Overview

Employee and Usernames are critical context for Privileges Analysis, Data-in-Use Monitoring, and understanding which ghost or decommissioned employees should not have access to sensitive data.

If you integrate Netskope One DSPM with your employee directory to import employee data, you can link employees to database users discovered by Netskope One DSPM. You can also add context to either using Tags. This information can then be used to trigger policies that determine inside threats or enforce the Principle of Least Privilege.

Linking Employees to Usernames

Linking employees to Usernames can be accomplished in several ways:

• Automatically, as part of your scheduled synchronization with your employee directory
• Adding multiple expected Usernames via CSV upload, which will then auto-map to employees
• Manually, when you adjust the system-defined mappings, as needed.

Currently defined linkages are visible in the All Employees tab of the Employee Management screen, while any Usernames not yet mapped are listed in the separate Un-Linked Users tab. We recommend visiting this screen regularly to identify newly-discovered Usernames to be linked.

Employees could have multiple Username mappings, especially if their expected Usernames match across multiple data stores.

Automatic Linking

Netskope One DSPM will attempt to link employees to Usernames automatically. This is accomplished by:

1. Using the Employee Directory integration to populate the Expected Usernames field for each employee; and
2. Comparing the Expected Usernames field to the Usernames we’ve discovered. Any matches we find will be automatically linked.

If you expand the record for any employee linked to Usernames, you can see which Data Stores are involved per Username.

For details on how to map Okta to the Expected Username field, visit our Integrating with Okta Universal Directory article. For details on how to map Entra ID to the Expected Username field, visit our Integrating with Microsoft Entra ID article.

Adding Multiple Expected Usernames

Integrating with Okta Universal Directory and Integrating with Microsoft Entra ID outline the steps to map multiple expected Usernames via directory sync. Below are additional methods to add and link expected Usernames.

CSV Upload

Take the following steps to add multiple expected Usernames and automatically link them with employees.

1. Navigate to the User Identity > Employee Management.
2. Click the Add Expected Usernames icon.  

3. Drag and drop or select from your computer a CSV file containing employee email addresses and their corresponding expected Usernames. Download the CSV mapping template if you would like to reference an example.
4. Click SAVE.
5. Expected Usernames from the uploaded file automatically map to corresponding employees and will appear in their record on the Employee Management page.

Manual Linking

In some instances, you may wish to link employees to Usernames manually. Common scenarios include:

• The automatic linking was incorrect and requires manual correction. For example, you may have an employee named John Smith with the expected Username of “jsmith”. Depending on the data store, “jsmith” might actually represent a different user such as “Jane Smith”, which you would want to switch to the appropriate employee.
• The automatic linking wasn’t able to find a match. For example in one data store, John Smith’s Username might be defined as “johns”. You can manually add such links.
• Adding additional Usernames or expected Usernames to the employee record.

To edit an employee’s links to Usernames:

1. Navigate to the User Identity > Employee Management.
2. Click on the All Employees tab.
3. For the employee in question, click the Edit icon within the Actions column.
4. The Employee Details modal is displayed.
5. Click NEXT to move to the Usernames tab.
6. To add a Username, use the dropdown below Add Usernames and select which you would like to add. Be sure to note of the Data Store name next to each Username, to ensure you’re picking the correct value. 
7. Click the ADD button.
8. To remove an existing link, click its Delete icon.
9. Click NEXT. 
10. On the Expected Usernames tab, you can manually add expected Usernames. Separate by hitting Return/Enter.
11. Click the SAVE button.

Alternatively, you can also create these links starting with the Username:

1. Navigate to the User Identity > Employee Management screen.
2. Click on the Un-Linked Users tab.
3. For the User in question, click the LINK hyperlink within the Actions column.
4. Select Directory Employee Information
5. Use dropdown below Employee to select which employee you want to link, then click SAVE when ready.

Once the link is complete, the Username will be removed from the Un-Linked Usernames tab, and instead be included in the All Employees tab.  

Tagging Employees and Usernames

Employee Tags are a way to group and organize employees. These Tags can be used within:

• Policy Management, to drive alerts based on condition matches 
• Employee Administration, to categorize employees so Policy conditions can reference them

To edit the Tags for either an Employee or Unlinked User:

1. Navigate to the User Identity > Employee Management screen.
2. Select one of the following tabs:
   1. All Employees tab
   2. Un-Linked Usernames tab
3. For the record in question, click the Edit icon within the Actions column.
4. The Edit Employee Details modal is displayed.
5. Click the Tags field, then select one or more Employee Tags.
6. Click the NEXT button.

Alternatively, you can click the Employee Tags field directly from either tab's list, then use the selection control to pick one or more Employee Tags.