
Secure Access Service Edge:Get Started with Data Protection

Last Updated: Jun 17, 2026

Configure SASE (Secure Access Service Edge) data protection to monitor outbound transfers of sensitive data in real time, identify data breach risks, and secure your corporate data.

Use cases

  • Sensitive outbound file transfer detection: Prevent employees from transferring sensitive files through instant messaging tools, email, cloud storage services, and other channels.

  • View audit logs: Record and analyze sensitive outbound file transfer activity to identify potential data breach risks.

Prerequisites

  • You have purchased the Data Protection for Internet Access edition of SASE. For more information, see Billing overview of SASE and Getting started.

  • The SASE App installed on your corporate endpoints is version 4.3.1 or later.

Procedure

Step 1: Add an identity source

An identity source authenticates enterprise employees. SASE supports third-party and self-managed identity sources, including LDAP, DingTalk, WeCom, Lark, IDaaS, and custom identity sources. If your business uses multiple identity sources, you can add all of them so that employees from each source can log on to SASE with their own identities.

This topic uses a custom identity source as an example.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Identity Authentication > Identity Access.

  3. Click the Identity synchronization tab, and then click Create IdP.

  4. In the Create IdP panel, select Custom IdP, and then click Configure.

  5. In the Basic Configurations section, configure the IdP Name and IdP Status parameters as described in the following table. Then, click Next.

    Parameter

    Description

    IdP Name

    The name of the custom identity source.

    Must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    IdP Status

    The status of the identity source. Valid values:

    • Enabled: You can enable this identity source only if no other custom identity source is currently enabled.

    • Closed (disabled): If another custom identity source is already enabled, you must set the new one to Closed. To enable the new one, first disable the other custom identity source.

      Important

      If you disable a custom identity source, end users cannot use the SASE App to access internal applications. Proceed with caution.

  6. In the Logon Settings section, configure the logon methods.

    Parameter

    Description

    PC Logon Method

    Supports Logon with Account and Password and Password-free Logon.

    • When using account and password logon, you can enable Two-factor Authentication. Valid values:

      • OTP-based Authentication: If you enable this option, you must select an OTP Mode. The following modes are supported:

        • Allow the SASE mobile app to display tokens: SASE has a built-in OTP and requires employees to install the SASE mobile app.

        • Allow third-party app tokens: Ensure the OTP client's clock is synchronized. Standard OTP applications, such as the Alibaba Cloud app, are supported.

        • Allow enterprise-owned tokens: To use your in-house OTP solution, contact technical support for assistance with configuration.

      • Verification Code-based Authentication: Supports verification codes sent via SMS and email. Ensure that each user in the identity source has a configured mobile phone number or email address.

    • When using password-free logon, users must first download and log on to the SASE mobile app, and then scan a QR code to authenticate.

    Mobile Device Logon Method

    Supports Logon with Account and Password and Fingerprint or Face Recognition.

    • When using account and password logon, you can enable Two-factor Authentication. Valid values:

      • OTP-based Authentication: Before you enable OTP-based Authentication for mobile devices, you must enable OTP-based Authentication for PCs and select either Allow third-party app tokens or Allow enterprise-owned tokens. The token configuration for mobile devices mirrors the one for PCs.

      • Verification Code-based Authentication: Before you enable Verification Code-based Authentication, ensure that each user in the identity source has a configured mobile phone number or email address.

    • When using fingerprint or face recognition, users must still enter their account name and password during their first logon to the SASE App.

  7. Click OK to save the configuration.

Step 2: Add a user group

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Identity Authentication > Identity Access.

  3. On the User Group Management tab, click Create User Group.

  4. In the Create User Group panel, enter the user group information as described in the following table.

    Parameter

    Description

    User Group Name

    The name of the user group.

    Description

    The description of the user group.

    Group Scope

    The scope of the user group. Valid values:

    • Organizational Structure: The existing organizational structure is displayed below. Select the departments or structures to include.

    • Account Name: The Configure Account Name input box is displayed below.

    • Email Address: The Configure Email Address input box is displayed below.

    • Mobile Phone Number: The Configure Mobile Phone Number input box is displayed below.

    Configure Relationship

    The relationship for the user group. Valid values:

    • Equal To

    • Not Equal To

  5. Click OK.

Step 3: Review data classification rules

SASE provides built-in identification rules to detect common types of corporate, customer, and personal data. Review these rules to understand their scope. You can also create custom identification rules to detect specific data, such as outbound file transfers that contain personal resumes.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Data Protection > Data Classification.

  3. On the Data Classification > Identification Rules tab, go to the Data Category section on the left to view the details of the built-in identification rule for personal resumes.

Step 4: Configure an outbound file transfer policy

The sensitive file detection feature of SASE identifies sensitive files based on data elements. SASE combines data elements, data types, and sensitivity levels into data templates. These templates, together with response actions, form policies that detect when employees transfer sensitive files.

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Data Protection > Policy Center.

  3. On the Policy Center > Outbound Transfer Management tab, click Create Policy.

  4. In the Create Policy panel, create an outbound file transfer policy as described in the following table. Then, click OK.

    Parameter

    Description

    Policy Information

    Policy Name

    The name of the policy.

    Policy Description

    A description of the policy.

    Risk Level

    The risk level of the policy. Four levels are available:

    • Extremely High: Outbound events from pre-departure user groups, outbound events from extremely high-risk user groups, outbound events involving L4 files, and similar events.

    • High: Outbound events from high-risk user groups, outbound events involving L3 files, and similar events.

    • Medium: Outbound events from medium-risk user groups, outbound events involving L2 files, and similar events.

    • Low: Catch-all events for all other outbound traffic.

    Action

    The action to take when the policy is triggered. Four actions are available:

    • Audit Only

    • Audit and Prompt

    • Block and Notify

    • Block Only

    If you select Block and Notify or Block Only, you must also select a block type: Block All or Intelligently Block.

    • Block All: The SASE App intercepts and audits all outbound file activities in real time.

    • Intelligently Block: The SASE App blocks files in real time based on the sensitive file characteristics defined in the data template. To make selective blocking possible, the SASE App first scans the files on the endpoint and tags them with sensitivity levels. Until that scan completes, the selective blocking policy is not yet in effect and all outbound files are blocked by default. The scanning and tagging are performed locally on the endpoint and are not reported.

    Source File Retention

    Specifies whether to save the original outbound file.

    Retain Screenshot File

    Specifies whether to save screenshot evidence.

    Status

    The status of the policy. Valid values:

    • Enabled: The policy takes effect, and SASE scans files based on the policy.

    • Disabled: The policy is inactive.

    Data Identification Rule Settings

    Data Identification Rule

    Select an existing identification rule. To learn how to create one, see Configure detection rules for outbound file classification and categorization.

    Transmission Channel

    Select the transmission channels to monitor. The policy applies to files transferred through any selected channel. You can select all or some of the following supported channel types:

    Instant messaging (software), email (software), FTP, network share, printing, mobile storage, cloud drive (software), cloud notes (software), remote desktop, code hosting (software), large language model (software), cloud drive (web), email (web), code hosting (web), cloud notes (web), cloud blogs, large language model (web), social media, instant messaging (web), and others.

    Effective Scope

    User Group

    Select the user group to which the policy applies.

    Approval Process Configuration

    Specifies whether employees can request approval for a blocked file transfer.

    If this option is enabled, you must select an approval workflow. For information about how to create an approval workflow, see Configure an approval workflow.

    Prompt Display Configuration

    Configure the notification message displayed to users when a file transfer is blocked. You can set messages in both Chinese and English.
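The following added example models how an outbound transfer policy of the kind described in Steps 3 and 4 makes its decision. It is illustrative code written for this page, not SASE's own implementation: the resume identification rule, the sensitivity levels, the `Policy` fields and the sample text are all constructed assumptions, chosen to show the Block All, Intelligently Block and pending-scan cases.

```python
"""Illustrative model of an outbound transfer policy decision (not SASE code)."""
from dataclasses import dataclass
import re

# Constructed identification rule: a file is treated as a personal resume when
# at least two of these data elements appear in its text.
RESUME_ELEMENTS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[- ]?\d{4}[- ]?\d{4}\b"),
    "education": re.compile(r"\b(bachelor|master|university|degree)\b", re.I),
    "experience": re.compile(r"\b(work experience|employment history)\b", re.I),
}
LEVELS = ["L1", "L2", "L3", "L4"]  # sensitivity levels, low to high

# Constructed sample input, not a real document.
SAMPLE_RESUME = "Jane Doe, jane@example.com, 138-0000-0000, Bachelor of Science"

def classify(text: str) -> tuple[str, list[str]]:
    """Return (sensitivity level, matched data elements) for a file's text."""
    hits = [name for name, rx in RESUME_ELEMENTS.items() if rx.search(text)]
    level = "L3" if len(hits) >= 2 else "L1"  # assumed template: resume = L3
    return level, hits

@dataclass
class Policy:
    name: str
    user_groups: set        # effective scope
    channels: set           # transmission channels to monitor
    min_level: str          # lowest sensitivity level that triggers the policy
    action: str             # "Audit Only", "Audit and Prompt", "Block and Notify", "Block Only"
    block_type: str = "Intelligently Block"  # or "Block All"

def evaluate(policy: Policy, user_group: str, channel: str, text: str,
             scan_complete: bool) -> dict:
    """Decide what the endpoint does with one outbound file transfer."""
    if user_group not in policy.user_groups or channel not in policy.channels:
        return {"hit": False, "decision": "allow"}
    level, hits = classify(text)
    blocking = policy.action.startswith("Block")
    if blocking and policy.block_type == "Block All":
        return {"hit": True, "decision": "block", "level": level, "reason": "Block All"}
    if blocking and not scan_complete:
        # Intelligently Block cannot be selective until endpoint files are
        # tagged, so every outbound file is blocked in the meantime.
        return {"hit": True, "decision": "block", "level": level, "reason": "scan pending"}
    if LEVELS.index(level) < LEVELS.index(policy.min_level):
        return {"hit": False, "decision": "allow", "level": level}
    return {"hit": True, "decision": "block" if blocking else "audit",
            "level": level, "elements": hits, "reason": "template match"}
```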

Step 5: View audit logs

After you complete the configuration, view the detection results for sensitive outbound file transfers in the audit logs.

  1. In the left-side navigation pane, choose Log Analysis > Log Audit.

  2. On the Log Audit > Sensitive File Detection tab, view the audit logs. You can select a time range, such as Last Hour, Last 6 Hours, Last Day, Last 7 Days, or Last Month.

  3. In the Actions column of an outbound file transfer event, click Details to view information such as Sensitive Message, Screenshot Evidence, Hit Policy, Office Terminal, Outbound Transfer Channel, and Account Information.
