Understanding / managing multiple DLPs applying to an environment
Hi, I am trying to figure out how to manage DLPs across my organisation. Can someone please tell me:
Best practice for creating/applying DLPs across an organisation (see goal below)
How multiple DLPs applied in the same environment resolve
Goal: Limit data sharing/access by default, but allow in certain teams [environments] where required
Current setup: Tenant admin has created DLP#1 that applies to all environments and has the ~10 or so standard O365 apps in the allowed group (“business data only”), and all other apps are in the “no access” group. Salesforce team want to connect SharePoint to Salesforce, and so created an environment (‘Salesforce Team’) and created DLP#2 which allows Salesforce and SharePoint.
Current situation: ‘Salesforce Team’ environment has DLP#1 and DLP#2 applied to it... However even though DLP#2 includes SharePoint and Salesforce in allowed group, my Salesforce->SharePoint Flow will not run as it “conflicts with my organisation policy” (presumably DLP#1?)
How should we manage the above (i.e. create an environment and DLP that allows Salesforce and SharePoint)?
Do DLPs effectively take the minimum allowed set (i.e. has to be allowed in all applied groups to work)?
… If so, when our organisation matures and we say have 20 allowed apps and 20 environments, if team X comes along and wants to connect with the 21st app, does this mean we essentially have to create a bespoke DLP for that (and every) environment, i.e. manually add the allowed 20 apps and then the 21st app to a new DLP and apply this DLP to the environment? So create from scratch every time / no templates or organisation rules to inherit? – This seems a bit poor
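An added example, not part of the post: a small Python model of the Power Platform combination rule for multiple DLP policies (every policy applied to an environment must be satisfied on its own, so a connector in the Blocked group of any applied policy blocks the flow, and the connectors used together must sit in the same data group in each policy), replaying the Salesforce Team setup above and the usual remedy of excluding that environment from the tenant-wide policy. The policy names, the connector list and the environment name are constructed stand-ins, not values from a real tenant.

```python
from dataclasses import dataclass, replace

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-business", "Blocked"

@dataclass
class DlpPolicy:
    name: str
    groups: dict                  # connector -> data group the admin put it in
    scope: str = "all"            # "all", "only" or "all_except" listed environments
    environments: frozenset = frozenset()
    default_group: str = BLOCKED  # group for any connector not explicitly listed

    def applies_to(self, env: str) -> bool:
        if self.scope == "only":
            return env in self.environments
        return self.scope == "all" or env not in self.environments  # all_except

    def group_of(self, connector: str) -> str:
        return self.groups.get(connector, self.default_group)

def flow_violations(policies, env, connectors):
    """Each applied policy is checked on its own: no Blocked connector, and all
    connectors in the flow in one data group. Returns (policy, reason) pairs."""
    found = []
    for p in policies:
        if not p.applies_to(env):
            continue
        groups = {c: p.group_of(c) for c in connectors}
        blocked = sorted(c for c, g in groups.items() if g == BLOCKED)
        if blocked:
            found.append((p.name, "blocked: " + ", ".join(blocked)))
        elif len(set(groups.values())) > 1:
            found.append((p.name, "mixed groups: " + str(groups)))
    return found

# Constructed stand-in for the ~10 standard O365 connectors mentioned in the post.
O365 = ["SharePoint", "Outlook", "Teams", "OneDrive", "Excel"]
DLP1 = DlpPolicy("DLP#1", {c: BUSINESS for c in O365})                 # tenant-wide
DLP2 = DlpPolicy("DLP#2", {"Salesforce": BUSINESS, "SharePoint": BUSINESS},
                 scope="only", environments=frozenset({"Salesforce Team"}))
FLOW = ["Salesforce", "SharePoint"]

def current_setup():
    return flow_violations([DLP1, DLP2], "Salesforce Team", FLOW)

def fixed_setup():
    # Exclude the team environment from the tenant policy so only DLP#2 governs it.
    dlp1 = replace(DLP1, scope="all_except", environments=frozenset({"Salesforce Team"}))
    return flow_violations([dlp1, DLP2], "Salesforce Team", FLOW)
```

In the current setup DLP#1 still applies to the team environment and has Salesforce in its default Blocked group, which is the "conflicts with organisation policy" result; scoping DLP#1 to all environments except the team one clears it.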