Chat now with support
Chat with Support

Metalogix ControlPoint 8.2 - User Guide

Preface Getting Started with ControlPoint Using Discovery to Collect Information for the ControlPoint Database Cache Searching for SharePoint Sites Managing SharePoint Objects
Accessing SharePoint Pages Viewing Properties of an Object within the SharePoint Hierarchy Creating Dashboards for Monitoring Statistics within Your SharePoint Farm Setting Object Properties Managing Site Collection and Site Features Managing Audit Settings Creating and Managing SharePoint Alerts Setting ControlPoint Alerts Managing Metadata Copying and Moving SharePoint Objects (Version 8.0 and Earlier) Moving a Site Collection to Another Content Database Deleting Sites Deleting Lists Archiving Audit Log Data Before Moving or Deleting a Site Collection Duplicating a Workflow Definition from one List or Site to Others Removing a Workflow from One or More Lists (or Sites)
Using ControlPoint Policies to Control Your SharePoint Environment Managing SharePoint User Permissions Data Analysis and Reporting
Specifying Parameters for Your Analysis Analysis Results Display Generating a SharePoint Summary Report Analyzing Activity Analyzing Object Properties Analyzing Storage Analyzing Content Generating a SharePoint Hierarchy Report Analyzing Trends Auditing Activities and Changes in Your SharePoint Environment Analyzing SharePoint Alerts Analyzing ControlPoint Policies Analyzing Users and Permissions The ControlPoint Task Audit Viewing Logged Errors
Scheduling a ControlPoint Operation Saving, Modifying and Executing Instructions for a ControlPoint Operation Using the ControlPoint Governance Policy Manager (SharePoint 2010 and Later) Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity Default Menu Options for ControlPoint Users About Us

Using ControlPoint Policies to Control Your SharePoint Environment

You can use ControlPoint Policies to prevent and/or send out a notification when an attempt is made to:

·delete a subsite

·exceed a quota imposed on a subsite

·delete documents/items

·create content

·upload a file that exceeds a specified size limit

·additionally, for SharePoint 2010 and later farms:

§create a subsite

§create a subsite with a specific template

§create a subsite after a certain depth

§create or delete a list (optionally, with a specific template)

§upload files of one or more specific types

·additionally, for SharePoint 2013 and later farms:

§add or delete a permission

§add, delete, or update a Permissions Level

§add, delete, or update a SharePoint group

§add or delete SharePoint group members

§break or restore permissions inheritance

You can configure your policy to

·include in the policy—or exclude from the policy—either:

§all users

§specific users and Active Directory groups

§users in one or more SharePoint groups

OR

·exclude from the policy users with a specified Permissions Level.

If Sensitive Content Manager is installed in your environment, you can also create policies to scan content for sensitive policies whenever an item or document is added to—or updated in—a SharePoint list or library.

In a multi-farm environment, you can create and manage ControlPoint policies for the home farm only.

 

Factors to Consider When Creating ControlPoint Policies

Policies that can be Created:

For SharePoint 2010 and later farms, you can create ControlPoint polices to control:

·subsite creation

·creation of subsites with specific templates

·creation of subsites after a certain depth

·subsite deletion

·the creation and deletion of lists

·the enforcement of subsite-level quotas

·the deletion of documents/items (and optionally, attachments)

·content creation, using a custom Web service

·the uploading of files over a specified size

·the uploading of files of one or more specific types

·if Sensitive Content Manager is installed in your environment, the submission of a document/item for sensitive content analysis whenever it is added to—and/or updated in—a list or library

Additionally, for SharePoint 2013 and later farms:

·the adding or deleting of permissions

·the adding, deleting, or updating of Permissions Levels

·the adding, deleting, or updating SharePoint groups

·the adding or deleting of SharePoint group membership

·permissions inheritance breaking or restoring

For SharePoint 2007 farms, you can create policies to control:

·subsite deletion

·the enforcement of subsite-level quotas

·the deletion of documents/items (and optionally, attachments)

·content creation using a custom Web service

Excluding Specific Users from All Policies

ControlPoint Application Administrators can exclude selected users—such as farm administrators—from all policies via the ControlPoint Configuration Setting Users to Exclude from All ControlPoint Policies (CPPOLICYSUPERUSERS).  Refer to the ControlPoint Administration Guide for details.  

