Re: Restrict Internal sharing using google drive l...

NewtoGoogle1998 · 06-17-2024 09:12 AM

Hi everyone

I'm looking to set up Google Drive Labels to restrict internal sharing of certain files and folders. However, I couldn't find an option to specifically restrict internal sharing using Labels. Does anyone know how to achieve this, or if there are any workarounds available?

I.E -
We have x4 Labels -

Confidential

Internal use

Restricted

Public use

I am working for a large global Organisation that requires this urgently. I was thinking to set up a DLP rule and set this at the route level of the OU however this will have its own limitations. Any ideas or suggestions?

Many thanks!

wvoogt

Could this help solve your situation?

https://workspaceupdates.googleblog.com/2024/07/enable-classification-labels-on-workspace-apps.html

NewtoGoogle1998

Hey @wvoogt
Yes!!
Amazing new update has released this feature as this can now be applied to drive labels to restrict External sharing within an org.
However there is no such option to restrict internal sharing on specific labels. I.E - Confidential - Labeled filed not to be shared with anyone. Internal or External.
If you have any ideas on how to do this that would be great!
Many thanks!

have a great day!

aleixoc

Same problem here... It's incredible that such a basic feature is not available. Our company is now looking at moving to Microsoft to solve the problem.

StephenHind

@NewtoGoogle1998 to restrict internal sharing you need to use Trust Rules

Supported editions for this feature: Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus.

Google does offer the possibility to do it but you may need to upgrade your Workspace to get it.

aleixoc

As far as I can see, the Trust Rules don't allow the use of labels to determine with which group/OrgUnit you restrict internal sharing.

StephenHind

@aleixoc I don't have access to Trust Rules to test, but I know the only way to restrict internal sharing is via Trust Rules. From the docs it looks like you could add those specific files to a Shared Drive and do the restriction there and then add a label to show that, but the label and the sharing restriction aren't connected.

NewtoGoogle1998

Hey Stephen,
External block yes.
However Internal sharing restriction is still not available.
This feature would be required mainly to ensure no data is shared outside of a specific OU. I.E Payroll.

a_aleinikov

Hi @NewtoGoogle1998 ,

– Google Drive Labels by themselves do not directly enforce sharing restrictions; they are metadata tags, not access controls.
– To restrict internal sharing based on labels, you need to combine Labels with Data Loss Prevention (DLP) rules in Google Workspace.
– Example: set up DLP rules that trigger when files labeled “Confidential” or “Restricted” are shared externally or even within certain groups.
– Apply these DLP rules at the OU or group level, but note: you can’t fully block internal sharing only with labels — you must use DLP or drive trust settings.
– Also check Drive Trust Rules (if available on your plan) for more granular internal control.

aleixoc

@a_aleinikov wrote:
– Example: set up DLP rules that trigger when files labeled “Confidential” or “Restricted” are shared externally or even within certain groups.
– Apply these DLP rules at the OU or group level, but note: you can’t fully block internal sharing only with labels — you must use DLP or drive trust settings.

This is precisely the problem, that DLP+labels does not allow restricting of internal sharing (with other groups or OU). And Trust rules does not work with labels, so you don't get the granularity of blocking internal sharing (groups, OUs) depending on document classification (i.e. labels).

OR, if there's any hack to configure it to achieve that, please let us know!

Restrict Internal sharing using google drive labels.