
ControlPoint 8.7 - User Guide


Using ControlPoint Policies to Control Your SharePoint Environment

You can use ControlPoint Policies to prevent and/or send out a notification when an attempt is made to:

·delete a subsite

·exceed a quota imposed on a subsite

·delete documents/items

·create content

·upload a file that exceeds a specified size limit

·create a subsite

·create a subsite with a specific template

·create a subsite after a certain depth

·create or delete a list (optionally, with a specific template)

·upload files of one or more specific types

·add or delete a permission

·add, delete, or update a Permissions Level

·add, delete, or update a SharePoint group

·add or delete SharePoint group members

·break or restore permissions inheritance

You can configure your policy to

·include in the policy—or exclude from the policy—either:

§all users

§specific users and Active Directory groups

§users in one or more SharePoint groups

OR

·exclude from the policy users with a specified Permissions Level.

If Sensitive Content Manager is installed in your environment, you are a member of the Compliance Administrators group, and the options are enabled, you can also create policies to scan content for sensitive content whenever an item or document is added to—or updated in—a SharePoint list or library.

IMPORTANT:  If you have upgraded to version 2.0 or later of Metalogix Sensitive Content Manager from an earlier version and have existing policies to scan content, you may have to re-create or re-register these policies.  Contact Quest Support for assistance.

In a multi-farm environment, you can create and manage ControlPoint policies for the home farm only.

 

Factors to Consider When Creating ControlPoint Policies

Policies that can be Created:

You can create ControlPoint policies to control:

·subsite creation

·creation of subsites with specific templates

·creation of subsites after a certain depth

·subsite deletion

·the creation and deletion of lists

·the enforcement of subsite-level quotas

·the deletion of documents/items (and optionally, attachments)

·content creation, using a custom Web service

·the uploading of files over a specified size

·the uploading of files of one or more specific types

·the adding or deleting of permissions

·the adding, deleting, or updating of Permissions Levels

·the adding, deleting, or updating of SharePoint groups

·the adding or deleting of SharePoint group membership

·permissions inheritance breaking or restoring

·if Sensitive Content Manager is installed in your environment, you are a member of the Compliance Administrators group, and the options have been enabled, the submission of a document/item for sensitive content analysis whenever it is added to—and/or updated in—a list or library.

IMPORTANT:  If you have upgraded from Sensitive Content Manager 1.9 and have existing policies to scan content, you may have to re-create or re-register these policies.  Contact Quest Support for assistance.

Excluding Specific Users from All Policies

ControlPoint Application Administrators can exclude selected users—such as farm administrators—from all policies via the ControlPoint Configuration Setting Users to Exclude from All ControlPoint Policies (CPPOLICYSUPERUSERS).  Refer to the ControlPoint Administration Guide for details.  

NOTE:  Users specified in this setting will always be excluded from all policies, even if they are explicitly added to a policy.

How Policies Impact Operations Performed in ControlPoint

Any action on a SharePoint site that is initiated through ControlPoint is actually carried out by the ControlPoint Service Account rather than the logged-in user.  Therefore, if the ControlPoint Service Account is included in a policy, the policy will be enforced for any ControlPoint action that is restricted by that policy (for example, Delete Site and Copy/Move Site, which involves site creation/deletion), regardless of the user who initiated it.

When "Include Children" Applies to Your Scope

Most policies created at the site collection level or above will include all child sites by default. If a policy is created for a site (other than the root site) or subsite, by default the policy will apply to the selected site and not its child sites.  This behavior is consistent with the model for Selecting Objects on Which to Perform a ControlPoint Operation.

EXCEPTION:  Because the action applies specifically to the creation of child sites, Control Subsite Creation in Certain Depth will always include child sites, regardless of whether "Include Children" is explicitly checked in the Selection panel.

Including and Excluding Users and Active Directory Groups

You can either include or exclude users and/or Active Directory groups from a policy.

Creating Policies That Control Subsite Quota

Subsite-level quotas do not supersede the quota set for an entire site collection.  That is, once a site collection quota is reached, no more content can be added.

NOTE:  Because the contents of Recycle Bins are managed at the site collection level, they are not considered in a subsite-level quota.

Creating Policies That Affect Users Based on Permissions Level

You can only exclude (not include) a SharePoint permissions level from a policy.  

Creating Policies Involving Site Templates

If you want to control the creation of sites that use one or more specific templates, you can choose from any template that has been deployed for the entire farm.   The creation of a site using a certain template cannot literally be "prevented," since it is only upon successful creation of the site that ControlPoint can evaluate the template.  The way ControlPoint enforces this type of policy is by deleting a site that is in violation immediately after it is created.

Creating Content Insertion Policies Using a Custom Web Service

You can create a policy to invoke a custom Web service whenever content in a SharePoint list or library is inserted or updated.  For example, you may want documents and attachments to be scanned for sensitive content and have a notification sent when the policy is violated.

A content insertion policy can be created if:

·the Web service includes the logic necessary to integrate with ControlPoint and is accessible by ControlPoint Service account.  (Details can be found in the guide Running ControlPoint Actions Programmatically.)

AND

·the ControlPoint Configuration Setting Content Creation Policy URL (POLICYSERVICEURL) is populated with the path to the Web Service asmx file.  (Details can be found in the ControlPoint Administration Guide.)

NOTE:  The ControlPoint policy cannot prevent content that violates a policy from being added.

Users Subject to Multiple Policies

If a user is restricted by more than one similar policy, all policies, including the most restrictive one, will be enforced.  

EXCEPTION:  If a policy is created at the list level, any similar policies at a higher scope will be ignored.
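
The precedence rules in this section, modelled in Python as an added example (it is not ControlPoint code and not part of the guide). The account names, the `Policy` fields and the reading of "similar" as "same Policy Rule" are assumptions, and every policy in the list is assumed to already cover the object being acted on.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for this sketch; none are real ControlPoint values.
SUPER_USERS = {"CONTOSO\\farmadmin"}           # models CPPOLICYSUPERUSERS
SERVICE_ACCOUNT = "CONTOSO\\svc-controlpoint"  # models the ControlPoint Service Account
NOTIFY_ONLY_RULES = {"Control Content Creation (Custom)"}  # Prevent not available

@dataclass
class Policy:
    name: str
    rule: str
    scope: str = "higher"          # "list", or "higher" for any scope above a list
    mode: str = "all"              # "all" (Restrict All), "include" or "exclude"
    users: set = field(default_factory=set)
    excluded_level: Optional[str] = None   # a Permissions Level can only be excluded
    prevent: bool = True

def applies_to(policy, actor, actor_level):
    if actor in SUPER_USERS:       # excluded even when explicitly added to a policy
        return False
    if policy.excluded_level is not None:
        return actor_level != policy.excluded_level
    if policy.mode == "include":
        return actor in policy.users
    if policy.mode == "exclude":
        return actor not in policy.users
    return True

def evaluate(policies, rule, user, levels, via_controlpoint=False):
    # Actions initiated through ControlPoint are carried out by the service account.
    actor = SERVICE_ACCOUNT if via_controlpoint else user
    similar = [p for p in policies if p.rule == rule]
    # A list-level policy causes similar policies at a higher scope to be ignored.
    if any(p.scope == "list" for p in similar):
        similar = [p for p in similar if p.scope == "list"]
    hits = [p for p in similar if applies_to(p, actor, levels.get(actor))]
    # Every matching policy is enforced, so one Prevent policy is enough to block.
    blocked = any(p.prevent and p.rule not in NOTIFY_ONLY_RULES for p in hits)
    return {"actor": actor, "blocked": blocked, "enforced": sorted(p.name for p in hits)}

# Constructed sample data.
LEVELS = {"CONTOSO\\alice": "Contribute", "CONTOSO\\bob": "Design",
          "CONTOSO\\farmadmin": "Full Control", SERVICE_ACCOUNT: "Full Control"}
POLICIES = [
    Policy("site-no-item-delete", "Control Document/Item Deletion"),
    Policy("list-delete-notify", "Control Document/Item Deletion", scope="list",
           mode="include", users={"CONTOSO\\bob"}, prevent=False),
    Policy("no-subsite-delete", "Control Subsite Deletion", mode="include",
           users={"CONTOSO\\farmadmin", SERVICE_ACCOUNT}),
    Policy("content-webservice", "Control Content Creation (Custom)"),
]

if __name__ == "__main__":
    for user, rule, via in [("CONTOSO\\alice", "Control Document/Item Deletion", False),
                            ("CONTOSO\\farmadmin", "Control Subsite Deletion", False),
                            ("CONTOSO\\farmadmin", "Control Subsite Deletion", True)]:
        print(user, rule, via, evaluate(POLICIES, rule, user, LEVELS, via))
```

In this model the narrower list-level notify policy leaves alice unrestricted because the site-wide Prevent policy is ignored, and a "super user" is still blocked when the same deletion is run through ControlPoint, because the service account is the actor.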

Updating or "Re-Registering" a Policy When a New Site Collection or Subsite is Added to the Scope

Whenever you add a Web application or site collection to the scope covered by a policy, you must "re-register" the policy so that the new site collection will be included.  This assigns the new object to the SharePoint event handlers that watch for the actions covered by the policy.  When a subsite is created the event handlers are automatically propagated to the new site.

See Re-Registering a New Site Collection for a Policy.

 

Creating a ControlPoint Policy

Before creating a ControlPoint policy, it is recommended that you review Factors to Consider When Creating ControlPoint Policies.

To create a ControlPoint policy:

1. Select the object(s) for which you want to create the policy.

2. Choose Automation > Create a ControlPoint Policy.

3. Complete the Policy section as follows:

a) Select one of the Policy Rules.  Use the information in the following table for guidance.

If you want to ...

Then ...

control the creation of all new sites

select Control Subsite Creation.

control the creation of sites based on one or more specific templates

 

Select Control Subsite Creation in Selected Template.

Highlight each of the Site Templates you want to include in the policy.


REMINDER:  The Site Templates list contains all of the templates that have been deployed for the entire farm, and ControlPoint can only "prevent" a policy violation by deleting the site soon after it is created.  

control the creation of sites beyond a certain depth

§Select Control Subsite Creation in Certain Depth.

§Enter the maximum Site Depth you want the policy to allow.


control the deletion of a site

select Control Subsite Deletion.

control a subsite-level quota*

§Select Control Subsite Quota.

§Enter the quota (in MB) that you want to set.


REMINDER: Subsite-level quotas do not supersede the quota set for an entire site collection.  That is, once a site collection quota is reached, no more content can be added.

control the deletion of documents and list items*

§Select Control Document/Item Deletion.

§If you want to allow attachments to be deleted from list items, check the Allow Attachments to be Deleted box.

NOTE:  If you leave this box unchecked, users subject to the policy are prevented from deleting both the item itself and any attachments to items.

control the creation of content based on a rule defined for your organization

Select Control Content Creation (Custom).

REMINDER:  This rule can only send a notification; it cannot prevent content in violation of the policy from being created.  For a policy that uses this rule to be created, the ControlPoint Configuration Setting Content Creation Policy URL (POLICYSERVICEURL) must contain the service URL for the rule.  Details can be found in the ControlPoint Administration Guide.

control the creation of a list

 

·Select Control List Creation.

·If you want to limit the policy to certain types of lists, highlight one or more List Templates.

control the deletion of a list

 

·Select Control List Deletion.

·If you want to limit the policy to certain types of lists, highlight one or more List Templates.

control the uploading of any file that exceeds a specified size

·Select Control File Upload Size.

·Enter an Upload Size Limit (in megabytes).


control the changing of:

·Permissions

OR

·Permissions Levels

OR

·SharePoint group permissions or group membership

OR

·Permissions inheritance

 

Select the applicable option from the drop-down:


control the uploading of files of a particular type

 

·Select Control File Upload by Type.

·Enter one or more file type extension(s).  (Enter multiple extensions as a semicolon-separated list.)


If Sensitive Content Manager is installed in your environment, you are a member of the Compliance Administrators group, and the options are enabled:

·submit a new document/item for scanning whenever it is added to a list or library

AND

·have ControlPoint automatically apply a Compliance Action based on the results of the scan.

A.Select Scan item for sensitive data when content is added.

B.Select a Profile for the scan from the drop-down.

NOTE:  Checked out files are not scanned. You can run a Checked Out Documents analysis to identify these files. (When a file is uploaded and checked in for the first time, it will be scanned as part of a Scan item for sensitive data when content is updated or saved policy.)

See also Using Sensitive Content Manager to Analyze SharePoint Content for Compliance.

·submit a document/item for scanning whenever it is updated or saved in a list or library

AND

·have ControlPoint automatically apply a Compliance Action based on the results of the scan.

A.Select Scan item for sensitive data when content is updated or saved.

B.Select a Profile for the scan from the drop-down.

NOTE:  Checked out files are not scanned. You can run a Checked Out Documents analysis to identify these files. (When a file is uploaded and checked in for the first time, it will be scanned as part of this policy.)

See also Using Sensitive Content Manager to Analyze SharePoint Content for Compliance.

*If you are creating a policy to control subsite quota, content creation, or document/item deletion, ControlPoint must process every event that the policy covers. Therefore, if the scope of the policy is exceptionally large (for example, it covers an entire farm with hundreds of sites, lists, and libraries) or the policy includes sites with a high volume of activity, performance of both ControlPoint and SharePoint may be impacted.

b) Enter a Policy Name and Policy Description.

c) Select either or both of the options described in the following table.

If you want to ...

Then ...

prevent users from violating the policy

leave the Prevent box checked.

If you uncheck this box, the Notify box must be checked, which means that users will be able to carry out the controlled action, but a notification will be sent to the violator and/or user(s) of your choice.

NOTE:  The Prevent option is not available for Control Content Creation.

have an email notification sent to one or more specified users (and optionally, the violator of the policy)

check the Notify box.

4. Complete the User Selection section as described in the following table.

REMINDER:  Any user that the ControlPoint Application Administrator has specified as a "super user" in the ControlPoint Configuration Setting Users to Exclude from All ControlPoint Policies (CPPOLICYSUPERUSER) will be excluded from the policy regardless of whether that user is explicitly included in the policy.

If you want the policy to ...

Then ...

include all SharePoint users

select Restrict All.


include or exclude one or more SharePoint users or Active Directory groups

·Select Users/AD Groups.

·Select either Apply policy to selected users or Exclude selected users.

·Select the user(s) and/or AD group(s) you want to include in or exclude from the policy.


exclude a specific Permissions Level

·Select one of the Permissions Levels from the drop-down.

REMINDER:  You cannot include a permissions level in a ControlPoint policy.

include or exclude one or more SharePoint groups

·Select SharePoint Group Picker.

·Select either Apply policy to selected users or Exclude selected users.

·From the Group Picker, select the SharePoint group(s) that you want to include in or exclude from the policy.

5. If you checked the Notify box, select the Enforce Policy tab and complete the Distribution Details as described in the following table.

If, when the policy is violated ...

Then ...

you want an email sent to one or more specified recipients

·In the Send To field, select the user(s) you want to notify of a policy violation.

·Complete the Subject and Message fields.

you want a notification of the policy violation to be posted to a document library as a text file

·Complete the Subject and Message fields

·Complete the Add to Library or List field as follows:

§Click [Select] to display the Destination Selection Page pop-up dialog, and select a document library from the Destination Farm Tree.   (Note that only lists and libraries within the current farm for which you have Full Control access display).  

§Select a library from the tree. (You can also enter a full or partial Name or URL to narrow your selection.)


·Click [OK] to dismiss the dialog and populate the field with the full URL path to the selected library.

NOTE:  The title of the text file includes the Policy Name along with a date and time stamp.

you want any policy violators to receive an email notification

check the Send To Violator box.

you want any policy violator to receive a customized message

·Check the Use Custom Message To Violator box.

·Complete the Subject and Message fields.

NOTE:  If you leave this box unchecked, violators will receive the same email as any other specified recipient(s).

6. Click [Run Now].

After the action has been processed:

·a confirmation message displays at the top of the page, and

·a ControlPoint Task Audit is generated for the action and displays in the Results section.

See also The ControlPoint Task Audit.

Managing ControlPoint Policies

The Manage ControlPoint Policies action lets you view ControlPoint policies for a selected scope.  You can:

·view/edit the details of a ControlPoint policy

·delete a policy, and

·re-register policies when a new Web application, site collection or subsite is added.

NOTE:  If you are a Farm Administrator, you will be able to view all policies within the selected scope; otherwise, you will only be able to view policies that you have created.

To manage ControlPoint policies:

1. Select the object(s) whose policies you want to manage.

2. Choose Automation > Manage Policies.

All of the policies that apply to the selected scope display, along with the following information:

§the Policy Name and Policy Description

§an indication of whether the policy is Active

§the Owner (creator) of the policy

§the policy's Created Date

§the user the policy was last Updated By.

3. If you want to narrow the list to include only policies that meet specific criteria:

a) Specify one or more of the following filters:

§Policy Name contains

§Policy Rule

§Policy Owner

§Show Active policies only

b) Click [Refresh Display].

Now you can:

·open a policy for viewing/editing

·re-register one or more policies

·delete one or more policies.