NOTE:  Users specified in this setting will always be excluded from all policies, even if they are explicitly added to a policy.

How Policies Impact Operations Performed in ControlPoint

Any action on a SharePoint site that is initiated through ControlPoint is actually carried out by the ControlPoint Service Account rather than the logged in user.  Therefore, if the ControlPoint Service Account is included in a policy, the policy will be enforced for any ControlPoint action that is restricted by that policy (for example, Delete Site and Copy/Move Site--which involves site creation/deletion), regardless of the user who initiated it.

When "Include Children" Applies to Your Scope

Most policies created at the site collection level or above will include all child sites by default. If  a policy is created for a site (other than the root site) or subsite, by default the policy will apply to the selected site and not its child sites.  This behavior is consistent with the model for Selecting Objects on Which to Perform a ControlPoint Operation.

EXCEPTION:  Because the action applies specifically to the creation of child sites, Control Subsite Creation in Certain Depth will always include child sites, regardless of whether "Include Children" is explicitly checked in the Selection panel.

Including and Excluding Users and Active Directory Groups

You can either include or exclude users and/or Active Directory groups from a policy.

Creating Policies That Control Subsite Quota

Subsite-level quotas do not supersede the quota set for an entire site collection.  That is, once a site collection quota is reached, no more content can be added.

NOTE:  Because the contents of Recycle Bins are managed at the site collection level, they are not considered in a subsite-level quota.

Creating Policies That Affect Users Based on Permissions Level

You can only exclude (not include) a SharePoint permissions level from a policy.  

Creating Policies Involving Site Templates

If you want to control the creation of sites that use one or more specific templates, you can choose from any template that has been deployed for the entire farm.   The creation of a site using a certain template cannot literally be "prevented," since it is only upon successful creation of the site that ControlPoint can evaluate the template.  The way ControlPoint enforces this type of policy is by deleting a site that is in violation immediately after it is created.

Creating Content Insertion Policies Using a Custom Web Service

You can create a policy to invoke a custom Web service whenever content in a SharePoint list or library is inserted or updated.  For example, you may want documents and attachments to be scanned for sensitive content and have a notification sent when the policy is violated.

A content insertion policy can be created if:

·the Web service includes the logic necessary to integrate with ControlPoint and is accessible by ControlPoint Service account.  (Details can be found in the guide Running ControlPoint Actions Programmatically.)

AND

·the ControlPoint Configuration Setting Content Creation Policy URL (POLICYSERVICEURL) is populated with the path to the Web Service asmx file.  (Details can be found in the ControlPoint Administration Guide.)

NOTE:  The ControlPoint policy cannot prevent content that violates a policy from being added.

Users Subject to Multiple Polices

If a user is restricted by more than one similar policy, all policies, including the most restrictive one, will be enforced.  

EXCEPTION:  If a policy is created at the list level, any similar policies at a higher scope will be ignored.

Updating or "Re-Registering" a Policy When a New Site Collection or Subsite is Added to the Scope

For a SharePoint 2010 or later farm, whenever you add a Web application or site collection to the scope covered by a policy, you must "re-register" the policy so that the new site collection will be included.  This assigns the new object to the SharePoint event handlers that watch for the actions covered by the policy.  In SharePoint 2010 and later, when a subsite is created the event handlers are automatically propagated to the new site.

For a SharePoint 2007 farm, you must re-register a policy whenever a Web application, site collection or subsite is created.  It is recommended that the re-registering of policies be scheduled to run on a recurring basis to ensure that it occurs regularly.

See Re-Registering a New Site Collection for a Policy.

 

Creating a ControlPoint Policy

Before creating a ControlPoint policy, it is recommended that you review Factors to Consider When Creating ControlPoint Policies.

To create a ControlPoint policy:

1Select the object(s) for which you want to create the policy.

2Choose Automation > Create a ControlPoint Policy.

