Appearance
Examples: Security & Compliance
End-to-end policy examples for regulated data, data motion, and audit controls.
What You'll Learn
- How to combine data classification, watermarking, and clipboard rules for regulated data
- How to configure residency-aware audit pipelines and failure policies
- How to scope policy change requests to specific paths
Regulated Data: ITAR/CUI (Classification-Aware and Watermark)
Map provider labels (for example, Purview) to normalized enums, enforce clipboard denies for classified content, and apply dynamic watermarks with PII redaction.
Configuration
Global provider integration and mappings:
json
{
"configuration": {
"dataClassification": {
"onClassificationFailure": "deny",
"onUnknownClassification": "deny",
"providers": [
{ "id": "corp-purview", "type": "purview", "confidenceThreshold": 0.8, "cacheTtlSeconds": 30 }
],
"mappings": [
{ "providerId": "corp-purview", "externalLabelId": "11111111-2222-3333-4444-555555555555", "normalized": ["CUI", "CUI//SP-CTI"] },
{ "providerId": "corp-purview", "externalLabelId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "normalized": ["ITAR"] }
]
}
}
}Deny clipboard OUT for ITAR or CUI:
json
{
"configuration": {
"launch": { "runtime": { "dataMotion": {
"settings": { "clipboard": { "enabled": true, "defaultAction": "deny" } },
"rules": [
{ "id": "clip-deny-cui-itar-out", "enabled": true, "priority": 1000, "channel": "clipboard", "direction": "out", "match": { "classifications": { "normalized": ["CUI", "ITAR"] } }, "action": { "type": "deny" } }
]
} } }
}
}Dynamic CUI watermark with hashed UPN (screen capture):
json
{
"configuration": {
"launch": { "runtime": { "dataMotion": {
"settings": {
"screenCapture": {
"enabled": true,
"mode": "foreground-only",
"watermark": {
"text": "CUI//SP-CTI\nControlled by: {Organization}\n{User.UPN|hash(8)} @ {Timestamp.UTC}",
"opacity": 0.3,
"persistent": true,
"style": "diagonalRepeating",
"variablesAllowlist": ["Organization","User.UPN","Timestamp.UTC"],
"redactionDefaults": { "pii": "hash", "hashAlgorithm": "sha256", "salt": "env:PII_SALT" }
},
"blurBackground": true
}
}
} } }
}
}Effective Behavior
- Classification provider is required; unknown classifications are denied due to
onUnknownClassification: "deny". - Labels from the
corp-purviewprovider map into normalized values such as["CUI", "CUI//SP-CTI"]and["ITAR"]. - Clipboard data classified as
CUIorITARis denied on outbound clipboard operations. - Screen capture uses a CUI watermark that:
For a complete policy combining all CMMC/ITAR features, see: CMMC/ITAR Deployment Profile.
- Displays organization and a hashed UPN.
- Applies redaction defaults for PII with the specified hash algorithm and salt.
- Applies only to the foreground window if
mode: "foreground-only"remains configured.
Audit Trails (Selected Examples)
Configure baseline audit behavior, residency rules, failure policies, and policy change requests.
Minimal Global Audit Settings With Residency and Local Diagnostics Buffer
json
{
"configuration": {
"launch": { "runtime": {
"audit": {
"settings": {
"enabled": true,
"level": "standard",
"dataResidency": {
"enforceByMetadata": true,
"allowedCountries": ["US","GB","IN","CN","BR"],
"forbidInternationalTransfers": false
},
"export": { "mode": "platform", "localDiagnostics": { "enabled": true, "maxSizeMb": 100 } }
}
}
} }
}
}Block Screen Sharing if the Audit Pipeline Is Unhealthy
json
{
"configuration": {
"launch": { "runtime": {
"audit": {
"settings": {
"enabled": true,
"failurePolicy": { "onFailure": "degrade", "requireHealthyFor": ["screenShare"] }
}
}
} }
}
}Enable Policy Change Requests (Allow Only Data-Motion Rules and Capabilities)
json
{
"configuration": {
"launch": { "runtime": {
"audit": {
"changeRequests": {
"enabled": true,
"requireJustification": true,
"allowedPaths": [
"apps[*].capabilities",
"configuration.launch.runtime.dataMotion.rules[*]"
],
"payloadFormat": "policyIntent",
"attachContext": { "lastDenyEventRef": true, "includeRedactedDetails": true }
}
}
} }
}
}Effective Behavior
- Audit is enabled at the runtime layer with a
standardlevel. - Data residency is enforced based on metadata; only events associated with
allowedCountriesare permitted under the configured rules. - Local diagnostics buffer is enabled and capped by
maxSizeMb. - When the audit pipeline is unhealthy:
- The failure policy degrades capabilities and requires a healthy pipeline for
screenShare. - Screen sharing is blocked while other behavior follows degrade semantics.
- The failure policy degrades capabilities and requires a healthy pipeline for
- Change requests:
- Are enabled and require justification.
- Are scoped to
apps[*].capabilitiesandconfiguration.launch.runtime.dataMotion.rules[*]. - Use the
policyIntentpayload format with contextual information from the last deny event attached when available.
Related Topics
See also:
