Stop data loss with DLP

Apply automated classification with DLP rules

Supported editions for this feature: Enterprise; Education Standard and Education Plus.

DLP for Drive is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Drive audit log.

As an Admin, you can apply labels to Drive files to support company data security policies using automated classification.

In the case of DLP rules, automated classification means applying classification labels to new or existing Drive files based on detection of sensitive content (using DLP rules as described in this article). This method can be scoped by user membership in an organizational unit or group. 

These features work for all Google Drive files, and use Drive labels and fields (sometimes known as metadata). 

The examples in this article assume labels have previously been created in the label manager. The label and data names in the examples in this article are not actual data native to label manager or DLP.

Before you begin


Understand and create Drive labels

Before you can use Drive labels with DLP rules, you must:

Understand automated classification and Drive ownership

Automated classification means applying classification labels to new or existing Drive files, based on the file ownership (either of an individual or a shared drive) within an organizational unit or group and detection of sensitive content. Note that users can belong to different organizational units, which means users and shared drives can already have different automated classification policies.

Note that when a file’s ownership changes, the automated classification settings of the new owner are applied. For example, if a user moves a file from My Drive into a team's shared drive, the shared drive's labels are applied. Conversely, if a user moves a file out of a team's shared drive, the user’s labels are applied.

Use DLP rules or Data classification settings?

Use DLP rules to automatically apply labels if you need to use specific conditions or actions for applying labels. If you only want to apply labels to new files when they are created by specific users, use Data classification settings.

Understand Drive label interoperability in DLP rules (for conditions and actions)

When using Drive metadata in DLP rules you:

  • Cannot create a metadata action on a rule that has a metadata condition.
  • Can use a new rule that has a metadata condition based on the metadata you added as an action in a different rule.

Understand rule conflict resolution when Drive labels are applied using a DLP rule action

The label value in Drive is established the first time a rule action is performed. It can change if the file or the DLP rule changes. 

This value remains stable if:

  • Drive files do not change
  • DLP rules that use actions based on Drive labels have not changed
  • No new DLP rule has been added that uses actions based on Drive labels

Know how rule conflicts are resolved by order in the label manager options list

Label values can change if two or more rules try to apply a conflicting label option to the same file. In this case, the option that is higher in the options list created in the label manager is applied. For example, if a field has three options listed in the label manager: 

  1. Confidential
  2. Internal
  3. Public

If Rule 1 tries to apply the field value Confidential, and Rule 2 tries to apply the field value Public to the same file, Confidential (Rule 1) is applied.

Allow or prevent users to change labels and fields

When you configure a DLP rule, you can choose to allow users to change labels and field values applied to their files, using the Select whether users are allowed to change label and field values applied to their files option. Select Allow to activate this option. If this setting is enabled, the system won’t change labels and field values set by users.

If you use this option, users can change values after the rule runs. Note that even if this option is selected, DLP will reapply labels and field values that are removed by the user. Also, if the user applies a value before the DLP rule runs, the rule will not apply the new value.

Note also that a user must have applier access to a label in the label manager to be able to apply the label or set its field values, even if the Select whether users are allowed to change label and field values applied to their files option is used.

To prevent users from changing label and field values, select Don’t allow. Reapply rule labels and field values if users change them. In this case, when a user removes a label or changes a field value that was applied by DLP, the change triggers the DLP rules to run again immediately, which reverts the removed label and changed field value to those originally applied.

Note: The Select whether users are allowed to change label and field values applied to their files option applies only to DLP rules that have single field options.

DLP for Drive label rule condition examples

Use Drive labels in rule conditions.

Example: DLP rule condition with a drive label with one value

In this example, the Drive label is called Contract, has a field Cost Center, and that field has the single value Finance. When DLP scans the drive and finds the Drive label Contract, then the field Cost Center, then the value Finance, it matches the files that carry that Drive label with the field value Finance.

For badged labels, the label values for Drive label and Label field are the same. Go to Manage Drive labels for details.

To configure this use case:

  1. In the Triggers section, select Google Drive.
  2. When the rule configuration flow reaches the Conditions section, click Add Condition.
  3. Specify these values for the condition fields:
    • Field—Drive label
    • Value—Is
    • Drive label—Contract
    • Label field—Cost Center
    • Field option—Finance
  4. Click Continue to continue configuring your rule.

Example: DLP rule condition for unset field values, using the NOT operator

In this example, the Drive label is called Classification, with the field Confidentiality Levels and the field values Amber, Red, and Green. When DLP scans the drive, it labels all files in Google Drive that do not have the label Classification with the field value Amber, Red, or Green.

Note that using the NOT operator in this way in a DLP rule causes a high trigger rate for that rule. This causes DLP to update a large number of files when the rule runs initially, which takes time and generates many audit events. Also, when a user creates a new file, the rule triggers unless the file is classified.

To configure this use case:

  1. In the Triggers section, select Google Drive.
  2. When the rule configuration flow reaches the Conditions section, click Add Condition.
  3. Specify these values for the condition fields:
    • Field—Drive label
    • Value—Is
    • Drive label—Classification
    • Label field—Confidentiality Levels
    • Field option—Amber, Red, Green
  4. Select NOT.
  5. Click Continue to continue configuring your rule.
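The condition semantics of the two examples above (Is, and Is with the NOT operator), the interoperability restriction that a rule with a Drive label condition cannot also carry a Drive label action, and the option-order conflict resolution described earlier can be checked against a small model. The Python below is an added illustration written for this article; it is not Google's code and not a DLP API. The classes, the label manager contents (including the hypothetical Sensitivity label used to reproduce the Confidential/Internal/Public conflict example), the substring check standing in for sensitive-content detection, and the sample files are all constructed assumptions.

```python
"""Constructed model of DLP Drive-label conditions, actions and conflict resolution."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed label manager contents. Option ORDER is the conflict tie-breaker:
# the option listed first wins when two rule actions disagree on the same field.
LABEL_MANAGER = {
    "Contract": {"Cost Center": ["Finance"]},
    "Classification": {"Confidentiality Levels": ["Amber", "Red", "Green"]},
    "Sensitivity": {"Level": ["Confidential", "Internal", "Public"]},  # hypothetical label
}


@dataclass
class DriveFile:
    name: str
    text: str = ""                              # stands in for scanned file content
    labels: dict = field(default_factory=dict)  # label -> field -> option set on the file


@dataclass
class LabelCondition:
    """Field: Drive label / Value: Is, optionally negated with the NOT operator."""
    label: str
    label_field: str
    options: frozenset
    negate: bool = False

    def matches(self, f: DriveFile) -> bool:
        current = f.labels.get(self.label, {}).get(self.label_field)
        hit = current in self.options
        # With NOT, files carrying no label at all also match: this is the high trigger rate.
        return (not hit) if self.negate else hit


@dataclass
class ContentCondition:
    """Stand-in for a sensitive-content detector (assumption): a substring check."""
    needle: str

    def matches(self, f: DriveFile) -> bool:
        return self.needle.lower() in f.text.lower()


@dataclass
class LabelAction:
    """The 'Apply Drive labels' action: one label, one field, one option."""
    label: str
    label_field: str
    option: str


def rule_is_allowed(condition, action) -> bool:
    """Interoperability rule: no metadata action on a rule that has a metadata condition."""
    return not (isinstance(condition, LabelCondition) and action is not None)


@dataclass
class Rule:
    name: str
    condition: object
    action: Optional[LabelAction] = None  # None = some non-label action, e.g. alert only

    def __post_init__(self):
        if not rule_is_allowed(self.condition, self.action):
            raise ValueError(f"{self.name}: Drive label action not allowed with a Drive label condition")


def triggered_rules(rules, f: DriveFile):
    """Names of the rules whose condition matches the file."""
    return [r.name for r in rules if r.condition.matches(f)]


def resolve_conflicts(actions):
    """Per (label, field), keep the option that sits highest in the label manager list."""
    chosen = {}
    for a in actions:
        order = LABEL_MANAGER[a.label][a.label_field]
        key = (a.label, a.label_field)
        if key not in chosen or order.index(a.option) < order.index(chosen[key]):
            chosen[key] = a.option
    return chosen


def run_rules(rules, files):
    """Apply every triggered label action; returns {file name: {(label, field): option}}."""
    result = {}
    for f in files:
        acts = [r.action for r in rules if r.action and r.condition.matches(f)]
        applied = resolve_conflicts(acts)
        for (label, fld), opt in applied.items():
            f.labels.setdefault(label, {})[fld] = opt
        result[f.name] = applied
    return result


# The article's two condition examples, plus two hypothetical action rules that conflict.
RULES = [
    Rule("contract-finance-condition",
         LabelCondition("Contract", "Cost Center", frozenset({"Finance"}))),
    Rule("unclassified-files",
         LabelCondition("Classification", "Confidentiality Levels",
                        frozenset({"Amber", "Red", "Green"}), negate=True)),
    Rule("Rule 1", ContentCondition("salary"), LabelAction("Sensitivity", "Level", "Confidential")),
    Rule("Rule 2", ContentCondition("invoice"), LabelAction("Sensitivity", "Level", "Public")),
]

# Constructed sample files.
FILES = [
    DriveFile("q3-invoices.xlsx", "invoice totals", {"Contract": {"Cost Center": "Finance"}}),
    DriveFile("payroll.docx", "invoice for salary run",
              {"Classification": {"Confidentiality Levels": "Red"}}),
    DriveFile("notes.txt", "lunch menu"),
]

if __name__ == "__main__":
    for f in FILES:
        print(f.name, "triggers", triggered_rules(RULES, f))
    print(run_rules(RULES, FILES))
```

Running it shows the three behaviours the article describes: notes.txt, which carries no label at all, still triggers the NOT rule; payroll.docx triggers both hypothetical action rules and ends up with Confidential because that option is listed before Public in the label manager, regardless of rule order; and constructing a rule that combines a label condition with a label action is rejected.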

DLP for Drive label rule action example

Use a Drive label as an automatically applied DLP action. When the DLP rule is triggered, DLP applies the label to the Drive files that meet the rule criteria.

Example: DLP Drive label rule action with one value

In this example, the Drive label is called Contract, has a field Cost Center, and that field has the single value Finance. When the rule is triggered, DLP applies the Drive label Contract, then the field Cost Center, then the value Finance, to the files that meet the rule criteria.

To configure this use case:

  1. When the rule configuration flow reaches the Triggers section, select Google Drive. Click Continue.
  2. Configure conditions, then click Continue.
  3. In the Actions section, select Apply Drive labels.
  4. Specify these values for the action fields:
    • Drive label—Contract
    • Label field—Cost Center
    • Label option—Finance
  5. Under User changes, select Allow.
  6. Click Add label.
  7. Click Continue to continue configuring your rule.

Working with DLP rules and the Drive labels

Understand label locking

Labels, fields, and field options that are associated with DLP rules are locked in the label manager. This prevents edits to labels or fields that could break business policies. Unlock the label, field or field option by removing it from all DLP rules.

In the label manager:

  • Renaming labels or adding new fields or field options is allowed.
  • Disabling or deleting labels, fields, or field options that are used in DLP rules is not allowed.

You can’t create DLP rules with disabled labels, fields, or field options, even in drafts of published labels.

Undo a global change to Drive labels

If you accidentally apply a label (or a label and field values) to a broad range of files through a DLP rule, you can use DLP to clean up those changes.

To do so, disable the DLP rule that applied the change. The rule automatically removes the label and any field values. Alternatively, edit the DLP rule in question to remove the Apply label action; this also removes the label and field values applied by the rule. Applying this change may take a few minutes, a few hours, or more, depending on how many documents need to be updated.

An exception to this clean-up occurs if you use the Select whether users are allowed to change label and field values applied to their files option with Allow selected. The labels and fields modified by DLP rules are removed, but the user-modified labels and field values remain intact.

Check the Drive audit log to verify actions

If you want to investigate what changed in a file, check the Drive audit log. The column Event Description lists the DLP actions, such as DLP Rule applied Label Contract. Go to Drive audit log for details.

DLP scans are taking longer than I expect. What's going on?

Using DLP to apply labels automatically gives you the power to change many documents on Drive at once. This can result in more files being affected than you expect. Rules that update a large number of files take longer to process than rules that affect only a small number of files. Test a rule that applies a label on a small sample before applying it broadly.

Automated classification known issues

Reseller resold domains not supported

DLP rules automated classification for resellers managing resold domains is not currently supported.

Working with automated classification DLP rules created during the earlier Beta

Automated classification rules created in December 2021 or earlier didn’t automatically lock their associated labels, fields, and field options. This means that Drive labels can be modified in ways that may disrupt a DLP policy. We recommend that customers who participated in the Automated Data Classification Beta edit and save all their existing DLP rules that use labels as either a rule condition or a rule action. This will automatically trigger a lock in the label manager, which protects the DLP policy from incompatible changes being made to label definitions.