Create CP Policy

3Complete the Policy section as follows:

a)Select one of the Policy Rules.  Use the information in the following table for guidance.

CP Policy RULES DROPDOWN

If you want to ...

Then ...

control the creation of all new sites

 

(SharePoint 2010 and later)

select Control Subsite Creation.

control the creation of sites based on one or more specific templates

 

(SharePoint 2010 and later)

Select Control Subsite Creation in Selected Template.

Highlight each of the Site Templates you want to include in the policy.

CP Policy SITE TEMPLATES

REMINDER:  The Site Templates list contains all of the templates that have been deployed for the entire farm, and ControlPoint can only "prevent" a policy violation by deleting the site soon after it is created.  

control the creation of sites beyond a certain depth

 

(SharePoint 2010 and later)

§Select Control Subsite Creation in Certain Depth.

§Enter the maximum Site Depth you want the policy to allow.

Policy Rules CREATE DEPTH

control the deletion of a site

select Control Subsite Deletion.

control a subsite-level quota*

§Select Control Subsite Quota.

§Enter the quota (in MB) that you want to set.

Policy Rules CREATE DEPTH

REMINDER: Subsite-level quotas do not supersede the quota set for an entire site collection.  That is, once a site collection quota is reached, no more content can be added.

control the deletion of documents and list items*

§Select Control Document/Item Deletion.

Policy Rules DOC DELETE

§If you want to allow attachments to be deleted from list items, check the Allow Attachments to be Deleted box.

NOTE:  If you leave this box unchecked, users subject to the policy are prevented from both the item itself and any attachments to items.

control the creation of content based on a rule defined for your organization

Select Control Content Creation (Custom).

Policy Rules CONTENT CREATE

REMINDER:  You can only notify but not prevent content in violation of the policy from being created for a policy that uses this rule to be created, the ControlPoint Configuration Setting Content Creation Policy URL (POLICYSERVICEURL) must contain the service url for the rule.  Details can be found in the ControlPoint Administration Guide.

control the creation of a list

 

(SharePoint 2010 and later)

·Select Control List Creation.

·If you want to limit the policy to certain types of lists, highlight on or more List Templates.

CP Policy LIST CREATE

control the deletion of a list

 

(SharePoint 2010 and later)

·Select Control List Deletion.

·If you want to limit the policy to certain types of lists, highlight on or more List Templates.

CP Policy LIST DELETE

control the uploading of any file that exceed a specified size

·Select Control File Upload Size.

·Enter an Upload Size Limit (in megabytes).

CP Policy FILE SIZE

control the changing of:

·Permissions

OR

·Permissions Levels

OR

·SharePoint group permissions or group membership

OR

·Permissions inheritance

 

(SharePoint 2013 and later)

Select the applicable option from the drop-down:

CP Policies PERMISSIONS OPTIONS

control the uploading of files of a particular type

 

(SharePoint 2010 and later)

·Select Control File Upload by Type.

·Enter one or more file type extension(s).  (Enter multiple extensions as a semicolon-separated list.)

CP Policy FILE EXTENSIONS

If Sensitive Content Manager is installed in your environent

·submit a new document/item for scanning whenever it is added to a list or library

AND

·have ControlPoint automatically apply a Compliance Action based on the results of the scan.

A.Select Scan item for sensitive data when content is added.

B.Select a Profile for the scan from the drop-down.

 

See also Using Sensitive Content Manager to Analyze SharePoint Content for Compliance.

·submit a document/item for scanning whenever it is updated or saved in a list or library

AND

·have ControlPoint automatically apply a Compliance Action based on the results of the scan.

A.Select Scan item for sensitive data when content is updated or saved.

B.Select a Profile for the scan from the drop-down.

 

See also Using Sensitive Content Manager to Analyze SharePoint Content for Compliance.

*If you are creating a policy to control subsite quota, content creation, or document/item deletion, ControlPoint must process every event that the policy covers. Therefore, if the scope of the policy is exceptionally large (for example, it covers an entire farm with hundreds of sites, lists, and libraries) or the policy includes sites with a high volume of activity, performance of both ControlPoint and SharePoint may be impacted.

b)Enter a Policy Name and Policy Description.

c)Select either or both of the options described in the following table.

