Actions
Overview
The actions for a tracking group specify how DryvIQ handles the files in that group. Multiple actions can be applied to the tracking group to force remediation through an approval workflow, or you can take a definitive action against the file as soon as it is assigned to the tracking group.
Understanding Actions
There are seven actions available. Learn more about each below.
Apply Metadata
This action lets you specify the metadata to apply to the file when it is added to the tracking group. This option requires you to configure the data sources assigned to the policy to set the metadata field and value. Refer to Configuring Data Sources: Apply Metadata for more information on configuring data sources for metadata. The Allow configuration to be skipped on individual data sources option allows you to skip adding metadata configuration to data sources that don’t support metadata.
Approval
Select this action to require manual approval. You will choose this option if you want to manually take action against the files in the tracking group. The files are flagged, and you will be responsible for properly remediating the files.
Delay
This option delays any additional actions on the tracking group for the specified time. When selected, you will specify the delay value and interval (seconds, minutes, hours, or days). This option will be used in combination with the move or delete action. For example, you could set the action to delay deleting or moving files in a tracking group for five days to allow for review before the move or deletion occurs.
Delete
DryvIQ will delete files that belong to the tracking group.
Email
DryvIQ will send an email with the specified subject line to the specified email address. The email will include a CSV file listing the items assigned to the tracking group. To use this option, you must have an email server set up in Settings. Email notifications are sent out by the system jobs, which run every two hours.
MPIP Label
This option displays when the mip-classifier extension is installed for your DryvIQ application. It allows you to select the Microsoft Purview Information Protection (MPIP) label you want to assign to the tracking group. The list that appears displays all the available MPIP labels for your account. DryvIQ will create another version of the file and add the label to the “Sensitivity” label.
The MPIP label will only be applied to the following file types.
doc
docm
docx
dot
dotm
dotx
pdf
potm
potx
pps
ppsm
ppsx
ppt
pptm
pptx
vsdm
vsdx
vssm
vssx
vstm
vstx
xla
xlam
xls
xlsb
xlsm
xlsx
xlt
xltm
xltx
xps
If you add new labels to your MIP label library, you must restart the DryvIQ Service Manager to update the label library.
Modify Permissions
DryvIQ will modify the permissions for specified groups and/or accounts. This action requires you to configure the assigned data sources to specify who should be granted permission and the permission level (Read, Read and Write, or Full Control). See Configuring Data Sources: Modify Permissions for more information on configuring this action for the data sources. The Allow configuration to be skipped on individual data sources option allows you to skip adding permission configuration to data sources that don’t support permissions.
When configuring the data source to modify permissions, you can set a single permission level for multiple groups and/or accounts simultaneously. However, you will need to add the Modify Permissions action to the policy multiple times if different permission levels are required. For example, if you need to set all three permission levels (Read, Read and Write, and Full Control), you will need to add the action to the policy three times. You will then configure one action for each permission level.
If you need to scan and apply permissions actions to content that is part of a Microsoft Teams Site, you must use the Microsoft Teams connector in order to properly access your Teams Site's groups.
Permission actions for Microsoft Office/Teams Sites only apply to permissions at the Direct Access level. Site permissions (subgroup level) are not affected by permission actions. If you choose to remove or modify permissions at the Site permission (subgroup) level, you will see a log entry indicating, “No matching permissions were found.” This is because DryvIQ cannot detect the permissions at this level.
Move
DryvIQ will move the files to a specified location. When you select this action, you need to specify the connection and directory where DryvIQ needs to move the files. The Connection list displays 100 connections. If you have more than 100 connections, use the Load more link to display additional connections as needed.
Files cannot be moved into the same data source being scanned, so ensure you select a different data source when setting the move location.
Remediate
DryvIQ will mark the files as remediated. This action indicates that no further action is required. This option will most often be used for files with a low risk level or files with no risk.
Remove Permissions
DryvIQ will remove the specified permissions from a group or account. This action requires you to configure the assigned data sources to specify which users to select from and which permissions to remove. See Configuring Data Sources: Remove Permissions for more information about configuring this action for the data sources. The Allow configuration to be skipped on individual data sources option allows you to skip adding permission configuration to data sources that don’t support permissions.
If you need to scan and apply permission actions to content that is part of a Microsoft Teams Site, you must use the Microsoft Teams connector in order to access your Teams Site's groups properly.
Permission actions for Microsoft Office/Teams Sites only apply to permissions at the Direct Access level. Site permissions (subgroup level) are not affected by permission actions. If you choose to remove or modify permissions at the Site permission (subgroup) level, you will see a log entry indicating, “No matching permissions were found.” This is because DryvIQ cannot detect the permissions at this level.
Remove Shared Links
DryvIQ will remove shared links that allow access to the item. You will select whether to remove all links, internal links, or external links. Not all platforms support shared links, and DryvIQ does not support removing shared links from all platforms. Refer to the table below for the supported platforms and the specific permissions that will be removed, depending on whether internal and/or external permissions are selected for removal.
| Platform | Internal Shared Link Types | External Shared Link Types | Not Supported |
|---|---|---|---|
| Box | People in your company | People with the link | |
| Microsoft Office 365/OneDrive | People in the company with the link | Anyone with the link | |
| Dropbox | Anyone with a link (edit) | Anyone with link (view) | |
| Google Shared Drives | Company | Anyone with the link | Restricted |
DryvIQ does not support removing shared links for Google Drive.
Adding Actions
1. Select the down arrow to expand the Actions section.
2. Select the action you want to apply.
3. For Delay and Move actions, enter the required delay time or location, then select Done.
4. To add another action, select the + under the action you just added and repeat steps 2-3 for each action you want to apply to the tracking group.
5. When you are done adding actions, select Apply changes to save the tracking group.
Editing Actions
Editing is available only for Delay and Move, since these options have additional fields that provide information for the action. To change other actions, you must delete the action and add the desired action.
1. If necessary, select Edit for the tracking group to enable editing.
2. Select the down arrow to expand the Actions section.
3. Select the ellipsis (…) at the end of the action line.
4. Select Edit from the displayed menu.
Deleting Actions
1. If necessary, select Edit for the tracking group to enable editing.
2. Select the down arrow to expand the Actions section.
3. Select the ellipsis (…) at the end of the action line.
4. Select Delete from the displayed menu.
Ordering Actions
Actions will be executed in the order they are displayed in the tracking group. If you add multiple actions to a tracking group, you can reorder them to ensure they are in the proper order if you add them out of sequence.
1. If necessary, select Edit for the tracking group to enable editing.
2. Select the down arrow to expand the Actions section.
3. Hover in front of the action line. Up and down arrows will appear.
4. Click the up arrow to move the action up and the down arrow to move the action down.
Understanding Deferred Actions
When reviewing the scan result details for a file, you may notice the Assignment status is “Processing,” and the activity is labeled “Action deferred.” Deferred actions are actions that await a process before they can be completed. You will see this for the Email action while the system is awaiting the notification to be sent, for the Delay action while the system waits for the specified time to pass, and for the Approval action while the system waits for user approval. If subsequent actions are in the tracking group after the deferred action, they will not be executed until the action is complete and the Data source is scanned again.
The Assignment status will remain “Processing” until a subsequent scan identifies that the action has been completed and that no other actions are pending. At that time, it will be “Complete.”
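The ordering and deferral behaviour described above, modelled as an added example (this is not DryvIQ's code): a simplified replay of scans over an ordered action list, showing when each action fires and when the status changes. The class and function names, the hour-based clock, and the assumption that an Email completes two hours after it is deferred are illustrative.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFERRED = {"Email", "Delay", "Approval"}  # actions the page describes as deferred

@dataclass
class Assignment:
    """Hypothetical model of one file's assignment to a tracking group."""
    actions: list                          # in display order: [(name, arg), ...]
    next_idx: int = 0                      # first action not yet completed
    waiting_since: Optional[float] = None  # hour the current deferred action began
    log: list = field(default_factory=list)

    def _deferred_done(self, name, arg, now, approved):
        if name == "Delay":
            return now - self.waiting_since >= arg  # arg: delay in hours
        if name == "Email":
            return now - self.waiting_since >= 2    # assumed: next two-hourly system job
        return approved                             # Approval waits for a user

    def scan(self, now, approved=False):
        """Run one scan at hour `now`; return the resulting Assignment status."""
        while self.next_idx < len(self.actions):
            name, arg = self.actions[self.next_idx]
            if name in DEFERRED:
                if self.waiting_since is None:      # first time this action is reached
                    self.waiting_since = now
                    self.log.append((now, name, "Action deferred"))
                    return "Processing"
                if not self._deferred_done(name, arg, now, approved):
                    return "Processing"             # later actions stay blocked
                self.waiting_since = None
            self.log.append((now, name, "done"))
            self.next_idx += 1
        return "Complete"

def run(actions, scan_hours, approved_at=None):
    """Replay scans at the given hours; return (status per scan, action log)."""
    a = Assignment(actions)
    statuses = [a.scan(t, approved_at is not None and t >= approved_at)
                for t in scan_hours]
    return statuses, a.log

# Constructed scenario: five-day delay before Delete, data source scanned weekly.
statuses, log = run([("Delay", 120), ("Delete", None)], [0, 168])
```

In the constructed weekly-scan scenario the Delete runs at hour 168 rather than hour 120, because the action after a deferred one only executes on the next scan after the wait has ended. When a Delay guards a Delete or Move, the scan schedule therefore sets how long flagged files actually remain in place.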
