Apply classification labels to new files automatically

Supported editions for this feature: Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus.

DLP for Drive is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Drive audit log.

As an Admin, you can create policies to apply labels to Drive files to support company data security needs. These labels are applied through automated Data classification settings based on organizational structure.

These features work for all Google Drive files, and use Drive labels and fields (sometimes known as metadata).

Before you begin

Understand and create Drive labels

Before you can use Drive labels with new files:

Understand data classification settings and Drive file ownership

Data classification settings allow you to apply classification labels to new Drive files, based on the file ownership (either of an individual or a shared drive) within an organizational unit or group. Note that users can belong to different organizational units, which means users and shared drives can already have different automated classification policies.

Note that when a file’s ownership changes, the automatic classification settings are applied to the new owner. For example, if I move a file from My Drive into my team's shared drive, the shared drive's labels are applied. Conversely, if I move a file out of my team's shared drive, my labels are applied.

Why use data classification settings to automatically apply labels to new Drive files rather than DLP rules?

Using data classification settings is a direct way to apply labels to new files created by a segment of users (such as the Legal organizational unit). If you need to protect specific sensitive content (such as a Social Security Number), DLP rules are recommended. If you only want to apply labels to new files when they are owned by specific users or shared drives, use Data classification.

It might help to think of:

  • Automated data classification settings as default labels: These are labels that act as a safety net for all documents created by certain users, like Legal. They provide blanket coverage, and are not precise. This is useful if you want to protect an entire team in the same way, such as applying the label Legal to all files created by the legal team.
  • DLP rules as a targeted, precise method to add labels and field values: These labels are added in direct response to sensitive data, such as a passport number. The precision can result in false positives and less than total coverage of your organization’s Drive documents.

Encouraging users to fill out labels using automated data classification settings and required fields

A common customer request is the ability to encourage users to always fill out the value of a certain label field. For example, asking everyone at the company to assign a File Sensitivity level to all files, such as Top Secret, Internal, Public, or Personal. 

You can accomplish this by creating a File Sensitivity label with a field called Classification that has these four options, applying this label for all employees at the company through the Admin console, and then marking that field as required in the label manager. The automated classification setting will apply the blank File Sensitivity label to all files at the company, and then the required field checkbox displays to remind end users to provide the label value.

Ensure users have permission to use the label

You must grant users permissions in the label manager for them to be able to see the labels that are available to apply, or to edit the label fields. Also, fields must be marked as required in the label manager to encourage users to provide field values. When required fields are present, users see a message requiring them to enter a field value. Go to Manage label permissions for details.

Note that a label is applied to newly created files irrespective of the creating user's permissions on that label.

Verify that the users you select in organizational units and groups are the same users you grant label manager permissions to. This will ensure that users who need to view labels and edit label fields can do so.

What is the interaction between Data classification settings, DLP rules, and users?

Data classification settings and DLP rules

Data classification settings add default labels to files; DLP rules can add labels and field values. In general, there is no conflict between Data classification and DLP rules. The set of labels applied to a file is the combination of the labels from both systems and any applied by the user.

Data classification settings and users

Labels are applied automatically whenever a user creates a new file. The Data classification setting applies a label only (not a field value). We also recommend that you use the required field setting to encourage users to apply fields. Data classification can be used to apply labels that users cannot modify or remove (or even see). Also, user permissions on the label don't impact the ability to apply a label through data classification settings.

Understand label locking

Labels that are associated with Data classification settings are locked in the label manager. This prevents edits to labels that could break business policies. Unlock the label by removing it from all Data classification settings. Disabling or deleting labels that are used in Data classification settings is not allowed. Also, you can’t create Data classification settings with disabled labels.

Apply labels to new files based on organizational unit or group membership of users

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Security > Data classification. If there are no labels created in the label manager, click Create labels, create new labels, and then return to these instructions. Also, you might have to click Turn on labels to activate labels in the label manager.
    Note: You can’t create Data classification settings with disabled labels.
  3. Under Apply labels, click Drive and Docs.
  4. Search for and select the organizational unit or group whose members should have labels applied automatically. For example, if you select the group Finance, you can then select the labels to be configured for Finance.
  5. Click Select labels.
  6. Select the labels you want to use. These labels are applied to files when a user creates a new file in Drive. These labels can have fields associated with them that users can modify. Ensure that the users in the selected organizational unit or group have permission to use the labels in the label manager so they can see the labels and modify the label fields. 
  7. Click Continue. Review the selected labels. 
  8. Click Save. The Apply labels page lists the labels applied under Configuration.

Data classification known issues

Reseller support

Resellers can manage DLP rules that depend on labels but cannot manage labels in the label manager. Full support for DLP Data classification for resellers managing resold domains is planned for a future update. This is similar to the limited support offered through the Drive label manager. Go to Manage Drive labels for details.