If you want to ...

Then ...

prevent users from violating the policy

leave the Prevent box checked.

If you uncheck this box, the Notify box must be checked, which means that users will be able to carry out the controlled action, but a notification will be sent to the violator and/or user(s) of your choice.

NOTE:  The Prevent option is not available for Control Content Creation.

have an email notification sent to one or more specified users (and optionally, the violator of the policy)

check the Notify box.

4Complete the User Selection section as described in the following table.

REMINDER:  Any user that the ControlPoint Application Administrator has specified as a "super user" in the ControlPoint Configuration Setting Users to Exclude from All ControlPoint Policies (CPPOLICYSUPERUSER) will be excluded from the policy regardless of whether that user is explicitly included in the policy.

If you want the policy to ...

Then ...

include all SharePoint users

select Restrict All.

Policy Users RESTRICT ALL

include or exclude one or more SharePoint users or Active Directory groups

·Select Users/AD Groups.

·Select either Apply policy to selected users or Exclude selected users.

·Select the user(s) and/or AD group(s) you want to include in or exclude from the policy.

Policy Users USERS

exclude a specific Permissions Level

· one of the Permissions Levels from the drop-down.

Policy Users USERS

REMINDER:  You cannot include a permissions level in a ControlPoint policy.

include or exclude one or more SharePoint groups

·Select SharePoint Group Picker.

·Select either Apply policy to selected users or Exclude selected users.

·From the Group Picker, select the SharePoint group(s) that you want to include in or exclude from the policy.

Policy Users GROUP PICKER

5If you checked the Notify box, select the Enforce Policy tab and complete the Distribution Details as described in the following table.

If, when the policy is violated ...

Then ...

you want an email sent to one or more specified recipients

·In the Send To field, select the user(s) you want to notify of a policy violation.

·Complete the Subject and Message fields.

you want a notification of the policy violation to be posted to a document library as a text file

·Complete the Subject and Message fields

·Complete the Add to Library or List field as follows:

§Click [Select] to display the Destination Selection Page pop-up dialog, and select a document library from the Destination Farm Tree.   (Note that only lists and libraries within the current farm for which you have Full Control access display).  

§Select a library from the tree. (You can also enter a full or partial Name or URL to narrow your selection.)

Schedule SELECT LIB

·Click [OK] to dismiss the dialog and populate the field with the full url path to the selected library.

NOTE:  The title of the text file includes the Policy Name along with a date and time stamp.

you want any policy violators to receive an email notification

check the Send To Violator box.

you want any policy violator to receive a customized message

·Check the Use Custom Message To Violator box.

·Complete the Subject and Message fields.

NOTE:  If you leave this box unchecked, violators will receive the same email as any other specified recipient(s).

6Click [Run Now].

After the action has been processed:

·a confirmation message displays at the top of the page, and

·a ControlPoint Task Audit is generated for the action and displays in the Results section.

See also Auditing ControlPoint Administrator Tasks.

 

Managing ControlPoint Policies

The Manage ControlPoint Policies action lets you view ControlPoint policies for a selected scope.  You can:

·view/edit the details of a ControlPoint policy

·delete a policy, and

·re-register policies when a new Web application, site collection or subsite is added.

NOTE:  If you are a Farm Administrator, you will be able to view all policies within the selected scope; otherwise, you will only be able to view policies that you have created.

To manage ControlPoint policies:

1Select the object(s) whose policies you want to manage).

2Choose Automation > Manage Policies.

Manage CP Policies

All of the policies that apply to the selected scope display, along with the following information:

§the Policy Name and Policy Description

§an indication of whether the policy is Active

§the Owner (creator) of the policy

§the policy's Created Date

§the user the policy was last Updated By.

3If you want to narrow the list to include only policies that meet specific criteria:

a)Specify one or more of the following filters:

§Policy Name contains

§Policy Rule

§Policy Owner

§Show Active policies only

Manage CP Policies FILTER

b)Click [Refresh Display]

Now you can:

·open a policy for viewing/editing

·re-register one or more policies

·delete one or more policies.

 

Related Documents