Redirect users: If a control action results in a blocking or heeded warning, any user trying to browse an unauthorized Web page is automatically sent to an alternative URL such as your intranet.
Capture Web activity: When a control trigger activates, Orchestria APM automatically records the basic event details, but you can specify a capture action to capture the Web page content, images, uploaded files or submitted form data.

E-mail control actions
E-mail control actions determine how Orchestria APM handles e-mails and attachments. Separate actions are available for incoming and outgoing e-mails. In addition to the Intervention setting, each control action covers:
Forwarding e-mails: If required, you can forward any e-mail that activates a control trigger to another address. For example, you can forward copies of inappropriate e-mails to a manager. The alternative recipient receives a standard notification with the original e-mail included as an attachment.
Capturing e-mails and attachments: When a control trigger activates, Orchestria APM automatically records the basic event details (the user name, the time of the blocking, and so on). You can also specify a capture action to capture the e-mail body text and any attachments plus, for incoming e-mails, the Internet mail header.
Deleting or replacing e-mails: For incoming e-mails only. If an e-mail is blocked or canceled by the user (by clicking Cancel in a warning dialog), you can delete the e-mail from the recipient's Inbox. Or you can keep the e-mail in the recipient's Inbox but replace its body text with a standard notification.
Automatic replies: For incoming e-mails only. If an e-mail is blocked or canceled by the user (by clicking Cancel in a warning dialog), you can send an automatic reply to the sender, using a customizable explanatory message. Bear in mind that such a reply tells an external sender that their e-mail was blocked.
Address Modification of Authorized E-mails: For outgoing e-mails only. If required, you can move all recipients (or just the external recipients) to the Bcc field of an outgoing e-mail before it is sent, to ensure it complies with your organization's regulations. Note: If you move recipients to the Bcc field, the e-mail is flagged accordingly and this information can be seen when reviewing the event in the iConsole or Data Management console.

Application Monitor control actions
Application Monitor control actions determine how Orchestria APM handles attempts to start particular applications. In addition to the Intervention setting (which determines whether to block the application, or warn or inform the user), each control action also contains a setting that lets you capture application usage details (key presses, mouse clicks, and so on).

Data At Rest control actions
Data At Rest control actions use the Intervention setting to silently remove, replace, or categorize targeted files. Each control action also covers:
Copying files: When a control trigger activates, you can configure Orchestria APM to save a copy of the file in another location. Note: If a file with the same name already exists in the given location, Orchestria APM takes the action specified by the Copy Conflict Resolution setting. Because this location accumulates the files that matched policy, restrict access to it to reviewers.
- Copy Conflict Resolution: This defines what action Orchestria APM takes if a file with the same name already exists in the location where the file will be copied to. Orchestria APM can discard the new file and retain the existing file, overwrite the existing file with the new file, or create an additional copy of the new file with a numeric suffix in the file name. Discarding loses the file that just matched policy and overwriting loses the earlier one; only the numeric-suffix option keeps every copy.

Data In Motion control actions
These control actions apply to files being printed or copied to a USB device (removable drive), and files entering or leaving the corporate network. They use the Intervention setting to block or categorize targeted files, or (if a user tries to print a file or copy it to a USB device) to inform or warn the user.
Transaction settings
Triggers determine when Orchestria APM captures a transaction. The single transaction action determines how Orchestria APM handles any captured transactions.
[Policy tree: User Policy > Transactions > Web Page Triggers, Incoming e-mail Triggers, Outgoing e-mail Triggers, Transaction Action]

Transaction Triggers
You define the triggers that start a transaction capture, based on Web page or e-mail characteristics. For example, you can base triggers on automatic analysis of Web page content or automatic detection of credit card numbers. Each trigger includes:
Unique trigger name: You can give a unique name to each Transaction trigger. Trigger names let you quickly recognize the reason for the capture.
Policy class: You can associate each Transaction trigger with a policy class. When a trigger activates, the policy class is saved in the trigger record attached to the resulting event. Reviewers can then search for events by their policy class in the iConsole.
Smart tags: These settings enable you to categorize transactions. You can assign smart tags such as Personal shopping or IT purchase to all triggers. When the trigger activates, the tag is saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole.
Minimum retention period: You can set a unique minimum retention period for each Transaction trigger. This determines how long captured events are retained in the local database before they are eligible for purging.
Typically, these triggers display a Confirm Transaction dialog, which prompts users to supply the relevant details. One trigger type, Transaction Detector, explicitly identifies transactions in progress and can extract data such as the transaction total and supplier reference without prompting. Warning: If the Transaction Detector trigger is disabled, you cannot automatically capture transaction details. The complete range of triggers is summarized on page 143.

Web page transaction triggers
Some triggers activate when a user browses to a specified Web page. Other triggers activate when a user tries to upload a file or submit data (for example, a password or credit card number) to a Web site.

E-mail transaction triggers
Some triggers activate when a user tries to open or send an e-mail that contains prohibited or sensitive information. Others activate because the e-mail contains an unauthorized attachment, or because it appears to be transaction-related. Each trigger includes:
Encryption and trigger exemptions: The Encryption Filter setting lets you exempt encrypted or non-encrypted e-mails. For example, you can use this filter to block non-encrypted e-mails but ignore encrypted e-mails.
Digital signatures and trigger exemptions: The Digital Signature Filter setting lets you exempt signed or unsigned e-mails. For example, you can use this filter to block unsigned e-mails but ignore signed e-mails.
Note: You can define maximum transaction values when you configure the control triggers for Web pages and outgoing e-mails. See pages 143 and 144.

Transaction Action
There is a single transaction action that determines how Orchestria APM handles captured transactions. It covers the following areas:
Name: You can give a unique name to this action. The name enables you to quickly recognize the nature of the transaction event. It appears in the Summary tab.
User input: You can make the capture process wholly automatic, or you can allow users to manually change or confirm transaction details that were captured automatically.
Cancelations and exceptions: You can allow or prevent users from canceling captured transactions. Or you can allow users to mark a captured transaction as an exception. If marked as an exception, its details are captured but the transaction is excluded from all statistical analysis in the Executive console.
Transaction items: You can configure how Orchestria APM handles individual items of captured transaction data (see the list of items below). For each item, you can:

Transaction items
The full range of transaction items supported by Orchestria APM is shown below.
Total: The total value of the transaction, including any taxes and applicable shipping costs.
Currency: The currency in which the transaction was conducted.
Shipping: The shipping amount (included in the Total).
Tax: The tax amount (included in the Total).
Payment method: The method of payment, for example credit card or bank transfer.
Payment details: Supplementary payment details such as a credit card number or a bank account number.
Supplier reference: The transaction reference code provided by the supplier, such as an order number or invoice number.
Your reference: Your own reference code for the transaction.
Description: A brief, user-supplied description of the transaction.
Comments: Additional, user-supplied comments about the transaction.
System settings
This policy folders contains various settings to control how Orchestria APM operates.
User Policy [Spencer Rimmel] Capture Control Transactions System Settings Extensions
Application Monitor: This controls the timeout for application events, which in turn determines the interval at which application usage details (mouse clicks and key presses) are recorded. Initialization: These settings control initialization of Orchestria APM when users log on. In particular, the Infrastructure Failure setting controls how Orchestria APM responds when the infrastructure fails to start. You can specify that only Orchestria APM is disabled (for example, capture and control triggers stop working) or you can disable Orchestria APM plus all browser and e-mail applications integrated into Orchestria APM (this prevents users running their browser or e-mail applications until the infrastructure restarts). User Notifications: These settings determine the titles for notification dialogs, for example, when user activity triggers a blocking, warning or inform event, or when Orchestria APM detects a transaction. They also determine the subject and body text for notification e-mails containing a forwarded e-mail. Definitions: These settings enable you to specify the following definitions:
Document Classifications: These settings enable Orchestria APM to detect specific types of document, for example, sales proposals, contract agreements, or airline Web sites. Generic classifications use parameter settings to identify document types defined by you. For full details, see chapter 7 Categorizing, tagging and classifying events. Sensitive Information Handling: These enable you to conceal captured passwords and credit card numbers so they are not readable in the Data Management console. Transactions: These settings enable Orchestria APM to identify and group together all e-mails or Web pages that collectively make up the full context of a single transaction. For example, a single transaction may include catalog and checkout Web pages, plus a subsequent e-mail receipt. Policy settings cover the following areas:
141
` Additional Long Domain Endings: Orchestria APM uses e-mail address patterns to identify 'long domains' when extracting the domain element from an SMTP address. Long domains are defined as comprising three segments after the @ symbol, for example, lsteel@unipraxis.co.uk. You can also supplement this list in the user policy; to do this, edit the Additional Long Domain Endings setting in the Definitions folder. ` Archive File Extensions: Files whose names match
any of the values in this list are recognized by Orchestria APM as archive files and therefore included in the %allarchives% variable, if used. For example, the file Sales Figures.zip matches a value of *.zip in this setting.
Decompressed zip files: This setting can alleviate performance slowdowns when searching the text content of zipped files. It specifies the maximum total size for decompressed zip files. Orchestria APM does not analyze files that would, if decompressed, take the cumulative total size of the decompressed zip file above this limit. E-mail distribution lists: This setting can alleviate processing delays when sending e-mails to very large distribution lists or large numbers of recipients. It can limit the volume and type of recipient information retrieved from the e-mail server. For details, see page 329. File size: This setting can alleviate processing delays when processing files. It can specify the maximum size of files to be processed. Process e-mails on arrival: This setting can alleviate operating delays when new e-mails arrive. It can prevent Orchestria APM from processing incoming e-mails until the user tries to open them. Retrieve full sender and recipient details: These settings can alleviate processing delays when receiving and reading e-mails, or when sending e-mails to large numbers of recipients. They can specify that Orchestria APM only retrieves basic information for each recipient or recipient from the user directory and does not retrieve other details such as e-mail address aliases. i
The term user directory is used to mean directories such as Active Directory and Domino Server. These directories hold e-mail address information for the organization.
` User Definitions: Orchestria APM enables you to set up custom variables. Also known as replaceable strings, user definitions are variables that can be referenced by any settings in the current user policy that have a text value (for example, trigger names, address lists, search text lists, messages to users). For example, you can define a 'Version' user definition and reference this as %Version% in any Trigger Name setting.
Enable application integration: This setting can enable or disable integration with specific applications. If integration is disabled, Orchestria APM does not monitor that application and the associated capture and control triggers will never activate. For example, if you disable integration with Microsoft Outlook in the policy for a specific user group, Orchestria APM does not monitor Outlook inboxes or outboxes for members of that group.
Web page buffer size: This setting can prevent a performance slowdown when capturing Web pages. It specifies a maximum buffer size for each user. See page 200. Nested zip files and embedded e-mails: These settings can alleviate performance slowdowns when searching the text content of zipped files or e-mails embedded inside another e-mail. They specify the maximum depth of nesting; Orchestria APM does not analyze nested files or embedded e-mails beyond this depth.
Store e-mail class: This setting determines specifies whether Orchestria APM extracts and stores the message class of captured e-mails. Doing so enables reviewers to search for or, more importantly, exclude from searches specific categories of e-mail such as delivery receipts or meeting requests. Data lookup command time-outs: To ensure that e-mails are not delayed unnecessarily, you can specify lookup time-outs for e-mail control triggers that use User Attribute lookup commands.
Extensions
These settings determine what Orchestria APM functionality is available or visible in a user's browser or e-mail application.
[Screenshot: User Policy tree for user Spencer Rimmel, showing the Capture, Control, Transactions, System Settings and Extensions folders]
E-mail: You can show or hide the capture button in the toolbar of a Microsoft Outlook message window. In effect, this allows or prevents users from manually capturing e-mails. You can also choose when to warn users that their e-mail activity may be monitored.
Note: Manual e-mail captures are only available to Microsoft Outlook users. They are not available in other e-mail applications.
Browser: You can show or hide the Orchestria APM capture lights in the status bar. These indicate to users when, for example, a capture is in progress. They also allow access to a context menu that permits users to manually capture Web pages. You can also choose when to warn users that their Web activity may be monitored.
[Figure: Orchestria APM capture lights. These light up to indicate: 1 Capture in progress. 2 Transaction detected. 3 XML detected. 4 Right-click to view the Orchestria APM context menu.]
Document Classifier: These triggers capture Web pages and uploaded files if they match a particular document classification. You select the classification, and you specify which Web sites and uploaded files are checked against this classification.
Content Agent: These triggers activate when a content agent identifies a specific type of document based on its text content. Specifically, they activate if the agent detects a Web page or uploaded file whose text content matches a predefined categorization.
Note: Content agent triggers are available only if explicitly included in your license agreement. For details, see chapter 13, Content agents.
URL: These triggers activate if a user browses to a specified URL (these include trigger URLs based on wildcards; see page 108).
Secure Sites: These triggers activate if a user browses to a secure Web page, that is, a page that uses HTTPS.
Submitted Credit Card: These triggers activate if a user submits a specified card number to a specified Web page.
Submitted Search Text: These triggers activate if a user submits specified text to a specified Web page. This includes text that a user types in an HTML form, items selected in a form menu, or any text associated with a form control.
HTML Password: These triggers activate if a user submits a password in an HTML form.
File Upload: These triggers activate if a user uploads a file containing specified text to a specified Web site. You specify which file types are checked. These triggers can also be configured to activate automatically if the uploaded file is encrypted or password-protected.
Content Search Text: These triggers activate when key words or phrases are detected on a specified Web page.
Transaction Detector: These triggers are activated by automatic analysis of the page content to detect possible transactions. You define which Web sites are analyzed. You can also restrict the trigger so it activates only if the Web page matches a specified document classification.
- In the Control folder, you can also specify maximum transaction values for these triggers. If a detected transaction exceeds this value, a blocking or warning is triggered.
- In the Transaction folder, these triggers can automatically extract items of transaction data, such as the transaction total or the supplier reference.
Manual: This is a Capture trigger only. It activates when a user manually captures a Web page.
E-mail triggers
This section lists the full range of triggers for both incoming and outgoing e-mails. Unless stated otherwise, all are available in the Capture, Control and Transactions policy folders.
Sender: Incoming e-mails only. These triggers activate if an incoming e-mail is sent from a specified address. If required, you can filter the triggers for encrypted or digitally signed e-mails.
Recipient: Outgoing e-mails only. These triggers activate if an outgoing e-mail is sent to a specified address. If required, you can filter these triggers for e-mails that are encrypted or digitally signed.
Credit Card: These triggers activate if an e-mail contains specified credit card numbers. You specify which sender or recipient addresses trigger a check for these numbers.
Search Text: These triggers activate if an e-mail contains specified text or omits specified text (for example, a disclaimer omitted from an outgoing e-mail). You specify which sender or recipient addresses trigger a check for this text.
Attachments: These triggers detect e-mail attachments. The trigger can look for attachments with specific file names, or which contain specific words or phrases. You specify which sender or recipient addresses trigger a check for attachments. Triggers can also be set to fire automatically if an attachment is encrypted or password-protected.
Content Agent: These triggers activate when a content agent identifies a specific type of document based on its text content. Specifically, they activate if the agent detects an e-mail or attachment whose text content matches a predefined categorization.
Note: Content agent triggers are available only if explicitly included in your license agreement. For details, see chapter 13, Content agents.
Control triggers for outgoing e-mails also let you specify maximum transaction values. You can then block transactions that exceed this value.
Note: These triggers do not search attachments. They only look for transaction evidence in the e-mail body.
Manual: This is a Capture trigger only. It determines which action is invoked when an Outlook user manually captures an e-mail.
Note: Manual e-mail captures are only available to Microsoft Outlook users. They are not available in other e-mail applications.
Application: These triggers activate when Orchestria APM detects a specific application running in a window with, optionally, a specific title. For details, see page 130.
Document Classifier: These triggers activate if an e-mail or attachment matches a particular document classification. You select the classification, and you specify which e-mails and attachments are checked against this classification. For control triggers only: if an e-mail matches the document classification, you can block the e-mail or display a warning based on the presence or absence of specific words or phrases. For example, you can block outgoing e-mails if they do not contain your corporate disclaimer; see page 177.
File: These triggers activate when Orchestria APM detects a file that meets specified conditions. These include files with specific names or formats, files whose text content matches the specified trigger criteria, or files with specific attributes.
Transaction Detector: These triggers activate if they detect transaction-related correspondence, such as an e-mail receipt. You define which sender or recipient addresses trigger a check for transaction evidence. You can also restrict the trigger to only fire if the e-mail matches a specified classification.
File: These triggers can activate if the user tries to use a specific printer or USB device. Other trigger criteria can check the file name, analyze its text content and look for files with specific attributes.
Machine policies
Settings in the machine policy determine how Orchestria APM computers manage their database of captured transactions, e-mails and Web pages.
[Screenshot: Machine Policy tree for machine CMS-HARDY, showing the Infrastructure, Security, Data Management, Replication, Logging, E-mail, User Identification, Policy Engine, Central Management Server and Client File System Agent folders]
On client machines, this applies only to policy data. You cannot encrypt captured data such as transactions, e-mails, or Web pages. These settings also determine whether user logon credentials are cached. This enables a user to skip the console logon dialog if that user has already successfully logged on to the CMS during the current session.
Data Management
These settings cover database management on Orchestria APM machines. They determine whether data compression is used, how often the local database is purged, and how Orchestria APM handles free disk space.
Note: Client File System Agent triggers are only available on the Common client machine.
Centera Integration: These settings cover the optional parameters to configure the integration of your Centera device. For example, they determine the number and size of BLOB files stored in a Centera device, and the method used to calculate the Content Address from BLOB files.
Compression: If required, you can compress stored data on Orchestria APM servers and client machines. Specifically, you can compress the blobs (Binary Large Object files) containing policy data and, on the CMS and gateways, captured data.
Event purging: For each machine, you determine the frequency and time of each purge, plus the minimum period that captured events are retained before they are earmarked for purging. Other settings provide further control over purge operations. For example, you can choose to suspend the Orchestria APM infrastructure during purge operations or you can specify a purging timeout. See page 83.
Note: The purge settings are particularly important, and are closely linked with the Replication settings; see below. The significance of these settings is discussed on page 80.
Infrastructure
The Orchestria APM infrastructure is a collection of software components that enable Orchestria APM computers to operate, communicate with each other, and protect confidential data. The infrastructure policy folder includes the following subfolders.
Security
These settings determine when Orchestria APM uses encryption. They apply to records in the machine's database and data transfers across the network. You can also specify the thresholds (the volume of encrypted data or an elapsed time period) that trigger an automatic change to the encryption key. On the CMS and gateways, you can cause all database records to be encrypted. These include user and machine account and policy details for each user and machine, plus all captured data.
Free disk space: For each machine, you can specify a warning level and an error level of free disk space. You can also specify how often free disk space is checked. When free disk space falls below the warning level, Orchestria APM adds a series of warnings to the Audit log file. When free disk space falls below the error level, the Orchestria APM infrastructure is suspended. For details, see page 74.
Remote Data Management: These settings cover the optional parameters to configure the integration of the temporary object store. For example, you can configure how long events remain in the object store before being deleted. For details, see the Deployment guide.
Notification of infrastructure changes: You determine how often client machines and the CMS notify each other of new infrastructure changes such as policy edits or user account updates. When the recipient machine receives this notification, it determines if it needs the update; if so, it requests the details. As soon as the recipient machine has processed the notification, the sender machine stops sending notifications.
Compression: If required, you can compress policy data and captured data before transmitting it across the network between Orchestria APM machines.
Replication over slow links: You can disable the replication of captured data when the connection to the CMS or Gateway is over a Wide Area Network or dial-up (modem) connection.
Logging of replication failures: You can specify how soon Orchestria APM begins logging failures by a source machine to contact its target machine.
Batch size of captured data and infrastructure data: When a child machine replicates captured data to its parent server, or when a parent server replicates infrastructure changes (such as policy updates) to a child machine, the data is sent in batches to conserve network bandwidth. These settings specify the maximum number of KBytes in each batch.
Note: It is very unlikely that you will ever need to change the default batch sizes.
Replication
These settings determine how often Orchestria APM machines send notification of newly captured data or local infrastructure changes. These notification messages act as triggers for data replication between Orchestria APM machines. These settings also cover connection management on CMSs and gateways, logging of replication failures, and replication over a WAN or dialup connection.
Connection management: Available for CMSs and gateways only. These settings cover connection management on a CMS or gateway server. They determine the maximum number of simultaneous connections to client machines, and the maximum number of days that infrastructure changes intended for offline client machines are retained in the CMS cache (the 'cache timeout') before being purged.
Note: Any offline client machines that fail to reconnect to the CMS and retrieve the latest infrastructure changes before the cache timeout expires are flagged as 'out-of-sync'. When an out-of-sync machine next reconnects to the CMS or gateway, it automatically resynchronizes all of its infrastructure data.
Replication holding cache: You can set up scheduled operations to automatically move events out of the replication holding cache at regular intervals. For details, see the Deployment guide; search the index for reset the replication holding cache.
Notification of captured data: You determine how often a client machine notifies the CMS about newly captured data. When the CMS receives this notification, it transfers the captured data from the client to the CMS and the client stops sending notifications.
Note: When configuring the Replication settings, it is important that you take account of the purge settings in the Data Management folder; see page 145.
Logging
Orchestria APM can generate Activity, Replication, System, User Administration, Event Import, Account Import and Content Services logfiles. These settings control which infrastructure operations are logged. You can specify:
- Which operations are logged, for example, policy changes and logins.
- The maximum number and size of logfiles. The maximum number applies separately to each type of logfile (that is, for each type of logfile you can generate files up to the maximum number).
- Whether entries in Orchestria APM logfiles are also copied to the NT Event Log. You can specify which categories of message are copied. For example, you can choose to only copy errors and warnings.
Further configuration is possible for Activity, Replication, System and User Administration logfiles:
Activity logs: Logged events include user and machine logins, the creation of any new policies, plus updates to policies currently active.
System logs: These record any infrastructure errors while the Orchestria APM service is running. Under normal conditions, this log file is empty.
Note: Any errors detected when the Orchestria APM service starts up are written to the file
Replication logs: Logged events include incoming infrastructure changes and captured data, replicated to the current machine from another Orchestria APM machine. You can log either or both event types.
- Infrastructure log entries include changes to user and machine accounts or general policy updates.
- Captured data log entries include any captured or imported e-mails, Web pages or IM events, plus any blockings or warnings.
User Administration logs: These record any changes made to user accounts or groups. Previously, these entries were added to the Activity logfile, but now you can specify where they are logged; see page 90.
Filter
This setting is for Event Import operations.
User filter: This setting enables you to modify Event Import operations to exclude or only include users with specific account attributes. For example, if your user accounts include a Country attribute, you can configure import jobs to only import e-mails owned by users in a specific country.
Note: For full details about filtering Event Import operations, please refer to the Deployment guide; search the index for filtering event import operations.
Account Import
These settings are for Account Import operations.
Maximum Number of Threads: This setting specifies the maximum number of concurrent 'worker' threads used by Account Import.
Auto-commit threshold: This setting specifies the total number of database operations that can be performed by all transactions before they are all committed to the database.
Note: When a transaction is successfully completed, it releases any DBMS locks.
Retry count for aborted transactions: This setting specifies the maximum number of times Account Import will try to roll back and retry an aborted transaction. If this limit is reached, Account Import fails and an error message is written to the log file.
Note: An error message is also written to the Account Import log file at the time the transaction aborts.
Diagnostics
These settings determine how Orchestria APM servers collect diagnostic data from child machines and how often replication checkpoints are sent to child machines. They allow you to configure operations to minimize network impact.
Checkpoints: These settings determine when and how often Orchestria APM generates replication checkpoints; see page 87. You can also specify how many days checkpoints and their acknowledgments are retained on the CMS.
Data Collection Time: You can specify when, or how often, data is collected, and how long the CMS or gateway spends collecting diagnostic data (this enables you to limit the network impact).
Number of Collection Threads: To minimize network impact, diagnostic data is collected as part of the normal communications between a parent and its child machines. But if there has been no communication between these machines during the collection period, this setting creates additional threads to actively collect this diagnostic data.
Session Record Expiry Period: This setting is used to rectify inaccurate session records identified when processing the diagnostic data. If diagnostic data indicates a machine has not been running for longer than this expiry period, all open machine and user sessions for this machine are updated to the Logged Out state.
Disable Caches: You can specify that details retrieved from the CMS database for Data Lookup operations are not cached.
Disable Preload: Orchestria APM can start to preload the Data Lookup cache with information from the CMS database before running any lookup operations. This can speed up subsequent Data Lookup operations, as the information is already stored locally. You can specify that this preload be disabled.
Maximum Entries: Specify the maximum number of entries in the Data Lookup caches.
Maximum JVM Memory (Percent): Specify the maximum percentage of JVM memory that each individual cache will use.
Policy Engines
These settings configure the local policy engine. Before running a policy engine, you need to specify how many policies it can hold at one time, how many events it can process simultaneously, and how it handles unrecognized users.
Default Policy for Files: This setting specifies the name of an Orchestria APM user. A policy engine will apply this user's policy to scanned, captured or imported files if no other means are available to determine the policy participant. For example, if an Import Policy job or FSA scanning job omits to specify the policy participant, or if the specified user account does not exist, the policy engine applies the Default Policy for Files to the imported or scanned files.
Unknown Internal Sender: Policy engines use this setting to apply policy to e-mails sent from unrecognized users within your organization. For example, this can happen if a new recruit has an account in Active Directory but no Orchestria APM account has been created for them yet. The setting specifies the name of an Orchestria APM user. It defaults to UnknownInternalSender; this account is created automatically when you install a CMS. The policy engine applies this user's policy if the sender's address is internal (that is, it matches an Internal E-mail Address Pattern; see below) but no corresponding Orchestria APM user account exists.
Other settings
Maximum Number of Loaded Policies: You can optionally define the maximum number of user policies that the policy engine can hold in its memory at one time. Because each policy requires a significant amount of memory, this setting can prevent excessive memory usage.
Maximum Number of Concurrent Operations: You can optionally define the maximum number of e-mails that can be processed simultaneously by a policy engine. This can prevent a performance slowdown on heavily loaded policy engines.
Perform LDAP directory lookups? This setting is provided for diagnostic purposes only. It specifies whether the policy engine can retrieve e-mail address details and distribution list members from an LDAP directory. We strongly recommend that you do not change this setting!
External Sender: Policy engines use this setting to apply policy to external e-mails, that is, e-mails sent from someone outside your organization. The setting specifies the name of an Orchestria APM user. It defaults to ExternalSender; this account is created automatically when you install a CMS. The policy engine applies this user's policy if the sender's address is external (that is, it does not match an Internal E-mail Address Pattern; see below).
Internal E-mail Address Pattern: This setting specifies a list of internal e-mail address patterns. If a user is not recognized, policy engines use this setting to determine whether to apply the Unknown Internal Sender or External Sender policy. Similarly, Address Book (MAPI) lookup operations are only performed for recipients with internal addresses.
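The sender-resolution rule described above (recognized user, Unknown Internal Sender, or External Sender), as an added Python example that is not Orchestria code. The wildcard pattern syntax, the sample pattern list and the sample user directory are assumptions; only the two default account names come from the manual.

```python
import fnmatch

# Default Orchestria APM accounts created automatically when a CMS is installed.
UNKNOWN_INTERNAL_SENDER = "UnknownInternalSender"
EXTERNAL_SENDER = "ExternalSender"

# Constructed sample data (not from the manual): an Internal E-mail Address
# Pattern list and a dict standing in for the CMS user account directory.
INTERNAL_PATTERNS = ["*@example.com", "*@*.example.com"]
KNOWN_USERS = {"alice@example.com": "Alice Example"}


def is_internal(address, patterns=INTERNAL_PATTERNS):
    """True if the address matches any Internal E-mail Address Pattern.

    Assumption: patterns use shell-style wildcards such as '*@example.com';
    the manual does not state the pattern syntax. Matching is case-insensitive
    because e-mail addresses are compared that way in practice.
    """
    addr = address.strip().lower()
    return any(fnmatch.fnmatchcase(addr, p.lower()) for p in patterns)


def sender_policy_user(sender, users=KNOWN_USERS, patterns=INTERNAL_PATTERNS):
    """Return the Orchestria APM user whose policy applies to an e-mail from `sender`.

    A recognized sender gets their own policy. An unrecognized sender gets the
    Unknown Internal Sender policy when the address matches an internal pattern
    (for example a new recruit with no APM account yet), otherwise the External
    Sender policy.
    """
    addr = sender.strip().lower()
    if addr in users:
        return users[addr]
    if is_internal(addr, patterns):
        return UNKNOWN_INTERNAL_SENDER
    return EXTERNAL_SENDER


def address_book_lookup_needed(recipient, patterns=INTERNAL_PATTERNS):
    """Address Book (MAPI) lookups are only performed for internal recipients."""
    return is_internal(recipient, patterns)
```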
Embedded Message Identification: This setting enables policy engines to detect embedded content e-mails (that is, EML e-mails containing embedded IM conversations, Bloomberg messages or other communications such as eFaxes). It enables policy engines to set the event type as embedded IM, Bloomberg, or eFax and, for IM conversations, to extract or set the IM network.
Retention Period for Unused Policies: This setting defines the frequency of policy timeouts, that is, the amount of time a policy engine retains a policy that has not been used. After this period of time, the policy is unloaded.
Deadlock Detection Timeout: This setting is designed to maintain processing capacity. It specifies how long a thread must be inactive before the policy engine considers the thread to have stalled and creates a new processing thread.
New user accounts: These settings determine how the CMS handles logon attempts by new users who have no account on the CMS.
Note: See the domain prefix requirement for
New machine accounts: These settings determine how the CMS handles the Orchestria APM infrastructure starting on machines that are not registered with the CMS.
Default group for new users: You can specify whether client machines are permitted to specify a default parent group for new Orchestria APM users created automatically on the client.
Single sign-on: This setting determines whether users skip the logon dialog when they start up an Orchestria APM console. For details, see page 67.
Undelete user accounts: This setting determines whether a previously deleted user account can be recreated if a new user is created with a matching user name. For details, see page 47.
Move groups: This setting defaults to False and determines whether user groups can be moved within the group hierarchy.
Caution: Changing this setting to True can potentially cause management group security issues! For details, see page 42.
Prohibit password characters: This setting determines which characters are not allowed as part of a user-created password within the Administration console, Data Management console, or iConsole.
Default Action for Listed USB devices: This setting determines how the CFSA handles attempts by a user to copy files to any USB device included in the USB Device List. The available actions are:
- Allow write access: The user is permitted to save or copy files directly to unlisted USB devices. Policy is not applied.
- Read only: The user is not permitted to copy files to unlisted USB devices (unless they are using a trusted application). Policy is not applied.
- Apply User Policy To File: If the user attempts to copy or save a file to a listed USB device using:
Trusted Applications List: These are applications that are exempted from CFSA control. That is, users are always permitted to copy files to USB devices (removable drives) using these applications.
Note: Trusted applications override any device filters. That is, a user can copy a file directly from a trusted application to a USB device, even if the default action for that device blocks such copy operations or applies policy to the file content.
USB Device List: This is a list of USB devices (removable drives) that require specific handling by the CFSA. You can either list the devices you want the agent to control or the ones you want it to ignore.
Default Action for Unlisted USB devices: This setting determines how the CFSA handles attempts to copy files to unlisted USB devices (that is, any other devices not in the USB Device List). The available actions are exactly the same as the default actions for listed USB devices (see Default Action for Listed USB devices).
chapter 7
events
This chapter describes the categorization, smart tagging, and Document Classification features in Orchestria APM.
E-mail and file categorization is a policy-based feature that enables Orchestria APM to assign an e-mail or file to one or more categories. Categories are specified in e-mail, Data At Rest and Data In Motion triggers and stored with the event as smart tags (see below). The categorization process can be automatic, assisted or manual. See page 154 for details.
Policy classes enable Orchestria APM to categorize an event captured when a specific trigger activates. Specifically, you can configure a trigger to capture or detect all e-mails (or attachments, files, or Web pages) with a particular theme and categorize them using a pre-defined hierarchy structure of 'solutions', 'classes' and 'policies'. The policy class is stored with the event metadata in the CMS database and can be used by reviewers searching for events in the iConsole. For details, see the Administration console online help; search the index for policy class.
Smart Tags enable Orchestria APM to tag an event when a trigger activates. Specifically, you configure a trigger to detect all e-mails or files with a particular theme and tag them accordingly, for example, as Personal Communication or Client-Attorney Privilege. Smart tags are saved with the event metadata in the CMS database and can be viewed subsequently in the iConsole by reviewers. See page 170 for details.
Severity scores enable Orchestria APM to group policy control triggers into bands based on their severity scores. By default, the severity bands are Low, Medium or High. For example, you may want to assign a high severity score to a trigger that detects serious violations of corporate rules. When the trigger activates, the severity score is saved with the resulting event. You can then search for events by severity in the iConsole or Data Management console. For details, see the Administration console online help; search the index for severity bands.
Document classifications enable Orchestria APM triggers to detect documents (e-mails, attachments, files and Web pages) with specific themes. For example, you can configure classifications to detect sales proposals or airline Web sites. Document classifications are configured in the user policy. See page 176 for details.
Selective archiving: Irrelevant communications such as out-of-office notifications and e-mail newsletters can be categorized accordingly and excluded from archiving, reducing storage requirements and increasing search performance.
Optimized storage: Precise categorization by, for example, purpose (business or personal) or regulatory implication, can allow archives to assign much more precise retention dates, eliminating the risk that a message is prematurely moved to offsite storage or even deleted.
Faster, more accurate event retrieval: With accurate categorization, the task of monitoring communications is transformed from a lottery based on random review to a process with pinpoint targeting. Now, reviewers can rapidly filter event searches to focus on events that truly merit individual attention.
- Automatically assign the e-mail or file to the most appropriate category, or
- Only available for e-mails and files or documents detected by client agents: Display the categories in a Categorize dialog. The user can manually choose the most appropriate category(ies). You can configure Orchestria APM to list all the possible categories, or only the most likely ones.
Categorize dialog
[Figure: This dialog is displayed when a client agent detects an e-mail, file or document that needs to be categorized. The user can select the most suitable category(ies). 1 Configurable explanatory message. 2 Available categories.]
Categorization methods
Orchestria APM will either select the most appropriate category automatically or allow the user to select a category, depending on the categorization method:
Fully automated categorization: Orchestria APM automatically assigns an e-mail or file to a single category or, if applicable, to multiple categories.
You can configure the Categorize dialog to allow the user to choose multiple categories (multi-select) or force them to choose a single category (single-select).
Manual categorization: Available only for e-mails, files or documents detected by a client agent. The e-mail sender, or the user attempting to print a document or save a file to a USB device, is permitted to choose from the full range of possible categories listed in a Categorize dialog. As for assisted categorization, you can configure the Categorize dialog for multi-select or single-select.
Assisted categorization: Available only for e-mails, files or documents detected by a client agent. A Categorize dialog permits the sender of an e-mail, or a user attempting to print a document or save a file to a USB device, to choose from a short list of categories deemed most plausible by Orchestria APM, or to confirm a category automatically selected by Orchestria APM.
Note that all categorization methods can be operational at the same time within a single user policy. That is, different triggers and control actions can specify different categorization methods, and the actual method used depends on which triggers activate.
Capture method: The first critical determinant is how the e-mail, file or document was captured:
• Client Agent Captures: For e-mails captured by an Outlook or Notes client agent, and files or documents captured by the Client Print System Agent or the Client File System Agent, Orchestria APM can display the Categorize dialog and allow the user to manually choose the most appropriate category (or categories).
• Other Captures: For e-mails captured by an Exchange or Domino server agent or the NBA, and files captured by the FSA or NBA, or imported as part of an Import Policy job, Orchestria APM must either categorize the file or e-mail automatically or assign no category. It cannot allow the user or sender to manually choose the category.
Category score: The second critical determinant is the category score. Each category specified in a trigger must have a category score (set by the policy administrator). Orchestria APM uses these scores to choose the most appropriate categories. Category scores are discussed below.
Category scores
Each category specified in a trigger must have a category score (set by the policy administrator). There are no upper or lower limits, but typical scores range from zero to 100. The category score is an indication of confidence; the higher the score, the greater the confidence that an e-mail fits the associated category. Orchestria APM uses these scores when assigning categories automatically or when assisting the sender to manually choose a category (or categories). The scores also determine the order in which categories are listed in the Categorize dialog. Briefly, if you set a category score to:
100 or higher: This indicates certainty. Such scores indicate to Orchestria APM that an e-mail or file definitely fits the associated category. Such categories are always stored with the associated event in the CMS database.
50 to 99: This indicates likeliness. Such scores indicate to Orchestria APM that an e-mail or file is likely to fit the associated category. If the highest scoring category is between 50 and 99:
Less than 50: These scores indicate some uncertainty (or possibility). If the highest scoring category is less than 50:
• For e-mails or files captured by a client agent, all categories are listed in the Categorize dialog. This is because, with all categories scoring less than 50, Orchestria APM cannot confidently determine the most likely categories.
• For e-mails or files captured by any other method, all categories are discarded. The event is saved on the CMS without an associated category because Orchestria APM cannot confidently determine what the category should be. Note that we recommend you include a None of the Above fallback category if all your categories score less than 50. For details, see page 160.
A summary table showing how category scores are handled is shown on page 158.
157
Fully automated categorization: For e-mails or files imported in an Import Policy job or detected by a server agent, the FSA or the NBA, Orchestria APM automatically chooses the highest scoring category, but only if the highest scoring category is 50 or above. If multiple categories score 100 or above, each of them is stored with the event. For e-mails or files detected by a client agent, categorization is automatic and the Categorize dialog is not shown if:
Assisted categorization: Available only for e-mails, files or documents detected by a client agent. Orchestria APM automatically lists all categories scoring between 50 and 99 in the Categorize dialog and omits from the dialog any categories scoring less than 50. This is because Orchestria APM infers that the higher scoring categories are the more likely and restricts the user's choice accordingly. For example:
Category             Score   Listed in Categorize dialog?
ISDA Confirmation    90      Yes; preselected
OTC Contract         80      Yes
Internal Memo        40      No
Expenses Claim       20      No
Personal             20      No
Humorous             20      No
None of the Above    0       No
Manual categorization: Available only for e-mails, files or documents detected by a client agent. If no category scores over 50 (that is, all are low scoring), all are listed in the Categorize dialog. For example, when specifying categories in your policy triggers, you may deliberately set very low category scores if you want to force users to choose a category manually. Note that we recommend you include a None of the Above fallback category if all your categories score less than 50. Setting the category score to zero for the None of the Above category ensures that it is always listed last in the Categorize dialog. For details, see page 160. For example:
Category             Score   Listed in Categorize dialog?
Internal Memo        40      Yes
Expenses Claim       20      Yes
Personal             20      Yes
Humorous             20      Yes
None of the Above    0       Yes
In all cases, to assist the user, categories are listed in descending order of score in the Categorize dialog. That is, the most likely categories are listed first and the top scoring category is pre-selected.
158
Summary table: how category scores are handled
Category score 0-49, one category at this score:
  E-mails or files detected by an Outlook or Notes client agent, CPSA or CFSA: Manual categorization. The Categorize dialog is shown and the user must manually choose the only available category.
  E-mails or files detected by an Exchange or Domino server agent, FSA, NBA, or Import Policy job: No categorization. The category is not stored.
Category score 0-49, two or more categories:
  Client agent (Outlook or Notes, CPSA or CFSA): Manual categorization. The Categorize dialog is shown and the user manually chooses the category. Note that these low-scoring categories are not shown in the dialog if any other category scores 50 or higher.
  Server agent, FSA, NBA or Import Policy job: No categorization. The category is not stored.
Category score 50-99, one category:
  Client agent (Outlook or Notes, CPSA or CFSA): Automated categorization. The Categorize dialog is not shown and the category is stored automatically.
  Server agent, FSA, NBA or Import Policy job: Automated categorization. The highest scoring category or categories are stored automatically.
Category score 50-99, two or more categories:
  Client agent (Outlook or Notes, CPSA or CFSA): Assisted categorization. If multiple categories are assigned, the dialog is shown and the user manually chooses the category. Note that any category scoring less than 50 is omitted from the Categorize dialog.
  Server agent, FSA, NBA or Import Policy job: Automated categorization. The highest scoring category or categories are stored automatically.
Category score 100 or higher, one category:
  Client agent (Outlook or Notes, CPSA or CFSA): Automated categorization. The Categorize dialog is not shown and the category is stored automatically.
  Server agent, FSA, NBA or Import Policy job: Automated categorization. The highest scoring category or categories are stored automatically.
Category score 100 or higher, two or more categories:
  Client agent (Outlook or Notes, CPSA or CFSA): Automated categorization. The Categorize dialog is not shown. The highest scoring categories are stored automatically.
  Server agent, FSA, NBA or Import Policy job: Automated categorization. The highest scoring category or categories are stored automatically.
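The decision rules in the summary table above, written out as an added Python example (illustrative code, not Orchestria APM's own implementation). It sorts a trigger's categories by score, applies the 0-49 / 50-99 / 100-or-higher bands separately for client-agent and server-side captures, and also returns the up-to-three near-miss categories scoring 50 or above that the %closestcategories% variable later on this page refers to. The category names and scores are constructed sample data modelled on the examples above; treating every category tied at the top score as stored is an assumption of this example.

```python
"""Category-score handling, an added worked model of the summary table
(illustrative code, not Orchestria APM's own).  The capture method and the
category scores decide whether categorization is manual, assisted, automated
or skipped, and which categories are listed in the Categorize dialog or stored
with the event.  Category names and scores below are constructed sample data."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CLIENT = "client"  # Outlook/Notes client agent, CPSA or CFSA: Categorize dialog available
SERVER = "server"  # Exchange/Domino server agent, FSA, NBA or Import Policy job: no dialog


@dataclass
class Outcome:
    method: str                                          # "manual", "assisted", "automated" or "none"
    listed: List[str] = field(default_factory=list)      # categories offered in the dialog, best first
    preselected: Optional[str] = None                    # category pre-selected in the dialog
    stored: List[str] = field(default_factory=list)      # categories stored automatically
    near_misses: List[str] = field(default_factory=list)  # up to three non-winners scoring >= 50


def categorize(categories: List[Tuple[str, int]], capture: str) -> Outcome:
    """categories: (name, score) pairs from one trigger's Message To Users setting."""
    # The Categorize dialog lists categories in descending order of score;
    # sorted() is stable, so equal scores keep the order given in the policy.
    ranked = sorted(categories, key=lambda c: c[1], reverse=True)
    if not ranked:
        return Outcome("none")
    top_score = ranked[0][1]
    top = [n for n, s in ranked if s == top_score]   # assumption: ties at the top are all stored
    certain = [n for n, s in ranked if s >= 100]
    likely = [n for n, s in ranked if 50 <= s <= 99]

    if top_score < 50:
        # Nothing scores confidently: a client agent lists every category so the
        # user can choose; any other capture method discards them all.
        if capture == CLIENT:
            return Outcome("manual", listed=[n for n, _ in ranked], preselected=top[0])
        return Outcome("none")

    if certain:
        # Every category at 100 or above is stored, on any capture method, without a dialog.
        return Outcome("automated", stored=certain, near_misses=likely[:3])

    # Highest score is 50-99.
    if capture == CLIENT and len(likely) > 1:
        # Assisted categorization: only the 50-99 categories are offered, top one pre-selected.
        return Outcome("assisted", listed=likely, preselected=top[0])

    # One likely category on a client agent, or any server-side capture: the highest
    # scoring category is stored automatically and the dialog is not shown.
    return Outcome("automated", stored=top, near_misses=[n for n in likely if n not in top][:3])


# Constructed sample data matching the scores shown in the examples above.
ASSISTED_EXAMPLE = [("ISDA Confirmation", 90), ("OTC Contract", 80), ("Internal Memo", 40),
                    ("Expenses Claim", 20), ("Personal", 20), ("Humorous", 20),
                    ("None of the Above", 0)]
MANUAL_EXAMPLE = [("Internal Memo", 40), ("Expenses Claim", 20), ("Personal", 20),
                  ("Humorous", 20), ("None of the Above", 0)]

if __name__ == "__main__":
    for label, cats in (("assisted", ASSISTED_EXAMPLE), ("manual", MANUAL_EXAMPLE)):
        for capture in (CLIENT, SERVER):
            print(f"{label} sample via {capture}: {categorize(cats, capture)}")
```

Running the sample shows the two halves of the table side by side: the same seven categories give assisted categorization through a client agent but a silent automated choice of ISDA Confirmation (with OTC Contract as the only near miss) when captured server-side, and the all-low-scoring set is listed in full for a client agent but dropped entirely elsewhere.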
159
Guidelines for categorization triggers and control actions: see below.
Using a None of the Above category: see opposite.
Guidelines for control action numbers: see page 160.
What happens if both a single-select and a multi-select control action are triggered: see page 161.
If you want to automate categorization, you can set up separate triggers for specific categories. If you then define very stringent trigger criteria, this will allow you to set a high category score (100 or higher). For example, you may have a customer complaint e-mail trigger. If any e-mail does cause this trigger to fire, you can be confident that it really is a customer complaint, and the high category score ensures that this complaint category is stored automatically with the e-mail.
If you want to allow manual categorization, you may prefer to define a single trigger that specifies multiple possible categories, each with a low category score (below 50). In this case, the trigger criteria will be much less stringent in order to detect a wider range of e-mails. The low category scores ensure that all categories are listed in the Categorize dialog (if the e-mail is detected by a client agent), permitting the sender to choose the most appropriate category. But see the following None of the Above section for our recommendation in this situation.
Note also that you can explicitly set up e-mail triggers for Outlook or Notes client agents (which permit manual categorization) and for Exchange or Domino server agents (which do not). To do this, you configure the Which E-mail Sources? trigger setting; this setting is included in all e-mail triggers. Similarly, you can explicitly set up Data In Motion triggers for CPSA and CFSA client agents (which permit manual categorization) and for the NBA (which does not). To do this, you configure the Which File Sources? trigger setting; this setting is included in all Data In Motion triggers.
Trigger guidelines for files captured by the FSA, NBA or an Import Policy job
File events captured by the FSA or NBA, or imported in an Import Policy job, can only be categorized automatically. Orchestria APM does not support manual categorization of these files. Consequently, when specifying file categories in your Data At Rest or (for NBA file events) Data In Motion control triggers, do not assign category scores lower than 50. Such low scoring categories are always discarded!
160
Always set the category score to zero. This ensures that the None of the Above category is always at the bottom of the category list in the Categorize dialog, below the other categories! You do not need to add a smart tag. This is because, with no definite category, there is no point storing the category information on the CMS so there is no need for a category smart tag.
Full syntax details for the Message to Users setting are listed on page 165.
If you use both multi-select and single-select categorize actions, the multi-select categorize action must have a lower number than the single-select action. See the next section for details. You must also ensure that your categorize action has a lower control action number than your quarantine action. This ensures that quarantined e-mails are categorized before they are quarantined (e-mails are immune from further control actions once they enter quarantine). It is for this reason that we recommend that you configure the highest control action as your quarantine control action (see page 232).
161
Multi-select Categorize dialog: This example assumes two control actions: Control Action 1 specifies multi-select categorization; Control Action 2 specifies single-select categorization. In the dialog above, the explanatory message and multi-select list both derive from Control Action 1, but the list of categories jointly derives from both Control Action 1 and Control Action 2.
Multi-select category list (also from Control Action 1).
162
Now you can set up your categorization trigger(s). These can be any e-mail or file control triggers. Set up the triggers to detect the e-mails or files you want to categorize. How you set up the triggers depends on various factors. For example, if you are using Outlook or Notes client agents to detect e-mails and you want to permit users to manually categorize their e-mails, you can set up a single trigger that specifies multiple possible categories, each with a low category score. For trigger guidelines, see page 159.
Next, you must configure the Smart Tags trigger setting to save the final e-mail or file category or categories (whether selected automatically by Orchestria APM or chosen by the user) as smart tags. You must add a smart tag to store the category, otherwise the category details will not be saved on the CMS.
Smart Tags Properties dialog: In this example, the smart tag name and value include categorization variables and a text prefix.
163
Next, you must specify the associated category or categories. To do this, you edit the Message To Users trigger setting. For full syntax details, see page 165. Briefly, the message must include the following elements:
<message text> specifies the explanatory message shown in the Categorize dialog or (for files detected by the FSA) replacement stub files.
<category> specifies a category name that is listed in the Categorize dialog.
<score> is the category score.
<smart tag> specifies a category label that gets converted to a category smart tag.
As with smart tags in step 3, if you have multiple triggers that specify the same category, you must specify the category name and label identically in each trigger. This prevents variations in spelling or capitalization being stored as separate category smart tags for the same event.
User Policy Editor, Message To Users Properties dialog: This message must conform to the required syntax to ensure that categories and the Categorize dialog are configured correctly.
Finally, each categorization trigger must point to the same control action. Set the Control Action trigger setting to point to the categorize control action you specified in step 1 on page 162.
164
Now you can amend your existing triggers to support categorization. For each applicable trigger:
2.1 Edit the Message To Users setting so that its existing message is retained (for example, a warning that the current e-mail may be non-compliant, or a notification that the original file has been replaced) but appended with a relevant category. For syntax details, see page 166. For example:
User Policy Editor, Message To Users Properties dialog: In this example, a category definition has been appended to the original warning message.
Finally, you must add a single new control trigger that explicitly invokes the categorize control action. Without this new trigger, categorization will not work.
3.2 Edit the Smart Tags setting to include a categorization variable (see step 3 on page 162).
3.3 Skip this step if adding a Data At Rest trigger. If adding an e-mail or Data In Motion trigger, edit the Message To Users setting to include an explanatory message. You do not need to specify any categories; these are now specified in your existing triggers (step 2.1). In terms of syntax, you need only add the <message text> but without double quotes and without a trailing = symbol. For syntax details, see page 165.
User Policy Editor, Message To Users Properties dialog: For this trigger, the explanatory message to users is not appended with any category definitions.
165
Where:
<message text> specifies the explanatory message shown in the Categorize dialog (for e-mail and Data In Motion triggers) or replacement stub files (for Data At Rest triggers). You must enclose the message in double quotes. If amending an existing trigger, see page 166. For e-mail and Data In Motion control triggers, note the following:
• We recommend you include a None of the Above fallback category with a score of zero if all your e-mail or Data In Motion categories score less than 50. For details, see page 160.
<smart tag> specifies a category label that gets converted to a category smart tag. You must set <smart tag> to a text string (for example, Customer Acknowledgment). This text string is written to a category variable, which in turn is included in the smart tag definition. The resulting smart tag is saved with the event metadata in the CMS database. Category variables and smart tags are discussed on page 167. Note also:
• You do not need a <smart tag> category label if defining a None of the Above category. This is because, with no definite category, there is no point storing the category information on the CMS so there is no need for a category smart tag.
166
Multi-select example: This example Message to Users setting defines the same five categories as above to display in a multi-select Categorize dialog. This time, the explanatory message states explicitly that the user can choose multiple categories.
"Please select one or more categories for your e-mail from the list below. Categories are listed in descending order of likelihood, and the most likely category is highlighted."= { "Internal Memo"={"40","Memo"}, "Expenses Claim"={"20","Expenses"}, ""\"Humorous\""={"20","Funny"}, "Personal"={"20","Personal_mail"}, "None of the Above"={"0"} }
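A parser for the Message To Users syntax shown in the example above, added here as a worked example (this is illustrative code, not Orchestria APM's own). It handles the full form `"<message text>"= { "<category>"={"<score>","<smart tag>"}, ... }`, a category defined without a <smart tag> label (the None of the Above case), and the amended-trigger form of bare message text without double quotes or a trailing `=`. The sample setting is constructed from the multi-select example above; that the quoted Humorous category uses backslash escapes inside the double quotes is an assumption of this example.

```python
"""Parser for the Message To Users categorization syntax (added example, not
Orchestria APM's own code).  Handles the quoted-message-plus-category-block form,
categories with no smart tag label, and bare explanatory text for amended triggers.
Backslash escapes inside quoted strings are an assumption; the sample is constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Category:
    name: str
    score: int
    smart_tag: Optional[str]  # None when no category label is defined


@dataclass
class MessageToUsers:
    message: str
    categories: List[Category]


# One token per match: a double-quoted string (with \" and \\ escapes) or a delimiter.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([={},]))')


def tokenize(text: str):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break  # only trailing white space left
            raise ValueError(f"unexpected text at offset {pos}: {text[pos:pos + 20]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group(1))))  # drop escapes
        else:
            tokens.append(("sym", m.group(2)))
    return tokens


def parse_message_to_users(setting: str) -> MessageToUsers:
    stripped = setting.strip()
    if not stripped.startswith('"'):
        # Amended-trigger form: explanatory text only, no quotes and no trailing '='.
        return MessageToUsers(stripped, [])
    toks = tokenize(stripped)
    i = 0

    def take(kind, value=None):
        nonlocal i
        if i >= len(toks) or toks[i][0] != kind or (value is not None and toks[i][1] != value):
            raise ValueError(f"expected {value or kind} at token {i}")
        i += 1
        return toks[i - 1][1]

    def peek_is(value):
        return i < len(toks) and toks[i] == ("sym", value)

    message = take("str")
    if i == len(toks):
        return MessageToUsers(message, [])  # quoted message, no category block
    take("sym", "=")
    take("sym", "{")
    categories = []
    while True:
        name = take("str")
        take("sym", "=")
        take("sym", "{")
        score = int(take("str"))
        tag = None
        if peek_is(","):          # optional "<smart tag>" after the score
            take("sym", ",")
            tag = take("str")
        take("sym", "}")
        categories.append(Category(name, score, tag))
        if peek_is(","):
            take("sym", ",")
            continue
        take("sym", "}")
        break
    if i != len(toks):
        raise ValueError("unexpected tokens after the closing brace")
    return MessageToUsers(message, categories)


# Constructed sample: the manual's multi-select setting as a Python string literal.
SAMPLE_SETTING = (
    '"Please select one or more categories for your e-mail from the list below. '
    'Categories are listed in descending order of likelihood, and the most likely '
    'category is highlighted."= { "Internal Memo"={"40","Memo"}, '
    '"Expenses Claim"={"20","Expenses"}, "\\"Humorous\\""={"20","Funny"}, '
    '"Personal"={"20","Personal_mail"}, "None of the Above"={"0"} }'
)

if __name__ == "__main__":
    for c in parse_message_to_users(SAMPLE_SETTING).categories:
        print(f"{c.name!r}: score {c.score}, smart tag {c.smart_tag!r}")
```

Because the parser rejects a setting with a missing brace or stray text instead of guessing, it is also a convenient way to check a policy's Message To Users strings before deployment, and the parsed category names can be compared across triggers to catch the spelling or capitalization variations that the text above warns would be stored as separate smart tags.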
167
Category variables
When setting up your categorization triggers, you can specify these variables as smart tag names or values. For guidelines on whether to add these variables to the smart tag name or value, see page 169. Each variable is replaced as follows:
%category%: When the smart tags are generated, this variable is replaced by the selected category. If an e-mail or file was assigned to multiple categories, a separate smart tag is generated for each category.
%categoryscore%: As for %category%, but the category score is appended to the category. The resulting smart tag takes this format: Complaint (50). If an e-mail or file was assigned to multiple categories, a separate smart tag is generated for each category.
%closestcategories%: The three near miss categories in a comma separated list. These are the three highest scoring categories that did not 'win' and which each scored 50 or above. When the smart tags are generated, this variable is replaced by a comma separated list of up to three near miss categories. These can be useful additional indicators about an e-mail's or file's content.
%scoredclosestcategories%: As for %closestcategories%, but the category score is appended to each near miss category. The resulting smart tag takes this format: Expenses (70), Hotels (60), Travel (60)
If a smart tag value configured with an insertion variable (for example, %closestcategories%) is empty after that variable has been substituted (because there were no closest categories available), then the smart tag is not stored on the CMS.
168
Smart tag names and values:
1 iConsole Search Results screen. Smart tags are listed in the Summary pane for each event.
2 User Policy Editor, Smart Tags Add Item dialog. This is where you add smart tags to a policy trigger.
3a Smart tag name.
3b Smart tag value.
169
The examples below show the effect of different approaches. For optimum clarity and searchability, we recommend you use example 1. (iConsole Search Results screen.)
Example 1: We recommend this configuration. Smart tags are readily identifiable in the iConsole. You can also search by category because individual categories are stored as smart tag names.
Example 2: Although individual smart tags are readily identifiable in the iConsole, you cannot search for specific smart tags because this information is stored as smart tag values.
Example 3: Smart Tag Name: Category; Smart Tag Value: %category%. Smart Tag Name: Category Score; Smart Tag Value: %categoryscore%. Do not use this configuration. It splits an event's category and category score into two separate smart tags, making it impossible to identify an individual category's score in the iConsole.
170
Smart tags
Smart tags are an innovative feature that enables Orchestria APM to accurately categorize events at the time of capture. The Smart Tags setting in each policy trigger defines the tag associated with that trigger. For example, you can assign to any trigger a tag such as Privileged Content or Employment Solicitation. When the trigger activates, this tag is saved with the event metadata in the CMS database. Each smart tag has a name. As an optional level of sub-categorization, each tag can have multiple values (see page 172). When defining smart tag values, you can also use variables to represent certain types of information (see page 172).
User Policy Editor, Smart tag dialogs:
1 Smart Tags Properties dialog.
2 Tag name. This example is named Privileged content and will be used to identify e-mails subject to client-attorney privilege.
3 Tag value. This example value is set to %To%, a variable that returns the e-mail address of the recipient.
4 Add button.
5 Add Item dialog. You define the smart tag name and value here.
171
Smart tags are stored in the file event's metadata on the CMS database. They can also be stored as a file system property, document property, or MAPI property, depending on the type of data being scanned. That is, if the FSA is scanning:
• Microsoft Office documents, then each smart tag is added as a document property, and can be viewed within the file itself.
• Microsoft Exchange Public Folders (for example an e-mail), then each smart tag is stored as a MAPI property of the e-mail itself. Note: The FSA can read these MAPI properties in subsequent scanning jobs using the captureProperties attribute; see Deployment
Recipient-based trigger: The first trigger activates when it detects an e-mail sent to a specific attorney. For example, in the Recipient 1 trigger, you can set the Included Addresses list setting to include the various e-mail addresses of the relevant attorneys.
Classification-based trigger: The second trigger activates when it detects an e-mail that appears to be subject to client-attorney privilege. For example, in the Document Classifier 1 trigger, you can set the Which Document Classification? setting to a predefined Privileged content document classification.
In this way, the recipient-based trigger should detect e-mails that are subject to client-attorney privilege but which do not match the specified Privileged content classification, while the classification-based trigger should detect e-mails that are also subject to client-attorney privilege but which are not addressed to one of the listed attorneys.
172
Notes:
This displays the e-mail address, or addresses, that caused the trigger to activate. For outgoing e-mails, this is the recipient address(es); for incoming e-mails, it is the sender address.
This displays the original sender of an e-mail.
This displays the words or phrase detected by Orchestria APM and which activated the trigger.
This displays any recipients listed in the To: field of an e-mail.
Trigger: Document Classifier 1. Smart tag name: Privileged content. Smart tag value: %To%.
173
1 Setting the Smart Tag value: Shows where to set the smart tag name and value in user policy.
2 Invalid Smart Tag value: Shows that the value of the smart tag (in this case %URL%) could not be resolved because it is not a valid value for that trigger. In other words, the %URL% variable cannot return a value for an e-mail trigger.
Resolves to:
The recipient of the e-mail. In this example, Spencer Rimmel.
The subject of the e-mail. In this example, Corporate Restructuring.
? Variable cannot be resolved, as it is not valid for e-mail triggers.
174
3.1 In the Smart Tags Properties dialog, click Add.
3.2 Set the smart tag name to the name you agreed in step 1. The name can be any text string, but see the requirements on page 175!
175
X-header requirements
Be aware that any x-headers generated from your smart tags must adhere to the requirements below. Note also the limitations imposed by Exchange 2003 (see the next section).
X-header names must start with X: Your x-header names must start with X or x. Orchestria APM specifically checks for smart tag names that begin with 'x-' when generating x-headers.
• X-header names cannot be longer than 125 characters. Therefore, your smart tag name is similarly restricted. That is, the name you supply when editing the Smart Tags setting (step 3.2 on page 174) cannot be longer than 125 characters.
• X-header values must not exceed 2,000 characters. (Values are appended to the x-header name as described in step 3.3 on page 174.) Although an x-header value is unlikely to be constrained by this limit, it may become relevant in future Orchestria APM releases. For example, if future releases permit users to generate x-header values from tokens or variables (such as a distribution list variable), this could potentially result in very long text strings.
Note: These x-header name and value limits are imposed by the technologies underlying the e-mail systems (such as Outlook or Exchange). They are not inherent restrictions in the specification of Internet Mail.
X-header names must be strong: This is crucial. When agreeing the x-header name with a third party, you must choose a strong name that will not conflict with other x-headers. Specifically, avoid names that are generic or too short. Notes and Domino users must also take care to choose x-header names that (when they have been stripped of the x prefix) do not conflict with object names used internally by Domino. An example of a strong x-header name is: X-Unipraxis-MessageEncryptionRequest
X-header limitation
Problems in Exchange 2003 cause the following x-header limitation for outgoing e-mails processed by an Orchestria APM Outlook client agent and subsequently sent via Exchange.
Do not include periods in x-header names: If your x-header name includes a period character (such as XCase.ID), Exchange 2003 will fail to insert the x-header into the e-mail. In detail, although the Outlook client agent successfully sets the appropriate e-mail property, Exchange 2003 will subsequently fail to convert this property to an x-header when this e-mail is sent as an Internet Mail. This limitation has been fixed in Exchange 2007. Note also that this limitation only applies to outgoing e-mails processed by the Outlook client agent; it does not apply to e-mails processed by Orchestria APM Exchange or Domino server agents or the Notes client agent.
Outlook and encrypted or digitally signed e-mails: The Orchestria APM Outlook client agent cannot add x-headers to e-mails that have been marked to be sent as encrypted or digitally signed. (This limitation does not affect the Exchange server agent, though any policy triggers configured to detect e-mail content may be unable to process encrypted e-mails anyway.)
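A pre-deployment check for smart-tag-derived x-headers, added here as a Python example (illustrative code, not Orchestria APM's own). It applies the rules listed above: the name must start with X-, names are limited to 125 and values to 2,000 characters, names should be strong rather than generic or short, and a name must not contain a period when the e-mail leaves through an Outlook client agent and Exchange 2003. Two things are my additions rather than the manual's: the RFC 5322 rule that a header field name is printable US-ASCII with no colon or white space, and the short list of weak names used to illustrate the "generic" warning. The sample headers are constructed.

```python
"""Checks for smart-tag-derived x-headers (added example, not Orchestria APM's
code).  Rules from the manual: 'X-' prefix, 125-character names, 2,000-character
values, strong names, no periods with Outlook client agent + Exchange 2003.
The RFC 5322 field-name check and WEAK_NAMES are this example's own additions."""

import re

NAME_LIMIT = 125     # x-header name limit quoted in the manual
VALUE_LIMIT = 2000   # x-header value limit quoted in the manual
# Constructed examples of generic names of the kind the manual advises against.
WEAK_NAMES = {"x-id", "x-tag", "x-case", "x-category", "x-header", "x-data"}


def check_xheader(name: str, value: str, outlook_via_exchange2003: bool = False) -> list:
    """Return a list of problems; an empty list means the header is acceptable.
    outlook_via_exchange2003: the e-mail is processed by the Outlook client agent
    and then sent through Exchange 2003 (the period limitation applies)."""
    problems = []
    if not name.lower().startswith("x-"):
        problems.append("name must start with 'X-' (only 'x-' smart tags become x-headers)")
    # RFC 5322 field names are printable US-ASCII excluding ':' (addition, not from the manual).
    if not re.fullmatch(r"[\x21-\x39\x3b-\x7e]+", name):
        problems.append("name must be printable ASCII with no spaces or colons")
    if len(name) > NAME_LIMIT:
        problems.append(f"name is {len(name)} characters, limit is {NAME_LIMIT}")
    if len(value) > VALUE_LIMIT:
        problems.append(f"value is {len(value)} characters, limit is {VALUE_LIMIT}")
    # Strong names: not generic, not too short; a vendor-qualified name such as
    # X-Unipraxis-... is the pattern the manual recommends.
    if name.lower() in WEAK_NAMES or len(name) < 8:
        problems.append("name is generic or too short; use a vendor-qualified name")
    if outlook_via_exchange2003 and "." in name:
        problems.append("name contains a period; Exchange 2003 will drop the x-header")
    return problems


if __name__ == "__main__":
    print(check_xheader("X-Unipraxis-MessageEncryptionRequest", "yes"))           # []
    print(check_xheader("X-Case.ID", "12345", outlook_via_exchange2003=True))     # period problem
```

The period check is deliberately conditional: the same name is fine for e-mails handled by the Exchange or Domino server agents or the Notes client agent, so the caller states which path the e-mail takes rather than the check rejecting periods everywhere.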
176
Document classifications
Document classifications are a pioneering feature that enables Orchestria APM to detect specific types of document, for example, sales proposals, contract agreements, or airline Web sites. This section describes how to configure the parameters (that is, the policy settings) used to define a classification. Orchestria APM can detect and analyze various file types. For details, see page 113.
Classification types
In the user policy, each document classification has a configuration setting. This broadly determines the type of document. At present, you can configure a classification to identify Travel or Generic documents.
Generic classifications
Generic classifications enable Orchestria APM to identify specific types of document defined by you, for example, airline reservation Web sites or customer complaints. These generic classifications are based on parameter settings. These parameters contain the rules that enable Orchestria APM to identify specific types of document, for example, sales proposals or customer complaints. The classification parameters are described on page 178. Orchestria APM uses these parameters to calculate a document score that quantifies the probability that, for example, an e-mail really is a customer complaint. Various adjustment functions are also available to modify the score to prevent false confirmations, especially for long documents such as e-mail attachments or uploaded files. An example generic document classification is shown on page 181. Note: For the purposes of classification, the Subject and Body are taken together as a single document. Each attachment is also considered a single document. All documents are classified separately.
Classification in e-mails
Document classification works slightly differently with e-mails than with other targeted items (Web pages, or uploaded files). In terms of classification, each part of an e-mail is treated as a separate document, that is, the subject and body text are treated as one document and any attachments are also treated separately. The Document Classifier and Transaction Detector triggers are then applied to each 'document'. The trigger will only fire if one whole document contains all the criteria in the trigger. If all parts of the e-mail meet the classification then the score is based on the document that scored the highest.
Travel classifications
These identify any travel-related documents, for example, Web sites for hotel or airline reservations, e-mail bookings and e-mail confirmations. Travel classifications do not use parameter settings.
177
classification, and you specify which items are checked against this classification. Versions of the Document Classifier trigger are available in the Capture, Control and Transaction folders. When Orchestria APM detects that a Web page, uploaded file, e-mail or attachment matches a document classification:
• Capture triggers cause the item to be captured.
• Control triggers generate a control event such as blocking or warning.
• Transaction triggers cause the Transaction dialog to appear, allowing the user to supply details about the detected transaction.
1.2 Expand the Classification folder you want.
1.3 Enter a name for the classification and set the Configuration setting to Generic or Travel.
178
Parameter 1: This defines a list of compulsory words or phrases. All must be present for Orchestria APM to confirm a document classification. If validated, this parameter raises the document score by +1. In effect, this parameter specifies a logical AND condition.
Parameter 2: This defines a list of required words or phrases, one of which must be present for Orchestria APM to confirm a document classification. If validated, this parameter raises the document score by +1. In effect, this parameter specifies a logical OR condition.
Parameter 3: This defines a list of preferred words or phrases. These are positive indicators. If any are present, this increases the probability that the document matches the specified classification. Orchestria APM raises the document score by +1 for each occurrence of a listed word or phrase.
Parameter 4: This defines a list of words or phrases that imply a possible non-match. These are negative indicators. If any are present, this lowers the probability that the document matches the specified classification. Orchestria APM reduces the document score by -1 for each occurrence of a listed word or phrase.
Parameter 5: This defines a list of words or phrases that indicate a definite non-match. If any are present, the document classification fails. If none are present, Orchestria APM raises the document score by +1. In effect, this parameter specifies a Boolean NOT condition.
Parameter 6: You can include functions to modify the document score handling. For example, MinScore(n) and MaxScore(n) specify respectively the minimum and maximum scores necessary to confirm document classification. For details of all available functions, see page 179.
Parameter 7: This defines a list of key words or phrases that you can use to search for events captured by a Document Classifier trigger. If a word is found in the document when the trigger activates, the word is saved as an attribute of the capture or control event. You can then run searches that focus exclusively on documents containing this word or phrase. For example, if you define a document classification for sales proposals, you can add a list of products to parameter 7. If Orchestria APM detects one of these product names (say, Product X) in a captured sales proposal, the term 'Product X' is saved as an attribute of this event. This enables you to generate a report focusing on all sales proposals for Product X. Note: For details about the extensive search text variables available when defining parameter 7, see page 112.
Parameter 8: This defines a list of 'definite match' words or phrases. If any are present, this confirms the document classification. This parameter is useful if you need to detect specific types of Web site, typically those with limited text content. For example, a Web-based e-mail site may contain very little text except for the term 'webmail'. Note: In technical terms, this parameter overrides the Boolean conditions of Parameters 1, 2 and 5 and adds 100 onto the document score.
Parameters 9 and 10: These are not currently used in generic classifications.
179
Parameter 6 functions
You can add the following functions to parameter 6 to modify document handling.
NotSmallerThan(x): This function defines a minimum document length. Orchestria APM does not attempt to classify documents with fewer than x characters (excluding white spaces and characters such as carriage returns). This is useful if you know the typical size of your target documents. For example, to ignore documents smaller than 500 characters, enter: NotSmallerThan(500). You can use this function in conjunction with its NotLargerThan(y) counterpart (see below) to define the permitted size range for target documents.
NotLargerThan(y): This function defines a maximum document length. Orchestria APM does not attempt to classify documents with more than y characters (excluding white spaces and characters such as carriage returns). This is useful if you know the typical size of your target documents. For example, to ignore documents larger than 2000 characters, enter: NotLargerThan(2000). You can use this function in conjunction with its NotSmallerThan(x) counterpart (see above) to define the permitted size range for target documents.
Extract(1,2,3,4,8): This function causes key text found using the classification parameters 1, 2, 3, 4 and 8 to be extracted and saved as an attribute of the capture or control event. You can extract the text found using any or all of these classification parameters. For example, if you are only interested in the text found using parameters 1, 2 and 8, enter: Extract(1,2,8)
MinScore(n) / MaxScore(n): These define the minimum and maximum document scores needed for Orchestria APM to confirm a document classification. They can be used individually: Enter MinScore(n) where n is the value. For example, type MinScore(10) to set a minimum score of 10. Enter MaxScore(n) where n is the value. For example, type MaxScore(10) to set a maximum score of 10. Or, used together, MinScore(n) and MaxScore(n) can specify a set of ranges for document classification scores, or severity bands. For example:
Classifier   Parameter 3   Parameter 6                   Severity
1            %CCN%         MaxScore(10)                  Low
2            %CCN%         MinScore(11), MaxScore(100)   Medium
3            %CCN%         MinScore(101)                 High
Where: Classifier 1 specifies that detecting less than 10 credit card numbers qualifies as low severity. Classifier 2 specifies that detecting 11-100 credit card numbers qualifies as medium severity. Classifier 3 specifies that detecting more than 100 credit card numbers qualifies as high severity.
Normalize(m): This function adjusts the document score downwards in order to prevent false confirmations. It is an alternative method to ReduceBySize(n). Enter Normalize(m) where m determines the multiplier used to lower the document score; typically, m matches the average size (in characters) of the documents you want to classify, for example, 10,000. The formula for this function is:
New document score = Old document score × m / Characters
180
Where Characters is the number of characters in the document. For example, if the original document score is 45, and the document size is 25,000 characters, then setting m to 8,500 would lower the document score to around 15:
15.3 = 45 × 8,500 / 25,000
ReduceBySize(r): This function also adjusts the document score downwards in order to prevent false confirmations, especially for long documents such as e-mail attachments or uploaded files. Enter ReduceBySize(r) where r determines the value subtracted from the document score; r is typically a very small value, say, 0.3. The formula for this function is:
New document score = Old document score
Wildcard characters * and ? are supported: For example, 'unipr*' would match any occurrence of 'Unipraxis'.
Use the | symbol to represent a logical OR: For example, the expression motel|hotel matches 'motel' or 'hotel'.
Use { } brackets to define sub-expressions: For example, the expression {room|hotel} reservation matches 'room reservation' or 'hotel reservation'.
Use %MONEY% to match any monetary value: For example, this matches $25, $25.99 or even 25.99. It detects the $, £ and € currency symbols, and these currency codes: USD, GBP and EUR.
Search for special characters To search explicitly for the characters { } | * or ?, prefix them with a backslash. For example, add \? to match any occurrence of '?'.
( Characters
* (r / 100)
Where Characters is the number of characters in the document. For example, if the original document score is 45, and the document size is 10,000 characters (a typical score for a four or five page document), then setting r to 0.3 lowers the document score to 15:
15 = 45
( 10,000
* (0.3 / 100)
181
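The parameter 6 functions above are simple enough to reproduce exactly, which is the best way to check how a chosen m or r will behave on your own document sizes before committing it to a policy. The following is an added example, not Orchestria's own code: it reimplements the NotSmallerThan(x)/NotLargerThan(y) size gates, the Normalize(m) and ReduceBySize(r) formulas, and the MinScore(n)/MaxScore(n) severity bands from the %CCN% table. The whitespace rule used to count characters and the sample inputs are this example's own assumptions.

```python
"""Score adjustments for document classification parameter 6.

Added example (not Orchestria's own code) reimplementing the size gates,
the Normalize(m) and ReduceBySize(r) formulas and the MinScore/MaxScore
severity bands described in the manual. The whitespace rule used to count
characters and the sample inputs are assumptions.
"""


def countable_chars(text: str) -> int:
    # Assumption: "excluding white spaces and characters such as carriage
    # returns" is implemented as dropping everything str.split() treats as
    # whitespace (spaces, tabs, CR, LF, ...).
    return len("".join(text.split()))


def within_size_limits(text: str, not_smaller_than=None, not_larger_than=None) -> bool:
    """NotSmallerThan(x) / NotLargerThan(y): classify only documents inside the size range."""
    n = countable_chars(text)
    if not_smaller_than is not None and n < not_smaller_than:
        return False
    if not_larger_than is not None and n > not_larger_than:
        return False
    return True


def normalize(old_score: float, characters: int, m: float) -> float:
    """Normalize(m): New document score = Old document score x (m / Characters)."""
    if characters <= 0:
        raise ValueError("Characters must be positive")
    return old_score * (m / characters)


def reduce_by_size(old_score: float, characters: int, r: float) -> float:
    """ReduceBySize(r): New document score = Old document score - Characters x (r / 100)."""
    return old_score - characters * (r / 100)


# Severity bands from the %CCN% example. None means the MinScore or MaxScore
# function was omitted, i.e. that side of the band is unbounded.
SEVERITY_BANDS = [
    (None, 10, "Low"),     # Classifier 1: MaxScore(10)
    (11, 100, "Medium"),   # Classifier 2: MinScore(11), MaxScore(100)
    (101, None, "High"),   # Classifier 3: MinScore(101)
]


def confirmed_severity(score: float, bands=SEVERITY_BANDS):
    """Return the severity of the first band whose MinScore..MaxScore range
    contains the score, or None if no classifier confirms. Integer counts
    always land in a band; a fractional score such as 10.5 (possible after
    Normalize) falls between bands and confirms nothing."""
    for min_score, max_score, label in bands:
        if (min_score is None or score >= min_score) and (max_score is None or score <= max_score):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample values taken from the manual's two worked examples.
    print(round(normalize(45, 25_000, 8_500), 1))
    print(round(reduce_by_size(45, 10_000, 0.3), 1))
    for ccn_count in (5, 10, 11, 100, 101):
        print(ccn_count, confirmed_severity(ccn_count))
```

Running the block reproduces the manual's two worked examples (45 becomes about 15.3 under Normalize(8500) on a 25,000-character document, and 15 under ReduceBySize(0.3) on a 10,000-character one), and shows the band edges: 10 is Low, 11 is Medium, 101 is High.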
Parameter 1 This defines Unipraxis as a compulsory word. This word must be present to confirm a Customer complaint classification.
Parameter 2 This specifies words such as criticism or a specific product such as the UXLogiCard. At least one term must be present to confirm a complaint.
Parameter 3 This specifies words such as unsuccessfully and return. If present, such words raise the probability that the e-mail is a complaint.
Parameter 4 These words imply a non-match. If the e-mail contains words such as staffing or web site, this lowers the probability that the e-mail is a complaint about products such as the UXLogiCard.
Parameter 5 These words indicate a definite non-match. If the e-mail contains words such as catalog request, the classification is rejected.
Parameter 6 This parameter contains a score adjustment example. In this example, it specifies that a minimum score of 5 is needed to confirm a Customer complaint classification.
Parameter 7 Words listed here can be used as a filter for running a search. That is, you can run a search on any e-mail containing words such as UXLogiCard or UXProPack.
Parameter 8 This specifies words that indicate a definite match. Here, if the word complaint is detected, the document classification is confirmed.

Figure: Example document classification. 1 User Policy Editor. 2 Policy path for the document classification. This shows the location of the Document Classification folder. 3 Parameter settings for the document classification.
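The expression syntax on the previous page and the eight-parameter Customer complaint example fit together: each parameter is a list of expressions, and the parameters are combined in a fixed order (compulsory words, definite non-match, definite match, then scoring against MinScore). The following is an added example, not Orchestria's own code. It translates the documented syntax (* and ? wildcards, | for OR, { } sub-expressions, %MONEY%, backslash-escaped special characters) into Python regular expressions and then evaluates the Customer complaint example with it. The exact %MONEY% pattern, the terms beyond the words the manual names, the scoring weights (+1 per parameter 2 or 3 hit, -1 per parameter 4 hit) and the sample e-mails are assumptions; the manual does not state how the product weights hits.

```python
"""Expression syntax and the 'Customer complaint' example classification.

Added example, not Orchestria's own code. Money pattern, extra terms,
scoring weights and sample e-mails are this example's assumptions.
"""
import re

# Assumed %MONEY% pattern: a currency symbol ($, pound, euro) or code
# (USD, GBP, EUR) followed by an amount, or a bare decimal amount such as 25.99.
MONEY = r"(?:(?:[$\u00a3\u20ac]|USD|GBP|EUR)\s?\d+(?:\.\d{2})?|\d+\.\d{2})"


def tokenize(expr: str):
    """Split an expression into (regex fragment, is_word_like) pairs.
    is_word_like is None for { and }, which only group."""
    tokens, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c == "\\" and i + 1 < len(expr):          # \{ \} \| \* \? search literally
            tokens.append((re.escape(expr[i + 1]), False))
            i += 2
            continue
        if expr.startswith("%MONEY%", i):
            tokens.append((MONEY, False))
            i += len("%MONEY%")
            continue
        if c == "*":
            tokens.append((r"\w*", True))             # any run of word characters
        elif c == "?":
            tokens.append((r"\w", True))              # exactly one word character
        elif c == "|":
            tokens.append(("|", False))               # logical OR
        elif c == "{":
            tokens.append(("(?:", None))              # start of sub-expression
        elif c == "}":
            tokens.append((")", None))                # end of sub-expression
        else:
            tokens.append((re.escape(c), re.fullmatch(r"\w", c) is not None))
        i += 1
    return tokens


def compile_term(expr: str) -> re.Pattern:
    """Compile one expression, ignoring case. Word-like ends are anchored so
    'unipr*' matches 'Unipraxis' but 'hotel' does not match 'hotels'."""
    tokens = tokenize(expr)
    ends = [w for _, w in tokens if w is not None]
    head = r"(?<!\w)" if ends and ends[0] else ""
    tail = r"(?!\w)" if ends and ends[-1] else ""
    body = "".join(frag for frag, _ in tokens)
    return re.compile(head + "(?:" + body + ")" + tail, re.IGNORECASE)


# Parameters 1-6 and 8 of the 'Customer complaint' example. Parameter 7 is a
# search filter only and plays no part in classification. Terms other than
# the ones the manual names are constructed for this example.
CUSTOMER_COMPLAINT = {
    1: ["Unipraxis"],                                  # compulsory: every term must be present
    2: ["criticism", "critici?e", "faulty", "defective", "UXLogiCard", "UXProPack"],  # at least one
    3: ["unsuccessfully", "return*", "refund"],        # raise the score
    4: ["staffing", "web site", "vacanc*"],            # lower the score
    5: ["catalog request", "catalogue request"],       # definite non-match
    6: {"MinScore": 5},                                # score adjustment
    8: ["complaint"],                                  # definite match
}


def hits(text: str, terms):
    """The distinct terms from `terms` that occur in `text`."""
    return [t for t in terms if compile_term(t).search(text)]


def classify(text: str, params=CUSTOMER_COMPLAINT):
    """Return (decision, score, reason); decision is 'confirmed', 'unconfirmed' or 'rejected'."""
    score = (len(hits(text, params[2]))
             + len(hits(text, params[3]))
             - len(hits(text, params[4])))
    if len(hits(text, params[1])) < len(params[1]):
        return ("rejected", score, "compulsory term missing")
    if hits(text, params[5]):
        return ("rejected", score, "definite non-match term present")
    if hits(text, params[8]):
        return ("confirmed", score, "definite match term present")
    if not hits(text, params[2]):
        return ("rejected", score, "no parameter 2 term present")
    if score >= params[6]["MinScore"]:
        return ("confirmed", score, "score meets MinScore")
    return ("unconfirmed", score, "score below MinScore")


# Constructed sample e-mails.
SAMPLES = {
    "complaint": "I bought a UXLogiCard from Unipraxis. It is defective and I tried "
                 "unsuccessfully to return it for a refund.",
    "hr_update": "Unipraxis staffing update: the web site vacancies page now lists "
                 "the UXProPack team.",
    "explicit": "Please treat this as a formal complaint: my Unipraxis order never arrived.",
    "catalog": "Unipraxis catalog request for the UXLogiCard.",
    "no_vendor": "Criticize the UXLogiCard all you like.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

The anchoring in compile_term is the detail worth copying: without it, a term such as return would fire on "returned" and "unreturned" alike, which is a common source of false confirmations in keyword classifiers. The sample set covers each path the manual describes: a complaint that reaches MinScore on parameter 2 and 3 hits, an HR e-mail pulled below it by parameter 4, a definite match via parameter 8, a definite non-match via parameter 5, and a rejection because the compulsory parameter 1 word is absent.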
8. Transactions

This chapter shows how Orchestria APM captures online transactions. It also describes how to set spending limits for individual transactions. A transaction can be any purchase from a Web site, plus any associated e-mails such as order confirmations or receipts. You can then use the captured data for analysis, or to keep track of corporate purchasing, or simply to store as provision against future disputes. Orchestria APM supports both manual and automatic transaction captures. The ability to manually capture Web transactions is determined by settings in the user policy. Automatic captures are triggered by Web page or e-mail characteristics; you define these triggers in the user policy. For automatic transaction captures, you define the conditions that trigger a capture (based on content analysis of a Web page or e-mail), how captured items are matched to existing transactions, and how Orchestria APM extracts specific transaction details such as the currency or monetary value. A sophisticated transaction validation process ensures that these details are accurate; you can control the stringency of this validation process by adjusting settings in the user policy. You can also set spending limits for individual transactions and allow users to cancel transactions.
Transactions folder To capture payment details automatically, you configure Transaction Detector triggers in the Transactions folder. These details can include the total amount, taxes, the supplier reference number, and so on. Alternatively, you can configure other transaction triggers to display a Confirm Transaction dialog; this dialog prompts users to supply the relevant details. Transaction triggers do not capture the associated Web page or e-mail.
Capture folder If you want to capture the underlying Web pages or e-mails, for example to resolve possible supplier disputes, you must set up triggers in the Capture folder. Capture triggers do not capture any payment details associated with a transaction.
This chapter focuses on Transaction triggers, with particular emphasis on Transaction Detector triggers. Capture triggers are discussed in chapter 9, Capturing data.
Manual captures
The ability to manually capture Web transactions is determined by settings in the Extensions > Browser folder of your user policy.
Note: You cannot manually capture e-mail transactions.
1 Right-click anywhere on the Orchestria APM capture lights in your browser and choose Transaction. The Transaction Detected light switches on to indicate a capture is in progress.
Figure: Orchestria APM capture lights. 1 Transaction Detected light. 2 Browser status bar.
2 Enter the details in the Create Transaction dialog. Note that some fields may be grayed out if your user policy specifies that these details are not required. When you quit the Web site, Orchestria APM checks whether you have supplied all the compulsory transaction items, for example, the transaction total and supplier reference. It then displays the Confirm Transaction dialog and prompts you to confirm the details. Typically, any compulsory details are highlighted in the dialog.
Note: The full range of possible items is listed in the Transactions > Transaction Action folder of the user policy.
Automatic captures
This section describes how to automatically capture transactions (that is, how to capture the payment details such as the amount, supplier reference, and so on). It does not describe how to capture the underlying Web page or e-mail.
Note: To capture the underlying Web page or e-mail, you must configure a Transaction Detector trigger in the Capture folder (see page 188).
To automatically capture online transactions:
1 Define the transaction triggers. You can find these in the Transaction folder of the user policy. A trigger condition may be as simple as a Web page URL or it may be more sophisticated. For example, you can base triggers on automatic analysis of e-mails to detect credit card numbers. For full details see page 143. In particular, you must configure a Transaction Detector trigger. This explicitly identifies transactions in progress and can extract data such as the transaction total and supplier reference. If this trigger is disabled, you cannot automatically capture the payment details of a transaction. See page 188 for details about these triggers.
2 Define the transaction action. This comprises a series of settings that determine how Orchestria APM handles the captured transaction. For example, you can specify how much input is required or permitted from users and whether users are permitted to cancel transactions captured automatically. For full details, see page 139.
3 Configure the compulsory transaction items. You can also configure the handling for individual items of transaction data such as the transaction total and supplier reference:
Chapter 8 Transactions
Cancel a transaction
If permitted by their policy, a user can manually cancel a transaction capture by clicking the Not a Transaction button in the Confirm Transaction dialog (see above). This flags the transaction as an exception (page 186). You may want to let users cancel a transaction if, for example, a policy trigger incorrectly detected a transaction, or the user chose to cancel the purchase after the trigger had activated. To do this, you must configure the Allow Cancellations setting in the Transaction Action folder of the user policy. This determines whether a user is permitted to manually cancel a transaction capture by clicking the Not a Transaction button in the Confirm Transaction dialog (see the previous section). If Allow Cancellations is set to:
Allowed, the transaction is deleted when the user clicks Not a Transaction.
Exception, the transaction is saved as an exception when the user clicks Not a Transaction. For further details, see the next section.
Disallowed, users cannot cancel the transaction. They must provide the necessary transaction details.
Figure: Confirm Transaction dialog. 1 Click OK to validate the transaction. 2 Click the Not a Transaction button to mark the transaction as an exception. 3 Missing or uncertain details, if flagged as compulsory in the user policy, are highlighted in red.
Transaction exceptions

When a captured transaction is flagged as an exception, it is excluded from statistical analysis in the Executive console. Exceptions can arise in two ways:
Manual exceptions: If the Allow Cancellations setting in the user policy is set to Exception, a user can manually flag a transaction as an exception. For example, a policy trigger may have incorrectly detected a transaction, or the user chose to cancel the purchase after the trigger had activated. To do this, the user clicks the Not a Transaction button in the Confirm Transaction dialog.
Automatic exceptions: A transaction may also be flagged as an exception automatically. This happens if the policy excludes user input (the users do not see the captured values and cannot override captured values), but one or more captured values do not meet the required level of confidence. For example, this could happen if the supplier reference is a key item of data but Orchestria APM is unable to detect this information with sufficient confidence and the policy precludes user input.

Transaction icons

When searching for captured transactions in the Data Management console, the Search Results screen uses icons to indicate the type of transaction item. For example, you can quickly identify captured blocked Web page transactions or e-mail transactions.
Transaction type
E-mail - captured
E-mail - blocked
E-mail - quarantined
Spending limits
Orchestria APM allows you to enforce maximum transaction values each time a user conducts a Web transaction. If the user tries to confirm a transaction total that exceeds this value, Orchestria APM either blocks the transaction or warns the user.
4.1 Select an action, for example Action 1.
4.2 Edit the settings in the action to specify whether an attempted overspend triggers a blocking or warning.
5 If you configured the control action to warn the user or block the user with a notification, return to the Transaction Detector trigger and edit the Message To Users setting so that the users see an appropriate message when their transaction exceeds the permitted maximum value. Save the policy.
Transaction detection
To automatically detect transactions, you must configure the Transaction Detector triggers. These activate when they detect a transaction in progress, based on content analysis of a Web page or e-mail. Only the Transaction Detector trigger can automatically extract these details; if this trigger is disabled, you cannot automatically capture the payment details of a transaction.
Note: Triggers in the Transaction folder do not cause
Capture folder Transaction Detector triggers in the Capture folder cause the associated Web page or e-mail to be captured when Orchestria APM detects a transaction. They do not cause the transaction details (the amount, supplier reference, and so on) to be captured!
Control folder Transaction Detector triggers in the Control folder generate a control event (typically a blocking or warning) when Orchestria APM detects a transaction. These too, like the Capture triggers, do not cause the transaction details (the amount, supplier reference, and so on) to be captured!
Transaction folder Only the Transaction Detector triggers in the Transaction folder itself cause transaction details (the amount, supplier reference, and so on) to be captured when Orchestria APM detects a transaction. A sophisticated transaction validation process ensures that this data is accurate (you control the stringency of this validation by adjusting settings in the user policy). Note that other triggers in the Transaction folder (such as the 'Submitted Credit Card' trigger) can cause the Confirm Transaction dialog to display, prompting the user to supply any missing details. But

Transaction detection process Steps 1 through 4 are described below. TP = Transaction Probability.
1 Examine specified Web pages and e-mails. First, Orchestria APM examines each specified Web page for transaction evidence. Its analysis is based on page content, HTML metatags, and any monetary values that it detects. For example, text such as 'order confirmation' and buttons such as 'Proceed to checkout' are usually evidence of transactions.
2 Analyze contents and quantify evidence. It then quantifies the available evidence and estimates the probability that the Web page or e-mail is a transaction. In technical terms, Orchestria APM calculates a transaction probability (TP).
3 Compare calculated transaction probability with the trigger sensitivity level. Next, Orchestria APM compares the calculated TP with the minimum TP needed to activate the Transaction Detector trigger. The minimum TP is determined by the Transaction Detector Sensitivity setting, found in the Transactions subfolder of the System Settings folder. Separate sensitivity settings are available for triggers in the Capture, Control, and Transaction folders. See page 140 for further details. In each case, you can set the level of sensitivity needed to activate the trigger. For example, you can choose to activate the trigger for all suspected transactions, or you can demand certainty or near-certainty before it is activated. (In technical terms, each sensitivity level equates to a minimum TP.)
4 Activate the trigger? If the calculated TP is equal to or greater than the minimum TP, Orchestria APM infers that the current Web page or e-mail is a transaction and activates the Transaction Detector trigger.

Transaction validation

In an ideal world, Orchestria APM would capture a transaction and successfully extract all the items of transaction data. The data could then be used to calculate spend rates and so on. But in practice, the presentation of online transactions is so diverse across the Web that problems can arise. Orchestria APM must therefore validate the transaction data to ensure that the values are accurate. This is a six-step process:
Transaction Validation Steps 1 through 6 are described on the following pages. RCL = Required Confidence Level for an item of transaction data. CCL = Calculated Confidence Level for an item of transaction data.
1 Specify compulsory transaction items. Which items of transaction data are compulsory? In the user policy, you can specify whether individual items of transaction data are needed. For example, you may need a supplier reference but not a buyer reference. Items which you do need are known as 'compulsory items'.
2 Set the Required Confidence Level (RCL). In the user policy, you set the RCL for each compulsory item of transaction data. If all compulsory items meet the required level of confidence, then the transaction is validated. If the confidence level for any item falls below the RCL, then the entire transaction is flagged as an exception and excluded from all transaction statistics. You can set the RCL to:
Zero: Any value is valid.
Manual: Values are only valid if they are entered or confirmed by the user. Go to step 5.
4 If CCL >= RCL, that is, the CCL is the same as or greater than the RCL, the item is validated. If CCL < RCL, that is, the CCL is less than the RCL, the item is not validated. Either the transaction is flagged as an exception, or the user must supply the value or confirm a captured value. For example, the policy requires a medium level of confidence that the supplier reference is correct, but Orchestria APM is able to capture this item with a high level of confidence. Here, the CCL exceeds the RCL so the supplier reference is validated.
5 Are users permitted to override captured values? Orchestria APM checks the policy to determine what input, if any, is required from the user. If the policy specifies that users do not see the Confirm Transaction dialog, Orchestria APM handles the transaction based on only the CCL-RCL comparisons for compulsory items (see step 4). If users are shown the Confirm Transaction dialog, Orchestria APM checks whether they are permitted to override valid captured values:
The Show Dialog? setting has four values: Never; Always; Unless transaction matches; If Necessary.
These values operate in conjunction with other settings in the transaction action to steer the transaction validation process. For example, the transaction action includes a setting that permits users to cancel transactions captured automatically by clicking a button in the Confirm Transaction dialog. Other settings define the compulsory items of transaction data and the required confidence levels for these items. Compulsory items are highlighted in the Confirm Transaction dialog if Orchestria APM lacks confidence in their accuracy. See the following pages for details of how the Show Dialog? setting (in conjunction with other settings in the transaction action) affects transaction validation.
Note: The following descriptions assume that the Transaction Detector triggers for Web pages and e-mails are enabled in the Transaction folder. If you disable these triggers, Orchestria APM cannot automatically extract transaction details such as the total amount or the supplier reference.

The Show Dialog? setting is set to: Never
The Confirm Transaction dialog is never shown.
If CCL >= RCL for all compulsory items: the transaction is validated and saved, using the captured values. (Validated)
If CCL < RCL for any compulsory item: the transaction is saved as an exception, using the captured values. (Exception)
CCL = Calculated Confidence Level. RCL = Required Confidence Level.

The Show Dialog? setting is set to: Always, Unless transaction matches, or If necessary
When the Confirm Transaction dialog appears:
User clicks OK:
  If CCL >= RCL for all compulsory items (1): Is the user allowed to override these captured values?
    Yes: Transaction validated and saved with captured values or values supplied by the user. (Validated)
    No: Transaction validated and saved with the captured values. (Validated)
  If CCL < RCL for any compulsory item: If Allow Cancellations? is set to:
    Allowed or Disallowed: The user must confirm or amend all uncertain values. Transaction validated and saved with user-supplied values. (Validated)
    Exception: Has the user confirmed or amended all uncertain values?
      Yes: Transaction validated and saved with user-supplied values. (Validated)
      No: Transaction saved as an exception. (Exception)
User clicks Not a Transaction (2): If Allow Cancellations? is set to:
    Allowed: Transaction is not saved. (Not saved)
    Exception: Transaction saved as an exception. (Exception)
CCL = Calculated Confidence Level. RCL = Required Confidence Level.
1 If Show Dialog? is set to If necessary, the Confirm Transaction dialog is never shown when CCL >= RCL for all compulsory items.
2 If Allow Cancellations? is set to Disallowed, this button is not available.
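The two decision tables above are easier to reason about, and to test against a policy change, when written as one function that takes the same inputs the product consults. The following is an added example, not Orchestria's own code: it encodes the CCL/RCL comparison for each compulsory item (step 4), the Show Dialog? setting, the user's action in the Confirm Transaction dialog, whether the user may override captured values (step 5), and the Allow Cancellations? setting, and returns the outcome (validated, exception, or not saved) together with where the saved values came from. The numeric confidence scale (Zero < Low < Medium < High) and the sample transaction are assumptions; Manual is modelled as "valid only once the user has entered or confirmed the value", as described above, and "Unless transaction matches" is treated like Always because this example does not model transaction matching.

```python
"""Transaction validation outcomes.

Added example, not Orchestria's own code. The confidence scale and the
sample transaction are assumptions.
"""
from enum import IntEnum


class Confidence(IntEnum):
    ZERO = 0      # RCL Zero: any value is valid
    LOW = 1
    MEDIUM = 2
    HIGH = 3


MANUAL = "Manual"   # RCL Manual: only user-entered or user-confirmed values are valid

VALIDATED, EXCEPTION, NOT_SAVED = "validated", "exception", "not saved"


def item_is_valid(ccl, rcl, user_confirmed: bool) -> bool:
    """Step 4: CCL >= RCL validates the item. A Manual RCL can only be met by the user."""
    if rcl == MANUAL:
        return user_confirmed
    return ccl >= rcl


def validate_transaction(items, show_dialog, allow_override=False,
                         allow_cancellations="Disallowed", user_action="OK",
                         confirmed_items=()):
    """items: {name: (ccl, rcl, compulsory)}.
    show_dialog: 'Never', 'Always', 'Unless transaction matches' or 'If necessary'.
    user_action: 'OK' or 'Not a Transaction'; only consulted when the dialog is shown.
    confirmed_items: names of items the user confirmed or amended in the dialog.
    Returns (outcome, source of the saved values)."""
    compulsory = {n: v for n, v in items.items() if v[2]}
    uncertain = [n for n, (ccl, rcl, _) in compulsory.items()
                 if not item_is_valid(ccl, rcl, user_confirmed=False)]

    # Never: the user is not consulted, so the CCL/RCL comparison alone decides.
    # (A Manual RCL on a compulsory item can therefore never be met: every such
    # transaction becomes an exception.)
    if show_dialog == "Never":
        return (VALIDATED, "captured") if not uncertain else (EXCEPTION, "captured")

    # If necessary: the dialog is skipped when every compulsory item is certain.
    if show_dialog == "If necessary" and not uncertain:
        return (VALIDATED, "captured")

    # The Confirm Transaction dialog is shown.
    if user_action == "Not a Transaction":
        if allow_cancellations == "Allowed":
            return (NOT_SAVED, None)
        if allow_cancellations == "Exception":
            return (EXCEPTION, "captured")
        raise ValueError("Not a Transaction button is unavailable when cancellations are Disallowed")

    # User clicks OK.
    if not uncertain:
        return (VALIDATED, "captured or user-supplied" if allow_override else "captured")
    unresolved = [n for n in uncertain if n not in confirmed_items]
    if allow_cancellations in ("Allowed", "Disallowed"):
        # The dialog keeps the user until every uncertain value is confirmed or amended.
        if unresolved:
            raise ValueError("user must confirm or amend: " + ", ".join(unresolved))
        return (VALIDATED, "user-supplied")
    # Allow Cancellations? = Exception: the user may leave values unconfirmed.
    return (VALIDATED, "user-supplied") if not unresolved else (EXCEPTION, "captured")


# Constructed sample: total captured confidently, supplier reference not.
SAMPLE_ITEMS = {
    "total":        (Confidence.HIGH, Confidence.MEDIUM, True),
    "supplier_ref": (Confidence.LOW,  Confidence.MEDIUM, True),
    "buyer_ref":    (Confidence.ZERO, Confidence.HIGH,   False),   # not compulsory
}

if __name__ == "__main__":
    print(validate_transaction(SAMPLE_ITEMS, "Never"))
    print(validate_transaction(SAMPLE_ITEMS, "Always", allow_cancellations="Exception",
                               confirmed_items=("supplier_ref",)))
```

Two consequences of the tables show up immediately when you run this with different settings: a compulsory item with a Manual RCL under Show Dialog? = Never turns every transaction into an exception, because nobody is ever asked to confirm it; and the non-compulsory buyer_ref never influences the outcome however low its CCL is.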
Transaction matching
A complete transaction typically includes various 'partial transactions': the purchase itself, plus various catalog and checkout Web pages and a subsequent e-mail receipt. Orchestria APM attempts to identify and gather together all e-mails or Web pages that jointly make up the entire context of a transaction. This process is called transaction matching.
Matching process
If a Web or e-mail event activates any trigger in the Transaction folder of the user policy, Orchestria APM automatically attempts to match that item to an existing transaction. If it is unable to do so, it deems that the item represents a wholly new transaction. This topic describes how this automatic matching process works.
Note: You can also manually add captured items to a transaction.
As soon as a Transaction trigger is activated, Orchestria APM compares the newly captured item with each existing transaction. For each item-transaction pair, it then calculates a Transaction Matching (TM) score. Next it compares the TM score against a critical range of score values. This range is based on a Confidence Level setting which defines a deviation around the minimum acceptable value. This process eliminates any transactions where there is clearly no possible match. For a technical description, see page 194. Orchestria APM then considers the remaining transactions and adds the captured item to the transaction yielding the highest TM score. For an example of how Orchestria APM compares three potential matches, see page 195.
The transaction timeout and sensitivity settings in the Transactions subfolder of the System Settings folder. For a summary, see page 140.
The required confidence level for individual items of transaction data in the Transaction Action folder. See page 139.
Technical description

Orchestria APM compares the captured item against each existing transaction and looks for evidence of a match. Such evidence can include common supplier reference numbers, matching transaction amounts, or a common Internet domain. Orchestria APM then weighs this evidence and calculates a TM score. For each transaction, Orchestria APM calculates a TM score with a value between 0 and 1, where 0 is a null match and 1 is a perfect match. This allows Orchestria APM to quantify and compare the strength of each possible match. Next, Orchestria APM calculates a critical range of TM score values, defined by the Transaction Matching Sensitivity and Confidence Level settings in the current user policy:
Transaction Matching Sensitivity This setting dictates how well a captured item must match an existing transaction. In technical terms, each sensitivity level defines the minimum TM score value needed for a positive match. This prevents Orchestria APM choosing a target transaction simply because it seems the least unlikely.
Confidence level This setting dictates how confident Orchestria APM must be before choosing the target transaction automatically. If it lacks confidence, it asks the user to choose. In technical terms, each confidence level defines a deviation around the minimum TM score value as defined by the Transaction Matching Sensitivity setting (S1, S2 or S3).
Figure: Transaction Matching Sensitivity levels. 0.0 to 1.0 is the range of possible TM score values. Each sensitivity level equates to a minimum acceptable TM score value; the Transaction Matching Sensitivity settings (S1, S2 or S3) represent actual TM scores. S1 Reduced Sensitivity. S2 Medium Sensitivity. S3 Raised Sensitivity.
The diagram below illustrates how Orchestria APM compares the captured item against three existing transactions (1, 2 and 3), rejecting or accepting the match, or prompting the user for assistance, based on the TM score calculated for each item-transaction pair:
Figure: Example: matching an event to existing transactions. The TM scores of transactions 1, 2 and 3 are shown on the 0.0 to 1.0 axis together with S1, S2, S3 and the range R.
0.0 to 1.0 is the range of possible TM score values.
S2 is the minimum TM score necessary to confirm a match. It is defined by the Transaction Matching Sensitivity setting. S1 and S3 are not used in this example.
Transaction Matching Sensitivity levels: S1 Reduced Sensitivity; S2 Medium Sensitivity; S3 Raised Sensitivity. Confidence levels: Ask when confidence is moderate; Ask only if confidence is low.
Transaction 3 yields the highest TM score, so the newly captured item is allocated to this transaction. The TM score is above range R. Orchestria APM confirms the match and assigns the captured item automatically to transaction 3.
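The matching process described in this topic and the technical description before it can be followed end to end in a small amount of code. The following is an added example, not Orchestria's own code. Each item-transaction pair gets a TM score between 0 (null match) and 1 (perfect match) from weighted evidence (common supplier reference, matching amount, common Internet domain); the score is compared with a critical range R built from the Transaction Matching Sensitivity (S1, S2 or S3) and Confidence Level settings; pairs below R are eliminated, a best score above R is assigned automatically, and a best score inside R is referred to the user. The evidence weights, the numeric values of S1, S2 and S3, the deviations for the two confidence levels and the sample transactions are this example's assumptions; the manual gives none of them.

```python
"""Transaction matching with a TM score and a critical range.

Added example, not Orchestria's own code. Weights, sensitivity values,
confidence deviations and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed minimum TM score for each Transaction Matching Sensitivity level.
SENSITIVITY = {"S1": 0.35, "S2": 0.55, "S3": 0.75}   # Reduced / Medium / Raised
# Assumed deviation around that minimum for each Confidence Level setting.
CONFIDENCE = {"Ask when confidence is moderate": 0.20,
              "Ask only if confidence is low": 0.10}
# Assumed evidence weights; they sum to 1.0 so the TM score stays within 0..1.
WEIGHTS = {"supplier_ref": 0.5, "amount": 0.3, "domain": 0.2}


@dataclass
class TxItem:
    supplier_ref: Optional[str] = None
    amount: Optional[float] = None
    domain: Optional[str] = None


def tm_score(captured: TxItem, existing: TxItem) -> float:
    """Weigh the evidence for one item-transaction pair."""
    score = 0.0
    if captured.supplier_ref and captured.supplier_ref == existing.supplier_ref:
        score += WEIGHTS["supplier_ref"]
    if (captured.amount is not None and existing.amount is not None
            and abs(captured.amount - existing.amount) < 0.005):
        score += WEIGHTS["amount"]
    if captured.domain and existing.domain and captured.domain.lower() == existing.domain.lower():
        score += WEIGHTS["domain"]
    return round(score, 6)


def critical_range(sensitivity: str, confidence: str):
    """Range R: the sensitivity minimum plus or minus the confidence deviation."""
    minimum, dev = SENSITIVITY[sensitivity], CONFIDENCE[confidence]
    return (round(max(0.0, minimum - dev), 6), round(min(1.0, minimum + dev), 6))


def verdict(score: float, rng) -> str:
    lo, hi = rng
    if score < lo:
        return "reject"        # clearly no possible match
    if score > hi:
        return "accept"        # confident enough to assign automatically
    return "ask"               # inside R: let the user decide


def match_item(captured: TxItem, transactions: dict, sensitivity="S2",
               confidence="Ask when confidence is moderate"):
    """Return (decision, transaction id or None, {id: TM score}).
    decision: 'assigned' (automatic), 'ask user' (best candidate lies in R)
    or 'new transaction' (every existing transaction was rejected)."""
    rng = critical_range(sensitivity, confidence)
    scores = {tid: tm_score(captured, tx) for tid, tx in transactions.items()}
    remaining = {tid: s for tid, s in scores.items() if verdict(s, rng) != "reject"}
    if not remaining:
        return ("new transaction", None, scores)
    best = max(remaining, key=remaining.get)       # highest TM score wins
    if verdict(remaining[best], rng) == "accept":
        return ("assigned", best, scores)
    return ("ask user", best, scores)


# Constructed sample: three open transactions and a receipt e-mail.
TRANSACTIONS = {
    1: TxItem("PO-1001", 120.00, "shop-a.example"),
    2: TxItem("PO-2002", 49.99, "shop-b.example"),
    3: TxItem("PO-3003", 49.99, "shop-b.example"),
}
RECEIPT = TxItem("PO-3003", 49.99, "shop-b.example")

if __name__ == "__main__":
    print(match_item(RECEIPT, TRANSACTIONS))
    print(match_item(TxItem(None, 49.99, "shop-b.example"), TRANSACTIONS))
```

With the assumed values, the receipt reproduces the three-transaction diagram: transaction 1 scores 0 and is rejected, transaction 2 scores 0.5 and lands inside R, and transaction 3 scores 1.0 and is assigned automatically. A receipt with no supplier reference scores 0.5 against both shop-b transactions, so the user is asked to choose; only at Reduced Sensitivity with the narrower "Ask only if confidence is low" range does 0.5 clear R and get assigned without a prompt, which is exactly the trade-off the two settings expose.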
Search: period expires on a particular date (the Expiry Date search filter). See the Data Management console online help; search the index for expiry date.
Override:
9. Capturing data

This chapter shows how to capture e-mails, Web pages, files and application usage metrics. Orchestria APM lets you capture as much data, or as little, as you need. At one extreme, you can simply record the bare details of every e-mail, file, or Web page. For example, you might simply record the URL of every Web page accessed by your users in order to discourage time wasting or visits to inappropriate Web sites. Alternatively, you can capture in full any Web pages, files, or e-mails that match a set of precise conditions. The key to managing data captures is the user policy. Each user policy defines the triggers that cause automatic captures and the settings to allow or deny manual capturing. You can then use the captured data for analysis, or simply store it as provision against future disputes. You define what data is captured and the conditions that trigger a capture.
Capture strategies

Orchestria APM lets you set up multiple strategies for automatically capturing data. To set up these strategies, you configure the capture triggers and capture actions in the user policy. Each capture trigger (whether for Web pages, files, e-mails, or application events) specifies a capture action. This action defines what data is captured and, for Web pages, whether Orchestria APM indicates to the user that a capture is in progress. Typically, you will need to set up several complementary actions.

Example

In this example, your strategy uses three complementary capture actions:
1 First, you set up Action 1 for selective, full-detail captures, focusing on a narrow range of triggers, such as visits to Web sites during an HTTPS session. This action causes Orchestria APM to capture all the available information. For Web pages, this includes all text, images and submitted data. For e-mails, this includes the body text, attachments, and Internet header information. For files, this includes the file itself and file attribute details.
2 Next, you set up Action 2 for general, high-volume, minimum-detail captures. For example, you could use this action for Web sites not covered by Action 1. For these sites, you capture the URL but no other details. For e-mails, you may capture only the sender's or recipients' addresses plus the subject. For files, you may capture only the file attribute details.
3 Finally, you set up Capture Action 3 for special situations. For example, this action may be identical to Action 1, except that it conceals from users when captures are in progress. This may be useful in situations where particular discretion is needed.
Capture Page to capture the current page only; or
Start Capturing to capture the current Web page, plus all Web pages visited subsequently. Page captures continue until you quit the browser or right-click the capture lights and choose Stop Capturing.
Figure: Orchestria APM capture lights. 1 Capture light. 2 Browser status bar.
When you capture a Web page manually, you activate the 'Manual capture' trigger. In the user policy, you can specify the capture action associated with this trigger.
Figure: Web page capture trigger settings and action settings.
Figure: User Policy: System Settings.
4 Now specify the Web Page Buffer Size setting as required.
Capturing e-mails
As with Web pages, Orchestria APM supports manual and automatic e-mail captures.
Note: Orchestria APM does not indicate to users when an e-mail has been captured. Unlike the capture lights in the browser status bar (page 142), there is no equivalent indication for e-mail users.
Permission to manually capture e-mails is granted by settings in the Extensions > Browser folder of the user policy. If permitted, you can manually capture incoming and outgoing e-mails by clicking the Capture button in the toolbar of your message window:
Figure: Manual e-mail captures. 1 Capture button. Click to capture the current e-mail.
When you capture an e-mail manually, you activate the 'Manual capture' trigger. Separate Manual triggers are available for incoming and outgoing e-mails. In the user policy, you can specify the capture action associated with these triggers.
Figure: E-mail capture triggers and capture actions. Each trigger (1) includes a capture action setting (2). For each trigger, you can choose from a range of available actions (3). Action settings (4) define what data is captured.
Attachments
Display options for e-mail attachments
By default, when you view captured e-mails Orchestria APM includes any attachments as icons within the body text of the e-mail, for example:
Attachment is a non-directional embedded message object In Microsoft Outlook, users can send various items to colleagues as e-mail attachments, including messages and draft messages, meeting requests, tasks, contacts and calendar events. These items are actually embedded message objects. Some, such as messages and meeting requests, are directional (that is, the object itself is explicitly addressed to specific users); others, such as tasks and calendar events, are non-directional.
The Orchestria APM Outlook client agent is designed to capture e-mail activity. Therefore, it only captures directional embedded objects, such as messages, draft messages and meeting requests; by design, it does not capture non-directional objects. For example, the Outlook client agent is not designed to capture all the data needed to reconstitute and display an Outlook calendar event in the Data Management console. However, all e-mails containing embedded message objects are represented in the Search Results screen of the Data Management console by e-mail with attachment icons. This includes e-mails with non-directional embedded items, because it would be misleading to imply that such e-mails did not contain an attachment:
Figure: E-mail with attachment icons.
Note: Draft messages, even though they have no recipients, are classed as directional items by Orchestria APM.
Access denied to Outlook plug-ins In exceptional circumstances, idiosyncratic interactions between Outlook and the Messaging API combine to deny full message access to third-party plug-ins such as the Orchestria APM Outlook Integration feature. In these circumstances, Outlook users may still be able to manually capture the e-mail attachment by clicking the Capture button in the toolbar of the message window. (Manual e-mail captures are only available to Microsoft Outlook users. They are not available in other e-mail applications.)
Importing e-mails
If required, you can import existing e-mails from an external source, for example, an e-mail archive or Microsoft Exchange mailbox, into your CMS using the Event Import utility.
Event Import utility: Event Import automatically associates imported events with their correct 'owners'. If required, it can even create new users to 'own' imported events. You can then search for these e-mails as normal in the Data Management console. For full details about Event Import, see the Deployment guide; search the index for Event Import utility.
Integration with e-mail archives: For full details about the archive integration and event import process, see the Deployment guide; search the index for e-mail archive integration.
Note: For the current release, Orchestria APM only provides integration support for Educom Exchange Archive Server (EAS).
E-mail issues
Captured e-mails and viruses
If your organization suffers a virus attack, your cleanup operations after the attack must target any infected e-mails that were captured and saved in your Orchestria APM database. See page 328 for details.
If your organization suffers a virus attack, there is a risk that infected e-mails or attachments may be captured and saved in your Orchestria APM database. If this happens, you must delete any infected e-mails or attachments from all affected Orchestria APM databases (on the CMS plus any gateways or client machines that may also be at risk) as part of your cleanup operations after the attack.
Alleviate delays when sending e-mails to many recipients or large distribution lists
By default, Orchestria APM extracts full details for each recipient from the e-mail server when capturing outgoing e-mails. But if an e-mail is sent to many recipients, or to a very large or heavily nested distribution list, delays can occur while these details are retrieved from the e-mail server. To alleviate these delays, you can limit the volume and type of information that is retrieved. See page 329.
Importing IM conversations
Orchestria APM uses two utilities to extract archived IM conversations and import them into a CMS, as it cannot capture these conversations directly. The IM Import utility, IMFrontEnd.exe, is a standalone utility that extracts IM conversations from log or dump files. It then saves the extracted IM conversations to CNV files, which can be accessed by the Event Import utility. IM Import is dependent on various parameters to configure the extraction and conversion process. Event Import then uses its own parameters to determine how the individual CNV files are segmented into chapters and how to identify those participants who are internal to your organization. For more details about IM Import or Event Import, see the Deployment guide; search the index for IM Import, or for Event Import, parameters.
Note: Currently, IM Import can extract data from the following archive file formats: Instant Bloomberg, IB Inet, IB Bloomberg, IB Unified, MindAlign and FaceTime.
Capture triggers
To capture application usage details, you must configure the Application Monitor capture triggers in the user policy. These triggers activate when Orchestria APM detects that a user is running a particular application. These triggers are based on two criteria, both of which must be confirmed for the trigger to activate:
Window title: You can restrict the triggers so they only activate when the window in which the application is running has a specific title. A trigger setting lets you specify a list of window titles that activate the trigger. For example, if you specify Netscape then window titles such as 'Unipraxis Netscape' will activate the trigger. You can also use this feature to modify the trigger so it only activates when the window title indicates a specific document or screen has been opened, for example, Hotmail - Compose.
Application: You can define applications by the executable name and path (for example, msimn.exe) or by the executable properties. Specifically, when checking executable properties Orchestria APM looks for specified text in these Version Information fields: Company, Internal Name, Original File Name and Product Name. This lets you identify applications by their familiar product name rather than their less familiar executable name (for example, Netscape rather than netscp.exe).
When a trigger activates, it invokes a capture action. This action determines whether to record key presses, mouse clicks, or both. It also determines the event timeout (see page 206).
Application events
As soon as a capture action is invoked, Orchestria APM starts counting the key presses and mouse clicks. It records these metrics in an application event. These events are generated automatically when:
The user closes an application, or
The user switches to another application, or
The event timeout expires (see below).
[Figure: Timeouts and No Activity events. Timeline in minutes: 15, 30, 45, 60, 67, 82; the icons beneath each period show whether key presses or mouse clicks were detected (Yes/No); events 1 to 4 are labelled on the timeline.]
1, 2 All key presses or mouse clicks detected during the first two timeout periods are added to events 1 and 2. But these are followed by two periods when no activity is detected.
3 Eventually, a key press in the 67th minute causes Orchestria APM to create a single zero activity event 3. This covers the entire period of inactivity between the 30th and 67th minutes.
4 The 15 minute timeout sequence resumes immediately. Any further key presses or mouse clicks are added to event 4. This event is closed after 82 minutes (that is, 67+15 minutes).
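The timeout sequence in the figure, carried through as an added worked example (this is illustrative code, not code from the Orchestria manual or product). It reproduces the figure's four events from constructed activity timestamps. The rule that a key press arriving after at least one fully idle timeout period closes one zero-activity event and restarts the sequence at that instant is an assumption that matches the figure; the manual does not state how activity inside a partially idle period is handled.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Timeout used in the manual's figure (minutes). The real value comes from the
# capture action's event timeout setting; 15 is only the figure's example.
DEFAULT_TIMEOUT = 15


@dataclass(frozen=True)
class AppEvent:
    start: int     # minute at which the event opened
    end: int       # minute at which the event closed
    activity: int  # key presses plus mouse clicks counted; 0 marks a No Activity event


def segment_events(activity_minutes: Iterable[int], closed_at: int,
                   timeout: int = DEFAULT_TIMEOUT) -> List[AppEvent]:
    """Split key presses / mouse clicks (minute offsets since the capture action
    was invoked) into application events, following the figure's rules:

    * a period with activity closes as a normal event when the timeout expires;
    * consecutive active periods are contiguous (0-15, 15-30, ...);
    * once a whole timeout period passes with no activity, nothing is emitted
      until the next key press or click, which closes ONE zero-activity event
      spanning the idle stretch and restarts the timeout sequence at that
      instant (assumption: this reproduces the figure);
    * closing the application (closed_at) closes the open event early.
    """
    events: List[AppEvent] = []
    period_start = 0
    count = 0

    for t in sorted(activity_minutes):
        if t >= closed_at:
            break  # activity after the application was closed is not ours
        period_end = period_start + timeout
        if t >= period_end and count > 0:
            # Timeout expired on an active period: close it as a normal event
            # and continue the sequence from the period boundary.
            events.append(AppEvent(period_start, period_end, count))
            period_start, count = period_end, 0
        if t >= period_start + timeout:
            # At least one full timeout period elapsed with nothing counted:
            # one No Activity event covers everything up to this key press.
            events.append(AppEvent(period_start, t, 0))
            period_start = t
        count += 1

    if count > 0:
        # Final open event: closed by timeout expiry or by the application
        # being closed / switched away from, whichever comes first.
        events.append(AppEvent(period_start, min(period_start + timeout, closed_at), count))
    return events


# Constructed input reproducing the manual's figure: activity in the first two
# 15-minute periods, nothing between minute 30 and 67, then activity resumes.
FIGURE_ACTIVITY = [3, 8, 20, 25, 67, 70]

if __name__ == "__main__":
    for ev in segment_events(FIGURE_ACTIVITY, closed_at=100):
        kind = "No Activity" if ev.activity == 0 else f"{ev.activity} actions"
        print(f"event {ev.start:>3}-{ev.end:<3} {kind}")
```

Running it prints events 0-15 and 15-30 with activity, one No Activity event 30-67, and event 67-82 closed by the timeout, as in the figure; passing a smaller closed_at shows the early close that happens when the user closes or switches application.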
Exceptions
But under certain conditions, monitoring continues for targeted applications until:
The application is changed, or
The window title changes. For example, this may happen if the user opens a new document.
This is because, if you edit a policy to disable a capture trigger or change a capture action setting to False, the updated policy only applies to new sequences of captured application events. To ensure database integrity, Orchestria APM is unable to apply these policy changes to sequences that it is already capturing.
Note: Closing an application or a change of window title will automatically close a sequence of captured application events.
Capturing files
Using Data In Motion and Data At Rest file triggers and Orchestria APM file agents, you can capture files that users are trying to print, save to a USB device, or upload to or download from a Web site. You can also capture file attachments in Webmails or IM conversation and files scanned by the File Scanning Agent (FSA).
File sources
Orchestria APM provides various file agents and ingestion mechanisms to capture files. To specify which file sources Orchestria APM will monitor, you configure the Which File Sources? setting in each file trigger:
File triggers
Orchestria APM supports two types of file trigger:
Data In Motion triggers can capture files being printed or copied to a USB device. They can also capture files entering or leaving the corporate network. These triggers are used by the Client Print System Agent, Client File System Agent, and the Network Boundary Agent; see the next section.
Note: Data In Motion capture triggers and actions are summarized on page 131 and page 132.
Client File System Agent (CFSA): Also known as policy on save or PoS, this agent enables you to capture files being copied to USB devices.
Client Print System Agent (CPSA): This agent enables you to capture files being printed.
Network Boundary Agent (NBA): The NBA analyzes individual data packets crossing the boundary between your organization and the Internet. It can reassemble these packets into e-mails and files.
Data At Rest triggers are used to capture items scanned by the File Scanning Agent (see the next section) or files imported onto the CMS.
Note: Data At Rest control triggers and actions are summarized on page 130 and page 132.
File Scanning Agent (FSA): The FSA can scan, analyze and apply policy to files saved in designated folders, items in Microsoft Exchange Public Folders, and items hosted on SharePoint sites.
File Importer: This option enables policy engines to capture files imported onto the CMS as part of an Import Policy job.
External Agent API for File: This option enables policy engines to capture files received from the External Agent API, allowing integration with third party archives.
File attributes only: Orchestria APM captures various file attributes but not the file itself, such as: the file name and path; the host machine; the created and last modified dates; the document title and author (if available); plus other details in XML format. Please contact the Orchestria service desk for details; see page 24.
Attributes and file data: Orchestria APM captures the attributes described above plus the file itself.
None: You can optionally set up the capture action to not capture any file details. You may choose this option if you only want to capture trigger details, say, for testing purposes.
For further details, see the corresponding section on file sources for control triggers on page 246 in chapter 10 Controlling user activity.
Files copied to USB devices: When a user tries to copy a file to a removable USB device, the CFSA applies machine policy to determine whether the copy action is permitted. You can also optionally channel users into using Windows Explorer or a DOS command to copy their files (by blocking copy operations from other applications); the CFSA can then apply Data In Motion capture triggers to capture the file being copied. For details, see the corresponding section on Data In Motion control triggers on page 248 in chapter 10 Controlling user activity.
Printers and USB devices: Data In Motion triggers can activate if the user tries to use a specific printer or USB device.
File properties or text content: All file triggers can detect specific file formats (such as Microsoft Word documents). They can also analyze a file's text content and even analyze nested files contained within a zip file or embedded in a master file.
File lists: All file triggers can detect specific file names (defined in the Top Level File Lists), or names of nested files contained within a zip file or embedded in a master file (defined in the Individual/Embedded File Lists).
Printed files: When a user tries to print a file, the CPSA can apply Data In Motion capture triggers to monitor or exempt specific printers and to capture the documents being printed. For details, see the corresponding section on Data In Motion control triggers on page 247 in chapter 10 Controlling user activity.
Scanned files: Using Data At Rest capture triggers, the FSA can scan, analyze and capture files saved in local and remote file systems, and files stored in Microsoft Exchange Public Folders. For further details, see the corresponding section on Data At Rest control triggers on page 249 in chapter 10 Controlling user activity.
Files entering or leaving your corporate network: The NBA can detect and capture files entering or leaving your corporate network. These include FTP file transfers, files sent as attachments to Webmails or IM conversations, and files uploaded to or downloaded from Web sites. For further details, see the corresponding section on Data In Motion control triggers on page 250 in chapter 10 Controlling user activity.
For further details, see the corresponding section on file control triggers on page 245 in chapter 10 Controlling user activity.
For documents captured by the CPSA or CFSA, Orchestria APM applies the policy of the user currently logged on to the client machine. For files captured by the NBA, Orchestria APM applies the default user policy. For imported files or files scanned by the FSA, the job definitions typically specify which user policy gets applied.
For further information, see the corresponding section on page 247 in chapter 10 Controlling user activity.
4 Specify the list of file extensions in the Archive File Extensions setting (User Policy: System Settings) as required. For example, *.zip, *.pst, *.gz.
Data Lookup
Disabling e-mail and browser integration
Unreadable uploaded or imported files, or e-mail attachments
Encrypted e-mails
E-mails with digital signatures
Data Lookup
Data Lookup settings provide highly flexible extensions to e-mail capture and control triggers. These settings enable control triggers to selectively detect or exempt e-mails based on: the attributes of an Orchestria APM recipient or sender; the Outlook Address Book properties of the recipients or the sender; or the potential impact on network traffic. For maximum flexibility, Data Lookup settings take the form of user-defined commands. For full details about the required command syntax, plus extensive examples, see chapter 11, Data lookup.
Example
You may want to set up triggers to capture all e-mails imported from archive files (as part of an Import Policy job) but only capture unauthorized e-mails transiting through your Exchange server. This would require you to set up two complementary capture triggers:
1 Specify the import trigger: Set up a trigger to capture all e-mails imported from, say, PST files.
1.2 Edit the Which E-mail Sources? setting and select only the Archive File Importers option.
1.3 Set up other trigger settings to ensure that all imported e-mails are captured.
2 Specify the Exchange trigger: Set up a second trigger to only capture unauthorized e-mails transiting through your Exchange server.
2.2 Edit the Which E-mail Sources? setting and select only the Microsoft Exchange Server (Mailbox) option.
2.3 Set any other trigger settings as required. For example, configure the trigger to only activate when it detects e-mails sent to members of the Research department.
3 Save the policy. The same policy now captures all e-mails imported from archive files, but only captures unauthorized e-mails passing through your Exchange server.
Re-enabling integration
To re-enable integration with a specific application or import source that has previously been disabled:
1 Open the User Policy Editor and locate the System Settings folder. In the 'Enable Application Integration?' setting, select the check boxes of the sources you want to enable.
Encrypted e-mails
If required, you can always capture unencrypted e-mails, but exempt e-mails that are encrypted. Alternatively, you can set the trigger to always capture encrypted e-mails but exempt non-encrypted e-mails! Encryption exemptions are available for all incoming and outgoing e-mail capture triggers.
Digital signatures
If required, you can always capture e-mails if they do not have a digital signature, but exempt e-mails if they are digitally signed. Alternatively, you can set the trigger to always capture signed e-mails but exempt unsigned e-mails! Digital signature exemptions are available for all incoming and outgoing e-mail capture triggers.
4 To configure the trigger more precisely, you can also set the Conditions for Unreadable Text Content setting. This setting is ignored if the Activate Trigger if Text Content Unreadable? setting is set to False. If this is set to:
Search
expires on a particular date (the Expiry Date search filter). See the Data Management console online help; search the index for expiry date.
Override
chapter 10
Openly restrictive: If you prefer to openly restrict user activity, you can block inappropriate e-mails, Web pages or data submissions and display an explanatory message to users.
Discretionary: If you trust users to respect your organization's guidelines on Web and e-mail usage, you can warn them that their Web or e-mail activity is inappropriate while allowing them to decide whether to continue or quit.
Advisory: If you just want to inform users that a Web page, data submission or e-mail has been identified as potentially significant, you can display a notification dialog.
Discreetly attentive: If you just want to monitor Web, file or e-mail activity, you can set up control actions that do not generate blockings or warnings, or remove or replace files, but which can still capture items of interest without alerting users to the presence of Orchestria APM.
Discreetly restrictive: If discretion is essential, you can quietly block inappropriate e-mails, Web pages or data submissions, or delete and replace files without alerting users to the presence of Orchestria APM.
Note: Data At Rest triggers are always silent.
You can implement any combination of strategies. First, you define control triggers to trap any Web, file, or e-mail behavior that contravenes your organization's rules. Then you configure the control actions to handle this behavior in the manner you require. This procedure is summarized in the following section.
Control procedure
When a control trigger is activated, for example because an unauthorized e-mail is detected, Orchestria APM implements a chain of policy settings to control and (typically) capture this behavior. The diagram below summarizes key steps in the control procedure, with special emphasis on the role of the Intervention setting and how it determines the type of control event:
Note: If using an Exchange server agent, see page 220.
1 Control trigger: Orchestria APM detects a trigger condition, for example, an e-mail lacking an official disclaimer. A trigger setting invokes a control action.
2 Control action: The control action defines how to handle targeted Web or e-mail activity. It can also invoke separate capture actions for prohibited (3) and authorized (4) user activity.
5 Capture actions define what information is captured.
6 Intervention: The Intervention setting in the control action determines whether to block or warn the user, or simply inform them. You can even set up silent monitoring. The diagram shows the options Block, Warning, Inform, Notify and None. Warning dialogs (7) and some Inform dialogs (8) allow users to judge for themselves whether to continue or quit.
9 The final outcome is a control event, such as a blocking, warning or silent event. The diagram shows: Blocking, Heeded Warning, Disregarded Warning, Inform event and Silent event.
10 Control events fall into two categories, Prohibited activity and Authorized activity. The category determines which capture actions are applicable.
Control events
Each control action generates a control event. Control event types fall into two categories: those for Web, e-mail, or application events and those for file events.
Disregarded warnings
These refer to occasions when a user is shown a warning dialog and consequently clicks Continue. That is, the user acknowledges the warning but, despite being explicitly warned against doing so, proceeds to: open or send the e-mail anyway; browse the Web page; submit the data to a Web site; or start up the application. The message in the warning dialog is fully configurable in the user policy.
Inform events
These occur when Orchestria APM detects user activity that is potentially significant and displays an advisory dialog (fully configurable in the user policy). This is useful if, say, you want to alert a user to corporate guidelines on browsing the Internet, or you want to remind a user to include some additional information in the e-mail they are about to send.
Blockings
These represent the severest form of intervention and refer to occasions when Orchestria APM blocks a user's e-mail or Web activity, or prevents an application starting up. When you configure a blocking, you can choose whether or not to display an advisory dialog notifying the user about the blocking. The message in the optional advisory dialog is fully configurable in the user policy.
Notify events
Apply only to incoming e-mails. They are triggered when Orchestria APM detects an e-mail of interest arriving in a user's Inbox. Notify events use the same advisory dialog as Inform events, which is fully configurable in the user policy.
Quarantine events
These apply only to outgoing e-mails. They occur when a quarantine control action is triggered. Orchestria APM does not send the e-mail, but transfers it to a quarantine list for urgent review. You can choose whether or not to notify the user that their e-mail has been quarantined. The notification message is fully configurable in the user policy.
Silent events
When a silent event is triggered, Orchestria APM discreetly records a user's e-mail or Web activity, or their use of a particular application. It does not block the user or display an advisory dialog, leaving the user unaware that their activity has been recorded. Silent events are useful if you want to gauge the severity or frequency of a situation (such as disclaimers being omitted from e-mails) before taking further action.
Heeded Warnings
These refer to occasions when a user is shown a warning dialog and consequently clicks Cancel. That is, the user accepts the warning and quits trying to: open or send the e-mail; browse the Web page; upload the file; submit the data to a Web site; or start up the application. The message in the warning is fully configurable in the user policy.
File events
All file events are silent. That is, the user is completely unaware of any action as it occurs. The only control action that a user can become aware of is if they try to access a file that has been deleted.
[Table residue: control event types for Web, e-mail and application events (Blocking; Warn, or Warn, but ... Personal; Inform; Notify; None) and for file events (Deleted).]
Authorized activity: Disregarded warnings, Inform events, Notify events and Silent events.
Prohibited activity: Blockings and Heeded Warnings.
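The control procedure (trigger, control action, Intervention setting, control event, category, capture action) as an added worked example; this is illustrative code, not the Orchestria product's logic. It models the five Intervention options on the diagram (Block, Warn, Inform, Notify, None) and the two event categories listed above, including the edge case from the Inform option where clicking Cancel generates no control event at all. The control-action and capture-action names, and the activity labels, are constructed for the example; Quarantine, Categorize and the file deletion options are not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Event categories as listed under "Control events"; the category decides which
# of a control action's two capture actions applies (step 10 of the procedure).
PROHIBITED = frozenset({"Blocking", "Heeded Warning"})
AUTHORIZED = frozenset({"Disregarded Warning", "Inform event", "Notify event", "Silent event"})

# Activities whose Inform dialog carries a Cancel button (see "Option: Inform");
# everywhere else the dialog has a single OK button. Labels are constructed.
INFORM_WITH_CANCEL = frozenset({"outgoing e-mail", "data submission", "uploaded file",
                                "print", "copy to USB"})


@dataclass(frozen=True)
class ControlAction:
    intervention: str                  # "Block", "Warn", "Inform", "Notify" or "None"
    prohibited_capture: Optional[str]  # capture action invoked for prohibited activity (3)
    authorized_capture: Optional[str]  # capture action invoked for authorized activity (4)


def control_event(action: ControlAction, activity: str,
                  user_choice: Optional[str] = None) -> Optional[str]:
    """Steps 6-9: the Intervention setting plus the user's dialog choice give
    the control event type. Returns None when no control event is generated."""
    iv = action.intervention
    if iv == "Block":
        return "Blocking"
    if iv == "Warn":
        if user_choice not in ("Continue", "Cancel"):
            raise ValueError("a Warning dialog is answered with Continue or Cancel")
        return "Heeded Warning" if user_choice == "Cancel" else "Disregarded Warning"
    if iv == "Inform":
        if activity in INFORM_WITH_CANCEL and user_choice == "Cancel":
            return None  # user goes back to amend the item: no control event
        return "Inform event"
    if iv == "Notify":
        if activity != "incoming e-mail":
            raise ValueError("Notify is only available for incoming e-mails")
        return "Notify event"
    if iv == "None":
        return "Silent event"
    raise ValueError(f"unsupported intervention {iv!r}")


def category(event_type: str) -> str:
    """Step 10: map a control event to its category."""
    if event_type in PROHIBITED:
        return "Prohibited activity"
    if event_type in AUTHORIZED:
        return "Authorized activity"
    raise ValueError(f"unknown control event {event_type!r}")


def resolve(action: ControlAction, activity: str,
            user_choice: Optional[str] = None) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Run the whole chain: (control event, category, capture action applied)."""
    event = control_event(action, activity, user_choice)
    if event is None:
        return None, None, None
    cat = category(event)
    capture = action.prohibited_capture if cat == "Prohibited activity" else action.authorized_capture
    return event, cat, capture


if __name__ == "__main__":
    # Constructed policy: warn on outgoing e-mails lacking a disclaimer, with
    # separate capture actions for the two outcomes (names are hypothetical).
    warn = ControlAction("Warn", "Capture prohibited e-mail", "Capture authorized e-mail")
    print(resolve(warn, "outgoing e-mail", "Continue"))
    print(resolve(warn, "outgoing e-mail", "Cancel"))
```

A disregarded warning therefore lands in the authorized-activity capture action even though the user was warned, which is why the manual pairs each control action with two capture actions rather than one.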
Intervention setting
The Intervention setting is the pivotal determinant in the control procedure. In the user policy, each control action, whether for Web pages, e-mails, files, or application monitoring, contains a version of this setting. In turn, this setting determines the type of control event (see page 217).
[Screenshot: User Policy Editor, User Policy [Spencer Rimmel]: Capture; Control: Web Pages, Incoming E-mails, Outgoing E-mails; Control Triggers; Control Actions; Action 1; Intervention. Caption: User policy control actions: example Intervention setting. An Intervention setting is contained within each control action.]
Specifically, the intervention option you choose determines whether to block, warn or inform the user, or delete or replace a file. You can also configure this setting to quarantine e-mails, categorize events, remove or replace files detected by Data At Rest triggers, or silently monitor user activity. The available intervention options for each type of control action are summarized opposite.
[Summary table of intervention options by control action type, with page references. Options listed: None; Categorize; DoD overwrite and delete silently; DoD overwrite and replace silently; Delete silently; No further actions; Block; Categorize; Warn; Inform; No further actions; None.]
Web pages: The Block with Notification option is tied to the Redirect setting. This means that users trying to browse an unauthorized Web site are automatically sent to an alternative URL such as a page on your intranet when they click Go in their browser.
Note: Redirection only occurs when a Web page is blocked. You cannot redirect users if the control action was triggered by an unauthorized data submission or file upload.
Applications: For blocked applications, the application fails to start up. The mouse pointer temporarily changes to 'busy' then reverts to 'normal'.
E-mails: For intended recipients, you could combine this option with a Forward Incoming E-mail setting to effectively redirect the e-mail; see page 252. You can use the notification message in the blocking dialog to explain what action has been taken. For incoming e-mails, you can send an automatic reply to the sender and either delete the e-mail from the user's Inbox or leave it in the Inbox but with its body text replaced by a standard notification message.
Note: If using an e-mail server agent, see page 264.
[Figure: Blocking dialog. 1 The dialog message is configurable. Each control trigger allows you to supply a customized message for your users.]
E-mails: For intended recipients, their awareness of the blocking depends on the Delete or Replace setting. If this deletes blocked e-mails from their Inbox, the user will normally be unaware that their e-mail has been blocked (in rare cases, the blocked e-mail may briefly appear then disappear in the Inbox). Conversely, you can configure the setting to allow blocked e-mails to arrive in the recipient's Inbox, but with their body text replaced by a standard notification message.
Web pages: The Block Quietly option is tied to the Redirect setting. This means that users trying to browse an unauthorized Web site are automatically sent to an alternative URL such as a page on your intranet when they click Go in their browser. For users trying to submit data to a Web page such as a credit card number, the Submit button (or its equivalent) will appear broken.
CFSA and CPSA: For files detected by the Client Print System Agent or Client File System Agent, Orchestria APM displays the Blocking dialog. For example, the Blocking dialog is shown if a user tries to print an unauthorized file or copy it to a USB device (removable drive). You can use the dialog's notification message to explain to the user why this action was taken. NBA: For files detected by the Network Boundary Agent, the blocking is silent. That is, no Blocking dialog is shown.
Applications: For blocked applications, the application fails to start up. The mouse pointer temporarily changes to 'busy' then reverts to 'normal'.
In all cases, you can capture the associated event. You can also forward e-mails to another address, send automatic replies to incoming e-mails, and redirect Web users to alternate URLs.
Data At Rest triggers: Use this option to categorize files in a local or remote file system, or in Exchange Public Folders. Data In Motion triggers: Use this option to categorize files sent to a printer, copied to a USB device, or detected by the Network Boundary Agent (NBA).
File events are always categorized automatically; the Categorize dialog is never shown. If an imported file causes multiple triggers to fire, Orchestria APM automatically chooses the category with the highest score (see page 156).
Categorize dialog
This dialog is displayed when an Outlook or Notes client agent detects an e-mail that needs to be categorized. The user can select the most suitable category(ies).
[Figure: Categorize dialog. 1 Configurable explanatory message. 2 Available categories.]
Choose DoD Overwrite and Delete Silently to silently delete files, using DoD deletions (see below) to ensure deleted files cannot be recovered. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System. From a user's viewpoint, they will only be aware that their file no longer exists when they next try to view it. You can still capture the associated file event and copy the file to an alternative location. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).
Option: Inform
Available for: Web pages, incoming e-mails, outgoing e-mails, Application Monitor, Data In Motion
Not available for: Data At Rest
Note: For Data In Motion control actions, note that Inform actions are not available for files detected by the Network Boundary Agent (NBA).
Choose Delete Silently to silently delete files. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System. From a user's viewpoint, they will only be aware that their file no longer exists when they next try to view it. You can still capture the associated file event and copy the file to an alternative location. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).
Choose Inform to display an advisory dialog whenever Orchestria APM detects e-mail, Web, Data In Motion, or application activity that is potentially significant. This option is useful if, say, you want to remind users that their activity is being monitored, or you want to notify users when specified e-mails arrive in their Inbox, or you want to display a softer reprimand than that shown in the Warning dialog. You can specify customized notification messages for each control trigger; see page 251.
For Web pages, incoming e-mails, and when specified applications start up, the dialog has a single OK button. Clicking this generates the inform event. i If using an e-mail server agent, see page 264.
For uploaded files, data submissions, and outgoing e-mails, the dialog also has a Cancel button. Clicking this cancels the dialog and allows the user to amend the e-mail or data submission before continuing. No control event is generated. For Data In Motion file events, the dialog displays when a user tries to print a file or copy it to a USB device (removable drive). The dialog has OK and Cancel buttons. Clicking OK allows the print or copy operation to continue and generates a control event. Clicking Cancel stops the print or copy operation, allowing the user to amend their file before continuing; no control event is generated.
[Figure: Inform dialog. 1 The dialog message is configurable. Each control trigger allows you to supply a customized message for your users. 2 Cancel button. Only available for uploaded files, data submissions to a Web page and outgoing e-mails.]
Option: None
Available for: Web pages, incoming e-mails, outgoing e-mails, Application Monitor, Data In Motion, Data At Rest
Not available for: Always available
Choose None to generate a silent event whenever Orchestria APM detects unauthorized e-mail, Web, file, or application activity. This means that Orchestria APM silently records these events without blocking them or displaying a warning, or without deleting or replacing the original file. The user is completely unaware that their activity has triggered a control event. For example, a humorous but inoffensive e-mail attachment is circulating within your organization and your bandwidth is suffering. Configuring your control actions to generate silent events lets you discreetly trace the source of these e-mails without resorting to blocking users and the attendant risk of offending your workforce. Alternatively, an administrator is concerned about an inappropriate Web site and so decides to silently monitor site visits in order to assess the extent of the problem before officially blocking the site. In all cases, you can capture the associated event. You can also forward e-mails to another address and send automatic replies to incoming e-mails.
Option: Notify
Available for: Incoming e-mails
Not available for: Outgoing e-mails, Web pages, Application Monitor, Data At Rest, Data In Motion
Choose Notify to display an advisory dialog whenever an e-mail of interest arrives in a user's Inbox. This is the same as the advisory dialog used by Inform events, but Notify events have some important differences. In particular, Notify events occur when an e-mail is received; Inform events (see page 225) occur when a user opens or previews the e-mail. The handling of Notify events also varies according to the e-mail system running on the machine receiving the e-mail:
Microsoft Outlook If Outlook is configured so that e-mails stay in your mailbox on the Exchange server, then any e-mails that arrive while Outlook is not running (for example, overnight) will not trigger a Notify event. If Outlook is configured to migrate e-mails down into your Personal Folders, Outlook must be running for the advisory dialog to appear. This means that if any advisory-triggering e-mails arrive while Outlook is not running (say, overnight or while you are on holiday), you may be greeted by a flurry of notifications when you next start up Microsoft Outlook!
Lotus Notes If you connect to your mail directly on a Domino Notes server, an incoming e-mail cannot trigger a Notify event. If you have a local mail file, with regular replication between the Domino Notes server and your local database, then a Notify event is triggered when the incoming e-mail is replicated to your local database.
The message in the quarantine notification e-mail only needs to inform the sender that their message has been quarantined pending approval by a reviewer. E-mail client agents: When a user sends an e-mail that is subsequently quarantined, the compose message window stays visible on their screen. Therefore, you must edit the message in the notification dialog so it:
Quarantine dialog: 1 The dialog message is configurable. You can specify a customized message for each control trigger. But see the guidelines above.
E-mail server agent: When an e-mail is sent and subsequently quarantined, it initially appears to the sender as though their e-mail has been sent as normal. However, they will shortly receive a notification e-mail.
Choose Replace Silently to silently delete files and replace them with an explanatory stub file to alleviate any user concerns. This replacement file contains the message specified in the Message To Users setting in the Data At Rest trigger. For example, you can inform a user that their file was inappropriate and has been removed to a new location. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System or Exchange Public Folders. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).
Choose DoD Overwrite and Replace Silently to silently delete files using DoD deletion (see below) and replace them with an explanatory stub file to alleviate any user concerns. This replacement file contains the message specified in the Message To Users setting in the Data At Rest trigger. For example, you can inform a user that their file was inappropriate and has been removed to a new location. These can be files located in a local or remote file system, or retrieved from the SharePoint Document Management System. You can combine this control action with a Copy action to effectively move files to a new location (see page 137).
Option: Warn
Available for: Incoming e-mails, outgoing e-mails, Web pages, Application Monitor, Data In Motion
Not available for: Data At Rest. Note also that Data In Motion warnings are not available for files detected by the Network Boundary Agent.
Choose Warn to display the Warning dialog whenever Orchestria APM detects unauthorized e-mail, Web, Data In Motion, or application activity. You can specify customized warning messages for each control trigger. The warning dialog lets the user choose whether to continue or not.
In all cases, you can capture the associated event, forward e-mails to another address and send automatic replies to incoming e-mails. For heeded warnings, you can also redirect Web users to alternate URLs.
Note: If using an e-mail server agent, see page 264.
Warning dialog: 1 The dialog message is configurable. 2 Continue button. This generates a disregarded warning. 3 Cancel button. This generates a heeded warning.
Cancel: If the user clicks Cancel, this generates a heeded warning. In effect, the user accepts the warning and quits what they were trying to do, for example, printing a file, sending an e-mail, or starting up a prohibited application.
Continue: If the user clicks Continue, this generates a disregarded warning. The user is allowed to continue (for example, they can open or send the e-mail anyway, or copy a file to a USB device), but Orchestria APM records the fact that the user did this despite being explicitly warned against doing so.
Note: A disregarded warning does not necessarily imply any misconduct by the user. For example, a user may want to send a non-encrypted e-mail, in breach of corporate guidelines, because it concerns a trivial matter.
Cancel: If the user clicks Cancel, this generates a heeded warning. In effect, the user accepts the warning and abandons the data submission or file upload, or quits trying to open or send the e-mail or browse the prohibited Web page.
Continue: If the user clicks Continue, this generates a disregarded warning. The user is allowed to open or send the e-mail anyway, or browse the Web page, or complete the data submission or file upload, but Orchestria APM records the fact that the user did this despite being explicitly warned against doing so.
Note: A disregarded warning does not necessarily imply any misconduct by the user. For example, a user may want to send a non-encrypted e-mail, in breach of corporate guidelines, because it concerns a trivial matter.
Personal: Users can click this button to indicate that they are opening or sending a personal e-mail or that they are browsing the Web page for personal reasons. This overrides the warning, and allows the user to continue. It also generates a 'disregarded warning' event, though the event itself is identified as a personal e-mail or Web page in the Console.
Caution: If the user clicks Personal, the Web page or e-mail content is not recorded, even if the control action setting Capture Disregarded Warnings? is set to True.
In all cases, you can capture the associated event. You can also forward e-mails to another address, send automatic replies to incoming e-mails, and redirect Web users to alternate URLs.
Note: If using an e-mail server agent, see page 264.
[Figure: control actions invoked in order. The figure lists the actions Warning, Quarantine and Silent with the order labels 1st, 2nd and 3rd, and these outcomes: for a Warning, if the user clicks Cancel no other actions are invoked, and if the user clicks Continue the next control action is invoked; the other boxes read "No other actions are invoked" and "The next action is invoked".]
In the above example, the only action invoked against the event will be Control Action 2. After an event is blocked, no other actions can be invoked; see the next section.
[Figure: Web pages, file uploads and data submissions: control actions and applicable settings. The Intervention setting offers Block Quietly, Block With Notification, Warn, Warn, but allow user to mark as Personal, None and Inform. The resulting control events are Blocking, Heeded Warning, Disregarded Warning, Silent event and Inform event; for some of these the figure shows "No settings applicable".]
1 Intervention options: These determine the control event type.
2 Buttons on the Warning dialog: Note that the Personal button is only available if you choose the Warn, but allow user to designate as Personal option.
3 Buttons on Inform dialog: Note that the Cancel button is only available for data submissions to a Web page.
4 Control events: These fall into two categories: prohibited activity and authorized activity.
5 Applicable settings for prohibited activity: You can invoke any of these settings when an e-mail triggers a blocking or heeded warning.
6 Applicable setting for authorized activity: You can invoke any of these settings when an e-mail triggers a disregarded warning, inform event or silent event.
Capture
Applies to all control events, except Web pages marked as personal.
If you want to capture the Web page associated with a control event, you can specify two separate capture actions: one for blockings and heeded warnings; the other for disregarded warnings, inform events and silent events. The capture actions define which Web page details are captured. These can include the Web page content, images, any data submitted in an HTML form, and any uploaded files.
Note: Both capture actions are optional.
Redirect user
Applies to Web page blockings and heeded warnings only. You cannot redirect users if the control action was triggered by an unauthorized data submission or file upload.
When the control action is triggered, Orchestria APM automatically redirects users to an alternative URL. For example, you can divert users to the Web site of a preferred supplier if they try to visit the site of a rival supplier. If you do not specify an alternative URL, the user is redirected to a default Orchestria APM screen that contains an explanation. For details about which triggers can cause a redirection, see page 235.
[Table: triggers that can cause a redirection. The rows list the Web page triggers URL, Secure Sites, Content Search Text, Document Classifier and Transaction Detector, and the data submission and file upload triggers Submitted Credit Card, Submitted Search Text, HTML Password and File Upload; the check marks in the columns did not survive extraction.]
If the Intervention setting is set to Block with Notification you can add a customized message to the blocking dialog, informing users that they are about to be redirected to an alternative URL.
Controlling e-mails
How the control action operates
Settings in an e-mail control action govern how Orchestria APM handles unauthorized attempts to open or send e-mails. You can also configure the control action to notify users when important incoming e-mails are detected. Whenever an e-mail control action is triggered, the first determinant is the Intervention setting (see page 220). This setting determines the event type, which in turn determines which settings in the control action are applicable (page 237). The procedure is summarized below:
[Figure: E-mails: control actions and applicable settings. The Intervention setting offers Block Quietly, Block With Notification, Warn, Warn, but allow user to mark as Personal, None, Notify, Inform and Quarantine. The Inform dialog has OK and Cancel buttons. The control events shown include No event, Silent event, Inform event and Quarantine event. For prohibited e-mail activity the applicable settings are Capture, Forward and Reply; for authorized e-mail activity they are Capture, Reply and Forward. Further boxes in the figure read "Delete or replace" and "E-mail delivered".]
1 Intervention options: These determine the control event type.
Note: The Intervention options differ slightly in their effects when using the Exchange server agent; see page 220.
2 Buttons on the Warning dialog: Note that the Personal button is only available if you choose the Warn, but allow user to designate as Personal option.
3 Buttons on Inform dialog: Note that the Cancel button is only available for incoming e-mails.
4 Control events: These fall into two categories: prohibited activity and authorized activity.
5 Applicable settings for prohibited activity: You can invoke any of these settings when an e-mail triggers a blocking or heeded warning.
6 Applicable settings for authorized activity: You can invoke any of these settings when an e-mail triggers a disregarded warning, inform event or silent event.
7 Handling for quarantined e-mails: A reviewer determines whether to release or reject quarantined e-mails. Sender notifications are optional.
Capture
Applies to all control events.
If you want to capture the e-mail associated with a control event, you can specify two separate capture actions: one for blockings and heeded warnings; the other for disregarded warnings, inform events and silent events. The capture actions define which e-mail details are captured. These can include the e-mail body text and any attachments plus, for incoming e-mails, the Internet mail header. For example, you may set up one capture action to save the basic details of any e-mails that are not sent (because the user heeds a warning dialog), and set up a separate capture action to save the full details of any e-mails that are sent (when the user disregards the warning).
Note: Both capture actions are optional.
Limitations:
- The … e-mail to multiple addresses. See page 239.
- If a recipient of a forwarded e-mail wants to send the e-mail to someone else, the procedure depends on the type of e-mail system. See page 239.
Reply
Applies to incoming e-mails only.
Delete or replace
Applies to blockings and heeded warnings, for incoming e-mails only.
Whenever an incoming e-mail is blocked or canceled by the user (by clicking Cancel in a warning dialog), you can delete the e-mail from the recipient's Inbox. Or you can allow the e-mail to arrive in the recipient's Inbox, but with its body text replaced by a standard notification informing the user that a blocking has occurred.
For any incoming e-mail that triggers a control action, you can send an automatic reply to the sender. For example, you can use this feature to send automatic acknowledgements to your customers. To do this, you set up a control trigger to activate whenever an incoming e-mail refers to, say, one of your products. You can then configure the associated control action to send an automatic reply, thanking the customer for their interest. Remember to set the Intervention setting to None or Notify. To set up automatic replies, see page 252. You choose what information is included in the reply. You define the subject and body text of the reply message, and whether or not the original incoming e-mail is included as an attachment. You can even use variables to customize the text content; see page 253.
Note: For notes on using a variable to identify which e-mail triggered the reply, see page 240.
Forward
Applies to all control events.
You can forward any e-mail that activates a control trigger to another address. For example, you can block suspicious incoming e-mails and divert them to a reviewer account. Likewise, if a user disregards a
Microsoft Outlook: If Outlook cannot deliver an e-mail, it sends an 'Undeliverable' notification to the intended recipient. This notification message includes a Send Again button that enables users to read the original e-mail. In this case, a user will be able to read the forwarded e-mail.
Lotus Notes: Orchestria APM configures the Notes delivery options so that delivery reports are turned off. This allows you to quietly block inappropriate incoming e-mails and forward them without any risk of alerting the intended recipient if the forwarding fails. (Delivery reports inform intended recipients about a nondelivery and allow them to read the original e-mail.)
cannot be delivered to the target address because, for example, there is a network problem or the e-mail server is down.
Do make sure that you correctly specify the target account for forwarded e-mails. If you misspell part of the e-mail address, your e-mail server will be unable to deliver forwarded e-mails to this account and may send an Undeliverable notification to the intended recipient. This is clearly undesirable in the case of incoming e-mails that were blocked without notifying the intended recipient (see the Block Quietly option on page 223).
Lotus Notes: When you forward an e-mail in Notes, for example to a manager, it is included as a message thread in a notification e-mail. If the manager wants to send the e-mail to someone else, they can simply forward the notification e-mail in the normal way. Microsoft Outlook: When you forward an e-mail in Outlook, for example to a manager, it is included as an attachment in a notification e-mail. If the manager then wants to send the forwarded e-mail to someone else, they can forward the notification e-mail, with the original e-mail still included as an attachment, or open the attachment and forward the original e-mail.
None: Leaves recipients exactly where they are in the To or Cc field.
All external addresses: Moves all external recipients from the To and Cc fields to the Bcc field. That is, any recipient not marked as 'internal'.
All addresses: Moves all recipients from the To and Cc fields to the Bcc field.
Fix 1: Always attach the original e-mail in any automatic reply. To do this, set the Attach Original? setting to True in the user policy.
Note: Use the Find feature to locate this setting. See page 99 for details.
Fix 2: Include the %subject% variable when you configure the Reply Subject setting (this setting defines the subject for the automatic reply). The %subject% variable appends the original e-mail's subject to the subject in the e-mail reply. So if the subject of a blocked e-mail was Job Opportunities! and you set the Reply Subject setting to:
This e-mail is a reply to: %subject%
This sets the subject in the e-mail reply to:
This e-mail is a reply to: Job Opportunities!
Note: For the full range of available variables that can be used in an automatic reply, see page 253.
Blocking a Webmail
The classic way to beat company e-mail rules is to send messages from work using Web-based e-mail services such as Yahoo! or MSN Hotmail. Organizations seeking regulatory compliance should regard these Webmail accounts as potential compliance loopholes. You can easily block these Webmails using Orchestria's Network Boundary Agent (NBA); contact the service desk for details; see page 24. But if you are not using the NBA, this section shows how you can still close these loopholes using a range of Web Page control triggers.
[Figure: Application Monitor control actions and applicable settings. The Intervention setting offers Block Quietly, Block With Notification, Warn, None and Inform. The control events shown include No event. For authorized applications the applicable settings are Capture control event? and Capture application usage data?]
1 Intervention options: These determine the control event type.
2 Warning dialog: Cancel and Continue buttons.
3 Inform dialog: OK and Cancel buttons.
4 Control events: These fall into two categories: prohibited activity and authorized activity.
5 Applicable settings for prohibited activity: You can capture summary details of the control event. No other settings apply.
6 Applicable setting for authorized activity: You can capture the control event and also invoke a Capture action to record application usage details.
Controlling files
Using Data In Motion and Data At Rest file triggers and Orchestria APM file agents, you can apply policy when users try to: save a file to a USB device; print a file; send a file attachment in a Webmail or IM conversation; or upload or download a file. Likewise, you can apply policy to scanned files and files imported onto the CMS by an Import Policy job. This section covers the following:
- File triggers, including the available control actions (see next section), plus details about circumstances that cause file triggers to activate (see page 245).
- File sources. That is, the file agents and other file ingestion methods supported by Orchestria APM. See page 246 for details.
- The methods used to determine which user policy gets applied to file events. See page 247.
- Handling for files copied to USB devices. See page 248.
- Handling for printed files. See page 247.
- Handling for files entering or leaving your corporate network. See page 250.
- Handling for scanned files. See page 249.
File triggers
Orchestria APM supports two types of file trigger:
Data In Motion triggers can control attempts to print files or copy files to a USB device. They can also control files entering or leaving the corporate network. In all cases, you can block and categorize the files. For files being printed or copied to USB devices, you can also warn or inform the user. These triggers are used by the Client Print System Agent, Client File System Agent, and the Network Boundary Agent; see the next section.
Note: Data In Motion control triggers and actions are summarized on page 135 and page 137.
Data At Rest triggers can control scanned (or imported) files or other scanned items. You can use these triggers to delete specified items, replace them with explanatory stub files, copy or move them to a new location, or simply categorize the files. These triggers are used to capture items scanned by the File Scanning Agent (see the next section) or files imported onto the CMS.
Note: Data At Rest control triggers and actions are summarized on page 135 and page 137.
Top Level File List: When you specify the Top Level File Include or Exclude lists, you are, in effect, specifying the files, or types of file, that you want Orchestria APM to apply policy to. For example, you can specify:
- * to search all files
- *.doc to search all .doc files
- A list of specific .zip files to search.
- %allarchives% to search all archive files. That is, all file types listed in the Archive File Extensions setting; see page 141.
Use the Which Top Level File List? setting to configure Orchestria APM to only monitor files according to either the Included or Excluded list. In addition, you can also specify a list of top level files to be ignored. For example, you can configure Orchestria APM to search all .zip files, except those in a particular subfolder.
Individual/Embedded File List: These are lists of actual files you want to search for. These can be either individual files in a subfolder, or files contained within another file. Use the Individual/Embedded Include or Exclude lists to specify which files to look for. Used in conjunction with the Which Top Level File List? setting, you can feasibly search all subfolders or .zip files for a specific file. For example, set Included Top Level Names to *.zip and Included Individual/Embedded File Names to *.doc to search for all .doc files contained within .zip files.
File sources
Orchestria APM provides various file agents and ingestion mechanisms to control or categorize files on your network. To specify which file sources Orchestria APM will monitor, you configure the Which File Sources? setting in each file trigger:
File Scanning Agent (FSA): The FSA can scan, analyze and apply policy to:
Client File System Agent (CFSA): Also known as policy on save or PoS, this agent enables you to control attempts to copy or save files to USB devices, such as removable flash drives. If Windows Explorer or a DOS command is used to copy files to USB devices, the CFSA can apply Data In Motion triggers in real time to the file being copied.
File Importer: This option enables policy engines to process imported files as part of an Import Policy job.
Client Print System Agent (CPSA): This enables you to capture or control attempts by users to print files or documents on local or network printers. When the CPSA detects a specified print job, it applies Data In Motion triggers in real time to the document being printed.
External Agent API for File: This option enables policy engines to process files received from the External Agent API. The External Agent can integrate with third party archives and pass files to Orchestria APM for policy processing.
Note: Files from the NBA via the External Agent are flagged accordingly and processed using Data In Motion triggers, not Data At Rest triggers.
Network Boundary Agent (NBA): The NBA runs on dedicated hardware and analyzes individual data packets crossing the boundary between your organization and the Internet. It is designed to prevent confidential information from leaving your corporate network. It can apply:
Printed files
When the CPSA detects a print job, it applies Data In Motion triggers in real time to the document being printed. You can configure these triggers to monitor or exempt specific printers and to analyze the files or documents being printed (see page 251). For full details about how the CPSA works, and how to configure the agent, see the Deployment guide; search the index for client print system agent.
Client File System Agent and Client Print System Agent: These client agents always apply the user policy of the Orchestria APM user currently logged on to the client machine.
Network Boundary Agent (NBA): The NBA typically saves the machine ID of the source and destination machines as event participants. When NBA-captured files are passed to policy engines for processing, the policy engines always apply the Default Policy For Files. See the NBA guide for full details, available from the Orchestria service desk; see page 24.
File Scanning Agent (FSA): Scanning job definitions can explicitly identify which users are associated with scanned files and which user policy is applied. If the scanning job omits these details, policy engines always apply the Default Policy For Files. For full details, see the Deployment guide; search the index for FSA.
Imported files: The following Event Import parameters associate imported files with participant e-mail addresses. For full details, see the Deployment guide; search the index for FSA.
ImpFile.AssociatedParticipant
ImpFile.PolicyParticipant
You must omit this appended text when you specify the USB device name in the machine policy or user policy. For example, if the Device Manager lists:
Unipraxis DataStick 2.0 USB Device
Enter this in the machine policy or user policy as:
Unipraxis DataStick 2.0
Scanned files
The FSA can scan, analyze and apply Data At Rest triggers to files saved in local and remote file systems, and files stored in Microsoft Exchange Public Folders. For full details about deploying the FSA and setting up scanning jobs, see the Deployment guide; search the index for FSA.
DoD deletion
This is forensic deletion, so called because the storage media are purged to guarantee that a file cannot be recovered and used to obtain evidence in legal discovery. DoD is a reference to Department of Defense approved methods for purging storage media.
Imported files
If you import files onto the CMS as part of an Import Policy job, policy engines apply Data At Rest triggers to those files. Be aware, however, that the standard Delete, Replace, and Copy control actions are not supported for these imported files.
Note: Files imported from the NBA are subject to Data In Motion triggers when processed by policy engines (see the previous section).
To copy MyProject.mpp to a new location after it has been scanned, you need to edit the relevant settings in the Data At Rest control action as follows:
Copy File To Location: This setting specifies the target folder for copied files. It can be any valid UNC or local file system path.
Caution: You must specify a path outside of the scan location defined in the job file, otherwise the copied files will get scanned again! See example 5 below. For this reason, we recommend a target location that begins ..\ such as ..\Review.
Copy Location Mode: Set this to either Relative or Absolute. This setting modifies the Copy File To Location folder.
Copy Conflict Resolution: This setting determines what happens if a file with the same name already exists in the target folder. The options are:
- Discard the copied file
- Overwrite the file already in the target folder
- Rename the copied file (adding a numeric suffix)
Example copied files
In this example, the FSA scans the C:\MyDocs\Temp folder. This contains the file Q1sales.mpp that you want to copy elsewhere. The scanning job definition is set up as follows:
<location path="C:\MyDocs"/>
<folders subfolders="yes">
<include>Projects</include>
</folders>
Example target folders for copied files
Copy File To Location: C:\Evaluate
As above, the target location is a subfolder outside of the scan location defined by the <location> tag in the scanning job file.
1 If Copy Location Mode is set to Relative, the file gets copied to: C:\Evaluate\Projects\Q1sales.mpp
If Copy Location Mode is set to Absolute, the file gets copied to: C:\Evaluate\Q1sales.mpp
Copy File To Location: ..\Review
This is the method we recommend. Here, the target location is a subfolder outside of the scan location defined by the <location> tag in the scanning job file.
3 If Copy Location Mode is set to Relative, the file gets copied to: C:\Review\Projects\Q1sales.mpp
If Copy Location Mode is set to Absolute, the file gets copied to: C:\Review\Q1sales.mpp
Copy File To Location: Review
Avoid this situation! Here, the target location is interpreted as a subfolder below the original scan location and so the file gets scanned again!
5 If Copy Location Mode is set to Relative, the file gets copied to: C:\MyDocs\Review\Projects\Q1sales.mpp
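The Relative and Absolute copy targets and the rescanning hazard above, worked through as an added example (not Orchestria APM code): the helpers resolve a Copy File To Location value against the scan location the way the three examples show, flag any destination that lands back inside the scan location, and apply the Copy Conflict Resolution options. The scan location and file path are taken from the example; the "(n)" rename suffix format and the handling of relative paths are assumptions.

```python
import ntpath
from typing import Optional

# Constructed scanning job and scanned file, following the manual's example:
# <location path="C:\MyDocs"/> with the Projects subfolder included.
# These helpers are an added illustration, not Orchestria APM code.
SCAN_LOCATION = r"C:\MyDocs"
SCANNED_FILE = r"C:\MyDocs\Projects\Q1sales.mpp"


def resolve_target(scan_location: str, copy_to: str) -> str:
    """Resolve the Copy File To Location value to an absolute folder.

    A relative value such as ..\\Review is taken relative to the scan
    location (assumption, consistent with the manual's worked examples).
    ntpath is used so Windows paths resolve the same way on any platform.
    """
    if ntpath.isabs(copy_to):
        return ntpath.normpath(copy_to)
    return ntpath.normpath(ntpath.join(scan_location, copy_to))


def copy_destination(scan_location: str, scanned_file: str,
                     copy_to: str, mode: str) -> str:
    """Where the Copy action places the file for the given Copy Location Mode."""
    target = resolve_target(scan_location, copy_to)
    if mode == "Relative":
        # Relative keeps the file's path below the scan location.
        relative = ntpath.relpath(scanned_file, scan_location)
        return ntpath.join(target, relative)
    if mode == "Absolute":
        # Absolute drops the copied file straight into the target folder.
        return ntpath.join(target, ntpath.basename(scanned_file))
    raise ValueError(f"unknown Copy Location Mode: {mode}")


def inside_scan_location(scan_location: str, path: str) -> bool:
    """True when path lies below the scan location, which means the copied
    file would be picked up again by the next scan (the case to avoid)."""
    try:
        common = ntpath.commonpath([scan_location, path])
    except ValueError:  # different drives: cannot be inside
        return False
    return ntpath.normcase(common) == ntpath.normcase(ntpath.normpath(scan_location))


def resolve_conflict(dest: str, existing: set, policy: str) -> Optional[str]:
    """Apply the Copy Conflict Resolution setting.

    Returns the final path, or None when the copied file is discarded.
    The "(n)" suffix format is an assumption; the manual only says that
    Rename adds a numeric suffix.
    """
    names = {ntpath.normcase(p) for p in existing}
    if ntpath.normcase(dest) not in names:
        return dest
    if policy == "Discard":
        return None
    if policy == "Overwrite":
        return dest
    if policy == "Rename":
        stem, ext = ntpath.splitext(dest)
        n = 1
        while ntpath.normcase(f"{stem}({n}){ext}") in names:
            n += 1
        return f"{stem}({n}){ext}"
    raise ValueError(f"unknown Copy Conflict Resolution: {policy}")


def check_copy_setting(copy_to: str, mode: str) -> str:
    """Report the destination and whether it would be scanned again."""
    dest = copy_destination(SCAN_LOCATION, SCANNED_FILE, copy_to, mode)
    verdict = "SCANNED AGAIN" if inside_scan_location(SCAN_LOCATION, dest) else "ok"
    return f"{copy_to:<12} {mode:<9} {dest}  [{verdict}]"


if __name__ == "__main__":
    # The manual's three target folders: the third one lands inside C:\MyDocs.
    for copy_to in (r"C:\Evaluate", r"..\Review", "Review"):
        for mode in ("Relative", "Absolute"):
            print(check_copy_setting(copy_to, mode))
```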
User notifications
You can configure control actions to block, warn or inform users, and to display a notification dialog containing an explanatory message. E-mail control action also lets you forward e-mails to another address, with the forwarded e-mail included as an attachment or thread within a notification e-mail. In all cases, you can configure the notification text. Specifically, you can define the title and message in the notification dialog, and the subject and body text in the notification e-mail.
Note: Options for the Intervention setting are described in full on pages 220 to 227.
Dialog messages
You can customize the message that appears in notification dialogs or e-mails. To do this, edit the Message To Users setting in each control trigger.
[Table: example Message To Users settings for the File Upload, Document Classifier, Attachments and Application triggers; only the trigger names survived extraction.]
Notification dialogs
For each control trigger, you can define a message that appears in the notification dialog when the trigger activates. You can use variables to customize the text content so it reflects the condition that caused the control trigger to activate. You can also use delimiters to tag sections of the message as selectable, enabling users, for example, to copy missing disclaimers directly from the notification dialog into an e-mail or attachment. Some control triggers even allow you to define multiple messages, so that the message seen by users varies according to the key text detected by the trigger. Finally, you can configure the titles of the various notification dialogs.
Note: You can also use variables to customize the text content. These are described on page 253.
Dialog titles
You can configure the title that appears in the various Orchestria advisory dialogs. For example, you can define dialog titles for blockings and warnings (see page 230 for examples). You can find the relevant settings in the System Settings > User Notifications folder of the user policy.
Notification e-mails
Orchestria APM can generate three types of notification e-mails. These include:
- Notifications generated by the Exchange server agent and sent to the original sender.
- Automatic replies and notifications forwarded to another recipient, both generated by the Outlook and Notes client agents.
… notification e-mail and a single outgoing notification e-mail for each user policy. You can use variables to customize the subject and body text, for example, to include the original sender's e-mail address. Some examples are shown below:
Forwarded e-mail, subject:
Incoming: Incoming e-mail for %To% requires your attention
Outgoing: Please authorize the attached outgoing e-mail
Forwarded e-mail, body text:
Incoming: The e-mail %Subject% may breach corporate guidelines. It has been forwarded to you for authorization. Review the attached e-mail sent by %From%. If the e-mail adheres to corporate guidelines, please forward it to the intended recipient, %To%.
Incoming or outgoing: %default% (see page 255 for details).
Note: You can also use variables to customize the text content. These are described on page 253.
[Table: message variables and the file events they are available for. Only the "Available for" column and the %URL% row label survived extraction; the values in that column are: Imported files and files scanned by the FSA only; All Microsoft Office documents (excluding CPSA file events); Files captured by the NBA only; Files scanned by the FSA only; CFSA and CPSA file events; All file events (excluding CPSA file events); All file events.]
Case sensitivity
Message variables are not case-sensitive. So, for example, you can type %URL% or %url% when defining a notification message.
%ApplicationPath%
This displays the path and executable name of the application that activated an Application Monitor control trigger. For example, this message in the policy:
Orchestria APM has detected the following program starting up: %ApplicationPath%.
Displays like this in a notification message:
Orchestria APM has detected the following program starting up: c:\program files\netscape\netscp.exe.
%Address%
This displays the e-mail address, or addresses, that caused the control trigger to activate. For outgoing e-mails, this is the recipient address(es); for incoming e-mails, it is the sender address. For example, these messages in the policy:
%BCC%
This displays any recipients listed in the Bcc: field of a forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail:
The attached e-mail has been forwarded to you for approval because the Bcc: addressees include %BCC%.
It displays like this in a notification e-mail:
The attached e-mail has been forwarded to you for approval because the Bcc: addressees include spencerrimmel@unipraxis.com.
%Application%
This identifies the application that activated an Application Monitor control trigger. For example, this message in the policy: You are not authorized to run %Application%. Displays like this in a notification message: You are not authorized to run Netscape.
%CC%
This displays any recipients listed in the Cc: field of a forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail: The attached e-mail has been forwarded to you for approval because the Cc: addressees included %CC%. It displays like this in the notification e-mail: The attached e-mail has been forwarded to you for approval because the Cc: addressees included frankschaeffer@unipraxis.com.
%CCN%
This displays the credit card number detected by Orchestria APM and which activated a Credit Card control trigger. For example, this message in the policy: You are not authorized to procure goods using credit card number %CCN%. Displays like this in a notification message: You are not authorized to procure goods using credit card number ************1234.
Note: The display of credit card numbers in notification messages is subject to the same constraints as elsewhere in Orchestria APM. This is governed by the Sensitive Information Handling setting in the System Settings folder; see page 140.
%Default%
For the body text of notification e-mails only.
This displays summary details about the forwarded e-mail. For example, this body text in the policy: %default% Displays details like this in the notification e-mail:
The original mail message is:
From: lyndasteel@unipraxis.com
To: Spencer Rimmel <EX:/O=UNIPRAXIS/OU=UK/CN=RIMMEL/CN=SPENCER>
Subject: Corporate Restructuring
%From%
This displays the original sender of an e-mail that was detected by a control trigger and forwarded to another address. For example, if the user policy specifies this message for the body text of a notification e-mail: An e-mail from %FROM% has been intercepted and forwarded to you for approval. It displays like this in a notification e-mail: An e-mail from lyndasteel@unipraxis.com has been intercepted and forwarded to you for approval.
%SSN%
This displays the social security number detected by Orchestria APM and which activated a classifier, keystring or attachment control trigger. For example, this message in the policy: An e-mail containing the social security number %SSN% has been intercepted for review. You are not authorized to send personally identifiable information. Displays like this in a notification message: An e-mail containing the social security number 123-45-6789 has been intercepted for review. You are not authorized to send personally identifiable information. Orchestria APM uses a sophisticated recognition process to cross-check against an imported system definition file listing currently available SSNs. To ensure that this data is accurate, we recommend you import an updated version of the file on a regular basis using the Administration console; see page 38.
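How a detector decides that a run of digits is a card number or an SSN, and how a detected card number is then masked for display as %CCN% shows it, is easier to see in code. The following Python example is added here and is not Orchestria APM code. The Luhn check for card numbers, the SSA structural rules for SSNs, and treating the imported definition file as a per-area "high group" list are this example's own assumptions about what the product's recognition process and system definition file contain; the HIGH_GROUPS data and the handling-setting names are constructed for the example.

```python
import re

# Display handling for a detected card number. The setting names are this
# example's own stand-ins for the Sensitive Information Handling options.
MASK_ALL_BUT_LAST4 = "mask_all_but_last4"
SHOW_IN_FULL = "show_in_full"

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Candidate SSNs in the AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed "system definition file": highest SSN group issued per area
# number (the example's assumption about what the imported file lists).
HIGH_GROUPS = {"123": "47", "234": "08"}

# Order in which the SSA issued group numbers within an area before 2011:
# odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = (
    [f"{g:02d}" for g in range(1, 10, 2)]
    + [f"{g:02d}" for g in range(10, 99, 2)]
    + [f"{g:02d}" for g in range(2, 9, 2)]
    + [f"{g:02d}" for g in range(11, 100, 2)]
)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: rejects most random digit runs that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ccn(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in text, as plain digit strings."""
    found = []
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_ccn(digits: str, handling: str = MASK_ALL_BUT_LAST4) -> str:
    """Render a card number the way %CCN% shows it under the display setting."""
    if handling == SHOW_IN_FULL:
        return digits
    return "*" * (len(digits) - 4) + digits[-4:]


def ssn_plausible(area: str, group: str, serial: str, high_groups: dict) -> bool:
    """Structural SSA rules plus the cross-check against the high-group list."""
    if area in ("000", "666") or area >= "900":   # never-issued area numbers
        return False
    if group == "00" or serial == "0000":
        return False
    if area not in high_groups:                   # area never issued
        return False
    # Issued only if this group comes no later than the area's high group.
    return GROUP_ORDER.index(group) <= GROUP_ORDER.index(high_groups[area])


def find_ssn(text: str, high_groups: dict = HIGH_GROUPS) -> list[str]:
    """Return the SSNs in text that pass the structural and cross-check tests."""
    return [
        m.group(0)
        for m in SSN_RE.finditer(text)
        if ssn_plausible(m.group(1), m.group(2), m.group(3), high_groups)
    ]
```

The group ordering is the pre-2011 SSA issuance order, which is why a definition file of this kind goes stale and needs the regular re-import the text recommends; since SSA randomized assignment in June 2011 only the structural rules remain reliable for newly issued numbers.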
%Keystrength%
This displays the keystrength of the encryption algorithm used on a Web site. For example, this message in the policy: This site uses %Keystrength% encryption. You are only permitted to browse sites that use at least 256 bit encryption. Displays like this in a notification message: This site uses 128 bit encryption. You are only permitted to browse sites that use at least 256 bit encryption.
Note the following:
- %Keystrength% is not available for use in a URL control trigger, because the trigger activates as soon as it detects the URL, before Orchestria APM can check the encryption level.
%Subject%
This displays the Subject of the forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail: The e-mail "%Subject%" has been intercepted and forwarded to you for approval. It displays like this in the notification e-mail: The e-mail "Corporate Restructuring" has been intercepted and forwarded to you for approval. Note the optional use of double-quotes to highlight the Subject reference in the notification e-mail.
%Keystring%
This displays the word or phrase detected by Orchestria APM and which activated any control trigger that can search Web pages, e-mails and document contents for key text. For example, these messages in the policy:
%Site%
This displays the 'site' element of a Web site URL or the 'organization' element of an e-mail address. This can be useful if you want to make the notification message easier to read. For example, these messages in the policy:
- It is forbidden to browse the %site% Web site.
- It is forbidden to send e-mails to %site%.
Display like this in notification messages:
- It is forbidden to browse the Unipraxis Web site.
- It is forbidden to send e-mails to Unipraxis.
%MailDateTime%
This displays the date and time when an incoming e-mail was received or an outgoing e-mail was sent. For example, if the user policy specifies this message for the Subject of the notification e-mail: Unauthorized e-mail detected: %MailDateTime% It displays like this in the notification e-mail: Unauthorized e-mail detected: 16/05/2003 8:23 You cannot configure the date and time format from within Orchestria APM. The format shown in a notification e-mail is determined by the short date format defined for the local machine.
%To%
This displays any recipients listed in the To: field of a forwarded e-mail. For example, if the user policy specifies this message for the body text of the notification e-mail: The attached e-mail has been forwarded to you for approval because it was addressed to %To%. It displays like this in the notification e-mail: The attached e-mail has been forwarded to you for approval because it was addressed to spencerrimmel@unipraxis.com.
%URL%
This displays the URL of the Web site that activated the trigger. For example, this message in the policy: You are not authorized to browse %URL% Displays like this in a notification message: You are not authorized to browse http://www.unipraxis.com. Note that query strings are excluded from the URL displayed in the message. The query string is the part of a URL containing the search parameters when submitting data to a dynamic Web site. For example, id=LogiCard is the query string in this URL: www.unipraxis.com/solutions.cgi?id=LogiCard. In the actual notification message, this URL will therefore be represented as: www.unipraxis.com/solutions.cgi?
User definitions
User definitions, also known as replaceable strings, are variables that can be referenced by any settings in the current user policy that have a text value (for example, trigger names, address lists, search text lists, messages to users). For example, you can define a Disclaimer user definition and reference this as %Disclaimer% in any Trigger Name setting.
5 Enter a value for the definition, such as: Unipraxis distributes this document for informational purposes only.
6 This user definition can now be referenced as a string value in any other policy trigger, for example, in a Message To Users setting: "Your e-mail attachment has been blocked as it is missing the mandatory corporate disclaimer: %Disclaimer%"
Note the following:
- User definitions can themselves be specified by other user definitions. Ensure that you do not create circular references. For example, if User Definition 1 references User Definition 2, User Definition 2 must not reference User Definition 1.
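To show how the two layers of substitution interact, user definitions (which may reference each other and must not form a cycle) and the case-insensitive message variables described on the preceding pages, here is an added Python example; it is not the product's rendering code. The derivation of %Site% from the first DNS label, the treatment of unknown variables, and the sample events and definitions are this example's own assumptions and constructed data.

```python
import re
from typing import Optional

# Matches %Name% tokens; names are letters only, as in %From% or %Disclaimer%.
VAR_RE = re.compile(r"%([A-Za-z]+)%")


def expand_user_definitions(text: str, definitions: dict, _stack: tuple = ()) -> str:
    """Replace %Name% references to user definitions, recursively.

    Definitions may reference other definitions; a circular chain raises
    ValueError instead of looping forever. Tokens that are not definitions
    (message variables such as %From%) are left for the next stage.
    """
    defs = {k.lower(): v for k, v in definitions.items()}

    def repl(m):
        name = m.group(1).lower()
        if name not in defs:
            return m.group(0)
        if name in _stack:
            raise ValueError("circular user definition: " + " -> ".join(_stack + (name,)))
        return expand_user_definitions(defs[name], definitions, _stack + (name,))

    return VAR_RE.sub(repl, text)


def has_circular_reference(definitions: dict) -> bool:
    """True if some user definition eventually references itself."""
    try:
        for value in definitions.values():
            expand_user_definitions(value, definitions)
    except ValueError:
        return True
    return False


def url_without_query(url: str) -> str:
    """%URL%: the query string is dropped but the '?' that introduced it stays."""
    base, sep, _query = url.partition("?")
    return base + sep


def site_of(value: str) -> str:
    """%Site%: the organization element of a URL host or an e-mail address.

    Assumed derivation (not documented on the page): take the host, drop a
    leading 'www.', and capitalize the first DNS label.
    """
    if "://" in value:
        host = value.split("://", 1)[1].split("/", 1)[0]
    else:
        host = value.rsplit("@", 1)[-1]
    host = re.sub(r"^www\.", "", host)
    return host.split(".")[0].capitalize()


def default_summary(event: dict) -> str:
    """%Default%: the summary block for the body of a notification e-mail."""
    return (
        "The original mail message is:\n"
        f"From: {event.get('from', '')}\n"
        f"To: {', '.join(event.get('to', []))}\n"
        f"Subject: {event.get('subject', '')}"
    )


def render_notification(template: str, event: dict, definitions: Optional[dict] = None) -> str:
    """Expand user definitions first, then message variables, case-insensitively."""
    text = expand_user_definitions(template, definitions or {})
    first_recipient = (event.get("to") or [""])[0]
    values = {
        "from": event.get("from", ""),
        "to": ", ".join(event.get("to", [])),
        "cc": ", ".join(event.get("cc", [])),
        "bcc": ", ".join(event.get("bcc", [])),
        "subject": event.get("subject", ""),
        "url": url_without_query(event.get("url", "")),
        "site": site_of(event.get("url") or first_recipient),
        "default": default_summary(event),
        "keystring": event.get("keystring", ""),
    }
    # Unknown variables are left as typed so that a misspelling stays visible.
    return VAR_RE.sub(lambda m: values.get(m.group(1).lower(), m.group(0)), text)


# Constructed sample data for the example (not from the page).
MAIL_EVENT = {
    "from": "lyndasteel@unipraxis.com",
    "to": ["spencerrimmel@unipraxis.com"],
    "cc": ["frankschaeffer@unipraxis.com"],
    "subject": "Corporate Restructuring",
    "keystring": "Project Alpha",
}
WEB_EVENT = {"url": "http://www.unipraxis.com/solutions.cgi?id=LogiCard"}
USER_DEFINITIONS = {
    "Disclaimer": "Unipraxis distributes this document for informational purposes only.",
    "Footer": "%Disclaimer% Contact %Contact%.",
    "Contact": "the Compliance Officer",
}
```

Running the user-definition pass before the message-variable pass is what lets a definition such as Footer carry its own %Disclaimer% reference; checking for cycles up front (has_circular_reference) is the practical way to enforce the rule in the note above when a policy is saved.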
This section covers: Data Lookup; disabling integration for specific e-mail triggers; unreadable uploaded files or e-mail attachments; e-mails with digital signatures; and encrypted e-mails.
- Disable individual capture triggers. See page 210.
- Disable integration with Orchestria APM, or specify that integration is disabled automatically if the Orchestria APM infrastructure fails to start. For details, see page 76.
For each control trigger, you can also specify minimum retention periods. These determine how long control events are excluded from database purges.
Example
You may want to set up control triggers to disregard unauthorized e-mails when imported from an archive file, but to block these e-mails when they transit through your Exchange server. To do this:
1 Specify the Exchange control trigger: Set up a control trigger to block unauthorized e-mails transiting through your Exchange server.
1.1 In the User Policy Editor, locate the e-mail control trigger that you want to use.
1.2 Edit the Which E-mail Sources? setting and select only the Microsoft Exchange Server (Mailbox) option. This ensures that the trigger ignores other e-mail applications and imported e-mails.
1.4 Set up a control action to block and, if required, capture these e-mails.
2 Specify a capture trigger for imported e-mails: Set up a capture trigger to capture all e-mails imported from, say, PST files.
2.2 Edit the Which E-mail Sources? setting and select only the Archive File Importers option.
2.3 Set up other trigger settings to ensure that all imported e-mails are captured.
3 Save the policy. The same policy can now be used to block unauthorized e-mails as they transit through your Exchange server, and to capture such e-mails when imported from archive files but without generating an associated blocking event.
Data Lookup
Data Lookup settings provide highly flexible extensions to e-mail capture and control triggers. These settings enable control triggers to selectively detect or exempt e-mails based on: the attributes of an Orchestria APM recipient or sender; the Outlook Address Book properties of the recipients or the sender; or the potential impact on network traffic. For maximum flexibility, Data Lookup settings take the form of user-defined commands. For full details about the required command syntax, plus extensive examples, see chapter 11, Data lookup.
Unreadable uploaded files or e-mail attachments
4 To configure the trigger more precisely, you can also set the Conditions for Unreadable Text Content setting. This setting is ignored if the Activate Trigger if Text Content Unreadable? setting is set to False. If this is set to:
Digital signatures
If required, you can block or warn against sending e-mails if they do not have a digital signature, but exempt e-mails if they are digitally signed. Alternatively, you can set the trigger to detect signed e-mails but exempt unsigned e-mails. Digital signature exemptions are available for all incoming and outgoing e-mail control triggers. To set up digital signature exemptions:
1 Open the User Policy Editor and locate the e-mail control trigger that you want to change. This can be an incoming or outgoing e-mail trigger.
2 Display the trigger settings.
3 Edit the Digital Signature Filter setting and choose whether to target signed e-mails only or unsigned e-mails only.
Encryption
Exempting secure Web sites
If required, you can block or warn against access to insecure Web sites but exempt secure Web sites so they do not trigger blockings or warnings. To do this, you specify a minimum keystrength for the encryption algorithms used by secure Web sites. This means that the control trigger activates only if the Web site uses a keystrength that is lower than the minimum value specified by the control trigger. Encryption exemptions are available for all Web control triggers. To set up keystrength exemptions:
1 Open the User Policy Editor and locate the Web page control trigger that you want to change.
2 Display the trigger settings.
3 Edit the Keystrength Exemptions setting and choose a minimum keystrength. But note the browser requirements on page 234.
For event expiry dates, you can:
- Search for events that expire on a particular date (the Expiry Date search filter). See the Data Management console online help; search the index for expiry date.
- Override an event's expiry date in the Audit tab. See either the iConsole user guide or the Data Management Console guide; search the index for "expiry date, changing" and "expiry date, resetting in Audit tab" respectively.
Outlook and Notes client agents run on client machines, that is, the end-users' workstations. Each client agent monitors incoming and outgoing e-mails on a single workstation. Exchange and Domino server agents run on an e-mail server (that is, an Exchange Server or Lotus Domino host computer) and monitor all e-mail activity transiting through the e-mail server.
The main advantage of the Exchange and Domino server agents over the Outlook and Notes client agents is that they enable Orchestria APM to track corporate e-mail activity that would otherwise be missed. However, there are other important differences between the server agents and the client agents. These differences affect control triggers for outgoing e-mails. In particular, they affect how Orchestria APM interacts with the sender when a control trigger activates.
How the Exchange or Domino server agent affects the Intervention setting in a control action is described on page 264. Automatic notification e-mails generated by the server agent are described on page 265. Interactive warning e-mails generated by the server agent are described on page 266.
Intervention option: how the server agent handles the e-mail
- Block: Blocks the e-mail. Sends a notification to the sender, including the original e-mail as an attachment. See the next section for details about automatic notifications.
- Categorize...: Automatically assigns a category to the e-mail. For details about e-mail categorization, see page 154.
- Inform: Allows the e-mail to be delivered. Sends a notification to the sender. The original e-mail is not included. For details about automatic notifications, see page 265.
- None
- Notify: Allows the e-mail to be delivered. Sends a notification to the sender. The original e-mail is not included. See the next section for details about automatic notifications.
- Quarantine: Marks the e-mail for quarantine and notifies the sender. See the next page for details about automatic notifications.
- Quarantine quietly: Marks the e-mail for quarantine. The sender is unaware that the e-mail has not been sent.
- Warn: Retains the e-mail and sends a warning to the sender, enabling them to allow or disallow the e-mail. The e-mail is not sent unless the user actively allows it by responding to the warning. For details about interactive warnings, see page 266. The sender cannot designate the e-mail as Personal; see page 231.
Automatic notification e-mails
If Orchestria APM intercepts an e-mail transiting through Domino and the e-mail generates a blocking, warning, or inform event, Orchestria APM sends a notification e-mail to the sender. This is also the case for intercepted e-mails that have generated blocking events when using Exchange Server. If Orchestria APM intercepts an e-mail transiting through Exchange and the e-mail generates a warning or inform event, Orchestria APM can automatically send a notification or interactive warning e-mail to the sender, depending on how it is configured. For details on interactive warning e-mails, see page 266.
Note: Interactive warning e-mails are currently only supported for use with Exchange Server.
Subject text
You can define the subject for a notification e-mail in the sender's policy. To do this, you edit settings in the System Settings/User Notifications folder:
- Blockings: For blocked e-mails, you define the subject text in the Dialog Title - Blockings setting.
- Warnings: For e-mails that generate warnings, you define the subject text in the Dialog Title - Warnings setting.
- Inform: For e-mails that generate inform events, you define the subject text in the Dialog Title - Inform and Notify Events setting.
Body text
You can define the body text for a notification e-mail in the sender's policy. To do this, you edit the Message to Users setting in the relevant control trigger. For example, if an e-mail is blocked when the Search Text 1 trigger activates, the notification e-mail includes this trigger's Message to Users setting as its body text. This means that for each outgoing e-mail control trigger in a sender's policy, the Message to Users text must reflect the Intervention option specified in the associated control action. For example: Your e-mail has been blocked. It refers to %Keystring% and such references violate corporate guidelines. Please contact the Compliance Officer for further details.
Global sender
When a user receives a notification e-mail from Orchestria APM, the From: field indicates the sender of the notification e-mail. However, the sender's identity is configurable. For example, you can specify that the From: field in notification e-mails is always set to ComplianceTeam@Unipraxis.com. To define a global sender, you must edit the registry on the machine hosting the Exchange Server or Domino server agent. Specifically, you need to add the NotificationFromAddress registry value; see the Deployment guide for details.
Interactive warning e-mails
If Orchestria APM intercepts an e-mail transiting through Exchange Server and the e-mail generates a warning or inform event, Orchestria APM can automatically send a notification or interactive warning e-mail to the sender. If the sender replies to this warning promptly (that is, before the warning timeout expires), then their e-mail is released and sent on to its intended recipients. Note that the sender does not need to add any comment or other text to their reply; clicking the Reply button is sufficient to release their e-mail if they still want it to be delivered. If they do not reply (or reply too late), then Orchestria APM deems that they have heeded the warning and the e-mail is not sent. For details, see the next section.
Warning message: This is the first message the user receives. It is sent automatically when the Exchange server intercepts an e-mail which has generated a warning or inform event. By default, the message has the user's original e-mail attached and states that it has triggered one or more warnings. It lists the warnings and advises the sender that if they want the e-mail to be sent, they must reply to the warning message.
Unmatched response message: This message is automatically sent when the user does reply to the warning message, but the original e-mail is no longer on the Exchange server. In this situation, the user's reply cannot be matched to the original e-mail and so the e-mail cannot be released and sent. Replies are matched to their corresponding e-mails by a unique ID in the Subject.
[Figure: Example interactive warning message. This example is based on the default template for warning messages; see page 267. The sender of the original e-mail must reply to this warning if they still want the e-mail to be delivered. Callouts: (1) Reply button; (2) text generated by insertion variables.]
[Figure: Default template for warning messages. The callouts mark the insertion text variables, described in the next section. An example warning e-mail generated by this template is shown on page 266.]
Insertion text variables
%subject%
Warning message template: The variable is replaced by the subject of the original e-mail. Unmatched response message template: The variable is replaced by the subject of the user's reply to the warning message.
Note: This variable can be typed directly into the UnmatchedResponseTitle registry value.
%maildatetime%
Warning message template: The variable is replaced by the date and time of the original e-mail, relative to the time zone of the host server. Unmatched response message template: The variable is replaced by the date and time of the user's reply to the warning message, relative to the time zone of the host server. The date and time is displayed in RFC 2822 format. For example, if the template file contains this text: Your e-mail on %maildatetime% appears to breach corporate guidelines. It displays like this in the warning: Your e-mail on Fri, 12 May 2006 16:22:10 +0100 appears to breach corporate guidelines. Here +0100 indicates that the time given is one hour ahead of UTC, in other words BST; -0400 would indicate EDT (Eastern Daylight Time), four hours behind UTC and so five hours behind BST.
%formattedwarningtext1%
Warning message: The variable is replaced by details of the warnings (or inform events) triggered by the e-mail. For each trigger that activates, this variable returns two text items, a title and a message:
- The title derives from the Dialog Title - Warnings setting in the \User Notifications policy folder (or, for Inform events, the Dialog Title - Inform and Notify Events setting).
- The message is based on the Message To Users setting, included in each policy trigger.
If the sender's e-mail causes multiple triggers to activate, the %formattedwarningtext1% variable writes to the warning e-mail a title and message pair for each trigger, with each pair separated by a blank line:
<Warning dialog title 1>
<Trigger 1 message>
<Blank line>
<Warning dialog title 2>
<Trigger 2 message>
For example, if two triggers activate, the following text could be written to the warning e-mail:
Orchestria Advisory
You are not permitted to send e-mails to these teams: Equity Markets, Debt Markets.

Orchestria Advisory
This e-mail refers to Project Alpha. Such references are normally prohibited in corporate correspondence.
Note: This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle message template.
%formattedwarningtext2%
Warning message: The variable is replaced by the details of the warnings (or inform events) triggered by the e-mail. For each trigger that activates, this variable returns a message, based on the Message To Users setting, included in each policy trigger. If the sender's e-mail causes multiple triggers to activate, the %formattedwarningtext2% variable writes to the warning e-mail a message for each trigger, separated by a blank line:
<warning #1 message>
<blank line>
<warning #2 message>
Note: This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle message template.
%to%
Warning message template: The variable is replaced by the address(es) in the To field of the original e-mail. For example, if the template file contains: Your e-mail to %to% breaches corporate rules. It displays like this in the warning: Your e-mail to srimmel@unipraxis.com breaches corporate rules.
Note: This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle message template.
%cc%
Warning message: The variable is replaced by the address(es) in the Cc field of the original e-mail.
Note: This variable is not suitable for use with the UnmatchedResponseTemplateFile registry value or the UnmatchedResponseTitle message template.
Policy checks
E-mails that generate warnings are subject to two policy checks. The first occurs when the e-mail is originally sent: this policy check triggers the warning message. The second occurs immediately before the Exchange server agent resumes processing the e-mail (either because the user has replied to the warning message, or because the Auto Heed warning timeout has expired).
Normally, the policy engine detects that policy has not changed between the two checks. If the user:
- Replied to the warning message (that is, the user disregarded the warning), the original e-mail is sent.
- Did not reply to the warning message (that is, the user heeded the warning), the original e-mail is deleted unsent.
Sometimes, however, the policy engine may detect that policy has changed. If this is the case and the user:
- Replied to the warning message (that is, the user disregarded the warning), the original e-mail is checked against the new policy. If the e-mail violates the new policy, the sender receives a new interactive warning message. If the e-mail does not violate the new policy, it is sent.
- Did not reply to the warning message (that is, the user heeded the warning), the original e-mail is deleted unsent.
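The exchange between the sender and the Exchange server agent described on the last few pages (warning sent, reply matched by the unique ID in the Subject, the unmatched-response case, the Auto Heed timeout, and the second policy check) as an added Python model; it is not Orchestria APM code. The Subject layout "Orchestria Advisory [APM-xxxxxxxx]: ...", the Policy and Email records, and the keystring-based policy check are this example's own assumptions.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Constructed policy model: a version number plus the keystrings it prohibits."""
    version: int
    prohibited: tuple


@dataclass(frozen=True)
class Email:
    sender: str
    to: tuple
    subject: str
    body: str


# The unique ID carried in the warning Subject and expected back in the reply.
ID_RE = re.compile(r"\[APM-([0-9A-F]{8})\]")


def policy_violations(mail: Email, policy: Policy) -> list:
    """The policy check: which prohibited keystrings appear in the body."""
    return [k for k in policy.prohibited if k.lower() in mail.body.lower()]


class WarningGateway:
    """Holds warned e-mails until the sender replies or the Auto Heed timeout expires."""

    def __init__(self, policy: Policy, timeout_s: int = 3600):
        self.policy = policy
        self.timeout_s = timeout_s
        self.pending = {}      # warning ID -> (mail, policy version checked, deadline)
        self.delivered = []    # e-mails released to their recipients
        self.outbox = []       # warning / unmatched-response messages sent to senders

    def submit(self, mail: Email, now: float) -> str:
        """First policy check, when the e-mail is originally sent."""
        violations = policy_violations(mail, self.policy)
        if not violations:
            self.delivered.append(mail)
            return "sent"
        return self._warn(mail, violations, now)

    def _warn(self, mail: Email, violations: list, now: float) -> str:
        wid = secrets.token_hex(4).upper()
        self.pending[wid] = (mail, self.policy.version, now + self.timeout_s)
        self.outbox.append({
            "to": mail.sender,
            "subject": f"Orchestria Advisory [APM-{wid}]: {mail.subject}",
            "warnings": violations,   # what %formattedwarningtext% would list
        })
        return "warned"

    def reply(self, reply_from: str, reply_subject: str, now: float) -> str:
        """The sender replied: match by ID, then run the second policy check."""
        m = ID_RE.search(reply_subject)
        entry = self.pending.pop(m.group(1), None) if m else None
        if entry is None or now > entry[2]:
            # No matching original on the server (never warned, already
            # released, or auto-heeded after the timeout): cannot release.
            self.outbox.append({"to": reply_from, "subject": f"Unmatched response: {reply_subject}"})
            return "unmatched"
        mail, checked_version, _deadline = entry
        if checked_version != self.policy.version:
            violations = policy_violations(mail, self.policy)   # policy changed: re-check
            if violations:
                return self._warn(mail, violations, now)        # new interactive warning
        self.delivered.append(mail)
        return "released"

    def expire(self, now: float) -> list:
        """Auto Heed: delete unsent every warned e-mail whose timeout has passed."""
        heeded = [wid for wid, (_m, _v, deadline) in self.pending.items() if now > deadline]
        for wid in heeded:
            del self.pending[wid]
        return heeded


def scenario() -> list:
    """One sender's e-mail through each outcome; returns the outcome sequence."""
    gw = WarningGateway(Policy(1, ("Project Alpha",)), timeout_s=60)
    mail = Email("lsteel@unipraxis.com", ("srimmel@unipraxis.com",),
                 "Restructuring", "Project Alpha status")
    last = lambda: "RE: " + gw.outbox[-1]["subject"]       # the sender just hits Reply
    out = [gw.submit(mail, now=0), gw.reply(mail.sender, last(), now=10)]
    out.append(gw.reply(mail.sender, last(), now=11))       # nothing left to match
    out.append(gw.submit(mail, now=100))
    out.append(len(gw.expire(now=200)))                     # timeout: auto-heeded
    out.append(gw.reply(mail.sender, last(), now=201))      # too late: unmatched
    out.append(gw.submit(mail, now=300))
    gw.policy = Policy(2, ("Project Alpha", "Project Beta"))  # changed, still violated
    out.append(gw.reply(mail.sender, last(), now=310))
    gw.policy = Policy(3, ())                                 # changed again, now allowed
    out.append(gw.reply(mail.sender, last(), now=320))
    return out
```

The model makes the two-check structure explicit: the policy version recorded at warning time is what tells the second check whether a re-evaluation is needed, and a reply whose ID no longer maps to a pending e-mail (already released, or deleted by Auto Heed) can only produce the unmatched response.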
Data lookup (chapter 11)
This chapter introduces data lookup commands. Data Lookup settings provide highly flexible extensions to e-mail and Data At Rest capture and control triggers. These settings can incorporate data lookup commands to exempt particular e-mail or file events from the normal trigger coverage or, conversely, to refine the trigger to focus only on particular types of e-mail or file. This chapter provides an overview of data lookup True-False tests and describes how to add data lookup commands to these triggers. It also provides full details for all the available variables and syntax elements in a data lookup command, including various example commands. In particular, see:
- Lookup command syntax, on pages 274 to 275.
- Available lookup command variables, on pages 277 to 287.
- Advanced data lookup commands, on page 291.
- User Attribute lookup examples, on page 297.
- Address Book lookup examples, on page 298.
- Message Attribute lookup examples, on page 299.
- XML Attribute lookup examples, on page 300.
[Figure: Data lookup commands, e-mail example. A user sends an e-mail (1). Orchestria APM detects the e-mail and invokes a data lookup command in the user's policy (2). This can be a User Attribute lookup (3), Address Book lookup (4) or a Message Attribute lookup (5). If the lookup command evaluates to False (6), the trigger does not activate; if it evaluates to True (7), the trigger activates and a capture or control action is invoked (for example, a blocking).]
Overview
Orchestria APM supports three types of data lookup:
User Attribute lookup: E-mail triggers can selectively detect (or exempt) e-mails based on the account attributes of the Orchestria APM sender or recipients. These are the customized user attributes defined for your organization (see page 51). For example, if you created a Department attribute for your organization, you could modify control triggers to warn against e-mails sent to Orchestria APM users who belong to specific departments. For an overview of the syntax, see page 274.
Address Book lookup: E-mail triggers can selectively detect (or exempt) internal e-mails based on Outlook Address Book properties of the recipients or the sender. For example, they can block e-mails sent to users in a particular office. Or they can exempt e-mails from being blocked if a manager is included in the recipients. For an overview of the syntax, see page 275.
Message Attribute lookup: These lookups provide access to information contained in an e-mail that is not accessible through any other trigger test. They enable e-mail triggers to assess each message for its potential impact on network traffic. For example, they can block e-mails if the number of recipients is excessive or if the e-mail is too big. For an overview of the syntax, see page 275.
Note: Message Attribute lookup exemptions are not appropriate for Sender incoming e-mail triggers.
XML Attribute lookup: These lookups enable policy triggers to test targeted events for metadata attributes (this metadata is stored in XML format). For example, file metadata includes details about the file creation and modified dates, the file name and path, its title and author. The full range of available metadata varies according to the file type. For an overview of the syntax, see page 276; for an example of XML metadata, see page 302.
For the syntax of the Data Lookup command, see:
- User Attribute lookup: See page 274.
- Address Book lookup: See page 275.
- Message Attribute lookup: See page 275.
- File Attribute lookup: See page 276.
5 Edit the Data Lookup Failure Mode setting. If the Data Lookup command cannot run, this setting determines whether or not the trigger activates. Choose an action from the list of available options:
- Fire trigger: The trigger always activates.
- Do not fire trigger: Orchestria APM ignores the e-mail and the trigger does not activate.
- Block event (client only): Only available for outgoing e-mails. This option varies, depending on whether an Orchestria APM client agent or server agent is processing the e-mail. If a server agent is processing the e-mail, Orchestria APM always activates the trigger. Note that the range of available control interventions is more limited for Orchestria APM server agents; see page 264.
For example, choose Fire trigger to specify that the trigger always activates if the Data Lookup command fails to run. Or you can choose Block Event. This simply blocks the e-mail with an advisory dialog. If you block the e-mail, you can configure the title and message in the advisory dialog; find the relevant settings in the System Settings > User Notifications policy folder.
Note: Data Lookup commands can fail to run if, for example, there is a syntax error or the computer is not connected to the network so Address Book details cannot be extracted from the Microsoft Exchange server. This last reason particularly affects laptop users.
User Attribute lookup
Full syntax details for the various command elements start on page 277. Examples of more complex User Attribute lookup commands start on page 297.
Simple commands
These commands test a simple True or False statement relating to a single user attribute of the e-mail recipients or sender. For example, if a Team attribute has been created for your organization, you can define a command to test whether any e-mail recipients are members of a specific team. The syntax is:
userattr WITH <who> [labeled <fallguy>] WHERE <uservar> [labeled <offlimits>] <stringoperator> <text>
The simple example below detects all outgoing e-mails where any of the recipients are members of the equity markets team:
userattr WITH any %recipient% WHERE Team IS "Equity Markets"
Complex commands
More complex commands can include AND, OR and NOT operators to combine multiple True or False tests. For example, if Team and Rank attributes have been created for your organization, you can define a command to test whether an e-mail's recipients include a senior manager in the equity markets team. For full details and examples, see page 291.
Address Book lookup
Full syntax details for the various command elements start on page 277. Examples of more complex Address Book lookup commands start on page 298.
Simple commands
These commands test a simple True or False statement relating to a single Outlook Address Book property of the e-mail recipients or sender. For example, a command may test whether any e-mail recipients are members of specific e-mail distribution lists. The syntax is:
mapi WITH <who> [labeled <fallguy>] WHERE <uservar> [labeled <offlimits>] <stringoperator> <text>
The simple example below detects all outgoing e-mails where any of the recipients belong to the Sales or Marketing departments:
mapi WITH any %recipient% WHERE Department IS ANY {"Sales","Marketing"}
Complex commands
More complex commands can include AND, OR and NOT operators to combine multiple True or False tests. For example, a command may test whether any e-mail recipients work in the London office and are in the Sales department. For full details and examples, see page 291.
Message Attribute lookup
Full syntax details for the various command elements are given in the next section. Examples of more complex Message Attribute lookup commands start on page 299.
Simple commands
These commands test a simple True or False statement relating to a message attribute. For example, a command may test whether the number of recipients exceeds the maximum permitted, or whether the total message impact (the message size multiplied by the number of recipients) exceeds a maximum threshold. The syntax is:
msgattr WHERE <msgvar> <numericoperator> <msgvalue>
The simple example below detects all outgoing e-mails where the total message impact exceeds 1MB:
msgattr WHERE msgimpactkb > 1000
Complex commands
You can also combine multiple commands using AND, OR and NOT operators. For example, you can combine two commands to test, first, whether an individual message exceeds a maximum size and, second, whether it is addressed to, say, more than ten recipients. For full details and examples, see page 291.
XML Attribute lookup
Full syntax details for the various command elements are given in the next section. Examples of more complex XML Attribute lookup commands start on page 300.
Simple commands
These commands test a simple True or False statement relating to an XML attribute. For example, a lookup command may test the file name of an imported file. The syntax is:
xmlattr [WITH <xpath>] [labeled <offlimits>] WHERE <xpath> [labeled <offlimits>] <stringoperator|numericoperator> <attribvalue>
Where <attribvalue> must be enclosed in double quotes. The simple example below detects all files created on or after 6am, 18 May 2007:
xmlattr WHERE apm/event/file/created >= "2007-05-18T06:00:00"
Complex commands
More complex commands can include WITH, AND, OR and NOT operators to combine multiple True or False tests. For example, a command may look for files created after 14 May and before 18 May. For full details and examples, see page 291.
Property sets
A file's metadata can also include one or more property sets. These are collections of related file properties. For example, a Microsoft Word document includes a Summary property set that includes Total editing time and Word count properties. The <xpath> syntax for referencing a property is:
apm/event/file/property_set[@name=<set name>]/property[@name=<property name>]
Where <set name> and <property name> must be enclosed in double quotes. For an example, see page 300.
277
Variable           Description                                                                                                Page
<xpath>            The location of an element, or an attribute of an element, within the XML hierarchy of event metadata.     290
AND, OR and NOT    Operators used to define complex data lookup commands.                                                     291
General notes
Syntax is case-insensitive: All syntax elements and variables are case-insensitive. This includes <text> search terms in double quotes. For example, to detect e-mails sent to the Sales department, you can set <text> to Sales, sales or SALES. All will return a True value if Orchestria APM detects a member of the Sales team.

Command layout: When entering Data Lookup commands in the Policy Editor, you can add line breaks and extra spaces to make commands easier to read and maintain:
<who>

For userattr, msgattr, and mapi commands. <who> determines whether the e-mail recipients or the sender are tested for characteristics that match the Data Lookup criteria. The following formats are supported:

%recipient%
The trigger activates if the user attributes, Address Book properties, e-mail addresses, or display names for the recipients match the Data Lookup criteria. Specifically, there must be a match for any recipient, or every recipient, depending on whether the ANY or ALL operator is used.

Data lookup commands that compare strings have either a positive or negative inference. The example below uses the IS operator and therefore has a positive inference:

mapi with ANY %recipient% where department IS "Sales"

The next example uses the IS NOT operator and therefore has a negative inference:

mapi with ALL %recipient% where department IS NOT "Sales"

To simplify matters, you can use %recipient% without actually specifying ANY or ALL. For example, in the positive mapi command, there is an implicit ANY before %recipient%:

mapi with %recipient% where department IS "Sales"

In the negative mapi command, there is an implicit ALL before %recipient%:

mapi with %recipient% where department IS NOT "Sales"

any %recipient%
The trigger activates if the user attributes or Address Book properties for any of the recipients match the Data Lookup criteria. If none of the recipients have matching user attributes or Address Book properties, the trigger does not activate.

all %recipient%
The trigger activates only if the user attributes or Address Book properties of every recipient match the Data Lookup criteria. If any of the recipients have user attributes or Address Book properties that do not match the Data Lookup criteria, the trigger does not activate.

%sender%
Only the sender's user attributes or Address Book properties can activate the trigger.

Note: These formats can all be used in conjunction with <fallguy> subexpressions; see page 280.
<attribvalue>

For xmlattr commands. <attribvalue> is the value of the XML metadata attribute you are testing. It can be a text value, a number, or a date. For an XML metadata example, see page 302.

Text: For example, if <xpath> specifies the title attribute, then set <attribvalue> to Sales Q1 2007 to detect documents whose Title property includes that term:

WHERE apm/event/file/title CONTAINS "Sales Q1 2007"

Number: For example, if <xpath> specifies the file size attribute, then set <attribvalue> to 1,048,576 to detect files with a minimum size of 1MB. Note that the file size attribute is measured in bytes, not KB or MB.

WHERE apm/event/file/size >= 1048576

Note: You do not need to enclose numeric values in double quotes.

Date: For example, if <xpath> specifies the date modified attribute, then to detect all imported files that have been modified since 21 May 2007, set <attribvalue> to the following. But see the next section for date format details.

WHERE apm/event/file/modified >= "2007-05-21"

Date formats

Note that dates must take the following format:

2007-05-21T18:00:00

If the time element (T18:00:00 in the example above) is omitted, the time defaults to midnight. For example:

2007-05-21

is equivalent to:

2007-05-21T00:00:00

For full details about specifying the <xpath> to a property set or an individual property within an XML hierarchy, see page 290.
labeled <variable>

For any lookup commands. This is an optional subexpression that can be used to identify a variable for which the data lookup command returned a True value. The next two sections describe two ways to use labeled <variable>.

labeled <fallguy>

labeled <fallguy> can be used to identify the e-mail recipient (or sender) for whom the data lookup command returned a True value and who, as a consequence, caused the e-mail trigger to activate. The e-mail address of this recipient (or sender) is assigned to the <fallguy> variable for inclusion in a user notification message. This is especially useful if an e-mail is sent to lots of people, but only a small number of these are on the list of unauthorized recipients. <fallguy> permits you to identify these unauthorized recipients in a notification dialog, which in turn enables the sender to remove them from the addressees before resending the e-mail.

Variable names: <fallguy> is a variable name chosen by you and, like all user notification variables, must be enclosed in percent marks. You must not choose a variable name already used by Orchestria APM (for a list of these, see page 253). One way to ensure your chosen variable name is acceptable is to include your company in the variable name. For example:

%XYZ_interdicted_user%

For details about incorporating <fallguy> variables into a user notification message (for example, in a warning dialog), see page 257.

IS example: <fallguy> subexpressions are most easily understood in terms of data lookup commands that use an IS operator. In the example below, if an unauthorized recipient in the Equity Markets team causes an e-mail trigger to activate, the address of that recipient is written to the variable %XYZ_interdicted_users%:

userattr WITH all %recipient% labeled %XYZ_interdicted_users% WHERE Team IS "Equity Markets"

For example, a user attempts to send an e-mail to various people, including unauthorized recipient Frank Schaeffer. %XYZ_interdicted_users% is therefore set to, for example, Frank Schaeffer or fschaeffer@unipraxis.com.

Note: Where possible, <fallguy> returns the user's e-mail display name.

Likewise, if multiple unauthorized recipients are detected, the Data Lookup command writes all of their user names to %XYZ_interdicted_users%. These are displayed in the notification dialog as a comma-separated list:

fschaeffer@unipraxis.com,srimmel@unipraxis.com

IS NOT example: If you use an IS NOT operator in a data lookup command, <fallguy> works as normal and returns the e-mail address of every recipient for whom the data lookup command returned a True value. But you need to remember that the command logic is reversed! For example, the command below returns a True value if none of the recipients are directors. In this case, the address of each recipient is written to the variable %XYZ_renotify_these_guys% (because in each case, the recipient is not a director and so the test returns a True value):

userattr WITH all %recipient% labeled %XYZ_renotify_these_guys% WHERE Rank IS NOT "director"

For example, if none of the recipients are directors, %XYZ_renotify_these_guys% will contain a list of addresses for all the intended recipients, for example:

fschaeffer@unipraxis.com,srimmel@unipraxis.com
labeled <offlimits>

labeled <offlimits> can be used to identify the Address Book property or user attribute for which the data lookup command returned a True value and, as a consequence, caused the e-mail trigger to activate. The property or attribute is assigned to the <offlimits> variable for inclusion in a user notification message. This is especially useful if an e-mail is sent to lots of recipients, but only a small number of these have attributes or properties that disqualify them from receiving the e-mail. <offlimits>, when used in conjunction with <fallguy>, permits you to identify these recipients and highlight their disqualifying property or attribute. In turn, this enables the sender to remove them from the addressees before resending the e-mail.

Variable names: <offlimits> is a variable name chosen by you and, like all user notification variables, must be enclosed in percent marks. You must not choose a variable name already used by Orchestria APM (for a list of these, see page 253). One way to ensure your chosen variable name is acceptable is to include your company in the variable name. For example:

%XYZ_taboo_team%

For details about incorporating <offlimits> variables into a user notification message (for example, in a warning dialog), see page 257.

IS example: <offlimits> subexpressions are most easily understood in terms of data lookup commands that use a CONTAINS operator. In the example below, e-mails sent to members of certain teams (Equity Markets, Debt Markets or Securities Services) cause an e-mail trigger to activate. For each disqualifying recipient, their team name is written to the variable %XYZ_taboo_team%:

userattr WITH any %recipient% WHERE Team labeled %XYZ_taboo_team% IS ANY {"Equity Markets","Debt Markets","Securities Serv"}

For example, if a user attempts to send an e-mail to members of the Equity Markets team, %XYZ_taboo_team% is set to Equity Markets. Likewise, if multiple unauthorized recipients are detected, the Data Lookup command writes all of their teams to %XYZ_taboo_team%. These are displayed in the notification dialog as a comma-separated list:

Equity Markets,Debt Markets,Securities Services

IS NOT example: If you use an IS NOT operator in a data lookup command, <offlimits> works as normal and returns the attribute or property of every recipient for whom the data lookup command returned a True value. But you need to remember that the command logic is reversed! For example, the command below returns a True value if none of the recipients are directors. In this case, the actual rank of each recipient is written to the variable %XYZ_too_junior% (because in each case, the recipient is not a director and so the test returns a True value):

userattr WITH all %recipient% WHERE Rank labeled %XYZ_too_junior% IS NOT "director"

For example, if none of the recipients are directors, %XYZ_too_junior% will contain a list of the ranks that were detected, for example:

Intern,Management trainee,Non-officer
<msgvar>

For msgattr commands only. <msgvar> represents the message attribute whose value you want to test. The following attributes are supported:

Numeric values (used with <numericoperator>; see page 283)

msgsizekb
Message size, including attachments (in kilobytes).
Note: This is useful for blocking large e-mails, for example, to prevent a user sending a 25MB e-mail. The calculation methods used may not be accurate enough for blocking e-mails with a smaller impact.

msgimpactkb
Total message impact (in kilobytes sent), calculated as Message Size * Number of Recipients.
Note: This is useful for blocking large e-mails, for example, to prevent a user sending a 5MB e-mail to 100 recipients. The calculation methods used may not be accurate enough for blocking e-mails with a smaller impact.

recipnum
Number of recipients.

internalrecipnum
Number of internal recipients. See the following section for details about internal recipients.

externalrecipnum
Number of external recipients. See the following section for details about external recipients.

tonum
Number of 'To' recipients.

ccnum
Number of 'CC' recipients.

bccnum
Number of 'BCC' recipients.

toccnum
Number of 'To' and 'CC' recipients.

domainnum
Number of unique domains in recipient list. For details about how Orchestria APM extracts the domain from an e-mail address, see page 301.

externaldomainnum
Number of unique external domains in recipient list. This domain count is based only on external recipients; see the following section for details about external recipients. For details about how Orchestria APM extracts the domain from an e-mail address, see page 301.

String values (used with <stringoperator>; see page 284)

%sender%
Sender e-mail address(es) and display name.

%recipient%
Recipient e-mail address(es) and display name.

Note: Results from these string values depend on the expansion of the e-mail, which in turn is determined by the machine policy setting Perform LDAP directory lookups? and the user policy setting Retrieve Full Recipient/Sender details.
<msgvalue>

For msgattr commands only. <msgvalue> is always entered as a number; see the numeric values supported by <msgvar> in the previous section. It defines the threshold for a particular message attribute. For example, to specify a maximum permitted message size of 25MB, set <msgvalue> to 25600:

WHERE msgsizekb >= 25600

Note that numbers are always extracted as integers. For example, 25.5 is truncated to 25.

<numericoperator>

For msgattr and xmlattr commands only. <numericoperator> defines the comparison operator used to test whether the message equals, exceeds or falls below the threshold specified by the <msgvar> and <msgvalue> variables. The operator can be:

Use these operators if the message attribute being tested has a numeric value, such as the number of recipients or message size. For example, use >= to test whether the message size exceeds 25KB:

WHERE msgsizekb >= 25

Note: Spaces before and after <numericoperator> are optional. For example, tonum>5 and tonum > 5 are equally acceptable.
<stringoperator>

For any lookup commands. <stringoperator> determines whether the specified text, or search term, must be present or absent.

Important: Search terms are defined by the <text> value. You must enclose the <text> search terms in double quotes. This even applies to single-word search terms. See page 286 for details.

The following operators are supported:

IS or IS ANY
These terms are interchangeable. They define one or more search terms that must be present exactly as specified (although * wildcards are permitted). The Data Lookup test returns a True value if Orchestria APM detects any of these terms for an individual sender or recipient. (If it detects none of the search terms, the test returns a False value.) For example, you can use this to detect e-mails, say, where a recipient is in the Securities Services team:

WHERE Team IS "Securities Services"

Similarly, you can use this operator to detect e-mails, for example, where a recipient is in either the London or Paris offices:

WHERE Office IS ANY {"London","Paris"}

CONTAINS or CONTAINS ANY
INCLUDES or INCLUDES ANY
All of these terms are interchangeable. They define one or more search terms that must be present. Implicit leading and trailing * wildcards are added to any search terms specified by this operator. The Data Lookup test returns a True value if Orchestria APM detects any of these terms for an individual sender or recipient. (If none of these terms are detected, the test returns a False value.) For example, you can use the extract below to detect e-mails where a recipient belongs to a team such as Securities Services or Global Securities:

WHERE Team CONTAINS "Securities"

Similarly, you can use these operators to detect e-mails, for example, where a recipient is in either the Equity Markets, Debt Markets or Securities Services teams:

WHERE Team CONTAINS ANY {"Equity","Debt","Securities"}

IS NOT
This defines a search term that must not be present. The Data Lookup test returns a True value if Orchestria APM does not detect this term for an individual sender or recipient. (If this term is detected, the test returns a False value.) For example, you can use this to detect e-mails where, say, none of the recipients are in the Equity Markets team:

WHERE Team IS NOT "Equity Markets"

IS NOT ALL
This defines multiple search terms, none of which must be present. The Data Lookup test returns a True value if Orchestria APM detects none of these terms for an individual sender or recipient. (If any of these terms are detected, the test returns a False value.) For example, you can use this to detect e-mails where, say, none of the recipients are in the Hong Kong, Kuala Lumpur or Tokyo offices:

WHERE Office IS NOT ALL {"Hong Kong","Kuala Lumpur","Tokyo"}

Note: This operator is rarely used in practice.

CONTAINS ALL or INCLUDES ALL
These terms are interchangeable. They define multiple search terms that must be present. The Data Lookup test returns a True value if Orchestria APM detects all of these terms for an individual sender or recipient. (If it fails to detect any term, the test returns a False value.) For example, you can use this to block e-mails where a recipient's team name contains the terms Equity and Markets. The trigger will not activate if the recipient is a member of, say, the Debt Markets team.

WHERE Team CONTAINS ALL {"Equity","Markets"}

EXCLUDES ANY
This defines multiple search terms that must not be present. The Data Lookup test returns a True value if Orchestria APM fails to detect any of these terms for an individual sender or recipient. (If all of these terms are detected, the test returns a False value.) This enables you to exempt e-mails if all of the listed terms are detected (because the test returns a False value so the trigger will not activate). For example, you can use this to block an e-mail unless one or more recipients is a Senior Manager.

WHERE Rank EXCLUDES ANY {"Manager","Senior"}

EXCLUDES or EXCLUDES ALL
These terms are interchangeable. They define one or more search terms that must not be present. The Data Lookup test returns a True value if Orchestria APM detects none of these terms for an individual sender or recipient. (If any of these terms are detected, the test returns a False value.) This enables you to exempt e-mails if a term is detected (because the test returns a False value so the e-mail trigger will not activate). For example, you can use this to block an e-mail unless one or more recipients is a Manager.

WHERE Rank EXCLUDES "Manager"

Likewise, you can exempt e-mails only if a manager or director is included in the recipient list:

WHERE Rank EXCLUDES ALL {"Manager","Director"}
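The following Python function is an added illustration, not code from the Orchestria manual. It models the <stringoperator> rules above for one attribute value: case-insensitive matching, the * and ? wildcards described under <text>, implicit leading and trailing wildcards for CONTAINS/INCLUDES, and the ANY/ALL distinctions between the operators. Treating the EXCLUDES operators as substring matches is an assumption drawn from the Rank EXCLUDES ANY {"Manager","Senior"} example, which only exempts a Senior Manager if both terms match inside the value.

```python
import re

# Operators that get implicit leading and trailing * wildcards. CONTAINS and
# INCLUDES are documented as such; treating EXCLUDES the same way is an
# assumption taken from the manual's EXCLUDES ANY {"Manager","Senior"} example.
SUBSTRING_OPS = ("CONTAINS", "INCLUDES", "EXCLUDES")


def wildcard_regex(term: str, substring: bool) -> "re.Pattern":
    """Translate a search term with * and ? wildcards into a case-insensitive
    regular expression that must match the whole attribute value."""
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    if substring:
        body = ".*" + body + ".*"
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def string_test(operator: str, value: str, terms) -> bool:
    """Evaluate `WHERE <uservar> <stringoperator> <text>` for one attribute value.

    `terms` is a single search term or a list of terms (the {...} form).
    Returns the True/False result the Data Lookup test produces for one
    individual sender or recipient.
    """
    op = " ".join(operator.upper().split())          # syntax is case-insensitive
    terms = [terms] if isinstance(terms, str) else list(terms)
    substring = op.startswith(SUBSTRING_OPS)
    hits = [wildcard_regex(t, substring).match(value) is not None for t in terms]

    if op in ("IS", "IS ANY", "CONTAINS", "CONTAINS ANY", "INCLUDES", "INCLUDES ANY"):
        return any(hits)            # at least one term present
    if op in ("CONTAINS ALL", "INCLUDES ALL"):
        return all(hits)            # every term present
    if op in ("IS NOT", "IS NOT ALL", "EXCLUDES", "EXCLUDES ALL"):
        return not any(hits)        # none of the terms present
    if op == "EXCLUDES ANY":
        return not all(hits)        # True unless every term is present
    raise ValueError(f"unknown <stringoperator>: {operator!r}")


if __name__ == "__main__":
    # Examples from the operator descriptions above, run against constructed values.
    print(string_test("CONTAINS", "Global Securities", "Securities"))          # True
    print(string_test("CONTAINS ALL", "Debt Markets", ["Equity", "Markets"]))  # False
    print(string_test("EXCLUDES ANY", "Senior Manager", ["Manager", "Senior"]))  # False: exempt
```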
<text>

For userattr and mapi commands only. <text> represents the search term (or terms) whose presence or absence you want to test. For example, if <uservar> is set to Department, you may want to set <text> to Sales or Marketing.

Case-insensitive: Search terms are not case sensitive. For example, if <uservar> and <text> jointly specify the Sales department, then Sales, sales and SALES all return a True value if detected.

Multiple search terms: If required, you can specify a list of multiple search terms as the <text>. For example, you can define multiple search terms if <operator> is set to IS ANY or IS NOT ANY. The format for multiple terms is shown in the example below:

{"Manager","Director","Reviewer"}

Note that search term lists are comma-separated and enclosed in {curly brackets}.

Wildcards: If required, you can use ? and * wildcards when defining search terms. For example, ma* would match both Marketing and Management.

<type>

For userattr, mapi, msgattr and xmlattr commands. <type> determines the type of Data Lookup command. The different types of command have slight differences in syntax and accept different variables. The following types are supported:

userattr
This defines a User Attribute lookup command. The basic command syntax is:

userattr WITH <who> WHERE <uservar> <stringoperator> <text>

mapi
This defines an Address Book lookup command. The basic command syntax is:

mapi WITH <who> WHERE <uservar> <stringoperator> <text>

msgattr
This defines a Message Attribute lookup command. The basic command syntax is:

msgattr WHERE <msgvar> <operator> <msgvalue>

xmlattr
This defines an XML Attribute lookup command. The basic command syntax is:

xmlattr WHERE <xpath> <operator> <attribvalue>
<uservar>

For userattr and mapi commands only. <uservar> is an Orchestria APM user attribute or group or an Outlook Address Book property. It is this attribute, group or property that is tested for a True or False match against the Data Lookup criteria. The supported formats are listed below; Outlook Address Book formats are described on page 288.

Note: <uservar> properties and attributes also support the mandatory keyword; see page 289.

Orchestria APM user attribute
For User Attribute lookup only. These are the customized user attributes defined for your Orchestria APM installation; see page 51. Specify the name of the user attribute that you want to test against. For example, if a Team attribute has been created for your organization, you can specify this as the <uservar> by typing Team.

Note: User attributes are not case sensitive. Always enclose the attribute name in double quotes, for example, "Rank" or "Team Name".

lookup commands to test which Orchestria APM user group a user belongs to. In effect, data lookup handles the user's parent group as if it were a user attribute.

Wgn.Group
Use this variable to specify a specific parent user group that you want to test against. For example, to configure a trigger to block e-mails sent to members of the Sales user group, the command syntax is:

WHERE Wgn.Group IS "Sales"

If multiple groups exist with the same name in different branches of the user hierarchy, Data Lookup tests all matching groups.

Wgn.GroupParent
Use this variable to specify a user group that heads a specific branch of the user hierarchy. Data Lookup tests whether the user belongs to a user group within this branch. For example, consider this user hierarchy:

USA
  New York
    Directors
    Sales
  Boston
    Legal
    Sales

To configure a trigger to block e-mails sent to members of the Boston Legal or Boston Sales groups, the command syntax is:

WHERE Wgn.GroupParent IS "Boston"

Both Wgn.Group and Wgn.GroupParent also support the CONTAINS operator. For example:

WHERE Wgn.Group CONTAINS {"Sales","Legal"}

user attributes created in Active Directory and used by Address Books in Outlook. Administrators can define up to 15 custom attributes per user. For example, you can type:

ExtensionAttribute3

to specify <uservar> as Custom Attribute 3, as defined in the advanced Exchange user properties in Active Directory. In the examples on page 298, Custom Attribute 3 shows an employee's hire date.

Note: For details about custom user attributes, refer to your Active Directory documentation.

Address Book special property as the <uservar>, type:

Title
State
Country
Region
City
Department
Office
MemberOf

identify Address Book properties in the Active Directory schema. The correct <uservar> syntax is:

MAPIID0x<n>

Where <n> is the hexadecimal code.

Note: You may need to calculate hexadecimal codes from the decimal schema codes. For schema details, see your Active Directory documentation.
mandatory <uservar>

The mandatory keyword ensures that e-mail triggers always activate when required, or, equally important, do not activate unnecessarily. The example below specifies that the lookup command must detect a value for the Team attribute, otherwise the entire command will fail to run:

WHERE mandatory Team IS "Equity Debt"

Normally, <uservar> specifies an Outlook Address Book property or an Orchestria APM user attribute, the presence or absence of which determines whether the lookup command returns a True value. But if no value has been set for the attribute or property (for example, the Orchestria APM account for a new recruit has not been updated to show their Team), or the specified address book property does not exist (for example, the lookup command specifies Titel instead of Title), Orchestria APM ignores this omission and evaluates the remaining True-False tests within the data lookup command. In the worst case, this could mean that a trigger fails to activate, allowing an e-mail to be sent to a proscribed recipient.

For example, you have configured a lookup command to block e-mails sent between the Research and Investment Banking (IB) teams. But a new member of the IB team has not been added to the IB mail group (that is, their MemberOf address book property is not up to date). Consequently, when a researcher sends an e-mail to this new IB member, the lookup command fails to identify him or her as a proscribed recipient, so the e-mail trigger does not activate and the e-mail is not blocked.

To eliminate these risks, you can qualify <uservar> with the mandatory keyword. This ensures that if no value has been set for the specified attribute or property, or if the address book property does not exist, the data lookup command always returns an error, so invoking the Data Lookup Failure Mode setting (see step 5, page 273).

Note: For userattr commands, if the specified attribute does not exist (for example, the lookup command specifies Teem instead of Team), the data lookup command always returns an error, regardless of whether mandatory is used or not, so invoking the Data Lookup Failure Mode setting.
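The Python model below is an added example, not part of the Orchestria manual, and pulls together the <who> quantifier rules (implicit ANY for IS, implicit ALL for IS NOT), the labeled <fallguy> and <offlimits> variables, and the mandatory keyword just described. Only IS and IS NOT are modelled, as exact case-insensitive matches; the User class, the constructed recipients and attribute values are assumptions, and how an unqualified command treats a recipient with no value set (skipped here) is an assumption labelled in the code.

```python
from dataclasses import dataclass, field


class DataLookupFailure(Exception):
    """Raised when a `mandatory` attribute has no value; in Orchestria APM this is
    the point at which the Data Lookup Failure Mode setting takes over."""


@dataclass
class User:
    address: str
    display_name: str = ""
    attributes: dict = field(default_factory=dict)   # attribute name -> value


def attribute_value(user: User, name: str):
    """Attribute names are case-insensitive; None means no value has been set."""
    for key, value in user.attributes.items():
        if key.lower() == name.lower():
            return value
    return None


def lookup(users, attr, operator, text, quantifier=None, mandatory=False,
           fallguy=None, offlimits=None):
    """Model `WITH [any|all] %recipient% [labeled <fallguy>]
    WHERE [mandatory] <uservar> [labeled <offlimits>] IS|IS NOT "text"`.

    Returns (result, variables); `variables` maps each labeled variable name to
    the comma-separated list a notification dialog would display.
    """
    negative = operator.upper() == "IS NOT"
    if quantifier is None:
        # Implicit quantifier: ANY for a positive inference, ALL for a negative one.
        quantifier = "ALL" if negative else "ANY"
    outcomes, guilty_users, guilty_values = [], [], []
    for user in users:
        value = attribute_value(user, attr)
        if value is None:
            if mandatory:
                raise DataLookupFailure(f"{attr!r} has no value for {user.address}")
            # Without `mandatory` the omission is ignored. Assumption: the recipient
            # simply takes no part in the ANY/ALL decision.
            continue
        hit = value.lower() == text.lower()
        outcome = (not hit) if negative else hit
        outcomes.append(outcome)
        if outcome:
            # <fallguy> returns the display name where possible, else the address.
            guilty_users.append(user.display_name or user.address)
            guilty_values.append(value)                # <offlimits>: the property itself
    if not outcomes:
        result = False   # assumption: nothing could be tested, so nothing triggers
    elif quantifier.upper() == "ALL":
        result = all(outcomes)
    else:
        result = any(outcomes)
    variables = {}
    if fallguy:
        variables[fallguy] = ",".join(guilty_users)
    if offlimits:
        variables[offlimits] = ",".join(guilty_values)
    return result, variables


def mandatory_fails(users, attr, operator, text) -> bool:
    """True when the same command, qualified with `mandatory`, raises a failure."""
    try:
        lookup(users, attr, operator, text, mandatory=True)
    except DataLookupFailure:
        return True
    return False


# Constructed directory: names and addresses follow the manual's samples, the
# attribute values are invented for this example.
RECIPIENTS = [
    User("fschaeffer@unipraxis.com", "Frank Schaeffer",
         {"Team": "Equity Markets", "Rank": "Director", "MemberOf": "IB"}),
    User("srimmel@unipraxis.com", "Spencer Rimmel",
         {"Team": "Debt Markets", "Rank": "Intern", "MemberOf": "Research"}),
    # New IB recruit whose account has not been updated: no Team, Rank or MemberOf.
    User("newhire@unipraxis.com", "New Hire"),
]

if __name__ == "__main__":
    print(lookup(RECIPIENTS, "Team", "IS", "Equity Markets",
                 fallguy="%XYZ_interdicted_users%", offlimits="%XYZ_taboo_team%"))
    # The missing MemberOf means the new IB member is never identified ...
    print(lookup([RECIPIENTS[1], RECIPIENTS[2]], "MemberOf", "IS", "IB"))
    # ... unless the attribute is mandatory, which surfaces the failure instead.
    print(mandatory_fails([RECIPIENTS[1], RECIPIENTS[2]], "MemberOf", "IS", "IB"))
```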
<xpath>

For xmlattr commands only. <xpath> specifies the location of an element (or node) within an XML hierarchy. Specifically, xmlattr lookup commands use <xpath> to locate the file attribute, stored as an XML element, whose value they need to test (where this value is specified by <attribvalue>; see page 279). The examples below specify, respectively, a file event's file name, file size, the date when the file was last modified, and a property set named ID (property sets are described in the next section):

apm/event/file/filename
apm/event/file/size
apm/event/file/modified
apm/event/file/property_set[@name="ID"]

For full details about available elements, see the XML metadata example on page 302.
Command evaluation

Orchestria APM evaluates lookup commands from left to right. This is particularly important if your lookup command contains three or more True-False tests and if you use brackets to set evaluation precedence. The examples in the table below show how three logical tests (A, B and C) combine to produce an overall result:

Example   Tests             Result
1         A AND B AND C     False
2         A OR B OR C       True
3         A OR B AND C      True
4         A AND B OR C      True
5         B AND (A or C)    False

In examples 2 and 3, if A, B and C represent linked commands, then commands B and C are not evaluated because, with command A returning True, the overall command must also return True. This is a deliberate optimization designed to minimize delays when processing outgoing e-mails; see page 296.

Note: This optimization does not apply to multiple True-False tests within a single lookup command. In this case, all tests are fully evaluated.

When defining a complex data lookup command, you must use parentheses to separate the sub-tests. Note also that Orchestria APM quits evaluating as soon as it detects any subcommand that allows the overall command to be unambiguously resolved. Specifically, this affects:

Subcommands linked with an AND operator. Here, Orchestria APM quits evaluating if any subcommand returns False (because this sets the overall command to False, so the trigger does not activate).

Subcommands linked with an OR operator. Here, Orchestria APM quits evaluating if any subcommand returns True (because this sets the entire command to True and activates the trigger).

E-mail addresses used in the following examples:

E-mail address
srimmel@unipraxis.com
lsteel@unipraxis.com
fschaeffer@unipraxis.com
oabassi@unipraxis.com
With the same three recipients, this command requires the following three lookup operations:

(mapi with srimmel@unipraxis.com where dept IS "sales")
AND (mapi with lsteel@unipraxis.com where dept IS "sales")
AND (mapi with fschaeffer@unipraxis.com where dept IS "sales")

This time, for the test to be true, all three lookup commands must be true. That is, Spencer, Lynda and Frank must all be in the Sales department for the test to be true.

For the test to be true, all three lookup commands must be true. That is, Spencer, Lynda and Frank must all be in a department other than Sales for the test to be true. If you want to use ANY with the same lookup command, you need to add it explicitly, as shown below:

mapi with ANY %recipient% where dept IS NOT "sales"

With the same three recipients, this command requires the following three lookup operations:

(mapi with srimmel@unipraxis.com where dept IS NOT "sales")
OR (mapi with lsteel@unipraxis.com where dept IS NOT "sales")
OR (mapi with fschaeffer@unipraxis.com where dept IS NOT "sales")

For the test to be true, only one of the lookup commands needs to be true. That is, if Spencer is not in the Sales department, then that lookup command is true and the details for Lynda and Frank are not checked.
The following is another example of a composite True-False test. It uses the positive operator IS with two sub-commands:

(mapi with %sender% where dept IS "sales") AND (userattr with %recipient% where position IS "manager")

Bad example

In contrast, the following is a bad example of a composite True-False test:

(mapi with %recipient% where dept IS "sales") AND (userattr with %recipient% where position IS "manager")

Like the previous composite True-False test, this test also uses the positive operator IS with multiple lookup operations, each containing two sub-operations. This test is confusing, however, because of its apparent intention. At first glance it appears to prevent e-mails from being sent to the sales manager. The actual behavior of the lookup is very different. It prevents e-mails from being sent if at least one recipient is in the Sales department, and also, if at least one recipient (possibly the same one) is a manager. If there are three recipients, this command requires the following nine lookup operations, each containing two lookup sub-operations. For each lookup operation to be true, both its sub-operations must be true. For the test itself to be true, only one of the nine lookup operations needs to be true.

((mapi with srimmel@unipraxis.com where dept IS "sales") AND (userattr with srimmel@unipraxis.com where position IS "manager"))
OR ((mapi with srimmel@unipraxis.com where dept IS "sales") AND (userattr with lsteel@unipraxis.com where position IS "manager"))
OR ((mapi with srimmel@unipraxis.com where dept IS "sales") AND (userattr with fschaeffer@unipraxis.com where position IS "manager"))
OR ((mapi with lsteel@unipraxis.com where dept IS "sales") AND (userattr with srimmel@unipraxis.com where position IS "manager"))
OR ((mapi with lsteel@unipraxis.com where dept IS "sales") AND (userattr with lsteel@unipraxis.com where position IS "manager"))
OR ((mapi with lsteel@unipraxis.com where dept IS "sales") AND (userattr with fschaeffer@unipraxis.com where position IS "manager"))
OR ((mapi with fschaeffer@unipraxis.com where dept IS "sales") AND (userattr with srimmel@unipraxis.com where position IS "manager"))
OR ((mapi with fschaeffer@unipraxis.com where dept IS "sales") AND (userattr with lsteel@unipraxis.com where position IS "manager"))
OR ((mapi with fschaeffer@unipraxis.com where dept IS "sales") AND (userattr with fschaeffer@unipraxis.com where position IS "manager"))

Corrected version of bad example
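As an added example (not code from the Orchestria manual), the following Python expands a simple IS / IS NOT lookup over the three recipients used above, evaluating left to right and quitting as soon as the result is unambiguous, and then shows why the bad example fires even when no single recipient is a sales manager. The parser, the DIRECTORY contents and the position values are constructed assumptions; the manual's own corrected syntax is not reproduced here.

```python
import re
from itertools import product

# Constructed directory. Nobody here is a manager in Sales, which is exactly the
# situation in which the "bad example" above still activates the trigger.
DIRECTORY = {
    "srimmel@unipraxis.com":    {"dept": "sales",     "position": "associate"},
    "lsteel@unipraxis.com":     {"dept": "legal",     "position": "manager"},
    "fschaeffer@unipraxis.com": {"dept": "marketing", "position": "associate"},
}
RECIPIENTS = list(DIRECTORY)

# `<type> with [any|all] %recipient% where <attr> IS [NOT] "text"`, optionally in parentheses.
COMMAND = re.compile(
    r'\(?\s*(\w+)\s+with\s+(?:(any|all)\s+)?%recipient%\s+where\s+(\w+)\s+is(\s+not)?\s+"([^"]*)"\s*\)?',
    re.IGNORECASE)


def parse(command):
    """Return (quantifier, attribute, negative, text) for one simple lookup command."""
    m = COMMAND.fullmatch(command.strip())
    if not m:
        raise ValueError(f"cannot parse: {command!r}")
    _type, quantifier, attr, negated, text = m.groups()
    negative = negated is not None
    if quantifier is None:
        quantifier = "ALL" if negative else "ANY"   # implicit quantifier rule from <who>
    return quantifier.upper(), attr, negative, text


def single_lookup(address, attr, negative, text):
    """The per-recipient lookup operation that the expansion produces."""
    hit = DIRECTORY[address][attr].lower() == text.lower()
    return (not hit) if negative else hit


def evaluate(command, recipients=RECIPIENTS):
    """Expand the command over the recipients, left to right, quitting as soon as
    the result is unambiguous. Returns (result, lookups_performed)."""
    quantifier, attr, negative, text = parse(command)
    done = 0
    for address in recipients:
        done += 1
        outcome = single_lookup(address, attr, negative, text)
        if quantifier == "ANY" and outcome:
            return True, done        # one True resolves an OR chain
        if quantifier == "ALL" and not outcome:
            return False, done       # one False resolves an AND chain
    return quantifier == "ALL", done


def bad_example(cmd_a, cmd_b, recipients=RECIPIENTS):
    """`(A) AND (B)` with an implicit ANY in each: the two %recipient% expand
    independently, so the trigger fires when some recipient satisfies A and some
    (possibly different) recipient satisfies B. Returns (fires, expanded_pairs)."""
    fires = evaluate(cmd_a, recipients)[0] and evaluate(cmd_b, recipients)[0]
    return fires, list(product(recipients, recipients))   # the nine lookup operations


def same_recipient(cmd_a, cmd_b, recipients=RECIPIENTS):
    """What the bad example appears to mean: one recipient satisfying both tests."""
    _, attr_a, neg_a, text_a = parse(cmd_a)
    _, attr_b, neg_b, text_b = parse(cmd_b)
    return any(single_lookup(r, attr_a, neg_a, text_a) and single_lookup(r, attr_b, neg_b, text_b)
               for r in recipients)


if __name__ == "__main__":
    print(evaluate('mapi with %recipient% where dept IS "sales"'))        # stops after Spencer
    print(evaluate('mapi with %recipient% where dept IS NOT "sales"'))    # implicit ALL
    A = '(mapi with %recipient% where dept IS "sales")'
    B = '(userattr with %recipient% where position IS "manager")'
    fires, pairs = bad_example(A, B)
    print(fires, len(pairs), same_recipient(A, B))                        # True 9 False
```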
This example detects all outgoing e-mails where one or more recipients is in the Equity Markets team. If Orchestria APM detects such a recipient, that users name and team are written to the %which_guy% and %proscribed_team% variables respectively. You can then incorporate these variables in a user notification message: userattr WITH any %recipient% labeled %which_guy% WHERE Team labeled %proscribed_team% IS "Equity Markets" This example detects all outgoing e-mails where a recipient is a member of teams such as Equity Markets or Debt Markets: userattr WITH any %recipient% WHERE Team CONTAINS ANY {"Equity","Debt"} This example detects all outgoing e-mails where recipients include any junior ranking staff (in this case, Non-officers): userattr WITH any %recipient% WHERE Rank CONTAINS ALL {"non","officer"} This example detects all outgoing e-mails that do not include a director in the list of recipients: userattr WITH all %recipient% WHERE WgnUser.CfgProperty4 EXCLUDES "director" Where customized user attribute 4 is set to Rank.
This example detects all outgoing e-mails that do not include an executive director in the list of recipients. The command returns a True value (and activates the e-mail trigger) unless the recipients include a user whose rank contains both executive and director:
userattr WITH all %recipient% WHERE "Rank" EXCLUDES ANY {"director","executive"}
This detects all outgoing e-mails where the recipient list excludes an executive director in the Equity Markets team. That is, the command returns a True value (and activates the e-mail trigger) if no such recipient is detected. Note the NOT operator and the mandatory keyword! The NOT operator ensures that if an executive director in the Equity Markets team is detected, the command returns a False value (and the trigger does not activate). The mandatory keyword ensures that, if no Rank is specified, the data lookup command fails and invokes the Data Lookup Failure Mode setting (see step 5, page 273):
userattr WITH all %recipient% WHERE (Team IS NOT "Equity Markets") AND (mandatory Rank IS NOT "executive director")
This combines Message Attribute and User Attribute lookup commands to detect e-mails sent to members of any securities team where the total message impact exceeds 1MB:
(msgattr WHERE msgimpactkb > 1000) AND (userattr WITH any %recipient% WHERE Team IS "Securities")
This example detects all outgoing e-mails where one or more recipients is in the Sales department. If Orchestria APM detects such a recipient, that user's name and department are written to the %which_guy% and %proscribed_dept% variables respectively. You can then incorporate these variables in a user notification message:
mapi WITH any %recipient% labeled %which_guy% WHERE Department labeled %proscribed_dept% IS "Sales"
This detects all outgoing e-mails unless one or more recipients is in the London or Manchester offices:
mapi WITH all %recipient% WHERE Office IS NOT ALL {"London","Manchester"}
This example detects all incoming e-mails where the sender is a member of the Executive Management mail group:
mapi WITH %sender% WHERE MemberOf IS "Executive Management"
This example detects all outgoing e-mails where one or more recipients has a hire date of 2001. (In this example, Address Book custom attribute 3 is set to an employee's hire date.)
mapi WITH any %recipient% WHERE ExtensionAttribute3 IS "2001"
This example detects all outgoing e-mails that do not include a supervisor in the list of recipients:
mapi WITH all %recipient% WHERE Title IS NOT "Supervisor"
This example detects all outgoing e-mails that do not include a supervisor or team leader in the list of recipients. The command returns a True value (and activates the e-mail trigger) unless a supervisor or team leader is included in the To, Cc or Bcc lists:
mapi WITH all %recipient% WHERE Title IS NOT {"Supervisor","Team Leader"}
This detects all outgoing e-mails where the recipient list excludes a member of the Compliance Team mail group in the London office. That is, the command returns a True value (and activates the e-mail trigger) if no such recipient is detected. Note the NOT operator! This ensures that if any member of the London Compliance Team is detected, the command returns a False value (and the trigger does not activate):
mapi WITH all %recipient% WHERE NOT ((MemberOf CONTAINS ALL {"Compliance","Team"}) AND (Office IS "London"))
This combines Message Attribute and Address Book lookup commands to detect e-mails sent to the Santiago office where the total message impact exceeds 5MB:
(msgattr WHERE msgimpactkb > 5000) AND (mapi WITH any %recipient% WHERE Office IS "Santiago")
This tests the Company attribute of the user, but specifies it by its MAPI numerical code, see page 288:
mapi WITH any %recipient% WHERE MAPIID0x3A16 IS "Unipraxis"
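The userattr and mapi examples above all turn on two things that are easy to get backwards when writing a policy: the difference between WITH any (at least one recipient satisfies the test) and WITH all (every recipient does, which is how the "do not include a director" commands work), and what the mandatory keyword does when a directory attribute is simply missing. The following is an added illustration written for this page, not Orchestria APM code: it models those semantics in Python against a constructed directory (the three Unipraxis users and their Team/Rank values are assumed, as is the fail_closed parameter that stands in for the Data Lookup Failure Mode setting).

```python
# Constructed model of WITH any / WITH all, the IS / CONTAINS / EXCLUDES tests
# and the 'mandatory' keyword from userattr and mapi lookup commands.
# Written for this page as an illustration; it is not Orchestria APM code.
from typing import Callable, Iterable, List, Optional


class LookupFailure(Exception):
    """A 'mandatory' attribute was absent, so the whole lookup command fails."""


# Constructed directory records (assumed values, not real user data).
DIRECTORY = {
    "srimmel@unipraxis.com": {"Team": "Equity Markets", "Rank": "executive director"},
    "lsteel@unipraxis.com": {"Team": "Securities", "Rank": "non-officer"},
    "fschaeffer@unipraxis.com": {"Team": "Debt Markets"},  # no Rank recorded
}


def attr(user: str, name: str, mandatory: bool = False) -> str:
    """Fetch one attribute, lower-cased; a missing mandatory attribute raises."""
    value = DIRECTORY.get(user, {}).get(name)
    if value is None:
        if mandatory:
            raise LookupFailure(f"{name} not set for {user}")
        return ""
    return value.lower()


# Comparison tests (case-insensitive, matching the page's examples).
def is_(value: str, expected: str) -> bool:
    return value == expected.lower()


def contains_any(value: str, words: Iterable[str]) -> bool:
    return any(w.lower() in value for w in words)


def contains_all(value: str, words: Iterable[str]) -> bool:
    return all(w.lower() in value for w in words)


def excludes(value: str, word: str) -> bool:
    return word.lower() not in value


def excludes_any(value: str, words: Iterable[str]) -> bool:
    """True if at least one of the words is absent, i.e. NOT (CONTAINS ALL)."""
    return not contains_all(value, words)


# Quantifiers: WITH any -> some recipient satisfies; WITH all -> every one does.
def with_any(recipients: List[str], pred: Callable[[str], bool]) -> bool:
    return any(pred(r) for r in recipients)


def with_all(recipients: List[str], pred: Callable[[str], bool]) -> bool:
    return all(pred(r) for r in recipients)


def first_match(recipients: List[str], pred: Callable[[str], bool]) -> Optional[str]:
    """Stand-in for 'labeled %which_guy%': the first recipient satisfying pred."""
    return next((r for r in recipients if pred(r)), None)


# userattr WITH all %recipient% WHERE "Rank" EXCLUDES ANY {"director","executive"}
def no_executive_director(recipients: List[str]) -> bool:
    return with_all(
        recipients, lambda r: excludes_any(attr(r, "Rank"), {"director", "executive"})
    )


# userattr WITH all %recipient% WHERE (Team IS NOT "Equity Markets")
#     AND (mandatory Rank IS NOT "executive director")
def no_equity_markets_exec_director(recipients: List[str]) -> bool:
    def pred(r: str) -> bool:
        team_ok = not is_(attr(r, "Team"), "Equity Markets")
        # mandatory: a recipient with no Rank makes the whole command fail
        rank_ok = not is_(attr(r, "Rank", mandatory=True), "executive director")
        return team_ok and rank_ok

    return with_all(recipients, pred)


def evaluate(command: Callable[[List[str]], bool], recipients: List[str],
             fail_closed: bool = True) -> bool:
    """Run a lookup command. fail_closed stands in for the Data Lookup Failure
    Mode setting (assumed: True means a failed lookup activates the trigger)."""
    try:
        return command(recipients)
    except LookupFailure:
        return fail_closed
```

Because the directory record for fschaeffer has no Rank, the mandatory version of the command cannot decide and falls through to the failure mode; a fail-closed setting treats the e-mail as one to act on, a fail-open setting lets it pass. The non-mandatory form treats the missing attribute as an empty string, which is why the page's first "executive director" example never fails but also never notices an incomplete directory.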
This example detects all outgoing e-mails from specific users at Unipraxis to any user at Unipraxis:
msgattr WHERE (%sender% IS ANY {srimmel@unipraxis.com, lstee@unipraxis.com}) AND (%recipient% labeled %which_recip% IS @orchestria.com)
This example detects all outgoing e-mails sent to 20 or more recipients in the To list:
msgattr WHERE tonum >= 20
This example detects all outgoing e-mails with no recipients in the Cc list:
msgattr WHERE ccnum = 0
This example detects all outgoing e-mails that do not have one recipient in the Bcc list:
msgattr WHERE bccnum <> 1
This example detects all outgoing e-mails where the total number of To and Cc recipients is over 20:
msgattr WHERE toccnum > 20
This example detects all outgoing e-mails bigger than 50KB: msgattr WHERE msgsizekb > 50
This example detects all outgoing e-mails where the total message impact exceeds 1MB:
msgattr WHERE msgimpactkb > 1000
This example detects all outgoing e-mails with 10 or more recipients:
msgattr WHERE recipnum >= 10
This example detects all outgoing e-mails sent to more than ten internal addresses:
msgattr WHERE internalrecipnum > 10
This example detects all outgoing e-mails sent to more than one external address:
msgattr WHERE externalrecipnum > 1
This detects all imported files smaller than 10KB. Note that the file size attribute is measured in bytes, not KB:
xmlattr WHERE apm/event/file/size < "10240"
This example tests the path attribute to detect all files imported from the \Tips folder on the machine UX-RIMMEL:
xmlattr WHERE apm/event/file/path IS "\\UX-RIMMEL\Personal\Tips"
Note that you do not need to specify a UNC path. You can also specify a local drive path if your policy engine is running on the same machine as the source folder.
This example checks the Security property in Microsoft Word documents. This property is in the Custom property set. Here, the xmlattr lookup command detects documents that are not marked as Confidential:
WHERE apm/event/file/property_set[@name="Custom"]/property[@name="Security"] IS NOT "Confidential"
This example uses a WITH statement to check the Security and Status properties in Microsoft Word documents. Status, like Security in the previous example, belongs to the Custom property set. Here, the xmlattr lookup command detects documents marked as Confidential and whose status is Approved:
WITH apm/event/file/property_set[@name="Custom"] WHERE ([property@name="Security"] IS "Confidential") AND ([property@name="Status"] IS "Approved")
This example simply checks whether a Custom or Version property set is defined in the XML metadata:
WHERE apm/event/file/property_set/@name IS ANY {"Custom","Version"}
This example detects all imported files that were modified between 21 and 25 May 2007:
xmlattr WHERE (apm/event/file/modified >= "2007-05-21") AND (apm/event/file/modified < "2007-05-26")
Many files, particularly Microsoft Word documents, include an Author property. Orchestria APM always attempts to identify and store this as an attribute in the file event's metadata. This example detects all files where the author name includes the strings Rimmel or Steel:
xmlattr WHERE apm/event/file/author CONTAINS ANY {"Rimmel","Steel"}
All entries must start with a period and contain exactly two periods, for example:
.ins.kr
.fin.tz
If required, you can use a * wild card in place of an entire segment, for example:
.*.pb
However, we recommend you avoid using wildcards where possible because the scope of the resulting match may be greater than anticipated, causing short domains to be inadvertently treated as long domains. This is particularly true if the domain element of an address includes a geographical subdomain. For example, adding .*.pb to the exceptions list would cause Orchestria APM to treat ny.unipraxis.pb and london.unipraxis.pb as separate domains.
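The wildcard caveat is easier to see with the rule written out. The following is an added example for this page, not the product's own implementation: it models the long-domain exception list as the text describes it (two-segment entries beginning with a period, a * standing for one whole segment) and shows how a .*.pb entry splits the two Unipraxis offices into separate domains while a concrete entry such as .ins.kr does only what was intended. The "last two labels, or last three on a match" reduction is an assumption drawn from the examples in the text.

```python
# Constructed model of the long-domain exception list and of wildcard over-matching.
# Written for this page as an illustration; not Orchestria APM code.
import re
from typing import Iterable, List

# One leading period, two segments, a segment may be '*' (constructed validator).
ENTRY_RE = re.compile(r"^\.(\*|[a-z0-9-]+)\.[a-z0-9-]+$", re.IGNORECASE)


def validate_entry(entry: str) -> bool:
    """Entries must start with a period and contain exactly two periods."""
    return bool(ENTRY_RE.match(entry))


def entry_matches(entry: str, labels: List[str]) -> bool:
    """Compare the entry's two segments with the last two labels of a domain."""
    segments = entry.lstrip(".").lower().split(".")
    return all(seg == "*" or seg == lab for seg, lab in zip(segments, labels[-2:]))


def domain_of(address: str, exceptions: Iterable[str]) -> str:
    """Return the domain an address is attributed to: the last two labels
    (a short domain), or the last three when the address ends in a
    long-domain exception. The reduction rule is assumed, not the product's."""
    exceptions = list(exceptions)
    bad = [e for e in exceptions if not validate_entry(e)]
    if bad:
        raise ValueError(f"invalid exception entries: {bad}")
    labels = address.rsplit("@", 1)[-1].lower().split(".")
    if len(labels) >= 3 and any(entry_matches(e, labels) for e in exceptions):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def same_organization(addr_a: str, addr_b: str, exceptions: Iterable[str]) -> bool:
    """Would two addresses be treated as belonging to the same domain?"""
    return domain_of(addr_a, exceptions) == domain_of(addr_b, exceptions)
```

With an empty exception list, ny.unipraxis.pb and london.unipraxis.pb both reduce to unipraxis.pb; with .*.pb in the list every three-label .pb address becomes its own domain, which is the over-match the text warns about. A concrete entry like .ins.kr only widens addresses that really end in ins.kr.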
Example XML metadata
<?xml version="1.0"?>
<apm schema_version="1" xmlns="http://www.orchestria.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.orchestria.com xmleventattributes.xsd">
  <event>
    <file>
      <host>UX-RIMMEL</host>
      <filename>Sales_2007_Q1.doc</filename>
      <path>\\UX-RIMMEL\Personal\Tips</path>
      <created>2007-05-13T19:26:32</created>
      <accessed>2007-05-17T08:12:44</accessed>
      <modified>2007-05-16T21:05:54</modified>
      <size>41984</size>
      <title>Unipraxis Sales Q1 2007</title>
      <subject>Sales Revenue</subject>
      <author>Spencer Rimmel</author>
      <property_set name="Summary">
        <property prop_id="1" name="TotalEditingTime" type="xs:string">01:26:35</property>
        <property prop_id="2" name="WordCount" type="xs:string">824</property>
        <property prop_id="3" name="LastPrinted" type="xs:string">2007-05-17T08:14:36</property>
      </property_set>
      <property_set name="Custom">
        <property prop_id="1" name="Security" type="xs:string">Confidential</property>
        <property prop_id="2" name="Status" type="xs:string">Approved</property>
      </property_set>
    </file>
  </event>
</apm>
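The xmlattr examples on the preceding pages are path expressions over metadata shaped like this sample. As an added example for this page (not Orchestria APM code), the Python below evaluates the same tests with the standard library's ElementTree against the sample document reproduced from the page. The one practical snag it shows is the default namespace: every element in the sample lives in http://www.orchestria.com, so a bare event/file/size query finds nothing and a namespace map has to be passed to every find. Function names and the integer conversion of the size value are this example's own choices.

```python
# Added example: evaluating the page's xmlattr-style tests against the sample
# metadata with xml.etree.ElementTree. Not Orchestria APM code.
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Iterable, Set

# The sample declares a default namespace; ElementTree needs it on every query.
NS = {"apm": "http://www.orchestria.com"}

# Sample metadata reproduced from the page's example (whitespace normalised).
SAMPLE_XML = r"""<?xml version="1.0"?>
<apm schema_version="1" xmlns="http://www.orchestria.com"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.orchestria.com xmleventattributes.xsd">
  <event>
    <file>
      <host>UX-RIMMEL</host>
      <filename>Sales_2007_Q1.doc</filename>
      <path>\\UX-RIMMEL\Personal\Tips</path>
      <created>2007-05-13T19:26:32</created>
      <accessed>2007-05-17T08:12:44</accessed>
      <modified>2007-05-16T21:05:54</modified>
      <size>41984</size>
      <title>Unipraxis Sales Q1 2007</title>
      <subject>Sales Revenue</subject>
      <author>Spencer Rimmel</author>
      <property_set name="Summary">
        <property prop_id="1" name="TotalEditingTime" type="xs:string">01:26:35</property>
        <property prop_id="2" name="WordCount" type="xs:string">824</property>
        <property prop_id="3" name="LastPrinted" type="xs:string">2007-05-17T08:14:36</property>
      </property_set>
      <property_set name="Custom">
        <property prop_id="1" name="Security" type="xs:string">Confidential</property>
        <property prop_id="2" name="Status" type="xs:string">Approved</property>
      </property_set>
    </file>
  </event>
</apm>"""


def load(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def file_field(root: ET.Element, name: str) -> str:
    """Text of apm/event/file/<name>, or '' when the element is absent."""
    node = root.find(f"apm:event/apm:file/apm:{name}", NS)
    return (node.text or "").strip() if node is not None else ""


# apm/event/file/size < "10240": the attribute is bytes; compare as an integer
def size_below(root: ET.Element, limit_bytes: int) -> bool:
    return int(file_field(root, "size")) < limit_bytes


# apm/event/file/path IS "\\UX-RIMMEL\Personal\Tips" (case-insensitive compare)
def path_is(root: ET.Element, expected: str) -> bool:
    return file_field(root, "path").lower() == expected.lower()


# apm/event/file/property_set[@name="Custom"]/property[@name="..."]
def custom_property(root: ET.Element, name: str) -> str:
    node = root.find(
        "apm:event/apm:file/apm:property_set[@name='Custom']"
        f"/apm:property[@name='{name}']", NS)
    return (node.text or "").strip() if node is not None else ""


def confidential_and_approved(root: ET.Element) -> bool:
    return (custom_property(root, "Security") == "Confidential"
            and custom_property(root, "Status") == "Approved")


# apm/event/file/property_set/@name IS ANY {...}
def property_set_names(root: ET.Element) -> Set[str]:
    return {ps.get("name", "") for ps in root.findall("apm:event/apm:file/apm:property_set", NS)}


# (modified >= start) AND (modified < end): compare as datetimes, not strings
def modified_between(root: ET.Element, start: str, end_exclusive: str) -> bool:
    mod = datetime.fromisoformat(file_field(root, "modified"))
    return datetime.fromisoformat(start) <= mod < datetime.fromisoformat(end_exclusive)


# apm/event/file/author CONTAINS ANY {...}
def author_contains_any(root: ET.Element, words: Iterable[str]) -> bool:
    author = file_field(root, "author").lower()
    return any(w.lower() in author for w in words)
```

Run against the sample, the size test is false (41,984 bytes is above 10KB), the path test is true, the Custom property set is present and marks the file Confidential and Approved, the 21 to 25 May window does not contain the 16 May modification time, and the author test matches on Rimmel.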
chapter 12
In order for reviewers to make full use of the iConsole and Data Management console event audit features, administrators need to configure the following features in the Administration console.
Audit fields: Audit field names and list items available in audit fields are fully configurable so that the terminology used and the available options can be customized to meet your organization's requirements. For example, administrators can define multiple 'audit status' labels, 'actions taken' labels and other predefined comments. They can also specify additional, mandatory updates to the audit trail when a reviewer changes an event's audit status. For more details about audit statuses, see page 304.
iConsole and Data Management console, please refer to the iConsole user guide and Data Management console guide respectively.
Audit e-mail templates: Administrators can define templates for audit e-mails and make them available to reviewers in the iConsole (in the Compose Mail dialog). These templates can include predefined recipient lists, plus predefined body and subject text to match your organization's terminology and requirements. Reviewers can use these templates, and change the predefined details if necessary, when composing audit e-mails.
One-click review buttons: Administrators can customize the behavior of one-click review buttons in the iConsole toolbar. These buttons allow reviewers to instantly change specific audit details from one value to another. For example, they can configure a button to automatically change the audit status of the currently selected events, or to change the Action Taken from Reviewed to Referred to Compliance Officer. Up to five separate buttons can be configured.
i If an administrator reconfigures the iConsole one-click review buttons, these changes will only become effective the next time a user logs into the iConsole. Users currently logged on to the iConsole must log off and log back on before these changes become effective.
Audit status 0 is the default status for unreviewed events. Newly captured or imported events are automatically assigned to audit status 0. Events with this status are yet to be reviewed and we recommend that you define audit status 0 as Not reviewed. Audit status 1 is the default status for reviewed events. By default in the iConsole, the one-click review button automatically advances the audit status from 0 to 1. If you intend to use this button with its default configuration, we recommend that you define audit status 1 as Approved, see page 306 for details.
Audit status 2 through 39 are standard status types. You can change or delete their status names as required.
Auditing privileges
Access to the Orchestria APM audit features is controlled by administrative privileges, permitting administrators to closely control the scope of a reviewer's authority. Your reviewers must have the necessary administrative privileges. i To assign administrative privileges, see page 50.
For the full range of privileges, see page 57.
To do this | You need this privilege
Define audit status names, predefined comments and other audit fields. | Admin: Customizable console text
Change the audit status of events and update the audit trail. View event audit trails. Search for captured Web, e-mail and application data. View captured data associated with any user in the user's management group. | Audit: Update audit trail
Change the audit status of an event without needing to view it. Change the audit status of multiple events in a single operation. View events without adding a Viewed Event entry to the audit trail. | Audit: Always suppress automatic auditing
Choose whether to view events without adding a Viewed Event entry to the audit trail. | Audit: Choose to suppress automatic auditing
Review dialog
Options dialog, Audit tab: All audit configuration tasks begin here. From this tab, you can configure:
Modify Value dialog: The names of the <Field 1>, <Field 2> and <Field 3> audit fields that appear in the iConsole Issue dialogs and DMC Review dialog.
Audit Mail Templates dialog: Templates for audit mails, including recipients and default body and subject text. (Audit mails are sent by reviewers from the iConsole.)
Audit Options dialog: The one-click review buttons in the iConsole Search Results screen, plus the list items available in audit fields in various iConsole auditing dialogs and the DMC Review dialog.
Options dialog, Audit tab: 1 Names of audit fields (Fields 1, 2, and 3). 2 Modify button. Click to define field names.
Comment: Use the Add, Remove and Modify buttons to create a list of comments, for example, Potential compliance violation or Satisfactory explanation provided by sender. This list of comments is also available in the Review dialog, which reviewers can access in the Data Management console, and the Expiry Date dialog in the iConsole.
i The maximum length for a comment is 255 characters.
Allow multiple selection for Field 3 check box. Select if required. 3 Edit Audit Options button. Click to edit list items in audit fields. 4 Define Templates button. Click to define templates for audit e-mails.
In the Available '<Field 2>' Values list box, use the check boxes to modify the list of <Field 2> values you want to be available to reviewers when they select the current <Field 1> value. i By default, all audit field values are available.
Click Apply. Your changes will take effect with the next logon.
To configure <Field 2> to <Field 3> dependencies, follow the steps above, selecting the <Field 2> tab in step 3 to show the Available '<Field 3>' Values list box.
Audit: Always suppress automatic auditing: If a reviewer has this privilege, they can view events without Orchestria APM adding a Viewed Event entry to the audit trail.
Audit: Choose to suppress automatic auditing: If a reviewer has this privilege, they can choose to view events without adding a Viewed Event entry to the audit trail each time they open an event. The reviewer is prompted to choose when opening the first event of a new search and that choice stands for all events in the current search results. If the same search is rerun, they are prompted again.
i If both privileges are set, Audit: Always
Both privileges permit the reviewer to view events without updating the audit trail. The reviewer can still update the audit trail manually, but Viewed Event entries are not added automatically. For a full list of audit privileges, see page 305.
In the Edit Template dialog, specify the recipient e-mail addresses, then type a default subject and body text. For full details, see the online help,
e-mail address(es) when using an e-mail template. For details, see the 'Compose Mail' topic in the iConsole help.
4.2 Still in the Edit Template dialog, click the Save Template button. Then close the Audit Mail Templates dialog and the Options dialog.
Change column: Choose which audit field you want the tool to modify. In this example, that is Status, Classification or Action.
From column: Select the field value that will be changed. Only events that currently have this field value can be reviewed using this tool. That is, only valid events will be reviewed and have this issue added to their audit trail.
Administration console: Audit Options dialog
1 Button: These numbers correspond to the toolbar buttons.
2 Change: Defines which field to change in the event's audit trail for events reviewed using this button. Choose from <Field 1> (Status), <Field 2> (Classification), or <Field 3> (Action).
3 From: Defines which events this issue is valid for. That is, only events with this field value can be reviewed using this button. The contents of this list depend on which field is displayed in the Change column, and the list is populated using the equivalent field tab.
4 To (Status): Defines the new status for events updated using this button.
5 To (Classification): Defines the new classification for events updated using this button.
6 To (Action): Defines the new action for events updated using this button.
7 Comment: Defines which comment is displayed for events reviewed using this tool. It is optional and can be left blank.
8 Issue Name: This appears in the Issues pane of the iConsole Search Results screen for events associated with this issue. It is optional and can be left blank.
9 Enabled: Defines whether the button is enabled or disabled in the iConsole. A tool can be enabled for reviewing only single events, multiple events, or both.
10 Action if Invalid: When reviewing multiple events, the selection may include invalid events, that is, events with issues that are not valid for the tool button (3). This column defines what happens if an invalid event is reviewed using this button.
11 Tooltip: Type the label that displays when the mouse pointer hovers over the button in the toolbar.
Action if Invalid column: Configure what happens if an invalid event is encountered in a bulk review using this tool. Choose from the following options:
Abort and warn: Abandon the bulk review, make changes to none of the events and warn the user via a warning dialog.
Ignore silently: Review only valid events. Ignore any invalid events but do not warn the reviewer.
Ignore and warn: Review only valid events. Ignore any invalid events and warn the reviewer.
If an administrator reconfigures the iConsole one-click review buttons, these changes will only become effective the next time a user logs into the iConsole. Users currently logged on to the iConsole must log off and log back on before these changes become effective. After an event has been reviewed using one of these buttons, the corresponding issue is added to the event's audit trail. For more details on issues, refer to the Data Management console online help; search the index for event auditing, multiple audit issues.
Quarantined e-mails
SEC regulatory requirement 472 requires that certain categories of documents sent to multiple external recipients must be approved by an appropriate representative. The Orchestria APM quarantine feature enables your organization to enforce this requirement. This feature is implemented in the user policy as a new intervention option in control actions for outgoing e-mails. The quarantine procedure is summarized below.
Quarantined e-mails: Example based on Exchange server integration. This example shows how the Quarantine feature operates in conjunction with the Exchange server agent. However, it can also operate in conjunction with Outlook and Notes client agents. An e-mail is sent (1) and monitored by Orchestria APM (2) as it transits through the Exchange server (3). A control trigger quarantines the e-mail. The CMS (4) maintains a queue of quarantined e-mails. A reviewer (5) checks quarantined e-mails in the iConsole or Data Management console. The reviewer can either release or reject a quarantined e-mail. The Quarantine Manager (6) regularly checks the quarantine queue on the CMS for e-mails that have been released or which have timed out (7). It then forwards these e-mails, either via the original Exchange server (8a) or, if so configured, through an alternative Exchange server (8b), to the intended recipient (9).
When the Orchestria APM Exchange server agent detects e-mails that match the specified criteria, it diverts them to a quarantine queue. At the same time, it can optionally send a 'quarantine notification' to the original sender. The reviewer can retrieve quarantined e-mails in the Data Management console or the iConsole and either approve or reject them. If the reviewer approves an e-mail, it is immediately released from quarantine and forwarded to its intended recipients; if the reviewer rejects the e-mail, it is effectively blocked, that is, it is not forwarded to its intended recipients and this 'quarantine rejection' is recorded in the event's audit trail on the CMS. To avoid unnecessary disruption to users' workflow, administrators can also configure a quarantine time-out. If a quarantined e-mail has not been reviewed before the time-out expires, it is automatically released. i Quarantined e-mails are not sent until released.
Any outgoing e-mail that triggers a control action can be marked for quarantine. To do this, you must first define a Quarantine control action. 1 For the control action that you want to use, specify the Intervention setting, see pages 220 to 227. You can configure the Quarantine control action to:
Mark e-mail for quarantine (figure): Set up Quarantine Control Action; Set up Quarantine Control Triggers.
number control action as the quarantine control action in order to give it the lowest priority. For example, if there are 10 control actions, configure Control Action 10 as the quarantine control action. An event is immune to other control actions, such as warnings or blockings, after it is marked for quarantine, see page 232.
Set up quarantine alarm (figure): Define quarantine statistic in Administration console; Set up Executive console alarm.
Quarantine events: Setup procedure 1 Set up control actions to quarantine targeted e-mails. 2 Configure the registry settings for the Quarantine Manager. 3 Use the Executive console to alert you when new e-mails are added to the quarantine list.
Next, set up triggers to detect those e-mails that must be quarantined. Finally, for each of these triggers, you need to invoke the previously defined Quarantine control action.
To review a list of quarantined e-mail events, you need to run a search in either the Data Management console, or the iConsole. When viewing quarantined events in the Data Management console or iConsole, the following toolbar buttons become enabled:
Release From Quarantine: Click this to remove the quarantine status from the e-mail and allow it to be sent on to its intended recipient(s). Reject From Quarantine: Click this to remove the e-mail from the quarantine list and effectively block it. That is, it is not sent on to its intended recipient(s). This activity is recorded in the event audit trail.
chapter 13
Content agents
i Content Agents are available only if explicitly included in your license agreement. The technology underlying these features is used under license from Fast Search and Transfer International AS. See page 2 for copyright details.
This chapter describes content agents. Based on innovative pattern-matching technology and intelligence contained in your Orchestria APM Content database, content agents give you the ability to capture and control Web, file and e-mail documents based on their text content.
Overview
In a typical installation, your store of captured data will grow quickly and unless you have the right tools it can be hard to keep track of user activity. In content searches and content agents, you have the right tools. Content Agents can identify specific types of document based on their text content. They form the basis of enormously flexible content agent triggers. These triggers let you capture or control attempts by users to browse, upload, print, copy to removable drives, send or receive documents that match the specified types.
Content searches and content agents 1 Orchestria APM Content database. 2 Content searches look for captured events (3) in the content database. 4 Content agents use intelligence in the content database to identify document types. When tested and published, they can be incorporated into user policies (5) as Content Agent triggers.
Smart detection: Document Classification triggers can examine targeted documents for keywords but, as with database searches, cannot contextualize these keywords. By comparison, Content Agent triggers can contextualize. This greatly improves their accuracy when categorizing or rejecting a targeted document.
Adaptive, example-based training: The accuracy of Document Classification triggers depends heavily on the ability of administrators to define sophisticated classification parameters. You cannot train them to recognize specific categories of documents simply by exposing them to examples of documents. But this is precisely how you train content agents. You can even retrain your agents to reflect a better selection of example documents or an expansion of your Content database. This allows the agents to continually adapt their search algorithms to focus on the documents you want and reduce the number of false hits.
The diagram below shows how the content services components support the content search and content agent features. This example shows the components all installed on the same host machine. Alternative configurations may suit your organization better. See the Deployment guide for details.
Content services: a typical deployment 1 CMS. 2 Content Services host machine. Captured data is indexed by the Content Indexer (3) into a Content database (4). From an Orchestria APM console (5), users can run content searches or train content agents based on data in the Content database. All database queries are routed through the Content Proxy server (6).
Content agents
A content agent can detect a specific type of document based on its text content. A document can be any Web page, e-mail, attachment, or file. For example, you could train an agent to identify customer e-mail enquiries, an airline reservation Web site or offensive e-mails. After you have trained and published an agent, you can incorporate it into a content agent trigger. These triggers let you capture or control any attempt by users to browse, upload, print, copy to removable drives, send or receive documents that match the specified type. For example, you could train a content agent to recognize reports produced by your research team. This would allow you to display a warning, or even block the user, if they attempted to send a report to unauthorized recipients or upload the report to a Web site.
i Administrators require the Edit content agents privilege before they can set up or edit content agents. See page 57 for details.
Training documents
These are example documents, similar to the ones you want to detect. The agent analyzes the content of these training documents and identifies their characteristic text patterns. To do this, it exploits the content database's sophisticated understanding of similar text patterns identifiable in the database. You can train an agent using positive and negative training documents:
Positive training documents are example documents that accurately portray the type of document you want to detect. Orchestria APM uses these documents to build a positive 'term pool', that is, a list of words and phrases that indicate a possible match. Negative training documents represent definite non-matches. Learning to recognize negative examples helps the agent exclude ambiguous documents and reduces the number of false hits. Orchestria APM uses these documents to build a negative 'term pool', that is, a list of words and phrases that indicate a possible non-match. Entries in the negative term pool are then subtracted from the positive 'term pool'.
For any agent, you need significantly more positive documents than negative documents. In fact, we recommend a ratio of no less than 5:1 in favor of positive training documents.
Test documents
You use these to calibrate content agents. When you have chosen your training documents, you can test the fledgling agent against a selection of test documents. For example, if you are training the agent to recognize customer enquiries about a specific product, include an actual customer e-mail as a test document.
When you test the agent, Orchestria APM displays a percentage score for each test document; your aim is to train the agent so that each test document scores as accurately as possible (that is, 'realistic' test documents score high and deliberately non-matching test documents score low). To maximize training effectiveness, all agents are tested automatically against their own, dedicated test documents and against a set of default test documents, see the next section.
Create an agent
In the Administration console: 1 If you have not already done so, select a Content Proxy server (see either the iConsole user guide or the Data Management Console guide; search the index for content searches, before you start). Right-click the Content Agent branch and choose New Agent, or click the New Agent button in the toolbar.
This adds a new, unpublished agent to the Content Agent branch. Give the agent a name that describes what type of documents it will be targeted at, such as Offensive e-mails or Product enquiries. You are now ready to train the agent, see the next section.
Add your training and test documents. When choosing your training documents, you can add any file types supported by Orchestria APM. For a list of file types with searchable content, see page 113. You can also add .EVL event link files to your training documents. These files point to Web or e-mail documents associated with the captured event. If you add an event link file, a sub-branch is added below the document branch. Expand this sub-branch to see copies of the documents associated with the event.
Content Agent branch (figure): agents Inappropriate humor, Airline reservations and Product enquiries, each with Positive Training Documents (here including My_event_link), Negative Training Documents and Test Documents sub-branches.
1.3 If you have not already done so, you can also set up a set of default test documents. See page 318.
Adding agent training and test documents: 1 Administration console. Select the target document branch. 2 Windows Explorer. Drag and drop your documents into the right-hand pane of the console.
Agent Testing dialog: 1 Scores indicate how well training and test documents match the document type targeted by the agent.
Test the agent Now you must test the accuracy of the agent. Right-click the unpublished agent and choose Test to open the Agent Testing dialog. Orchestria APM calculates a percentage score for each training and test document. The score quantifies how well the document matches the document type targeted by the agent. You want the realistic test documents to score as highly as possible, ideally matching the scores of the positive training documents (conversely, you want any deliberately non-matching test documents to score as low as possible). By definition, positive training documents should score very highly because they embody precisely the type of documents you want the agent to detect. A negative training document naturally scores lower; its actual score depends on how subtle the differences are between it and the positive training documents.
The first time you test a new agent, it is likely that the test documents will not score highly enough. In other words, the agent is not accurate enough to detect your test documents. This means you must adjust the agent definition; either you extend the range of training documents, or you adjust the agent properties. Or you can do both. Adjusting the agent properties is described in step 3.
of a new agent, you may need to iteratively adjust its properties until you are satisfied with the scores awarded to your test documents. Right-click the unpublished agent and choose Properties to open the Agent Properties dialog. Here you can adjust the following:
` Required words: You can define a list of compulsory words or phrases. All must be present in a target document for the content agent to confirm a match. In effect, this property specifies a Boolean AND condition. ` Disqualifying words: You can define a list of words
or phrases that indicate a definite non-match. If any are present, the agent disregards the target document and does not confirm a match. In effect, this property specifies a Boolean NOT condition. 4 When you are satisfied with the scores for your test documents, you are ready to publish the content agentsee the next section.
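The Required words (AND) and Disqualifying words (NOT) conditions above can be screened against a set of documents before an agent is published. The following is an added example written for this guide, not Orchestria APM code: it applies both conditions to constructed sample documents using whole-word, case-insensitive phrase matching, and reports which required phrases are missing and which disqualifying phrases were found. The similarity score that the Agent Testing dialog calculates is not modelled.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample documents; the names and text are illustrative only.
SAMPLE_DOCUMENTS: Dict[str, str] = {
    "booking_request": "Please confirm my flight reservation for Monday. Ticket number attached.",
    "booking_joke": "Please confirm my flight reservation. Just kidding, this is a joke!",
    "product_query": "Do you sell tickets for the flight simulator? Is it in stock?",
}


def phrase_pattern(phrase: str) -> re.Pattern:
    """Compile a case-insensitive, whole-word pattern for a word or phrase.

    Words inside the phrase may be separated by any run of whitespace, and the
    phrase must not sit inside a longer word ('pin' must not match 'shipping').
    """
    words = [re.escape(w) for w in phrase.split()]
    return re.compile(r"(?<!\w)" + r"\s+".join(words) + r"(?!\w)", re.IGNORECASE)


def evaluate_conditions(text: str, required: Iterable[str],
                        disqualifying: Iterable[str]) -> dict:
    """Apply the Required words (AND) and Disqualifying words (NOT) conditions.

    The document can only be confirmed as a match when no required phrase is
    missing and no disqualifying phrase is present.
    """
    missing = [p for p in required if not phrase_pattern(p).search(text)]
    found = [p for p in disqualifying if phrase_pattern(p).search(text)]
    return {
        "match": not missing and not found,
        "missing_required": missing,
        "disqualifying_found": found,
    }


def screen_documents(documents: Dict[str, str], required: List[str],
                     disqualifying: List[str]) -> Dict[str, dict]:
    """Evaluate every document and return the per-document verdicts."""
    return {name: evaluate_conditions(text, required, disqualifying)
            for name, text in documents.items()}


if __name__ == "__main__":
    verdicts = screen_documents(SAMPLE_DOCUMENTS,
                                required=["flight reservation", "confirm"],
                                disqualifying=["joke", "just kidding"])
    for name, verdict in verdicts.items():
        print(name, verdict)
```

Running the block screens the three constructed documents with an airline-reservation agent definition: only booking_request passes, booking_joke is disqualified, and product_query lacks both required phrases.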
[Figure: User Policy: Example content agent triggers]
2 Double-click the Agent Names setting. In the Properties dialog, click Add and choose the agent you want. Only published agents can be used by a content agent trigger.
3 Save the policy changes.
Note: For details about unpublishing and republishing agents, see page 323.
Unpublishing an agent
To unpublish an agent, right-click a published agent and choose Unpublish. This is useful if, for example, you are dissatisfied with an agent's definition and you want to withdraw it from the user policy until it has been redefined. But see the policy trigger warning below.
Republishing an agent
In the future, you may want to republish an agent. For example, based on your experience of observing how the content agent triggers work, you may decide to alter the agent definition in order to improve its accuracy. To do this, you simply retrain the agent and then republish it. All triggers that use this agent will automatically start using the updated agent definition. When you are ready to do so, right-click a published agent and choose Republish. To undo any changes you make while retraining a published agent (for example, changes to the training documents or agent properties), right-click the agent and choose Undo Changes. This restores the agent to its original state.
Deleting an agent
Right-click an agent and choose Delete. But see the policy trigger warning below.
Policy trigger warning: When you unpublish an agent, the policy will continue to operate, but:
- If a trigger uses a single agent and that agent is subsequently unpublished, the trigger is effectively disabled.
- If a trigger uses multiple agents, only the unpublished agent will cease to operate; other agents are unaffected.
Cloning an agent
As a shortcut to creating a new agent, you can simply clone an existing agent and then amend its training documents or agent properties as required. Right-click any existing agent and choose Clone.
14. Troubleshooting
This chapter provides the information you need to solve problems that may arise when you use Orchestria APM. Note that you can also contact technical support if problems persist; see page 24 for contact details.
- Although one of the users associated with a participant is in your management group, they were not when the event was captured or imported. Management group boundary enforcement is based on a participant's user group at the time of capture. For example, if an e-mail sender was not in your management group when the e-mail was captured, you cannot search for that e-mail at a later date, even if the sender has subsequently been moved into your management group. To override management group constraints, you can assign the Admin: Disable management group filtering privilege to an administrator. This is described on page 44.
- The events you are searching for have already expired. That is, their minimum retention period has expired and they have been purged from the CMS database.
- The event you are searching for has a capture date in the future. Such events are excluded from search results until after the capture date. This can only happen if the system clock is set to the wrong date on the relevant source machine (for example, a client machine hosting the Outlook client agent or, for imported e-mails, the sender's machine).
- No event participants are associated with Orchestria APM users. For example, this can happen if you import e-mails or IM data but fail to keep e-mail addresses for your Orchestria APM users up to date. In this situation, Orchestria APM may be unable to map event participants to existing Orchestria APM users.
- None of the Orchestria APM users associated with participants fall within your management groups. You can only retrieve search results for users belonging to groups within your management branches.
E-mails
E-mails are not captured by recipient-based policy if the user is offline
This problem can only occur with client integration when outgoing e-mail triggers are configured to perform recipient lookup operations.
Orchestria APM policy triggers can be configured to look up recipient details on an Exchange or Domino server in order to process outgoing e-mails. If this is the case and an e-mail is sent to a distribution list, Orchestria APM extracts details for each member of the list. But if a user sends an e-mail while disconnected from their organization's e-mail server, Orchestria APM cannot connect to Exchange or Domino and so cannot extract details for members of distribution lists saved in the local address book. As a result, e-mail triggers set up to detect specific recipients may not fire and the e-mail will not be captured or controlled.
This problem applies to users working offline in Microsoft Outlook and running Lotus Notes in island mode. In Outlook, you cannot expand distribution lists when working offline. In Lotus Notes, you can expand distribution lists when working in island mode, but only if the local address books have been synchronized with those on the Domino server.
To ensure that any policy triggers dependent on recipient details are correctly applied to e-mails sent under these conditions, we strongly recommend installing a hybrid client and server agent deployment. In practical terms, this means you must explicitly configure the Exchange or Domino server agent to reprocess e-mails already processed by an Outlook or Notes client agent.
Note: If you do install both client and server agents, you must edit the ReprocessClientEmails registry value on the Exchange or Domino server; for details, see the Deployment guide.
This problem can only occur if a Web page has been designed so that passwords are submitted as hidden data. Normally, when Orchestria APM monitors data submitted to a Web page, it looks in the page's HTML source code for <INPUT type=password> input fields. It then infers that any value entered in this field is a password and must be obscured. But some Web pages submit passwords using other field types, such as <INPUT type=hidden>. Orchestria APM is unable to recognize these passwords and assumes that any information submitted using these input fields is not sensitive and does not need to be obscured. If this problem affects captured data on your CMS, the only solution is to turn off capturing of submitted form data. This is described on page 128.
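Because the password-obscuring rule described above keys solely on <INPUT type=password>, it is worth checking the HTML of your own internal Web applications for credential fields declared with some other input type before form capture is enabled. The following is an added example, not Orchestria APM code: it parses a page with Python's standard HTML parser and lists every field whose name looks like a credential (the name pattern is an assumption; adjust it to your naming conventions) but whose declared type is not password. The sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Assumed naming convention for credential fields; tune to your own applications.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|(?<![a-z])pin(?![a-z])", re.IGNORECASE)

# Constructed sample page: one form declares its password correctly, the
# legacy form sends it as hidden data and a PIN as a plain text box.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <INPUT type=password name="passwd">
</form>
<form action="/legacy-login" method="post">
  <input type="text" name="user">
  <input type="hidden" name="pwd">
  <input type="hidden" name="csrf_token">
  <input name="pin_code">
</form>
</body></html>
"""


class FormFieldCollector(HTMLParser):
    """Collect (form action, field name, input type) for every <input> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.current_action: Optional[str] = None
        self.fields: List[Tuple[Optional[str], str, str]] = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names; a valueless attribute yields None.
        attr = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.current_action = attr.get("action", "")
        elif tag == "input":
            # An <input> without a type attribute is a text box.
            self.fields.append((self.current_action,
                                attr.get("name", ""),
                                attr.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None


def find_unmasked_credential_fields(html: str) -> List[Tuple[Optional[str], str, str]]:
    """Return credential-looking fields that are not declared as type=password.

    A monitor that only recognizes <INPUT type=password> will not obscure the
    values submitted through these fields, so they are the ones to review.
    """
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return [(action, name, ftype) for action, name, ftype in parser.fields
            if ftype != "password" and SENSITIVE_NAME.search(name)]


if __name__ == "__main__":
    for action, name, ftype in find_unmasked_credential_fields(SAMPLE_HTML):
        print(f"form {action}: field '{name}' is type={ftype}, would not be obscured")
```

On the constructed page the scan reports the hidden pwd field and the plain-text pin_code field of the legacy form; the correctly declared passwd field and the csrf_token field are not reported.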
Chapter 14 Troubleshooting
Outlook integration stops working for Outlook 2002 (XP), 2003, or 2007
The Office Safe Mode feature in Microsoft Outlook 2002 (XP), 2003 and 2007 can disable (sometimes silently) Outlook add-ins that are deemed to prevent Outlook from functioning correctly. This can result in the Orchestria APM Outlook Integration feature (wgnemol.dll) being disabled.
If you notice that e-mail triggers have stopped working for Outlook 2002 (XP), 2003 or 2007, we recommend that you first check the Outlook list of disabled items. If the Orchestria APM Outlook Integration feature is listed, try to re-enable the feature. There are two methods for doing this.
Note: If these methods fail to fix the problem, please contact the Orchestria APM service desk (see page 24 for contact details).
Manual re-enabling
1 On the affected machine, open Microsoft Outlook and choose Help > About Outlook. In the About dialog, click the Disabled Items button.
2 In the Disabled Items dialog, enable the wgnemol.dll add-in (if listed).
3 Restart Microsoft Outlook.
Automatic re-enabling
To set up automatic re-enabling, you must manually add certain values to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Orchestria\Active Policy Management\CurrentVersion\Email
Within this registry key, the registry values that you need to add are:
OutlookMonitorIntervalInSeconds
Type: REG_DWORD
Data: Defaults to 5 seconds. While Orchestria APM is running, this value determines how often Orchestria APM checks whether the Outlook client agent is disabled in the current session. Specifically, it checks the registry for the wgnemol.dll name and path.
OutlookRepairDisabledExtension
Type: REG_DWORD
Data: Defaults to zero. Determines whether to re-enable the Outlook client agent if it is found to be disabled. If this registry value:
Outlook had disabled the Outlook client agent but Orchestria APM has since re-enabled it (for example when Microsoft Outlook is restarted), it writes a Windows application log entry to that effect.
Instead, if the manager wants to forward the redirected e-mail to someone else, they can:
- Forward the notification e-mail, with the redirected e-mail still included as an attachment.
- Open the attachment and forward the redirected e-mail to its intended recipient (using the Forward
These restrictions do not apply to Lotus Notes. When you forward an e-mail in Notes, for example to a manager, it is included as a message thread in a notification e-mail. If the manager wants to send the e-mail to someone else, they can simply forward the notification e-mail in the normal way.
What happens if Orchestria APM captures an e-mail or attachment that has a virus?
If your virus scanners fail to prevent a virus attack, infected e-mails may be captured and saved in your Orchestria APM database.
If your organization suffers a virus attack, there is a risk that infected e-mails or attachments may be captured and saved in your Orchestria APM database. If this happens, you must delete any infected e-mails or attachments from all affected Orchestria APM databases (on the CMS plus any gateways or client machines that may also be at risk) as part of your cleanup operations after the attack.
If this user is in a distribution list, the user information in that list will not match parallel information in the Offline Address Book until both lists are synchronized. If the distribution list is then the recipient of an e-mail, the fact that its user information differs between the Active Directory and Offline Address Book may result in a trigger not firing. The Microsoft Knowledge Base has an existing workaround, which is also valid for this problem. For details, see article KB831124.
If Outlook is not running and you try to send an audit e-mail from the iConsole you may sometimes find that the e-mail remains unsent without your being notified. This is because there is temporarily no MAPI connection between Outlook and the Exchange Server. The e-mail is sent as soon as Outlook is running again.
There are delays when sending e-mails to many recipients or large distribution lists
Processing delays before an e-mail is sent can occur when Orchestria APM extracts the full details for each recipient from the e-mail server. To alleviate these delays, you can limit the volume and type of information that is retrieved.
By default, Orchestria APM extracts full details for each recipient from the organization's user directory when processing outgoing e-mails. But if the e-mail is sent to many recipients, or to a very large or heavily nested distribution list, delays can occur while these details are retrieved from the organization's user directory. The problem is exacerbated by slow connections between the sender's Orchestria APM machine and the organization's user directory. For Microsoft Outlook users, the problem can be alleviated by editing the user policy or configuring the registry.
Edit the user policy
In the System Settings folder, edit these settings:
Maximum Size of E-mail Distribution Lists: Specify a threshold number of list members. After expanding this number of recipients from a distribution list, or if Orchestria APM detects that expanding a nested distribution list would exceed this number, no further individual recipients are extracted from that list. Details for all extracted recipients are saved as attributes of outgoing e-mails and can be viewed in the Data Management console. Details of non-extracted recipients are not saved.
Retrieve Full Information for Outgoing E-mail Recipients?: If you set this to False, the Outlook plug-in only extracts basic information from the Global Address List for each recipient. This includes the recipient's display name, e-mail address and the address format. It does not include a recipient's 'true' display name or e-mail address aliases. When using Exchange/Domino server integration, the recipient's true display name is retrieved, but e-mail aliases are not.
Note: This may affect other triggers which include display names or address aliases in, for example, an Included Addresses list.
Configure the registry
You can configure the registry to specify the maximum number of recipients that can be extracted from all distribution lists (excluding personal distribution lists) in a single e-mail. When Orchestria APM expands a distribution list and the cumulative number of extracted recipients reaches this maximum limit, no further recipients are extracted from that list or any other lists not yet expanded. The registry value you need to configure is located in the following registry key:
HKLM\Software\Orchestria\Active Policy Management\CurrentVersion\EMail
In this key, configure the following registry value:
MaxNumExpandedRecipients
Type: REG_DWORD
Data: Set this to the maximum number of recipients you want to extract from all distribution lists in a single e-mail. Set to zero to allow the extraction of an unlimited number of recipients.
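The two limits described above interact: the per-list threshold stops expansion of one list (including the case where a nested list would push it over the threshold), while the registry cap stops extraction across every list in the e-mail, including lists not yet expanded. The following is an added example, not Orchestria APM code, that models both rules over a constructed directory of nested distribution lists so that their effect on which recipients are extracted (and therefore on which triggers can fire) can be seen. The directory, the function names and the assumption that direct recipients do not count against either cap are the author's own.

```python
from typing import Dict, List, Set, Tuple

# Constructed directory: a list's members are addresses or the names of other lists.
DIRECTORY: Dict[str, List[str]] = {
    "dl-sales": ["alice@example.com", "bob@example.com", "dl-sales-emea"],
    "dl-sales-emea": ["carol@example.com", "dan@example.com", "erin@example.com"],
    "dl-all-staff": ["frank@example.com", "grace@example.com",
                     "heidi@example.com", "dl-sales"],
}


class _ListStop(Exception):
    """Raised while walking one list when no more recipients may be taken from it."""


def flat_size(name: str, directory: Dict[str, List[str]], seen=()) -> int:
    """Number of individual addresses a list resolves to, visiting nested lists once."""
    seen = set(seen) | {name}
    total = 0
    for member in directory[name]:
        if member in directory:
            if member not in seen:
                total += flat_size(member, directory, seen)
        else:
            total += 1
    return total


def expand_recipients(recipients: List[str], directory: Dict[str, List[str]],
                      max_list_size: int = 0, max_total: int = 0) -> Tuple[List[str], List[str]]:
    """Expand an e-mail's recipients under the per-list and cumulative limits.

    max_list_size models 'Maximum Size of E-mail Distribution Lists' (0 = no limit);
    max_total models MaxNumExpandedRecipients (cumulative across lists, 0 = unlimited).
    Returns (extracted addresses, lists whose expansion was cut short or skipped).
    """
    extracted: List[str] = []
    truncated: List[str] = []
    state = {"from_lists": 0, "cap_reached": False}

    def walk(name: str, counter: dict, seen: Set[str]) -> None:
        for member in directory[name]:
            if member in directory:
                if member in seen:
                    continue  # ignore list cycles
                # Expanding the nested list would push this list past its threshold.
                if max_list_size and counter["n"] + flat_size(member, directory) > max_list_size:
                    raise _ListStop
                walk(member, counter, seen | {member})
            elif member in extracted:
                continue  # already present directly or via another list
            else:
                if max_list_size and counter["n"] >= max_list_size:
                    raise _ListStop
                extracted.append(member)
                counter["n"] += 1
                state["from_lists"] += 1
                if max_total and state["from_lists"] >= max_total:
                    state["cap_reached"] = True  # every remaining list yields nothing
                    raise _ListStop

    for recipient in recipients:
        if recipient not in directory:
            if recipient not in extracted:
                extracted.append(recipient)  # direct recipients do not count against the caps
        elif state["cap_reached"]:
            truncated.append(recipient)  # not yet expanded when the cumulative cap was hit
        else:
            try:
                walk(recipient, {"n": 0}, {recipient})
            except _ListStop:
                truncated.append(recipient)
    return extracted, truncated


if __name__ == "__main__":
    print(expand_recipients(["ivan@example.com", "dl-sales"], DIRECTORY))
    print(expand_recipients(["dl-sales"], DIRECTORY, max_list_size=4))
    print(expand_recipients(["dl-sales", "dl-all-staff"], DIRECTORY, max_total=3))
```

With max_list_size=4, dl-sales yields only alice and bob because expanding the three-member dl-sales-emea would exceed the threshold; with max_total=3, extraction stops at the third address and dl-all-staff is not expanded at all. Recipients that are not extracted are exactly those whose details a recipient-based trigger cannot see.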
iConsole
Unable to download or forward .msg files
The iConsole permits you to download an .msg file containing a copy of the original e-mail, or to forward this .msg file to a colleague. When the application server is using IIS 5.x, users may encounter error messages when trying to download or forward original .msg files. In order for IIS 5.x to use MAPI services on the application server, the local IWAM_<machinename> user must have local administrator rights; for details, see the Deployment guide.
Typically, an audit e-mail contains the original .msg file as an attachment. If this is the case, and the e-mail failed to send, users will encounter the following error message on trying to resend the same e-mail:
System.Reflection.TargetInvocationException:
This error occurs because when the iConsole sends an e-mail with an attachment, it creates a temporary file for the attachment, which is then deleted when the e-mail is sent. If the SMTP server is not running or the connection is not configured correctly, then the temporary file is not deleted and the e-mail cannot be sent. To enable the iConsole to send audit e-mails with or without the original .msg file, you must first ensure that the SMTP server is correctly configured and running (see page 79), and then restart IIS.
Web pages
Can I disable Windows Explorer integration?
Yes. You can configure this when you install Orchestria APM client integration features.
By default, the Microsoft Internet Explorer Integration feature enables capture or control of any Web activity in Internet Explorer or Windows Explorer. But you can use an Msiexec.exe variable to turn off integration with Windows Explorer. This is described in the Deployment guide; search the index for Windows Explorer.
When the Internet Explorer and Outlook integration features are installed on the same machine, Orchestria APM automatically integrates with the Microsoft Outlook browser. That is, if a user surfs the Web using Outlook as a browser, Orchestria APM can capture and control this activity. But you can use an Msiexec.exe variable to turn off integration with the Outlook browser. This is described in the Deployment guide; search the index for Microsoft Outlook.
Note: If you disable integration with the Outlook browser, this does not affect e-mail monitoring. Orchestria APM continues to monitor Outlook e-mail activity as normal.
This is caused by misconfigured security settings for Internet Explorer. By default, these settings cause Internet Explorer to cache each secure Web page browsed during a single session. So if a user revisits the page, the page is loaded from the cache instead of the Web server. As a consequence, Orchestria APM is unable to verify the security settings during subsequent visits to the page, effectively nullifying the keystrength exemption settings in your control triggers. To fix this problem, you must adjust the Internet Explorer security settings on each client machine in your Orchestria APM installation:
1 Open Internet Options in the Control Panel.
2 Go to the Advanced tab and scroll down to the Security settings.
3 Switch on the Do not save encrypted pages to disk setting. (By default, this setting is turned off; that is, the check box is not selected.)
The Web page shown in the console does not match the Web page I saw in my browser
This can arise when you capture Web pages while active scripting is enabled in your browser. It cannot occur if active scripting is disabled.
When Orchestria APM displays Web pages in the console, it does so with active scripting disabled. This prevents captured Web pages from behaving in a way that could be undesirable. For example, because scripting is disabled, you can safely click a Submit Order button in any captured page without risk of re-submitting your order. This means that, potentially, a Web page in the console can differ slightly from the page you saw in the browser. For example, animated adverts typically display as static adverts. In effect, the console displays Web pages as the site authors intended when browsed by users who have scripting disabled. Wherever possible, Orchestria APM uses intelligent processing to eliminate these differences. However, the degree of mismatch between Web pages in the console and in your browser depends on how the site authors have implemented the <SCRIPT> and <NOSCRIPT> tags in the HTML source code.
Typically, sites are designed so that important information always displays, regardless of whether the browser has scripting enabled. But some poorly designed sites effectively close down if scripting is disabled; instead, they simply show a message such as "Sorry, you don't have Javascript enabled on your browser. Please enable Javascript and refresh this page." In this situation, the page versions in the console and browser will not match.
Note: These problems can only affect browsers which have active scripting enabled. You can eliminate this problem entirely by disabling scripting on your browser. Indeed, it is the policy of many organizations to disable active scripting because of the security risks posed by JavaScript. If your Windows administrator has granted you the necessary permissions, you can disable active scripting yourself:
1 In Internet Explorer, choose Tools > Internet Options.
2 In the Security tab, select the Internet zone and click Custom Level.
3 In the Security Settings dialog, scroll the list to find the Active Scripting settings.
User Administration
Can I rename users?
Yes, but this can be a complicated area and depends entirely on how your CMS policy handles new users.
The key policy determinant is the Use Microsoft Windows User Authentication? setting:
- If your Orchestria APM installation is configured to use Microsoft Windows user authentication, you must ensure that any changes to an Orchestria APM user name or its corresponding native Windows user name are closely co-ordinated. See the next section.
- If Orchestria APM is not configured to use Microsoft Windows user authentication, you must ensure that the renamed user is aware that their account name has changed! See page 334.
The second policy determinant is the Account Handling for New Users setting. This controls how the CMS handles new (or unrecognized) users. This setting becomes important if, after renaming a user, you fail to meet the requirements described above. The relationship between these policy settings when you rename a user is summarized below:

How CMS policy settings affect user renaming

Use Microsoft Windows        Account Handling for new users
User Authentication?         Create new user account    Disable applications or Ignore
True                         Scenario 1                 Scenario 2
False                        Scenario 3                 Scenario 4

Details about each scenario are given in the following sections.
Windows user authentication is used
If your Orchestria APM installation does use Microsoft Windows user authentication, you must synchronize any name changes for Orchestria APM users with identical changes for the corresponding native Windows users. This is because Orchestria APM generates and maintains a mapping between each Orchestria APM user account and its corresponding native Windows user account. This means that users do not have to log on to Orchestria APM each time they start up their browser or e-mail application. If you fail to synchronize these account name changes (that is, you rename one but not the other), the mapping will be broken. To restore this mapping, you must apply the missing name change as soon as possible. Specifically, you must do this before the user next logs on to Orchestria APM (when they start up their browser or e-mail application). If you fail to do so, the consequences depend on how the Account Handling for New Users setting is configured:
Scenario 1 - Create new account: Orchestria APM no longer recognizes the user's native Windows credential and so creates a new Orchestria APM user account in the default user group. It is not possible to merge this new user account with the existing account.
Scenario 2 - Disable applications or Ignore: Orchestria APM no longer recognizes the user's native Windows credential and so either waives policy management and allows unrestricted Web and e-mail usage or disables the user's browser and e-mail application.
Ideally, we recommend that you rename the Orchestria APM user account before renaming the native Windows user account. This minimizes the risk of suffering the consequences described above. In practice, the native Windows user name may have changed first, in which case you must rename the Orchestria APM user as soon as possible.
Windows user authentication is not used
If your Orchestria APM installation does not use Microsoft Windows user authentication, Orchestria APM user accounts exist independently of any native Windows user account. This means you can safely rename any Orchestria APM user but you must ensure that the user knows their new account name (and password) before they next log on to Orchestria APM by starting up their browser or e-mail application. If the user attempts to log on to Orchestria APM using their old credentials (user name and password), then the consequences depend on how the Account Handling for New Users setting is configured:
Scenario 3 - Create new account: Orchestria APM no longer recognizes the user's old credentials and so creates a new Orchestria APM user account in the default user group. It is not possible to merge this new user account with the existing account.
Scenario 4 - Disable applications or Ignore: Orchestria APM no longer recognizes the user's old credentials and so either waives policy management and allows unrestricted Web and e-mail usage or disables the user's browser and e-mail application.
As soon as the user logs on to Orchestria APM using their new user name (and password), their user policy resumes normal operation.
Policy
A policy is no longer working or can no longer be edited
This is due to a corrupt policy. When you try to edit a corrupt policy, an error message indicates a failure to load a policy from the database.
A corrupt machine policy causes all Orchestria APM operations to stop on that machine. For example, the infrastructure and any browser e-mail integration features will stop working. If a common client machine policy or a common gateway policy is affected, this will affect all client machines or all gateways respectively. If a user policy is corrupted, all policy settings stop working. In particular, triggers will not activate. It may also cause e-mail and Web applications to be disabled, depending on how the Infrastructure Failure setting is configured (see page 140). The position of the associated user or group within the user hierarchy is also important because any child policies will also be adversely affected.
To overcome a corrupt policy:
1 First, you must identify the .BLB file containing the corrupt policy. To identify the corrupt policy, run:
wgninfra -exec wigan/infrastruct/policy/PolicySetup PolicyCheck
Note: These commands are case-sensitive.
This command forces Orchestria APM to examine each policy file on the CMS. If a corrupt policy is detected, an identifying entry is written to the latest System log (see page 31).
2 When you have identified the corrupt policy and the associated file, please contact the service desk for further advice. For contact details, see page 24.
Machine administration
Client machines and gateways are unable to connect to the CMS
A change to the CMS system clock can, in specific circumstances, prevent client machines and gateways from connecting to the CMS.
A change to the CMS system clock can sometimes cause subsequent connection attempts by client machines or gateways to fail. (This is because key service objects on the CMS are mistakenly deleted as a result of the unexpected time change.) The problem is very rare, but if it happens the following error message is written to the Orchestria APM system log on the client machine or gateway (you may also see it on-screen):
java.rmi.NoSuchObjectException: no such object in table
If you suspect that this problem has occurred, or you see this error message, you must restart the Orchestria APM infrastructure on the CMS (see page 63).
Note: All logfiles are saved in the \data\log subfolder in the Orchestria APM installation folder. For further details about finding and viewing log files, see the Administration console online help; search the index for logfiles.
CMS and gateways: Renaming the CMS or a gateway can cause severe communication problems between the server and its child machines. This is due to the authentication mechanism used by Orchestria APM machines to ensure data security.
Client machines: You can rename client machines, but be aware that Orchestria APM handles the renamed client as though it were a new machine. That is, the renamed machine is given a new account and inherits the common client policy. If the local machine policy previously contained customized settings, these will be lost when the client is renamed. You will need to re-configure these settings in the policy for the new machine account.
Replication
Why can't I switch off replication when I connect to the CMS over a WAN or dial-up connection?
When an Orchestria APM machine is connected to its parent server over a WAN or using a dial-up connection, it continues to replicate captured data to the parent even if its machine policy specifies that it does not replicate data over slow links.
Normally, the ability to turn off replication over slow network links is controlled by the Replicate Captured Data on Slow Links setting in the machine policy (see the Infrastructure > Replication folder). But if the file sensapi.dll is missing, Orchestria APM handles this setting as though it were set to True (even if it is set to False in the actual policy). In other words, replication is continuous. It also adds an entry to the Audit log file once per session:
W0078 This machine cannot detect low-bandwidth network connections.
To restore the ability to turn off replication over slow network links, you must install the Offline Browsing Pack on the affected machine, then restart the Orchestria APM infrastructure.
Note: The Offline Browsing Pack is a component of Microsoft Internet Explorer. Sensapi.dll is part of the Offline Browsing Pack.
Under certain network conditions, a broken remote procedure call between Orchestria APM machines can trigger a communication timeout. Because the default timeout can be lengthy (hours, rather than seconds), it can appear as though replication has been permanently lost. In fact, if communication resumes between the machines, data replication will resume automatically when the timeout expires. But for usability purposes, you may want to configure a shorter timeout:
1 On both the Orchestria APM machines, go to the Orchestria APM installation.
2 In the \System subfolder locate (or create) the file jvm.properties.
3 Add the following line to this file:
jvm.define1=sun.rmi.transport.tcp.readTimeout=120000
This resets the idle connection timeout to two minutes (that is, 120,000 milliseconds), so eliminating the perception that replication has stopped completely.
4 On both machines, restart the Orchestria APM service. For details, see page 63.
Database problems
I cannot connect to the CMS because the credentials for the Orchestria APM logon account have changed
When you attempt to connect to a CMS in the Administration console, you cannot do so. An error message indicates that The logon failed and the error description reads Unable to connect to the database. (Startup Error).
Orchestria APM uses a logon account to access the CMS database. You cannot connect to the CMS if the password for the logon account has been changed on your database server (say, for security reasons) and the Orchestria APM infrastructure has subsequently been restarted but Orchestria APM has not yet been supplied with the new password. (Under normal conditions, you would supply Orchestria APM with the updated system database credentials, see page 37, before you restart the infrastructure.) The workaround is to run the following command from the \System subfolder of your Orchestria APM installation folder. This will update Orchestria APM with the new credentials:
wgninfra -exec wigan/schema/Schema UpdateDBPassword "<DBpassword>"
Where <DBpassword> is the new password for the Orchestria APM logon account on your database server. If the password includes spaces, remember to enclose it in quotes.
Orchestria APM suddenly stops working after a database operation such as running a search or updating a statistic
This problem affects client machines only and can manifest itself in various ways. For example, you may be unable to log on to an Orchestria APM console or use your browser. If a console is already running when the problem occurs, it may become disabled and generate numerous error messages. On a client machine with no capture lights visible in the browser taskbar, the only evidence of the problem may be that capture and control settings are no longer operative.
This is a known problem and only affects client machines running Microsoft Jet. To fix this, apply the latest Jet service pack and restart the Orchestria APM infrastructure service. For details, see article Q304536 on the Microsoft Product Support Services Web site.
Diagnosis: System log
You can diagnose whether a client machine is suffering from this problem or an unrelated issue by examining the contents of the System logfile in the Orchestria APM console. If this problem is indeed affecting the client machine, the System logfile will contain multiple error messages such as:
Object invalid or no longer set
Too many tables open
Cannot open any more tables
Fix: Apply Jet 4.0 service pack 6
If a client machine is affected by this problem:
1 Open Computer Management (Local) and select Services.
2 Stop the Orchestria APM infrastructure. To do this, select the service Orchestria Active Policy Management Infrastructure and choose Action > Stop.
3 Apply Microsoft Jet 4.0 Service Pack 6. You can download this service pack from the Microsoft Product Support Services Web site.
4 Restart the Orchestria APM infrastructure (see step 2 for details of how to do this).
338
Dial-up connections
Why must I enter my dial-up details even if I connect to the CMS over a LAN?
Laptop users who normally connect to the CMS using a dial-up connection may be prompted for their dial-up connection details if they subsequently connect to the CMS over a LAN.
This problem typically affects machines running English versions of Windows. Orchestria APM consoles can display captured or imported events and user names that contain strings of Far Eastern characters. But first you must set up your console machines and (if required) your Oracle database to provide Unicode support.
This is caused by misconfigured dial-up settings for Internet Explorer. To prevent the Dial-up Connection dialog from appearing, laptop users must edit the dial-up settings in their Internet Explorer properties. To do this, they must: 1 2 3 Open Internet Options in the Control Panel. Go to the Connections tab. In the Dial-up Settings list, choose Dial whenever a network connection is not present.
Client machines: You need to implement Unicode support on all Orchestria APM client machines that are likely to capture e-mails and other events containing Unicode characters (for example, Far Eastern text captured on an English OS). To do this, you need to edit the startup.properties file. For details, see the Deployment guide; search the index for startup.properties: UTF-8. Oracle database: If your Orchestria APM installation uses an Oracle database, you must also set up the database for Orchestria APM to use UTF-8 encoding for the DBMS code page. For details, see the Deployment guide; search the index for UTF-8. i There is no equivalent requirement for SQL
Server databases. SQL Server databases automatically support Unicode characters.
This is caused by a missing file, sensapi.dll. You can find a full discussion of this issue in the Machine administration section on page 336.
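The Jet diagnosis above says to look in the System logfile for multiple occurrences of three specific error messages, and to treat anything else as an unrelated issue. The following script is an added example (not part of the Orchestria manual or product) that applies that check to an exported copy of the logfile. The timestamp/level line layout in SAMPLE_LOG is constructed for the example; only the three message texts come from the manual.

```python
"""Scan a System logfile export for the Microsoft Jet error messages
named in the troubleshooting text. Added example, not Orchestria code;
the log line format used below is an assumption."""
from collections import Counter

# The three messages the manual lists as symptoms of the Jet problem.
JET_ERRORS = (
    "Object invalid or no longer set",
    "Too many tables open",
    "Cannot open any more tables",
)

# Constructed sample log (not real Orchestria output); the
# "<date> <time> <LEVEL> <message>" layout is assumed.
SAMPLE_LOG = """\
2008-03-04 09:12:01 INFO  Infrastructure started
2008-03-04 09:15:22 ERROR Search failed: Object invalid or no longer set
2008-03-04 09:15:23 ERROR Statistic update failed: Too many tables open
2008-03-04 09:15:24 ERROR Cannot open any more tables
2008-03-04 09:16:00 ERROR Connection to CMS lost
2008-03-04 09:16:05 ERROR Search failed: Object invalid or no longer set
"""


def is_jet_line(line):
    """True if the line carries one of the known Jet messages (case-insensitive)."""
    lowered = line.lower()
    return any(msg.lower() in lowered for msg in JET_ERRORS)


def count_jet_errors(log_text):
    """Return a Counter of how often each Jet message appears in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        for msg in JET_ERRORS:
            if msg.lower() in line.lower():
                counts[msg] += 1
    return counts


def likely_jet_problem(log_text, threshold=2):
    """The manual says *multiple* such messages indicate the Jet problem,
    so require at least `threshold` hits before pointing at Jet SP6."""
    return sum(count_jet_errors(log_text).values()) >= threshold


def other_errors(log_text):
    """ERROR lines that are not Jet symptoms; these need separate investigation."""
    return [
        line for line in log_text.splitlines()
        if " ERROR " in line and not is_jet_line(line)
    ]


if __name__ == "__main__":
    for msg, n in count_jet_errors(SAMPLE_LOG).items():
        print(f"{n:3d}  {msg}")
    if likely_jet_problem(SAMPLE_LOG):
        print("Multiple Jet messages found: apply Jet 4.0 SP6 and restart the infrastructure.")
    for line in other_errors(SAMPLE_LOG):
        print("Unrelated error:", line)
```

Run it against a saved copy of the logfile by replacing SAMPLE_LOG with the file contents; the threshold of two is a conservative reading of "multiple" and can be raised for noisy logs.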
Index
A B C D E F G H J K L M N O P Q R S T U V W X Y Z
Wildcards and variables
__ (double underscore) delimiters, in notification messages, 259 ? wildcard document classifications, 180 policy lists, 108 { } brackets document classifications, 180 * wildcard document classifications, 180 policy lists, 108 %Address% variable, 254 %Application% variable, 254 %ApplicationPath% variable, 254 %BCC% variable, 254 %category% variable, 167 %CC% variable, 254 %CCN% variable, 255 %Default% variable, 255 %From% variable, 255 %Keystrength% variable, 255 %Keystring%, %Keyword%, %Keywords% variables, 256 %MailDateTime% variable, 256 %MONEY% variable, 180 %Site% variable, 256 %SSN% variable, 255 install system definition file, 38 %Subject% variable, 256 %To% variable, 257
%URL% variable, 257 < > operators data lookup commands, 283 | symbol (logical OR) document classifications, 180
472 SEC requirement, 312
A
acceptable usage message, 55 Account Import data files, 54 LDAP, importing from, 54 machine policy setting, 147 machines, 73 Account Import wizard logfiles, 90 users, 54 actions capture actions, 132 Application Monitor, 132 Data At Rest, 132 Data In Motion, 132 e-mails, 132 Web pages, 132
control actions Application Monitor, 137 Data At Rest, 137 e-mails, 136 overview, 236 settings, 136 overview, 136 Web pages, 136 overview, 233 transactions, 139 Active Directory, 54 activity logfiles, 89 machine policy settings, 147 %Address% variable, 254 Address Book lookup, 272, 298 examples, 298 syntax, 275 address lists dynamic, 38 user properties, 51 address matching, e-mails and policy lists, 109 Administration console console only installations, 62 options, 36 overview, 25 tools, 36 administration searches, 30, 93 overview, 94 predefined searches, 94 running, 94
saving, 96 search filters, 96 administrative privileges See privileges administrators creating, 56 primary administrator, 56 responsibilities, 21 Adobe PDF files, searching content, 114 advisory dialogs See notification dialogs age of events, calculating, 81 agents content agents, 317 Domino server agent, 263 Exchange server agent, 263 AND operator spaces in e-mail addresses, 109 application events, 206 application integration, disabling system settings, 141 See also browser integration See also e-mail integration application monitor, 242 capture triggers, 205 capturing application usage, 205 control triggers, 243 icons, 218 System settings, 140 triggers, 144 turning off monitoring, 206 zero activity events, 206 %Application% variable, 254 %ApplicationPath% variable, 254 archive files searching for text content, 115 archive integration, 204 archive list for file events, 209 ASDL, troubleshooting, 336 assigned policy version, 125
assisted categorization, 155 attachments Attachments triggers, 144 display options, 202 searching content for key text, 113 unable to capture, 203 unreadable capture triggers, 202, 212 control triggers, 261 transaction triggers, 196 viruses, 328 attributes policy folders and settings, 116 users, 51 data lookup commands, 274 filtering event import operations, 147 <attribvalue> lookup operator, 279 audit e-mails, 309 auditing privileges, 305 auditing See event auditing authorized activity, definition, 219 autoheed timeout, for interactive warnings, 269 automatic replies to e-mails identifying the source e-mail, 240 Reply overview, 237 setting up, 252 blob files purging, 80 Block with notification option, for Intervention setting, 222, 223 blocking Blocking dialog, 222 blocking user activity, 222, 223 control event, 217 Bloomberg alias addresses, 110 branch policy branch inheritance, 119 browser cannot access, 337 capture lights, 55 integration, disabling infrastructure failure, 76 msiexec.exe, 76 system settings, 210 Microsoft Outlook, 331 security settings, 234 Windows Explorer, 331 browser integration, disabling troubleshooting, 331 buffer size for captured Web pages, 200
B
Back button, in Policy Editors, 100 background captures, turning off See e-mail integration, disabling backing up the CMS, 67 backslashes, use to search for special characters, 113 backups (of CMS), 67 %BCC% variable, 254 blank e-mails detecting, 283
C
cache, for replication failures, 146 caching logon credentials, 145 secure Web sites, 234 canned searches See predefined searches capture actions, 132 Application Monitor, 132 Data At Rest, 132 Data In Motion, 132 e-mails, 132 Web pages, 132 capture button, for e-mails, 55 capture lights, in browser, 55
capture process browser diagram, 198 e-mail diagram, 201 capture strategies, 197 capture triggers Application Monitor, 130 Data At Rest, 130 Data In Motion, 131 detailed, 143 e-mails, 130 exemptions, refinements, 210 overview, 129 Web pages, 130 captured data e-mails, 201 files, 207 for groups, 45 overview, 197 Web pages, 198 categories See categorization categorization, 154 add to existing triggers, 163 control action numbers, 160 scores, 156 effect of, 157 summary, 158 set up new triggers, 162 smart tag guidelines, 169 smart tag names or values?, 168 smart tag variables, 167 syntax for categories, 165 examples, 166 trigger guidelines, 159 Categorize option, for Intervention setting Data At Rest control action, 224 Data In Motion control action, 224 E-mail control action, 224, 225 categorizing events, overview, 154 %category% variable, 167 %CC% variable, 254
CCL (calculated confidence level), for transaction validation, 190 %CCN% variable, 255 central management server See CMS
check interval, free disk space, 74 checkpoints, 87 machine policy settings, 148 child group, 43 child policy, 119 Chinese characters See Unicode characters class, of e-mail, 141 classifiers See document classifications Client File System Agent, 246 controlling USB devices, 248 machine policy settings, 151 client machines adding, 70 default policies, 71 definition, 61 deleting, 70 icons, 62 moving, 70 renaming, 335 replication, 66 Client Print System Agent, 246 controlling printers, 247 clipboard, copying administration search results to, 96 cloning, content agents, 323 CMS adding, 68 backing up, 67 backing up and restoring, 67 connecting, 67 connecting to as different user, 67 connection failure, 335, 337 definition, 61 groups, 68 icons, 62
machine policy settings, 150 multiple CMSs, 68 overview, 66 policy, 66 renaming, not recommended!, 335 single sign-on, 67 suspending, 75 code, installation, 36 columns, in exported user hierarchy spreadsheets, 53 combination list checking, 104 command line operations exporting user hierarchy, 52, 72 importing machines, 73 common client policy, 71 common gateway policy, 69 compressed files See zip files compression, of data overview, 79 policy setting stored data, 145 transmitted data, 146 confidence levels transaction validation, 190 configurations, for document classifications, 176 connecting to CMSs, 67 failure to, 335 connection management settings, 146 console Administration console, 25 tools, 36 cannot access, 337 options, 36 Administration, 36 single sign-on, 67 console-only machines, 62 contact details, 24 content agents, 317 administrative privileges, 57 before you start, 316
cloning, 323 Content Agent file settings editing, 322 Content Agent triggers editing, 322 e-mail, 144 Web, 143 creating, 319 default test documents, 318 deleting, 323 icons, 317 properties, 321 publishing, 321 republishing, 323 screen, 33 testing, 320 training, 319 training and test documents, 317 unpublishing, 323 content database, preparing, 318 content indexer logfiles, 90 content searches before you start, 316 Content Search triggers, 143 control overview, 215 controlling users, 55 events, 217 procedure diagram, 216 strategies, 215 control actions, 136 Application Monitor, 137 overview, 242 settings, 137 Data At Rest, 137 e-mails, 136 overview, 236 settings, 136 overview, 136 precedence, 232 suspended machines, 76
Web pages, 136 overview, 233 control events blocking, 217 disregarded warning, 217 heeded warning, 217 quarantined event, 217 silent events, 217 control triggers Application Monitor, 134 Data At Rest, 135, 244 Data In Motion, 244 detailed, 143 e-mails, 134 exemptions, refinements, 260 overview, 133 suspended machines, 76 Web pages, 134 control triggers, overview, 133 copying policies, 128 policy list items, 105 scanned files, 250 text from warning dialogs, 259 corrupt policies, 334 credentials database accounts events searches, 37 system, 37 logon details, caching, 145 credit card numbers obscuring captured numbers, 127 variables in notification messages, 255 Credit Card triggers, 144 CSV files policy lists, importing into, 105 currency characters, detecting, 180 custom items, in policy lists, 103 customized attributes, 51
D
DALs See dynamic address lists Data At Rest capture actions, 132 capture triggers, 130 control actions, 137 control triggers, 135 DoD deletions, 249 icons, 218 smart tags, 171 trigger settings file lists, 245 triggers, 144 data compression, 79 data encryption, 77 data files, Account Import, 54 Data In Motion capture actions, 132 capture triggers, 131 smart tags, 171 triggers, 144 data lookup, 272 Address Book lookup, 272 examples, 298 syntax, 275 blank e-mails, detecting, 283 cache management settings, 148 capture trigger settings e-mail, 130 file, 131, 135, 136 commands complex True-False test, 293 defining, 273 examples, 297-299 control trigger settings, 134 domains, counting, 301 failure mode, 273
keywords and, 274, 275 contains, 284 contains all, 285 contains any, 284 excludes, 285 excludes all, 285 excludes any, 285 includes, 284 includes all, 285 includes any, 284 is, 284 is any, 284 is not, 284 is not all, 284 labeled, 280, 281 mapi, 275, 298 msgattr, 275, 299 not, 274, 275 or, 274, 275, 296 userattr, 274, 297 xmlattr, 276, 300 Message Attribute lookup, 272, 299 counting domains, 301 syntax, 275 overview, 271 settings, in machine policy, 150 true-false tests, 272 User Attribute lookup, 274 examples, 297 syntax, 274 variables, 277 %recipient%, 278, 282 %sender%, 278, 282 <attribvalue>, 279 <msgvalue>, 283 <msgvar>, 282 <numericoperator>, 283 <stringoperator>, 284 <text>, 286 <type>, 286 <uservar>, 287 <who>, 278 <xpath>, 290
XML Attribute lookup examples, 300 syntax, 276 data management settings, 145 data replication See replication data security, 145 databases backing up and restoring, 67 credentials event searches, 37 system, 37 troubleshooting, 337 purging, 80 machine policy settings, 145 turning off, 83 default group definition, 43 editing, 45 default items, in policy lists, 103 default policies users, 48 Default Policy for Files setting, 149 default test documents, for content agents, 318 %Default% variable, 255 definitions, in user policy, 258 definitions, user policy settings, 140 Delete Silently option, 225 deleting client machines, 70 content agents, 323 gateways, 69 groups, 42 users, 47 Detail tab Machine Administration, 27 User Administration, 26 detect blank e-mails, 283 detect key words or phrases, 111, 112 diagnostics machine policy settings, 148 diagnostics, for machines, 85 dial-up connections, 338 digital signatures exempting e-mails capture triggers overview, 212 settings, 130 control triggers overview, 261 transaction triggers, 138 Disable attribute, 116 disabling integration See browser integration See Data At Rest See e-mail integration policy folders and settings, 116 replication, 65 disclaimers, checking for, 144, 177 disk space, monitoring, 74 display names, in e-mails, 109 disregarded warnings clicking Continue, 230, 231 clicking Personal, 231 definition, 217 distribution lists, and data lookup, 288 DOC and DOT files, searching content, 114 document classifications e-mails, 176 example generic classification, 181 generic, 176 overview, 176 parameter 6 functions, 179 policy settings, 140 setting up, 177 types, 176 Document Classifier triggers, 177 e-mails, 144 setting file size limit, 177 Web pages, 143 documents
triggers detect key text content, 113 DoD deletion, 249 DoD Overwrite and Delete Silently option, 225 DoD Overwrite and Replace Silently option, 229 domain extraction, 301 Domino addresses, 110 Domino Server, 54 Domino server agent notification e-mails, 265 overview, 263 dynamic address lists, 38 SQL query guidelines, 39
E
EAS archive, integration with, 204 editing policies, 99 client machines, 71 CMS, 66 gateways, 69 groups, 45 users, 48 e-mail addresses Bloomberg aliases, 110 display names, 109 Domino, 110 EX, 110 importing into policy lists, 106 internal e-mails See EX addresses matching addresses to policy lists, 109 SMTP, 109 updating, 51 variables in user notifications, 253 wildcards, 108 X.400, 110 e-mail categorization, 154 e-mail integration, disabling
capture triggers, 211 control triggers, 260 Infrastructure Failure setting, 76 system settings, 210 e-mails archive integration, 204 attachments See "A" attachments automatic captures, 201 capture button, 55 class, user policy setting, 141 delays, 329 Domino, integration with, 263 embedded messages policy settings, 141 searching for text content, 115 Exchange, integration with, 263 forwarding, 238 icons, 186 importing, 204 manual captures, 201 marking for quarantine, 313 modifying recipient lists, 239 notification e-mails, 252 process on arrival, 141 Public Folders, 204 Public Folders, saved in, 240 quarantined e-mails, 312 replies identifying the source e-mail, 240 Reply overview, 237 setting up, 252 retrieving full details, user policy setting, 141 triggers, 143 viruses, 328 embedded e-mails policy settings, 141 searching for text content, 115 EMC Centera integration, 145 enabling integration
See browser integration, disabling See e-mail integration, disabling
encryption attachments, unreadable capture triggers, 202, 212 control triggers, 261 transaction triggers, 196 exempting e-mails capture triggers overview, 212 control triggers overview, 262 settings, 134 transaction triggers, 138 exempting secure Web sites browser requirements, 234 control triggers overview, 262 settings, 134 files, unreadable capture triggers, 212 keys, 77 machine policy, 145 master key, 78 replicated data, 77 stored data, 77 uploaded files, unreadable capture triggers, 202 control triggers, 261 transaction triggers, 196 variable in notification message, 255 Enforce attribute, 117 Enforce Branch command, 117 enforced policy folders and settings, 117 engines See policy engines error level, free disk space, 74 event auditing audit field dependencies, 308 customized toolbar, 310 customizing the audit features, 303, 306
forwarding events, 309 mandatory changes, 308 required privileges, 305 suppress automatic auditing, 308 types of audit status, 304 event, calculating age of, 81 Event Import logs, 90 Event Import utility account synchronization, 51 event purging See purging events event status See audit status EX addresses, 110 Excel files, searching content, 114 exceptions, 186 Exchange server agent interactive warnings, 266 insertion variables, 267 message templates, 267 notification e-mails, 265 overview, 263 Excluded lists, 103 exemptions e-mails See also e-mail integration capture triggers, 211 control triggers, 260 data lookup, 271 digital signatures capture triggers, 212 control triggers, 261 encrypted capture triggers, 212 control triggers, 262 Web sites (secure), 262 browser requirements, 234 expiry date See also Minimum Retention settings expiry date, of minimum retention period, calculating, 81 exporting machine hierarchy, 72 policies, 128 user hierarchy, 52
extensions settings, 142 External Agent API, 246 External Sender policy setting, 149
F
failure mode, data lookup, 273 <fallguy> variable in data lookup commands, 280 in user notification messages, 257 Far Eastern characters detected by triggers, 112 failure to display, 338 Favorites folder, importing from, 106 file agents, 246 file categorization, 154 file events archive list, 209 capturing, 207 controlling files, 244 File Scanning Agent See FSA file sources, 246 file triggers, 244 File Upload triggers, 143 file uploads See uploaded files files copied to USB devices, 248 printing, 247 scanned, 249 searching content, 113 searching for key text, 105 smart tags, 171 unreadable capture triggers, 212 control triggers, 212 filters administration searches, 96 event import operations, 147 policy reports, 123 find items, 34
See also searches policy settings, 100 firing threshold, for content agents, 321 Forward button, in Policy Editors, 100 forwarded e-mails, 237 account requirements, 238 defining the notification e-mail, 252 forwarding to multiple addresses, 239 sending to another user, 239 variables in notification messages, 253 free disk space, 74 check interval, 74 error level, 74 machine policy setting, 145 warning level, 74 %From% variable, 255 FSA, 246, 247 controlling scanned files, 249 copying scanned files, 250 functions, for adjusting document classification scores, 179
G
gateways, 69 default policies, 69 definition, 61 deleting, 69 icons, 62 moving, 69 renaming, not recommended!, 335 global sender, for notification emails, 265 groups captured data, for, 45 creating, 42 default group, 43
deleting, 42 editing policies, 45 importing, 54 management, 43 moving, 42 moving users, 47 parent and child, 43 searching for, 94 Users group, 43
H
heeded warnings clicking Cancel, 230, 231 definition, 217 hidden policy folders and settings, 118 Hide attribute, 118 holding cache suspended machines, 75 holding cache, for replication failures, 65 HTML files, searching content, 113 HTML Password triggers, 143 HTTPS Web sites, exempting, 234 hyperlinks Administration console, 35 policy navigation, 100 hyphenated words, detecting, 113
I
icons CMS tree, 62 content agents, 317 control events, 218 file events, 218 machine administration, 62 machines, 62 policy list items, 103 transactions, 186 iConsole
customized toolbar, 310 customizing audit features, 303 one-click review buttons, configuring, 306 Ignored lists, 104 IM conversations, importing, 205 imported files searching, 113 unreadable capture triggers, 212 control triggers, 212 importing e-mails, 204 IM conversations, 205 machines, 73 policies, 128 policy list items, 105 users, 54 Included lists, 103 incoming e-mails replies identifying the source e-mail, 240 Reply overview, 237 setting up, 252 Inform option, for Intervention setting detail, 225 summary, 217 infrastructure, 63 failure to start, 76, 140 Infrastructure Failure setting, 140 machine policy settings, 145 running as named user, 63 Solaris wgninfra script, 63 stopping and restarting, 63 wgninfra.exe, usage, 63 inheritance See policy inheritance initialization settings, 140 installation code, 36 integration, disabling See browser integration
See Data At Rest See e-mail integration interactive warning e-mails autoheed timeout, 269 interactive warnings Exchange server agent, 266 insertion variables, 267 message templates, 267 internal events definition in policy, 140 Internet Explorer control trigger requirements, 234 dial-up settings, 338 secure Web sites not exempted, 331 Intervention setting, 220 Block Quietly, 223 Block With Notification, 222 Block with notification, 222, 223 Categorize E-mail control action, 224, 225 Categorize options Data At Rest control actions, 224 Data In Motion control actions, 224 E-mail control actions, 225 Delete Silently option, 225 DoD Overwrite and Delete Silently option, 225 DoD Overwrite and Replace Silently option, 229 Exchange and Domino server agents, effect of, 264 Inform, 225 No further actions option, 226 None, 227 Notify, 227 policy details, 220 Quarantine quietly, 228 Quarantine with notification, 228 Replace Silently, 229 Replace Silently option, 229
Warn, but ... Personal option, 231 Warn option, 230 intranet sites definition in policy, 140
J
Japanese characters See Unicode characters java.rmi error message, 335 JavaScript files not captured, 199 Jet Database Engine, troubleshooting, 337 JVM.Properties file, 336
K
key presses, recording, 205 key words, detected by triggers, 111 variables in notification messages, 256 keys, encryption, 77, 78 %Keystrength% variable, 255 keystrength exemptions, 234 %Keystrength% variable in notification messages, 255 control triggers, 134 setting up, 262 troubleshooting, 331 keystrength substitution, 255 %Keystring%, %Keyword%, %Keywords% variables, 256 Korean characters See Unicode characters
L
labeled lookup operator, 280, 281, 338 LDAP directory, 54 license files, 24, 36
List tab Machine Administration, 27 User Administration, 26 listed files searching for key text, 105 lists for file events, 245 lists, in policy settings, 102 combination list checking, 104 copying and importing, 105 default and custom list items, 103 Included and Excluded lists, 103 wildcards, 108 logfiles, 89 configuring, 90 copy entries to Windows event log, 91 Logging settings, in machine policy, 147 remote files, 91 screen layout, 31 types, 89 viewing, 91 long domains, 301 Look For settings, in administration searches, 96 Lookup Cache Management machine policy settings, 148 Lotus 1-2-3 files, searching content, 114
M
Machine Administration screen, 27 icons, 62 machine hierarchy, exporting, 72 machine policies, 145 Account Import setting, 147 checkpoints, 148 Client File System Agent, 151 CMS settings, 150
compression stored data, 145 transmitted data, 146 controlling changes, 101 data management settings, 145 diagnostic settings, 85 Diagnostics, 148 editing client machines, 71 gateways, 69 encryption, 145 filter setting, 147 free disk space, 145 infrastructure settings, 145 inheritance, 120 logging settings, 147 Lookup Cache Management, 148 Machine Policy Editor, 29 policy engines, 149 purging events, 83 remote data management settings, 146 replication settings, 146 resetting, 71 security settings, 145 Machine Policy Editor, 29 machines administration, 61 diagnostic support, 85 icons, 62 importing, 73 moving manually, 70 new clients, 70 searching for, 94 mail groups, and data lookup, 288 %MailDateTime% variable, 256 management groups, 43 assigning, 49 overriding, 44 purpose, 56 example usage, 297 mandatory, lookup variable, 289
Manual capture triggers e-mails, 144 Web pages, 143 manual suspensions, 75, 275 master encryption key, 78 maximum buffer size, for captured Web pages, 200 maximum document length, for content agents, 321 maximum transaction values defining, 187 Transaction Detector triggers outgoing e-mails, 144 Web pages, 143 MaxScore(n), document classifications, 179 MemberOf variable, and data lookup, 288 Message Attribute lookup, 272, 299 counting domains, 301 examples, 299 syntax, 275 message templates, for interactive warning e-mails, 267 metadata attributes, data lookup, 276 metadata, for events XML schema, 302 metadata, purging, 80 Microsoft Excel files, searching content, 114 Jet Database Engine, troubleshooting, 337 Office documents, searching content, 114
Outlook disabling browser integration, 331 exempting e-mails, 210 optimization, 329 policy settings, 141 Outlook 2002 (XP), 2003 and 2007, triggers stop working, 327 Public Folders e-mails, 240 PowerPoint files, searching content, 114 Project 98 files, searching content, 114 Windows Explorer disabling browser integration, 331 Word files, searching content, 114 Works files, searching content, 114 MIF files, searching content, 113 minimum retention period calculating, 81 triggers, 82 capture triggers, 213 control triggers, 262 transaction triggers, 196 MinScore(n), document classifications, 179 %MONEY% variable, 180 money variables, 180 mouse clicks, recording, 205 moving gateways, 69 groups, 42 machines, 70 users, 47 MP3 files, searching for metadata, 114 MPP files, searching content, 114 msgattr, data lookup command, 275 <msgvar> lookup operator, 282 msiexec.exe, disabling browser integration, 76 multiple CMSs managing, 68 multiple message control triggers notification messages to users, 251 overview, 107 multiple users forwarding e-mails to, 239 multi-select categorize control actions, 161
N
names for actions See actions NBA, 246, 247, 249 negative training documents, for content agents, 317, 319 nested zip files, 115 Network Boundary Agent, 246, 247 new client machines, 70 importing, 73 CMS, 68 gateways, importing, 73 groups, 42 importing, 54 users, 46 importing, 54 Windows authentication, 46 No further actions option, 226 None option, for Intervention setting, 227 Normalize(m), document classifications, 179 notification dialogs, 251 Blocking dialog, 222, 223 Categorize dialog, 224, 225 dialog titles, 251 System settings, 140 Inform dialog, 225
messages copying text, 259 variables, 253 variables for file events, 253 Notify dialog, 227 Quarantine dialog, 228 advisory guidelines, 228 Warning (Personal) dialog, 231 Warning dialog, 230 notification e-mails, 252 Exchange and Domino server agents, generated by, 265 System settings, 140 text variables, 253 notification messages, and data replication, 64 Notify option, for Intervention setting, 227 summary, 217 NotLargerThan(y), document classifications, 179 NotSmallerThan(x), document classifications, 179 Novell eDirectory, 54 NT event logs See Windows event logs <numericoperator> lookup variable, 283
O
Office documents, searching content, 114 <offlimits> variable in data lookup commands, 281 in user notification messages, 257 Offline Browsing Pack, need for, 336 one-click review buttons, iConsole, 306 operators in data lookup commands, 283
options Administration console, 36 Out of Office Assistant, 238 Outlook See Microsoft Outlook overspending See spending limits
P
parameter 6 functions, for document classifications, 179 parameters document classifications, 178 parent group, 43 parent policy, 119 parent-child inheritance, 119 partition-based purging, 80 passwords captured passwords obscuring, 127 troubleshooting, 326 password-protected attachments and files capture triggers, 212 password-protected attachments and uploaded files capture triggers, 202 control triggers, 261 transaction triggers, 196 Reset passwords privilege, 59 resetting database credentials system, 37 user passwords changing, 48 for new users, 46 PDF files, searching content, 114 pending warnings, maximum, 269 personal Web pages and e-mails, 231 phrases, detected by triggers, 111 policies client machines, 71 CMS, 66
common client policy, 71 common gateway policy, 69 controlling changes, 101 copying, 128 corrupt, 334 default user policies, 48 definition, 97 editing, 99 exporting, 128 find items, 100 gateways, 69 groups, 45 hyperlinks, 100 importing, 128 inheritance See policy inheritance list settings, 102 Machine Policy Editor screen, 29 navigation, 100 read-only mode, 99 reports See policy reports shortcuts, 99 suspended machines, 76 tooltip explanations machine policy, 29 user policy, 28 User Policy Editor screen, 28 users, 48 version checking with wgnpol.exe, 128 version numbers, 125 policy branch enforcing, 117 generating reports for, 122 inheritance, 119 policy engines, machine policy settings, 149 policy folders attributes (disable, enforce, hide), 116 inheritance, 119 policy inheritance, 119-120 enforced folders, 117
parent-child inheritance, 119 policy branch inheritance, 119 policy lists, 102 Policy on Print See Client Print System Agent Policy on Save See Client File System Agent policy path, 28, 29 policy reports, 121 available actions, 123 filters, 123 saving to file, 122 policy settings attributes (enforce, hide), 116 machine policy, 145 tooltip explanations machine policy, 29 user policy, 28 user policy, 129 polimex.exe, 128 positive training documents, for content agents, 317, 319 PowerPoint files, searching content, 114 PPT files, searching content, 114 predefined searches, for administration data, 94 primary administrator, 56 printing files, controlling, 247 privileges assigning to roles, 49 definitions, 57 event auditing requirements, 305 selecting, 50, 51 process e-mails on arrival, 141 prohibited activity, definition, 219 Project 98 files, searching content, 114 properties content agents, 321 users, 48 Public Folders, e-mails are ignored, 204, 240
publishing content agents, 321 punctuation matching, 112 purging events, 80 machine policy settings, 83 minimum retention period, 81 purge SPs, 81 trigger-based retention periods, 82 turning off, 83 what data is purged?, 80
Q
QDF files administration data, 96 quarantine control actions, 232 Quarantine quietly option, for Intervention setting, 228 Quarantine with notification option, for Intervention setting, 228 quarantined e-mails, 312
R
RCL (required confidence level), for transaction validation, 190 read-only mode, viewing policies in, 99 %recipient% lookup operator, 278 Recipient triggers, 143 recipients moving to Bcc field, 239 records management categorization, 154 recreate users, 47 redirecting users to alternate URLs control actions, 136 overview, 234 which triggers?, 235
ReduceBySize(r), document classifications, 180 remote data management machine policy setting, 146 remote logfiles, viewing, 31 renaming client machines, 335 CMS, not recommended!, 335 gateways, not recommended!, 335 users, 47 troubleshooting, 333 reparenting machines manually, 70 Replace Silently option, 229 Replace Silently option, for Intervention setting, 229 replication compression, of data, 79 disabling, 65 encrypted data, 77 failures, 65 holding cache, 65 immediate, to client machines, 66 logfiles, 89 machine policy settings, 147 notification intervals, 64 overview, 64 settings, 146 suddenly stops when using ASDL, 336 suspended machines, 76 troubleshooting, 336 turning off on slow networks, 65 replication checkpoints, 87 replication failures suspended machines, 75 replication holding cache, policy settings, 146 replies to incoming e-mails identifying the source e-mail, 240
Reply overview, 237 setting up, 252 reported policy version, 125 reports policy reports, 121 republishing content agents, 323 resetting machine policies, 71 policies, 99 restoring the CMS, 67 retention period See Minimum Retention settings reviewer (role), 59 roles assigning to users, 49 creating, 49, 50 definitions, 59 redefining privileges, 49 RTF files, searching content, 114
S
database credentials, 37 file contents, 113 filters administration data, 96 group accounts, 94 machine accounts, 94 no matching events returned, 325 predefined searches, 94 saving search expressions administration data, 96 screenshots administration searches, 30 Search Text triggers, 144 text, detected by triggers, 111 user accounts, 94 SEC 472, 312 Secure Sites triggers, 143 secure Web sites, exempting, 234 security bypassing management group limitations, 44 of data, 145 settings, 145 self-enrollment (new users), 46 %sender% lookup operator, 278 Sender triggers, 143 sensapi.dll file, 336 sensitive information handling overview, 127 policy settings, 140 sensitivity Transaction Detector triggers, 189 transaction matching adjusting, 193 policy settings, 140 separators, in policy list settings commas, semicolons, tabs and others, 105 server agents, versus client agents, 263 server-side warnings, 266 service desk URL, 24 short domains, 301 shortcuts console hyperlinks, 35 policy editing, 99 silent events Intervention option, 227 summary, 217 single sign-on, 67 single-select categorize control actions, 161 %Site% variable, 256 slow network links, 336 Smart Tagging, 170 categorization variables, 167 file triggers, 171 names and values, 172 variables, 172 mishandling of, 173 x-headers, 174 requirements and limitations, 175 SMTP addresses, 109 social security numbers variables in notification messages, 255 sources, of captured files, 246 spending limits, 187 spreadsheets policy lists, importing from, 105 searching content, 114 user hierarchy, exporting to, 53 SPs, purging, 81 SQL queries, for dynamic address lists, 39 SQL tab Administration console, 95 privilege to control access, 57 %SSN% variable, 255 SSW See server-side warnings statistics Statistics screen, 32 stored procedures See SPs
S
scanned files, 249 copying to new location, 250 score adjustment functions See parameters parameter 6 functions scores, category, 156 search text punctuation, 112 triggers, 144 search text variables, 112 searches See also find items See also detect key words or
phrases
administration data, 93 new searches, defining, 95 overview, 94 predefined searches, 94 running a search, 94 screen overview, 30
A B C D E F G H
J K L M N O P Q R S T U V W X Y Z
352
A B C D E F G H
strategies capture strategies, 197 control strategies, 215 <stringoperator> lookup variable, 284 %Subject% variable, 256 Submitted Credit Card triggers, 143 Submitted Search Text triggers, 143 Sun ONE Directory Server, 54 suspended machines CMSs, 75 insufficient free disk space, 74 overview, 75 replication failures, 75 syntax categories, specifying, 165 data lookup Address Book lookup, 275 Message Attribute lookup, 275 User Attribute lookup, 274 XML Attribute lookup, 276 stopping and restarting the infrastructure, 63 system database credentials, 37 troubleshooting, 337 system definition file administrative privileges, 57 installing, 38 system logfiles, 89 contacting the service desk, 24 machine policy settings, 147 System Settings folder, in the user policy, 140
J K L M N O P Q R S T U V W X Y Z
audit e-mails, 309 interactive warning e-mails, 267 insertion variables, 267 test documents, for content agents, 317, 319 default test documents, 318 testing a content agent, 320 <text> lookup variable, 286 text, detected by triggers, 111 variables in notification messages, 256 text files, searching content, 114 time-outs transaction activity, 140 User Attribute lookup commands, 274 timeouts interactive warning e-mails, replies to, 269 TM (transaction matching) score, 193 %To% variable, 257 tooltips Machine Policy Editor, 29 User Policy Editor, 28 TP (transaction probability), 189 training documents, for content agents, 317, 319 Transaction Detector triggers, 144 description, 143 maximum transaction values outgoing e-mails, 144 Web pages, 143 overview, 188 transaction settings, 138 action, 139 triggers, 143 transaction triggers, overview, 138 transactions automatic captures, 184 captured items, 139 exceptions, 186 icons, 186 manual captures, 184 matching, 193 overview, 183 spending limits, defining, 187 system settings, 140 validation, 189 travel configurations, for document classifications, 176 triggers Application Monitor, 144 capture triggers Application Monitor, 130 Data At Rest, 130 Data In Motion, 131 e-mails, 130 overview, 129 Web pages, 130 control triggers Application Monitor, 134 Data At Rest, 135 e-mails, 134 overview, 133 Web pages, 134 Data At Rest, 144 Data In Motion, 144 e-mails, 143 exemptions See exemptions minimum retention periods, 82 not saving details, 211 Search Text, 144 summary, 143 transaction detector, 188 transaction triggers, overview, 138 Web pages, 143 troubleshooting, 325 browsers, disabling integration, 331 cannot send audit e-mails, 330 cannot send forwarded .msg files or audit e-mails, 328 cannot use MAPI services, 330 CMS connection failure, 335, 337
T
tabs Detail and List tabs Machine Administration screen, 27 User Administration screen, 26 tags See smart tagging templates
A B C D E F G H
J K L M N O P Q R S T U V W X Y Z
Index
353
A B C D E F G H
dial-up connections, 338 e-mail attachments, 203 e-mail delays, 329 e-mail triggers stop working for Outlook 2002 (XP), 2003 and 2007, 327 event searches find no results, 325 features stop working, 328, 337 MS IE7 limitation, 330 passwords inadvertently exposed, 326 policies, 334 replication cannot turn off, 336 suddenly stops when using ASDL, 336 updating database logon credentials, 337 user renaming, 333 Web pages captured page does not match page in browser, 326 exempting secure sites, 331 true-false tests, in lookup commands, 272 TXT files, searching content, 114 <type> lookup variable, 286
J K L M N O P Q R S T U V W X Y Z
content agents, 323 uploaded files searching content, 113 triggers, 143 unreadable capture triggers, 202, 212 control triggers, 261 transaction triggers, 196 %URL% variable, 257 URLs %Site% variable in notification messages, 256 %URL% variable in notification messages, 257 URL triggers, 143, 144 wildcards, 108 US Social Security High Group file installing, 38 USB devices, blocking, 248 user administration logfiles machine policy settings, 147 User Attribute lookup, 274 examples, 297 syntax, 274 user definitions, 141 User Definitions, settings, 258 User Filter, machine policy setting, 147 user groups See groups user hierarchy, exporting, 52 user notifications, 251 user policies capture settings, 129 control settings, 133 controlling changes, 101 default, 48 definitions, 258 editing, 48 extensions settings, 142 inheritance, 120 list items, 102 settings, 129 system settings, 140 transaction settings, 138 transaction validation, 191 triggers, 143 User Policy Editor screen, 28 user properties, 48 account history, 48 customized attributes, 51 syntax, 274 users Users group, 43 adding, 46 attributes, 51 deleting, 47 importing, 54 moving, 47 properties, 48 recreating, 47 renaming, 47 troubleshooting, 333 searching for, 94 updating e-mail addresses, 51 User Administration screen, 26 <uservar> lookup variable, 287 utility machines, 62 icons, 62
U
"Undeliverable" e-mail notification messages, 238 unenforcing policy items, 117 unhiding policy items, 118 Unicode characters detected by triggers, 112 failure to display, 338 unique domains, identifying, 301 Unknown Internal Sender policy setting, 149 unlimited searches, required privilege, 58 unpublishing
V
validation, of transactions, 189 variables categorization smart tags, 167 data lookup, 277 document classifications, 180 for file events notification messages, 253 notification messages, 253 search text, detected by triggers, 112 smart tag values, 172, 173 templates for interactive warning e-mails, 267 user definitions, 258
A B C D E F G H
J K L M N O P Q R S T U V W X Y Z
354
A B C D E F G H
vCards, searching content, 114 VCF files, searching content, 114 version numbers, of policies, 125 checking with wgnpol.exe, 128 viewing policies in read-only mode, 99 viruses, and captured e-mails, 328
J K L M N O P Q R S T U V W X Y Z
wgninfra.exe, usage, 63 wgninfra.out logfile, 147 contacting the service desk, 24 wgnpol.exe, 128 Which Files Sources? setting, 246 <who> lookup variable, 278 wildcards document classifications, 180 policy list items, 108 search text, detected by triggers, 111 Windows authentication for new users, 46 Windows event logs, 91 Windows Explorer, disabling browser integration, 331 wizard, Account Import machines, importing, 73 users, importing, 54 WKS files, searching content, 114 Word files, searching content, 114 WordPerfect files, searching content, 114 words, detected by triggers, 111 variables in notification messages, 256 Works files, searching content, 114 WPS files, searching content, 114 XML documents, capturing, 199 XML files, searching content, 114 xmlattr, data lookup command, 276 xpath lookup operator, 290
Z
zero activity events, 206 zip files policy settings, 141 searching content, 115
W
W0078 log entries, 336 W0078 log file entry, 336 Warn, but allow users to designate as Personal option, 231 Warn option, 230 warning level, free disk space, 74 warnings configuring a control action, 230 disregarded, 217 heeded, 217 Warn, but ... Personal option, 231 Warn option, 230 Warning (Personal) dialog, 231 Warning dialog, 230 when browser starts up, 55 when e-mail starts up, 55 Web integration See browser integration Web pages buffer size overview, 200 policy settings, 141 JavaScript files not captured, 199 manual captures, 198 triggers, 143 Webmail, blocking, 241 Wgn.Group lookup variable, 287 Wgn.GroupParent lookup variable, 287 wgninfra script (Solaris only), 63 wgninfra.exe service, 63
X
X.400 addresses, 110 x-headers, generated from smart tags, 174 requirements and limitations, 175 XLS and XLW files, searching content, 114 XML Attribute lookup examples, 300 syntax, 276 XML metadata schema, 302
A B C D E F G H
J K L M N O P Q R S T U V W X Y Z