Stop data loss with DLP

Apply Drive labels automatically with DLP rules

Supported editions for this feature: Business Standard and Business Plus; Enterprise Starter, Enterprise Standard, and Enterprise Plus; Education Standard and Education Plus; Essentials, Enterprise Essentials, and Enterprise Essentials Plus.

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

As an admin, you can use DLP rules to automatically apply labels to Drive files based on detection of sensitive content. The label and data names in the examples in this article are not actual data native to label manager or DLP.

Before you begin

Understand and create Drive labels

Before you can use Drive labels with DLP rules:

  1. Understand the purpose and functionality of Drive labels. For details, go to Get started as a Drive labels admin.
  2. Create labels, or know of existing labels you want to use.

Use DLP rules or default classification to automatically apply labels?

Use DLP rules to automatically apply labels if you need to use specific conditions or actions for applying labels. If you only want to apply labels to new files when they are created by specific users, use Data classification settings.

How default classification labels work

  • Applies labels to new files and when the ownership of a file changes. Default classification doesn’t retroactively apply labels to existing files unless the file owner changes.
  • Applies labels based on the file owner’s organizational unit or group. Default classification doesn’t search the file content or metadata for certain conditions.
  • If users have permission to change a label, they can change it or remove it after it’s automatically applied.
  • Only labels with an options list field are supported for default classification.
  • Default classification labels are overwritten by DLP-set labels, even if the data classification value is higher in the options list.

How labels set by DLP rules work

  • Applies labels to new and existing files.
  • Applies labels based on conditions such as file type, word matches, and string matches. DLP rules don’t accept organizational unit or group as a condition.
  • You can’t apply a label with a DLP rule that uses a label as a condition.
  • You can prevent users from changing the label, even if they have permission to change it. If they change it, DLP will scan the file again immediately and revert to the DLP label configuration.
  • External users can’t view the version history of files that had a label applied to them by a DLP rule at any point. 
  • DLP rules can apply labels with options list fields, including badged labels.

How AI classification labels work

  • Applies labels to new and existing files.
  • Only labels with one options list field with 2–4 values are supported for AI classification.
  • Applies labels after a training period. During the training period, designated labelers apply a training label to at least 100 files per field option.
  • AI classification labels are overwritten by DLP-set labels, but overwrite default classification labels.

Know how rule conflicts are resolved

Label values set by DLP rules take priority over AI classification, and both take priority over default classification.

When 2 or more of the same kind of rules try to apply different label values to the same file, the value that's higher in the label's options list is applied. For example, you might have a label with a field that has 3 options listed in the label manager: 

  1. Confidential
  2. Internal
  3. Public

If Rule 1 tries to set the label as Confidential, and Rule 2 tries to set the label as Public for the same file, Confidential (Rule 1) is applied. Make sure that a label's field options are listed in your preferred order of priority before setting up rules.
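
The precedence described above can be modelled to predict which value a file ends up with before rules are published. This is an added example, not Google's code; the `Proposal` type, the `resolve` function, and the rule names are hypothetical, and only the ordering logic comes from this article.

```python
from dataclasses import dataclass

# Source precedence from this article:
# DLP rules > AI classification > default classification.
SOURCE_PRIORITY = {"dlp": 0, "ai": 1, "default": 2}

@dataclass(frozen=True)
class Proposal:
    source: str  # "dlp", "ai" or "default"
    rule: str    # hypothetical rule name, used only for reporting
    value: str   # field option the rule wants to set

def resolve(proposals, options_order):
    """Return the winning Proposal for one file, or None if there are none.

    options_order is the field's options list as shown in the label
    manager, top entry first. Among rules of the same kind, the value
    that is higher in that list wins.
    """
    rank = {value: i for i, value in enumerate(options_order)}
    for p in proposals:
        if p.source not in SOURCE_PRIORITY:
            raise ValueError(f"unknown source: {p.source}")
        if p.value not in rank:
            raise ValueError(f"{p.rule}: {p.value!r} is not in the options list")
    if not proposals:
        return None
    # Compare by kind of rule first, then by position in the options list.
    return min(proposals, key=lambda p: (SOURCE_PRIORITY[p.source], rank[p.value]))

OPTIONS = ["Confidential", "Internal", "Public"]  # order from the example above

def demo():
    # Two DLP rules disagree: the higher option (Confidential) wins.
    same_kind = [Proposal("dlp", "Rule 1", "Confidential"),
                 Proposal("dlp", "Rule 2", "Public")]
    # Mixed kinds: the DLP value wins even though it is lowest in the list.
    mixed = [Proposal("default", "OU default", "Confidential"),
             Proposal("ai", "AI model", "Internal"),
             Proposal("dlp", "Rule 2", "Public")]
    return resolve(same_kind, OPTIONS), resolve(mixed, OPTIONS)

if __name__ == "__main__":
    for winner in demo():
        print(f"{winner.rule} ({winner.source}) -> {winner.value}")
```

The mixed case shows why a DLP rule that sets a low-priority value can downgrade a file that default classification marked higher; review DLP rule values with that in mind.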

Set up a DLP rule to apply a Drive label

  1. Begin following the steps in Create DLP for Drive rules and custom content detectors to create a rule.
  2. When you get to the Triggers section, select Google Drive and click Continue.
  3. Configure conditions and click Continue. Note: You can’t use a Drive label as a condition for a rule that applies Drive labels.
  4. In the Actions section, select Apply Drive labels. If this option isn’t available, make sure that you didn't enter a Drive label as a condition.
  5. Specify the details for the Drive label that you want to apply. Only badged labels and standard labels with Options list field type are supported. For details, see Get started as a Drive labels admin.
  6. Choose whether users who have permission to change the label can change the label and field values applied by this DLP rule. Only available for labels with single field options. Users must have permission to change the label in the label manager.
    • When set to Allow, DLP doesn’t change labels and field values set by users. However, DLP will reapply labels and field values that are removed by the user.
    • When set to Don’t allow, if a user changes or removes the label applied by this DLP rule, the change causes DLP to scan the file again and revert to the DLP rule’s label configuration.
  7. Continue configuring your rule. If desired, you can add another label by clicking Add label.

Working with DLP rules and Drive labels

Understand label locking

Labels, fields, and field options that are associated with DLP rules are locked in the label manager. This prevents edits to labels or fields that could break business policies. Unlock the label, field or field option by removing it from all DLP rules.

The following applies to edits in the label manager:

  • Renaming or adding new fields or field options is allowed.
  • Disabling or deleting labels, fields, or field options that are used in DLP rules is not allowed. Admins with the Manage Labels privilege can see if a label is used in a rule, but can’t see the rule itself unless they have the required privileges.

You can’t create DLP rules with disabled labels, fields, or field options, even in drafts of published labels.

Undo a global change to Drive labels

If you accidentally apply a label (or a label and field values) to a broad range of files through a DLP rule, you can use DLP to clean up those changes.

To do so, disable the DLP rule that applied the change. The rule automatically removes the label and any field values. Alternatively, edit the DLP rule in question to remove the Apply label action. This also removes the label and field values applied by the rule. Applying this change may take a few minutes, a few hours, or more, depending on how many documents need to be updated.

An exception to this clean-up occurs if you use the Select whether users are allowed to change label and field values applied to their files – Allow option. The labels and fields modified by DLP rules are removed, but the user-modified labels and field values remain intact.

Check the Drive audit log to verify actions

If you want to investigate what changed in a file, check the Drive audit log. The column Event Description lists the DLP actions, such as DLP Rule applied Label Contract. Go to Drive audit log for details.

DLP scans are taking longer than I expect. What's going on?

Using DLP to apply labels automatically gives you the power to make changes to multiple documents on Drive. This can result in more files being affected than you expect. Rules that update a large number of files can take longer to process than rules that only affect a small number of files. You might want to test a rule that applies a label on a small sample before applying it broadly.
