Skip to content

Examples: Security & Compliance

End-to-end policy examples for regulated data, data motion, and audit controls.

What You'll Learn

  • How to combine data classification, watermarking, and clipboard rules for regulated data
  • How to configure residency-aware audit pipelines and failure policies
  • How to scope policy change requests to specific paths

Regulated Data: ITAR/CUI (Classification-Aware and Watermark)

Map provider labels (for example, Purview) to normalized enums, enforce clipboard denies for classified content, and apply dynamic watermarks with PII redaction.

Configuration

Global provider integration and mappings:

json
{
  "configuration": {
    "dataClassification": {
      "onClassificationFailure": "deny",
      "onUnknownClassification": "deny",
      "providers": [
        { "id": "corp-purview", "type": "purview", "confidenceThreshold": 0.8, "cacheTtlSeconds": 30 }
      ],
      "mappings": [
        { "providerId": "corp-purview", "externalLabelId": "11111111-2222-3333-4444-555555555555", "normalized": ["CUI", "CUI//SP-CTI"] },
        { "providerId": "corp-purview", "externalLabelId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "normalized": ["ITAR"] }
      ]
    }
  }
}

Deny clipboard OUT for ITAR or CUI:

json
{
  "configuration": {
    "launch": { "runtime": { "dataMotion": {
      "settings": { "clipboard": { "enabled": true, "defaultAction": "deny" } },
      "rules": [
        { "id": "clip-deny-cui-itar-out", "enabled": true, "priority": 1000, "channel": "clipboard", "direction": "out", "match": { "classifications": { "normalized": ["CUI", "ITAR"] } }, "action": { "type": "deny" } }
      ]
    } } }
  }
}

Dynamic CUI watermark with hashed UPN (screen capture):

json
{
  "configuration": {
    "launch": { "runtime": { "dataMotion": {
      "settings": {
        "screenCapture": {
          "enabled": true,
          "mode": "foreground-only",
          "watermark": {
            "text": "CUI//SP-CTI\nControlled by: {Organization}\n{User.UPN|hash(8)} @ {Timestamp.UTC}",
            "opacity": 0.3,
            "persistent": true,
            "style": "diagonalRepeating",
            "variablesAllowlist": ["Organization","User.UPN","Timestamp.UTC"],
            "redactionDefaults": { "pii": "hash", "hashAlgorithm": "sha256", "salt": "env:PII_SALT" }
          },
          "blurBackground": true
        }
      }
    } } }
  }
}

Effective Behavior

  • Classification provider is required; unknown classifications are denied due to onUnknownClassification: "deny".
  • Labels from the corp-purview provider map into normalized values such as ["CUI", "CUI//SP-CTI"] and ["ITAR"].
  • Clipboard data classified as CUI or ITAR is denied on outbound clipboard operations.
  • Screen capture uses a CUI watermark that:

For a complete policy combining all CMMC/ITAR features, see: CMMC/ITAR Deployment Profile.

  • Displays organization and a hashed UPN.
  • Applies redaction defaults for PII with the specified hash algorithm and salt.
  • Applies only to the foreground window if mode: "foreground-only" remains configured.

Audit Trails (Selected Examples)

Configure baseline audit behavior, residency rules, failure policies, and policy change requests.

Minimal Global Audit Settings With Residency and Local Diagnostics Buffer

json
{
  "configuration": {
    "launch": { "runtime": {
      "audit": {
        "settings": {
          "enabled": true,
          "level": "standard",
          "dataResidency": {
            "enforceByMetadata": true,
            "allowedCountries": ["US","GB","IN","CN","BR"],
            "forbidInternationalTransfers": false
          },
          "export": { "mode": "platform", "localDiagnostics": { "enabled": true, "maxSizeMb": 100 } }
        }
      }
    } }
  }
}

Block Screen Sharing if the Audit Pipeline Is Unhealthy

json
{
  "configuration": {
    "launch": { "runtime": {
      "audit": {
        "settings": {
          "enabled": true,
          "failurePolicy": { "onFailure": "degrade", "requireHealthyFor": ["screenShare"] }
        }
      }
    } }
  }
}

Enable Policy Change Requests (Allow Only Data-Motion Rules and Capabilities)

json
{
  "configuration": {
    "launch": { "runtime": {
      "audit": {
        "changeRequests": {
          "enabled": true,
          "requireJustification": true,
          "allowedPaths": [
            "apps[*].capabilities",
            "configuration.launch.runtime.dataMotion.rules[*]"
          ],
          "payloadFormat": "policyIntent",
          "attachContext": { "lastDenyEventRef": true, "includeRedactedDetails": true }
        }
      }
    } }
  }
}

Effective Behavior

  • Audit is enabled at the runtime layer with a standard level.
  • Data residency is enforced based on metadata; only events associated with allowedCountries are permitted under the configured rules.
  • Local diagnostics buffer is enabled and capped by maxSizeMb.
  • When the audit pipeline is unhealthy:
    • The failure policy degrades capabilities and requires a healthy pipeline for screenShare.
    • Screen sharing is blocked while other behavior follows degrade semantics.
  • Change requests:
    • Are enabled and require justification.
    • Are scoped to apps[*].capabilities and configuration.launch.runtime.dataMotion.rules[*].
    • Use the policyIntent payload format with contextual information from the last deny event attached when available.

See also: