Apply Default classification labels to new files automatically

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Standard and Business Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Business.  Compare your edition

As an administrator, you can use default classification to  automatically apply labels to Drive files to support your organization's data security needs. These default classification labels are applied when a file is created or the owner of the file changes. You set Default data classification policies by organizational unit or group, so you can specify different labels for different sets of users or shared drives.

Default classification labels can be applied to any Google Drive file and use Drive labels with options list field types.

Before you begin

Expand all  |  Collapse all

Understand and create Drive labels

Before you can apply Drive labels with Default classification, take the following steps:

Understand default classification settings and file Drive ownership

Default classification lets you apply default classification labels to new Drive files, based on the file ownership (either of an individual or a shared drive) within an organizational unit or group. Users and shared drives can belong to different organizational units, so they can have different default classification policies.

When a file’s ownership changes, Default classification labels are applied based on the new owner, but any existing labels aren't changed. For example, if a user moves a file from My Drive to a shared drive, the shared drive's labels are applied. Conversely, if a user moves a file from a shared drive to My Drive, the user's organizational unit or group labels are applied.

Why use default classification rather than DLP rules to apply labels?

You might want to use default classification for general, low-risk labels, such as which department created the file, and DLP rules to apply labels used for data protection and retention.

How default classification labels work

  • Applies labels to new files and when the ownership of a file changes. Default classification doesn’t retroactively apply labels to existing files unless the file owner changes.
  • Applies labels based on the file owner’s organizational unit or group. Default classification doesn’t search the file content or metadata for certain conditions.
  • If users have permission to change a label, they can change it or remove it after it’s automatically applied.
  • Only labels with an options list field are supported for default classification.
  • Default classification labels are overwritten by DLP-set labels, even if the data classification value is higher in the options list.

How labels set by DLP rules work

  • Applies labels to new and existing files.
  • Applies labels based on conditions such as file type, word matches, and string matches. DLP rules don’t accept organizational unit or group as a condition.
  • You can’t apply a label with a DLP rule that uses a label as a condition.
  • You can prevent users from changing the label, even if they have permission to change it. If they change it, DLP will scan the file again immediately and revert to the DLP label configuration.
  • External users can’t view the version history of files that had a label applied to them by a DLP rule at any point. 
  • DLP rules can apply labels with options list fields, including badged labels.

How AI classification labels work

  • Applies labels to new and existing files.
  • Only labels with one options list field with 2–4 values are supported for AI classification.
  • Applies labels after a training period. During the training period, designated labelers apply a training label to at least 100 files per field option.
  • AI classification labels are overwritten by DLP-set labels, but overwrite default classification labels.
Understand the difference between default classification and AI classification (beta)

While Default classification (described in this article) applies labels based on the user's organizational unit or group, AI classification requires you to train a model to recognize sensitive content in your organization. Once the model is trained, AI classification automatically analyzes new and existing files and applies labels according to file content. Learn more about AI classification.

Learn how to encouraging users to fill out labels using required fields

You might want users to always fill out the value of a certain label field. For example, to assign a File Sensitivity level to all files, such as Top Secret, Internal, Public, or Personal.

You can accomplish this by creating a File Sensitivity label with a required field called Classification that has the four options. The automated classification policy applies the File Sensitivity label to new files, and highlights the required field to remind users to provide the label value.

If needed, you can set a default value for a selection field and then users can change the value if the default isn't correct.

Ensure users have permission to use the label if they need to be able to change field values

If you want users to be able to edit field values for or remove the labels applied through a data classification policy, you must grant them permission from the label manager. For details, see Set who can view or use a label.

In some cases, you might want to apply labels that users can’t view or edit. Data classification labels are applied to new files whatever the user's permissions on a label are.

Understand the interaction between default classification, DLP rules, and users

Default classification settings and DLP rules

Labels can be applied to a file by both default classification and DLP rules. Labels applied with DLP rules always take priority over labels applied with default classification.

Default classification settings and users

Labels are applied automatically when a user creates a file, transfers ownership to another user, or moves a file into a shared drive. The Data classification policy applies a label and can apply default values for selection fields. We recommend that you use the required field setting in the label manager to encourage users to apply fields. User permissions on the label don't impact the ability to apply a label through data classification. Data classification can be used to apply labels that users cannot modify or remove (or even see).

Understand label locking

When you use labels for default classification, those labels are locked in the label manager. No one can edit, disable, or delete those labels. This prevents changes that could break business policies. To unlock a label, remove it from all default classification policies.

Apply labels to new files by owner's organizational unit or group

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenData classification.
  3. If there are no labels listed in the label manager:
    1. Click Create labels.
    2. Create new labels
    3. Return to these instructions.
  4. If needed, click Turn on labels to activate labels in the label manager.
  5. Under Default classification, next to Drive and Docs, click Manage.
  6. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

    Group settings override organizational units. Learn more

     For example, if you select the group Finance, the labels you configure apply to files created by users in Finance.

    Note: If a user is a member of both organizational units and groups with data classification policies, the group-based labels are applied, up to the 20-label limit.

  7. Click Select labelsand thenAdd Label.
  8. Select the labels you want to use. Note: You can’t create Data classification policies with disabled labels, unpublished changes to labels, or labels that don't have a field with an options list.
  9. (Optional) Set a default value for an options-list field. Select the value from the options and click Save. For multi-select fields, you can select more than one default option.

    Note: Default field values set for a user’s group take precedence over default field values set for the user’s organizational unit. If the user belongs to more than one group, default field values are applied in order of group priority.

  10. Click Continue. Review the selected labels.
  11. Click Save. The Apply labels page lists the labels applied under Configuration.

Default classification known issues

Reseller support

Resellers can manage default classification but cannot manage labels in the label manager. Full support for default classification for resellers managing resold domains is planned for a future update. This is similar to the limited support offered though the Drive label manager. Go to Manage Drive labels for details.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu