Help Center
News
Help Center
News
Popular
Architecture and High-level Information
Scans
Agents
How to Use Dashboards
How to Use Data Asset Inventory
How to Use Tags
What is a Tag?Tag Management - OverviewHow to Create a TagTag ExamplesWhat Conditional Tag filters work best together?Which Conditional Tag filters identify public exposure?Which Conditional Tag Filters Capture Authenticated Users?Which Conditional Tag Filters Capture Contractor Access?Which Trustees are High Risk?How do I Combine Multiple Trustee Filters?How to Manage Your Target TagsHow to Manage the Permissions of a TagHow to View and Search for TagsHow to Edit a TagHow to Delete a TagHow to Filter Tags
How to Manage Business Processes
How to Work with Data Assets and Targets
How to Install\Uninstall and Set Up Spirion Sensitive Data Platform
How to Use Logs
How to Manage Users and Roles
Reports
Settings and Resources
Additional Resources
Release Notes
Reporting API
Customer Support Articles

How do I Combine Multiple Trustee Filters?

Combining multiple trustee filters in a conditional Tag enables you to catch different naming conventions (like "Everyone" vs. "Authenticated Users") while still ensuring the data is actually sensitive and the access is allowed.

To combine multiple ACL: Trustee filters effectively, you must use a combination of Grouped Logic (using parentheses) and OR/AND operators.

  • This enables you to catch different naming conventions (like "Everyone" vs. "Authenticated Users") while still ensuring the data is actually sensitive and the access is allowed.
  • In the Spirion Tag Management interface, you achieve this by adding multiple rows and carefully selecting the logic between them.

The "Best Practice" Structure

When combining trustees, you are usually trying to find any of several high-risk groups. Therefore, you use OR logic between the different trustees, but AND logic for the rest of the requirements.

Example: The "Broad Access" Tag

This conditional Tag catches any file that is open to the entire company OR the general public.

Row

Logic

Field

Operator

Value

1


ACL: Trustee

Contains

Everyone

2

OR

ACL: Trustee

Contains

Authenticated Users

3

OR

ACL: Trustee

Contains

Domain Users

4

AND

ACL: Ace Type

Equals

Access Allowed

5

AND

Unprotected Quantity

Greater Than

0

Key Rules for Combining Trustees

1. Use "OR" for Variations of the Same Concept

If you are looking for "Contractors," they might be called "Contractors," "Vendors," or "External." Link these with OR because a file only needs to have one of these groups to be a risk.

  • Example: Trustee Contains Contractor OR Trustee Contains External

2. Use "AND" to Narrow the Risk

Once you have identified the "Who" (the Trustees), you must use AND to ensure the "How" (Ace Type) and "What" (Quantity) are also true.

  • IMPORTANT! If you use OR for the Ace Type, you get thousands of "False Positives" because the rule triggers if either the trustee is a contractor or if any file anywhere has "Access Allowed."

3. Mind the "Order of Operations"

In the Spirion UI, the logic typically flows from top to bottom.

  • Top Section: List all your Trustees linked by OR.
  • Bottom Section: List your verification filters (Ace Type, Quantity, Authorization) linked by AND.

Advanced Example: The "Ransomware Risk" Combo

This identifies if any high-risk group has the power to change or delete sensitive data.

  • (ACL: Trustee Contains Everyone
    • OR ACL: Trustee Contains Authenticated Users
    • OR ACL: Trustee Contains Guest)
  • AND (ACL: Ace Type Equals Access Allowed)
  • AND (ACL: Authorization Contains Full Control OR ACL: Authorization Contains Modify)
  • AND (Unprotected Quantity > 0)

Troubleshooting Tip: The "Logic Trap"

The most common mistake is setting the logic to:
Trustee Contains Everyone AND Trustee Contains Authenticated Users.

Why this fails: A single permission entry (ACE) usually only has one trustee. If you use AND, you are telling Spirion: "Find me a single permission entry that is simultaneously 'Everyone' and 'Authenticated Users' at the same time." This almost always returns zero results.

Always use OR when listing multiple groups/trustees.

Summary of Logic

  • Multiple Trustees? Use the OR operator.
  • Verifying the Access? Use the AND operator.
  • Confirming the Data? Use the AND operator.


Was this article helpful?

Powered by Product Fruits