Overview
Users can control how their personal data is collected and displayed in tyGraph tools. This capability offers a flexible solution to allow detailed tyGraph reports that satisfy organizational and GDPR requirements. The logic for controlling user data is defined by your organization's tyGraph Administrators.
TABLE OF CONTENTS
- Overview
- Data Protection Levels
- Organization Settings
- Viewing Data Protection Status
- Changing Data Protection Status
- User Data Omission (Custom Only)
- URL References
- Appendix A
Applicable Products
tyGraph Data Protection settings are applied uniformly across all compatible licensed tyGraph products for your organization by default. You can pick and choose which products have Obfuscation applied and leave other products Un-obstructed.
Data Protection supported products:
- tyGraph for Teams
- *Must have reporting database[1]
- tyGraph for SharePoint
- tyGraph for Yammer
- tyGraph Pulse
- tyGraph for OneDrive
- tyGraph Call Insights *Un-obstructed and Obfuscation Only*
[1] Standard deployments include a harvest database and reporting database. If the Power BI report is pointed to the same database as harvesting, then careful consideration needs to be made before applying Teams Data protection.
Data Protection Levels
There are three possible levels of data protection.
Un-obstructed
No logic is applied to hide or remove a user’s information or activity. A user’s attributes can be viewed in reports and their data is counted exactly as in reality.
Obfuscation
All data is collected and counted. All identifying information about that user is replaced with a random number. By default, obfuscation is applied to all user attributes except Country and Country code. As a custom feature, you can choose additional non-identifying user attributes, such as Department, Business Unit, City, etc., to be exposed for the Organization.
Opt-Out
Only data generated by opted-in users is reported. Personal and activity data for opted-out users is entirely removed from reporting. This removal is far reaching and affects the products in the following ways:
- Transactions:
- Teams, SharePoint, and/or Yammer activity where the user is opted out is not reported.
- tyGraph for Yammer:
- Examples:
- Messages and likes on messages that the user posted are removed.
- Likes made by non-opt-out users on a message posted by an opted-out user are removed.
Example: William (not opted out) likes Martha’s (opted out) message. William’s like is not counted for William.
- Praises given to a non-opt-out user by an opted-out user are not counted and vice versa.
- tyGraph Pulse:
- Objects owned by an opted-out user are removed.
- Groups created by an opted-out user are removed.
- Full List:
- Group Owner
- Site Owner
- User Table Information
- tyGraph for SharePoint:
- Any activity taken by an opted-out user is removed.
- Any objects created by an opted-out user are removed.
- Any SP webs where the owner is opted out are removed.
- If Group Owner is opted out, data is not included.
- If Site Owner is opted out, data is not included.
- Activity Inventory URLs on users’ objects
- So long as one user on a file is not opted out the object will be reported. If all users on an object are opted out then the file will be removed.
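The rules above can be modelled on a small data set. The following is an added example, not tyGraph code: the user records, event layout, level labels and function names are all assumptions, the sample data is constructed, and using one random number for every hidden attribute of a user is a simplification (only Country is kept readable here).

```python
import secrets

# Constructed sample data; field names and level labels are assumptions.
USERS = {
    "william": {"FullName": "William", "Country": "CA", "level": "unobstructed"},
    "martha": {"FullName": "Martha", "Country": "DE", "level": "opt_out"},
    "chen": {"FullName": "Chen", "Country": "FR", "level": "obfuscation"},
}
EVENTS = [  # "author" is the owner of the message that was posted or liked
    {"id": "m1", "type": "message", "actor": "martha", "author": "martha"},
    {"id": "l1", "type": "like", "actor": "william", "author": "martha"},
    {"id": "m2", "type": "message", "actor": "chen", "author": "chen"},
    {"id": "l2", "type": "like", "actor": "william", "author": "chen"},
]
FILES = {"plan.docx": ["martha", "william"], "notes.docx": ["martha"]}
VISIBLE = {"Country"}  # attributes left readable under obfuscation


def opted_out(uid):
    return USERS[uid]["level"] == "opt_out"


def report_users():
    """Return (rows, alias): opt-out users dropped, obfuscated users pseudonymized."""
    rows, alias = {}, {}
    for uid, user in USERS.items():
        if opted_out(uid):
            continue
        attrs = {k: v for k, v in user.items() if k != "level"}
        if user["level"] == "obfuscation":
            alias[uid] = str(secrets.randbelow(10**9))  # random number per user
            attrs = {k: v if k in VISIBLE else alias[uid] for k, v in attrs.items()}
        rows[alias.get(uid, uid)] = attrs
    return rows, alias


def report_events(alias):
    """Drop events where the actor or the message author is opted out."""
    return [
        {**e, "actor": alias.get(e["actor"], e["actor"]),
         "author": alias.get(e["author"], e["author"])}
        for e in EVENTS
        if not opted_out(e["actor"]) and not opted_out(e["author"])
    ]


def report_files():
    """Report a file while at least one user on it is not opted out."""
    return [name for name, users in FILES.items() if not all(map(opted_out, users))]
```

William's like on Martha's message disappears along with the message itself, while his like on the obfuscated user's message is still counted against a pseudonymized author.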
Organization Settings
On the launch of Data Protection, the tyGraph License Administrators will choose a Data Protection level (See Data Protection Levels) for the organization. The organization must provide a data source (HR Table, Active Directory etc.) to uniquely identify users and their country of origin. The organization can apply default settings for users based on:
- Country: All users from a given list of countries will have your selected level of Data Protection applied by default. This is usually based on a user's Usage Location Attribute from Azure Active Directory.
- Organization: All users are applied a Data Protection setting by default.
Viewing Data Protection Status
A user can view their data protection status in two places:
tyGraph Online: Open a web browser and navigate to home.tygraph.com/Settings/DataProtection. This will display a window with your current Data Protection status selected in the radio button.
Email: Email your organization's tyGraph Data Protection point of contact.
Changing Data Protection Status
A user can change their data protection status in the same two ways they can view their status.
Changing Status in tyGraph Online
To change your data protection status:
- Navigate to https://home.tygraph.com/Settings/DataProtection
- Select the button for the protection status that you would like.
NOTE:
If Data protection has not been enabled by your organization or if your login was not identified, then you will land on this page:
- The page will notify you that your status has been changed and you will receive an email from subscriptions@avepoint.com confirming your selection.
Changing status by Email
Each organization will have a point of contact for Data Protection status changes. If you are an Administrator for a tyGraph Licensed Product, please be sure to create this point of contact and internal workflow so that users can reach out for questions or changes.
Effects of Changing Status
Users who have applied to change status through tyGraph Online will see the change applied within 48 hours. tyGraph is not responsible for extended wait periods if your organization requires additional written applications and/or workflows to be completed to change status.
Once the change is applied you will be able to view your new status as defined above. (see Viewing Data Protection Status)
Report Effects
If you have requested removal from tyGraph data, your personal data will be removed in accordance with your organization's pre-defined data protection level. If your organization has selected obfuscation, then your personal information in any reports that list it will be replaced with a random number. Similarly, if your organization has selected opt-out data protection, then all your activity data will no longer be visible in tyGraph reports.
All tyGraph reports will still be accessible for users who have enabled data protection in accordance with the tyGraph Access Methodology[1]. However, all tyGraph reports that utilize a security role (Group Admin, Group Member etc.) will no longer display any data to opted-out users.
User Data Omission (Custom Only)
There have been circumstances where customers request to have user data removed entirely instead of obfuscated. We are able to remove this data entirely from the report tables for most attributes. There are some core attributes that are critical to the tyGraph engine that cannot be removed. Below is a complete list of critical attributes that must be collected and utilized by the tyGraph engine and a brief explanation of why they are needed.
- AADUserID
- Used to uniquely identify a user in processing and tyGraph Online Authentication.
- Country
- Or any other location identifier which is used to know if a user is from an opt out country. Without this we would not know what country the user is from and could not obfuscate them in compliance with GDPR.
- Email
- Used to identify users in some circumstances. Also critical for group admin security trimming in Yammer. Without this you could not host reports in tyGraph Online that only show a user the Yammer groups of which they are an admin/member.
- UserPrincipalName
- Used to uniquely identify users.
- SPLoginName
- Used to identify SharePoint Site owners.
- FullName
- Used in some mappings for tyGraph Pulse.
For a full breakdown of user attributes that can be hidden or omitted, please see Appendix A.
Reports that have had all possible attributes omitted completely look like the following:
User tables contain the required attributes in an obfuscated form. All other columns have no data for “protected users”.
URL References
tyGraph Online- https://home.tygraph.com
Data Dictionary – Report within tyGraph Online
Appendix A
Attribute | Default Report Obfuscation | Report Un-Obfuscation Available |
UserUID | N | N |
Y | Y | |
FullName | Y | Y |
FirstName | Y | Y |
Lastname | Y | Y |
JobTitle | Y | |
Y | Y | |
MobilePhone | Y | |
OfficeLocation | Y | |
PreferredLanguage | Y | |
PrincipalType | Y | |
UserPrincipalName | Y | Y |
SPLoginName | Y | |
tgIsExternal | Y | |
tgIsSystemAccount | Y | |
tgIsActive | Y | |
tgInsertDateTime | Y | |
tgUpdateDateTime | Y | |
tgDeleteDateTime | Y | |
City | Y | |
CompanyName | Y | |
Country | Y | |
Department | Y | |
MailNickname | Y | |
PostalCode | Y | |
State | Y | |
StreetAddress | Y | |
Surname | Y | |
UsageLocation | Y | |
UserType | Y | |
AboutMe | Y | |
Birthday | Y | |
HireDate | Y | |
MySite | Y | |
PreferredName | Y | |
ManagerUID | Y | Y |
ManagerEmail | Y | Y |
ManagerName | Y | Y |
DriveID | Y | |
TelephoneNumber | Y |
Obfuscation Example