I created a seperate group like the builtin/administrators-group with only the "SeTcbPrivilege" and shared the "/" as read-only. This seems to work but I don't know if this is the right way to give access to a DLP-Application because the solution as that is bypassing all security settings set on shares (cifs) and exports (nfs). As soon as the DLP application requests modify rights I need to really think about that again.
We do not have "a general group" on all our shares where I simply could put the dlp-user into that group and access would be granted, and, we do host millions of files.
Some more questions are:
Why DLP application asks for modify rights? I can not imagine what will be happen when the DLP client system catches malware or does wrong functions.
There are also aspects on auditing and performance..
I am really wondering on how do other NAS administrators handle DLP?