Sanctioned DLP Policy Exceptions define when an event, message, or document should be ignored by the policy. Exceptions use the same rule types as the Rules section of the policy, and can be combined with Boolean Logic using Rule Groups. But, Rule Groups used as exceptions do not have associated Severity levels.
You can also add an exclusion to the exception policy, or an allow list, using a predefined dictionary of data identifiers, or you can manually exclude specific data identifiers.
NOTE: Exception rules block the match if anything is matched. Even if the file has a valid data identifier, keyword, or other, and the same file has keywords or content defined in the exception rules in the DLP policy, the whole file is excluded. It will not trigger a policy violation. This is by design.
To add an exception to a policy:
- Choose Policy > DLP Policies.
- Click Actions > Sanctioned Policy > Create New Policy, or click the name of an existing policy to edit it.
- In the Descriptions page, enter a name for the policy, an optional description, select Classifications if available, deployment type, and services the policy should apply to.
- In the Rules page, add a rule.
- Click Add Exception. Select an exception type from the list. (The types available are the same as those listed in DLP Policy Rules and Rule Groups.)