Data Loss Prevention

  • 1.  DLP Incidents - managing per-user security

    Posted Mar 10, 2011 09:34 AM

     

    The organization is hoping to push out incident management to business unit managers.

     

    How do you accomplish the following?

     

    1) "Bulk add" users into the DLP solution? If I want to add 100 unit managers, how can this be accomplished?

    (The logon authentication is integrated with Active Directory.)

     

     

    2) Manage the security so that these new users can only see the incidents related to their direct reports.

    (Management structure is up-to-date in Active Directory.)

     

    The only way we see to manage this security is to create individual "roles" for all 100 managers.

     

    Your suggestions?

     



  • 2.  RE: DLP Incidents - managing per-user security

    Posted Mar 10, 2011 10:22 AM

    Regarding #1, I had this requirement with a customer of mine.  They were looking to do a "bulk" upload of between 50 - 100 users, and they also use AD Authentication.  Since there's no standard way, I resorted to creating a script to do it.  I just have them create the list of users in a CSV, including which role they want each user to be in, then parse that out into SQL statements which I run directly on the database to insert the users.  It's not an "ongoing" process, more a one-time load, so it didn't make sense to refine it further than that.

    On #2, you're right.  The only way to do this is to create unique roles for each manager, or department.  Might I suggest that if it's at a level where there are 100s of "units", that maybe you're too low in the organization for this to be effective.  It might require a new organizational role which is responsible for managing DLP incidents across multiple units, etc.  Not that I'm trying to mold the org to accommodate a limitation in the system, but I see a lot of problems with having that many users managing incidents (training, consistency of use, application of standards, etc).  If these were just users from a reporting standpoint, and not actually acting on and remediating incidents, I might suggest use of the Reporting API might be a good alternative and give you a little more flexibility.

    Just my opinion.

    ~Keith
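
The one-time load described in reply 2 (a CSV of users and roles turned into SQL statements), as an added example that is not the poster's script or vendor code. The table `dlp_user_role`, its columns, the role names and the sample rows are hypothetical; because the output is run directly against the database, each row is checked against a role allow-list and a username pattern before a statement is emitted.

```python
import csv
import io
import re

# Constructed sample input: AD login name and the role requested for each manager.
SAMPLE_CSV = """username,role
jsmith,BU-Finance-Manager
o'brien,BU-Sales-Manager
mlee,BU-Sales-Manager
jsmith,BU-Finance-Manager
bad;name,BU-Finance-Manager
kpatel,Sys Admin
"""

# Hypothetical allow-list: only roles approved for this load, so a CSV row
# cannot grant an administrative role by accident or by tampering.
ALLOWED_ROLES = {"BU-Finance-Manager", "BU-Sales-Manager"}
# No backslash, semicolon or whitespace; the apostrophe is allowed and quoted below.
USERNAME_RE = re.compile(r"[A-Za-z0-9._'-]{1,64}")

def sql_literal(value):
    """Quote a value as a standard SQL string literal, doubling single quotes."""
    return "'" + value.replace("'", "''") + "'"

def build_statements(csv_text, allowed_roles=ALLOWED_ROLES):
    """Return (statements, rejected) for a username,role CSV."""
    statements, rejected, seen = [], [], set()
    # Data rows start on line 2 of the file, after the header.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        user = (row.get("username") or "").strip()
        role = (row.get("role") or "").strip()
        if not USERNAME_RE.fullmatch(user):
            rejected.append((lineno, "invalid username"))
        elif role not in allowed_roles:
            rejected.append((lineno, "role not in allow-list"))
        elif user.lower() in seen:
            rejected.append((lineno, "duplicate user"))
        else:
            seen.add(user.lower())
            # Hypothetical table and columns; the real schema is product-specific.
            statements.append(
                "INSERT INTO dlp_user_role (username, role_name) VALUES (%s, %s);"
                % (sql_literal(user), sql_literal(role)))
    return statements, rejected

if __name__ == "__main__":
    stmts, bad = build_statements(SAMPLE_CSV)
    print("\n".join(stmts))
    for lineno, reason in bad:
        print("-- rejected line %d: %s" % (lineno, reason))
```

Keeping the rejected list alongside the generated statements gives a reviewable record of what was and was not loaded.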