Control access to apps based on user & device context

Control access to actions in apps

When you assign access levels to apps, you usually give access to everything in the app or nothing at all. Sometimes, however, certain actions in an app are more sensitive than others. In Google Drive, downloading a document might be more sensitive than simply viewing it.

As an administrator, you can enhance security for specific actions by combining Context-Aware Access conditions with data loss prevention (DLP) rules. You can, for example, restrict downloading files in Drive on personal or Bring Your Own Device (BYOD) devices. You can control how your organization’s data is accessed based on the user and their device.

Example: Block download of Drive files on personal devices

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Click Create Access Level. You might need to click Access levels first.
  3. Enter a name, such as BYOD devices, and a description for the new access level.
  4. For Context conditions, click Add Condition.
  5. Select Doesn't meet 1 or more attributes (OR).
  6. For Select attribute, select Device.
  7. For Select condition, select Company-owned.
  8. Click Create. Now, you can create a DLP rule with this access level.
  9. Click Create Rule.
  10. Click Name and enter a name for the rule and, optionally, a description.
  11. For Scope, choose an option:
    • To apply to all users in your organization, select All in your organization.
    • To apply to specific organizational units or groups, select Organizational units and/or groups and add or exclude them as needed.
  12. Click Continue.
  13. In Apps, for Google Drive, check the Drive files box and click Continue.
  14. For Content type to scan, choose All content.
  15. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, go to Create a DLP rule.
  16. In the Context conditions section, select Select an access level and then the access level created earlier, such as BYOD devices.
    The rule is applied when the conditions in the access level are met. So, in this example, the access level must be True for BYOD devices.
  17. Click Continue.
  18. For Google Drive, click Action and select Disable download, print, and copy and then For commenters and viewers only.
  19. (Optional) To set an alert severity level and send alert notifications, choose the options.
  20. Click Continue.
  21. Review the rule details and for Rule status, select Active to immediately run the rule or Inactive to activate it later.
  22. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Related topic

Combine DLP rules with Context-Aware Access conditions
