Solved: Duplicating DLP's

grantreid · ‎01-03-2021

I wanted to check that I'm approaching this the right way and haven't missed something....

We have a default DLP which is applied to the default and newly created environments. However, whenever someone wants a custom connector in their prod environment, a new DLP has to be created to allow it. This requires all 50ish connectors from the default DLP to be added to this new DLP, along with the custom connector.

I find it frustrating the DLP's are exclusive not inclusive. Now... every time we make a change to the default DLP, whenever a new Microsoft connector is added or changed, we have to update every other DLP!!!! I find this counter productive.

1. Is there a way to copy DLP's? I'm currently sitting here with split screens, with the new and old side by side manually mirroring the business connectors. I'm pondering creating a powershell script...

2. Am I correct with the "exclusive" aspect? What's the logic with this? Shouldn't it be that you have a base level DLP which applies across the board and in Environment X, you can also use connector Y granted by an additional DLP? This would be a more common scenario than needing to reduce/restrict the default DLP connectors.

RossCampbell · ‎05-17-2022

In the interest of anyone else trying to figure this out i finally got something that works. It creates a new environment and copies a DLP of your choice to that env. The new DLP sets the default connector group to blocked also.

Bare in mind i haven't ever worked in Powershell, or with the PowerAppsAdmin module, before. I make no assertions around the following and you should test them yourself before using them.

2 files are attached:

'function Add-ConnectorToDataGroup_v2'.txt' - run this first to create the requisite functions (you may have to run the commented install, import & add commands in 'NewEnvAndDlp_v1.txt' first).
'NewEnvAndDlp_v1.txt' - run this, it will prompt you for new environment name & description, new DLP name and the name of the DLP you want to copy [hint: this performs a search of type *query* on existing policies, my standard DLP is called 'Restricted(Default) - DLP' so i can simply enter 'default' ] . Make sure that the return codes you get are of the '200' type (as shown in attached image 'Expected.png').

View solution in original post

v-bofeng-msft · ‎01-04-2021

Hi @grantreid :

About Q1:

I'm not sure what copy DLP means. If you want to apply the same DLP to multiple environments, then this can be done.Just set the scop of the specified DLP, and then configure it:

About Q2:

If there are multiple DLPs in an environment, these DLPs need to be satisfied at the same time.

I think this link will help you a lot:

Combined effect of multiple DLP policies

Best Regards,

Bof

grantreid · ‎01-04-2021

Hi Bof

No problems adding or excluding DLP's across multiple environments. Where I getting stuck is if someone wants an additional connector which is allowed only in their environment, I can't add it to the standard DLP which is applied across multiple. So, a new DLP is required.

please correct me if I'm wrong:

If the default policy A (applied across multiple environments) has the 50 (roughly) family of Microsoft standard connectors set as "Business" and I create policy B with 1 custom connector in "Business", the result is they negate each other and 0 connectors are in the Business category.

If I want all 50 connectors from policy A to be allowed to work with the 1 custom connector, all 50 Microsoft connectors have to be added to policy B?

v-bofeng-msft · ‎01-04-2021

Hi @grantreid :

I think I roughly understand what you mean. You want to increase the number of connecotors that can be used simultaneously by adding DLPs. Am I right?

If so,the answer is 'No'.In other words, your app must satisfy the rules of DLPA, B, C ...at the same time.

For example:

DLPA

Bussiness:A,B

Non Bussiness:C,D

DLPB

Bussiness:A

Non Bussiness:,B,C,D

Then A and B cannot appear in the same app,because it violates the rules of DLPB.

However,there is another situation where DLPA and DLPB are opposite.

DLPA

Bussiness:A,B

Non Bussiness:C,D

DLPB

Bussiness:C,D

Non Bussiness:A,B

Then, since A and B do not violate any DLP rules, they can appear in the same application.

So if you want to use 51 connectors, I suggest you remove the original DLP and then add a new DLP. Or directly modify the original DLP.

Best Regards,

Bof

grantreid · ‎01-05-2021

Yes.. this is exactly my point, you've finally reached the same conclusion.... you need to add a new DLP with all of the same connectors as the default. We're not going to modify the original DLP as we don't want the majority of the users accessing this additional connector.

Every time someone wants something slightly different, I have to create a new DLP, which means duplicating all of the default connectors. As far as I'm aware, this is a manual process of clicking "add to business" for 50ish connectors. This is time consuming. Also... every time Microsoft changes one of their family of connectors, retires something and adds a new one, I have to update all of the other customized DLPs. For a platform pushing automation, this is mental. So back to the original questions:

1. There should be a way to copy a DLP.

2. DLP's should be inclusive, not exclusive. There should be a default DLP applied across all environments (maybe some are excluded if required) and if you want to customize something, you can add a second DLP. This would be the same concept as standard Security Groups.

v-bofeng-msft · ‎01-05-2021

Hi @grantreid :

I am afraid that your request cannot be realized at the moment. If you need this feature, I suggest you post your ideas to the idea form.

Best Regards,

Bof

LarsHem · ‎03-09-2022

@grantreid did you find a solution for this? We are struggling with the same and started to look into the "power platform for admins" connector to see if we could use some logic there.

grantreid · ‎03-10-2022

I set up some powershell scripts to export a list of connectors as the 'default' DLP. If someone wants an environment with something different, can just build a new DLP with powershell from this list and add the additionals.

LarsHem · ‎03-14-2022

Update from our side.

We decided to create a flow to copy all "settings" from our Default policy, create a new dlp and add selected environments to the new DLP and remove the selected environment from the Default policy.

Selecting environment, giving the new policy a name and executing the flow is done in a new screen we added to the CoE DLP Editor.

Any changes to the DLP (primarly adding new connectors to Business) must be done manually in DLP Editor in Coe after the new DLP is created.

RossCampbell · ‎05-16-2022

any chance you feel like sharing?

i've been trying to do this and can create the new dlp and apply all business connectors but not modify non-business and blocked connectors

Duplicating DLP's

Helpful resources

Power Apps News & Announcements

Introducing the Community Calls Conversations

Power Apps Community Blog