Combine DLP rules with Context-Aware Access conditions

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

To create rules for Chrome browser, you need Chrome Enterprise Premium.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Rules > Create rule > Data protection.

   Requires having the View and Manage DLP rule privileges.

3. Add a name and, optionally, a description for the rule.
4. In the Scope section, select All in your-organization or choose to search for and include or exclude organizational units or groups that the rule applies to. If there's a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In the Apps section, for Chrome, check the File downloaded box and click Continue.
7. In the Conditions section, click Add condition and then configure the condition as follows:
   • For Content type to scan, select All content.
   • For What to scan form, choose a DLP scan type and select attributes.
     For more information on available attributes, go to Create a DLP rule.
8. For Context conditions, click Select an access level.
   If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 15.
9. Click Create new access level.
10. Enter a name and, optionally, a description for the new access level.
11. In the Context conditions section, click Add condition.
12. Select Doesn’t meet 1 or more attributes (OR).
13. Click Select attributeIP subnet and enter your corporate network’s IP address. The address should be an IPv4 or IPv6 address or routing prefix in CIDR block notation.
    • Private IP addresses are not supported (including users' home networks).
    • Static IP addresses are supported.
    • To use a dynamic IP address, you must define a static IP subnet for the access level. If you know the range of the dynamic IP address and the defined static IP address in the access level covers that range, the context condition is met. If the dynamic IP address is not in the defined static IP subnet, the context condition isn't met.
14. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
15. Click Continue.
16. On the Actions page, for ChromeOS action, choose Block.
17. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
18. Click Continue to review the rule details.
19. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData ProtectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
20. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

To create rules for Chrome browser, you need Chrome Enterprise Premium.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Rules > Create rule > Data protection.

   Requires having the View and Manage DLP rule privileges.

3. Add a name and, optionally, a description for the rule.
4. In the Scope section, select All in your-organization or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In the Apps section, for Chrome, check the File downloaded box and click Continue.
7. In the Conditions section, click Add condition.
8. For Content type to scan, select All content.
9. For What to scan for, choose a DLP scan type and select attributes.
   For more information on available attributes, go to Create a DLP rule.
10. In the Context conditions section, click Select an access level.
    If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 18.
11. Click Create new access level.
12. Enter a name and, optionally, a description for the new access level.
13. In the Context conditions section, click Add condition.
14. Select Meets all attributes (AND).
15. Click Select attributeLocation and then select a country from the list.
16. (Optional) To add additional countries and apply the rule to users signing in from them:
    1. Click Add condition and select Meets all attributes.
    2. At the top of Conditions, set Join multiple conditions with to OR.
17. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
18. Click Continue.
19. On the Actions page, for ChromeOS action, select Block.
    The action is applied only when both content and context conditions are met.
20. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
21. Click Continue to review the rule details.
22. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData ProtectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
23. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Rules > Create rule > Data protection.

   Requires having the View and Manage DLP rule privileges.

3. Add a name and, optionally, a description for the rule.
4. In the Scope section, choose All in your-organization or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In the Apps section, for Google Drive, check the Drive files box and click Continue.
7. In the Conditions section, click Add condition.
8. For Content type to scan, select All content.
9. For What to scan for, choose a DLP scan type and select attributes.
   For more information on available attributes, see Create a DLP rule.
10. In the Context conditions section, click Select an access level.
    If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 17.
11. Click Create new access level.
12. Enter a name and, optionally, a description for the new access level.
13. In the Context conditions section, click Add condition.
14. Select Doesn't meet 1 or more attributes (OR).
15. Click Select attributeDeviceAdmin-approved.
16. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
17. Click Continue.
18. In the Actions section, for Google Drive, click Action and select Disable download, print, and copyFor commenters and viewers only.
    The action is only applied when both content and context conditions are met.
19. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
20. Click Continue to review the rule details.
21. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData ProtectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
22. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

In this example, the user is blocked if they try to navigate to the Salesforce admin console (salesforce.com/admin) with an unmanaged device. Users would still be able to access other parts of the Salesforce application.

To create rules for Chrome browser, you need Chrome Enterprise Premium.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Rules > Create rule > Data protection.

   Requires having the View and Manage DLP rule privileges.

3. Add a name and, optionally, a description for the rule.
4. In the Scope section, choose All in your-organization or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In the Apps section, for Chrome, check the URL visited box.
7. Click Continue.
8. In the Conditions section, click Add Condition.
9. For Content type to scan, select URL.
10. For What to scan for, select Contains text string.
11. For Contents to match, enter salesforce.com/admin.
12. In the Context conditions section, click Select an access level.
    If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 18.
13. Click Create new access level.
14. Enter a name and, optionally, a description for the new access level.
15. In Context conditions, click the Advanced tab.
16. In the text box, enter:
    device.chrome.management_state != ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED
17. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
18. Click Continue.
19. On the Actions page, for ChromeOS action, select Block.
    The action is only applied when both content and context conditions are met.
20. In the Alerting section, click Low and select an alert severity level (Low, Medium or High).
21. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section,, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
22. Click Continue to review the rule details.
23. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData ProtectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
24. Click Create.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and might not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Allow approximately 5 minutes before testing out a new or modified rule.

In previous Chrome versions, context conditions are ignored. Rules behave as if only content conditions are set.

No. Rules do not apply in Incognito mode. Administrators can prevent sign-ins to Workspace or SaaS applications from Chrome Incognito mode by enforcing Context-Aware Access at sign-in time.

If the managed browser and managed profile user belong to the same enterprise, then both browser-level DLP rules and user-level DLP rules will be applied.

If the managed browser and managed profile user belong to different enterprises, then only the browser-level DLP rules will be applied. The context condition will always be considered as a match, and the strictest outcome will be enforced. There is no impact on IP-based or region-based conditions.

Context-Aware Access in the Admin console does not support all attributes supported by the Google Cloud console. Therefore, any basic access levels created in the Google Cloud console that include these attributes can be assigned in the Admin console, but can’t be edited there.

On the Rules page in the Admin console, you can assign Google Cloud console-created access levels, but can’t view condition details for access levels with unsupported attributes.

• Make sure you have the Services > Data Security > Access level management admin privilege, which is required to view context conditions during DLP rule creation.
• The context conditions card only displays when you select Chrome triggers during rule creation.

If an assigned access level is deleted, the context conditions default to true and the rule behaves like a content-only rule. Note that the rule will then apply to more devices and use cases than you originally intended.

No. Access level evaluation in rules is independent of Context-Aware Access settings. Context-Aware Access activation and assignment should not affect rules.

Empty conditions are evaluated to true by default. This means that for a Context-Aware Access-only rule, the content conditions can be left empty. Note that if both content and context conditions are left empty, the rule will always get triggered.

No. The rule is only triggered when both content and context conditions are met.

DLP and Context-Aware Access both rely on background services which may be periodically interrupted. If a service interruption occurs during rule enforcement, then there is no enforcement. When this happens, an event is logged in both the Rules log events and Chrome log events.

For device-based attributes, the context conditions will be considered as a match and the strictest outcome will be enforced. For non-device-based attributes (such as IP address and region) there’s no change.

Yes. You can view access level information by searching for either Rule log events or Chrome log events in the Access level column of the search results.

No. User remediation is not available in these flows yet.