Project Description

📖 2 mins read
You can now automatically restrict the ability to download, print, and copy sensitive documents through data loss prevention (DLP) rules. These new DLP-driven information rights management (IRM) controls, currently available in beta, will make it more difficult for users to make copies of documents that might expose sensitive content.
Google Workspace DLP rules already enabled admins to limit the sharing of documents directly. However, users could make copies of documents by printing it, copying it to unmanaged locations, or downloading it to physical media. These copies were not subject to the same sharing controls, increasing the risk of that content being exposed.
There are already controls so that document owners and editors can manually prevent viewers and commenters from printing, copying, or downloading their files. However, this placed the responsibility of selecting the correct restriction on a file on end users.

Who’s impacted

Admins and end users

Why it’s important

The new IRM controls will help ensure that only a single version of sensitive documents exists, and therefore that company DLP policies will help protect it. This could help reduce the potential for accidental or intentional exposure of sensitive content in documents. It also reduces the need for end-users to recognize and manually adjust the IRM settings for files, creating a more scalable and automated process to protect your organization’s content.

Additional details

Admin setting for IRM in the DLP rule creation workflow
When you’re creating or editing a DLP rule, there will be a new option: “Beta: Disable download, print, and copy for commenters and viewers.” If selected, this will prevent downloading, printing, and copying of the document unless the user has editor or owner permissions. Note that this is only available as part of Google’s  new Drive DLP system.
New beta adds IRM controls for DLP to help protect sensitive documents in Google Workspace 1
Admins can add IRM controls to DLP rules 
 
Users will see new notifications on affected files 
Document editors and owners will see a new note when in the settings section of the sharing screen, as pictured below. Users with view or comment access will not be able to download, copy, or print the document—these options will be greyed out for them. Note that this only places limits on “viewer” or “commenter” roles within Drive.
New beta adds IRM controls for DLP to help protect sensitive documents in Google Workspace 2
Document owners and editors will see a new note when they try to share the document 
New beta adds IRM controls for DLP to help protect sensitive documents in Google Workspace 3
Document viewers and commenters will have print, download, and copy options greyed out 
 

Getting started

  • Admins: This feature will be OFF by default and can be enabled as part of new and existing DLP rules. Visit the Help Center to learn more about how to create new DLP rules and see FAQs about the Drive DLP IRM beta.
  • End users: There is no end user setting for this feature.

Rollout pace

  • This feature is available now for all users.

Availability

  • Available to Google Workspace Enterprise, Google Workspace Enterprise for Education, Google Workspace for Education, and Google Workspace Enterprise Essentials customers
  • Not available to Google Workspace Basic, Google Workspace Business, and Google Workspace for Nonprofits, and Google Workspace Essentials customers

Roadmap

Thanks for sharing and spreading the word!