Question

Real-Time Leavers DLP Monitoring Policy Enforcement

  • July 2, 2026

akshays_singh-7f69324f

Background:

We have Netskope SMTP DLP, Endpoint DLP, and Microsoft Exchange integrated with Netskope. Users are currently imported via Directory Importer (LDAP/AD) with a synchronization interval of 180 minutes.

Use Case

We are implementing a Leavers Email and Endpoint Monitoring Policy (Monitor/Allow mode only). When HR raises a MyAccess request, the user is automatically added to a dedicated LDAP group. The Netskope policy is configured against this group.

The challenge is that policy enforcement is delayed until the next Directory Import sync, which can take up to 60 minutes. Our requirement is for the policy to become effective immediately after the user is added to the LDAP group.

Options Considered

  • SCIM Provisioning: We considered using SCIM to provision the specific leavers group and apply policies based on SCIM group membership. However, our understanding is that users already imported through Directory Importer should not also be provisioned through SCIM, as this could create identity conflicts and potentially impact Netskope Client behavior.
  • Netskope Custom Group + API Automation: We are also considering creating a Netskope Custom Group and having the MyAccess workflow directly add users to this group via Netskope APIs instead of them being populated in the LDAP group. This would eliminate dependency on Directory Import synchronization and potentially enable immediate policy enforcement.

Questions

  1. Has anyone implemented a similar use case using SCIM, APIs, or another automation mechanism so that policy enforcement is immediate?
  2. Can we integrate MyAccess with Netskope so the users are added directly to a Netskope custom group instead of LDAP?