Create classification labels for your organization

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Standard and Business Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Business. Compare your edition

Note: To apply classification labels to your files in Drive, go here instead. To apply classification labels to your Gmail messages, go here instead.

As an administrator, you can create classification labels for users to apply to files in Drive and messages in Gmail (beta). You can create up to 150 labels, including multiple badged labels. You create labels in your Admin console.

Avoid confidential information in label names, field names, and selection options. Labels can be viewed by any admin in your organization with the Manage Classification Labels privilege. They could also be visible to everyone in your organization if the label's permissions are set that way.

Before you begin: Learn about label best practices.

Step 1. Create a label

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenLabel manager.
  3. Click New label.
  4. Enter a name for the label.
  5. Check the boxes next to the apps you want to use the label in.
  6. (Optional) Add a label description. Users see the label description when they open the Labels panel for a file.
  7. (Optional) For labels with a badged field, add a link to documentation about the label. Users see this “learn more” link when they point to the badged label or open the Labels pane for a file.

Continue to the next sections to add fields (optional) and publish your label.

Step 2. (Optional) Add fields to the label

You can add up to 10 fields to labels to allow more granular classification. For example, a Department label could have a field with a list of options such as Finance, Engineering, and Legal.

  1. With the label open, click Add Fields.
  2. Click Add field next to each type of field you want to add. For details about field types, review the table that follows these steps.

    Tips:

    1. Minimize the number of fields in a label to encourage consistent use. Users are more likely to apply labels and edit field values if it's quick and easy.
    2. Drive data-protection rules can use only labels with badged fields or labels with a single-selection Options List field type. Other field types aren’t supported.
  3. Click Add fields.
  4. Click a field to configure options, such as the field name, what options are available, or the format of a date field. You can set badge colors and reorder field options.
  5. (Optional) Make the field required by checking Require users to pick an option. Important: Users see highlights on these labels to encourage completion, but required fields aren't enforced.

If you add an extra field or field option, you can delete them before you publish the label. For the field or field option you want to delete, click Moreand thenDelete.

Review the new fields carefully. After you publish the label, you can’t change the field type. For Person fields, you can’t change whether users can pick multiple values.

Field types

Field What users can do Additional details
Badge list Pick one option from a list of badges
  • Only one badge list field can be added per label
  • No more than 200 options
  • Users can select only one option
Options list (Single select) Pick one option from a list No more than 200 options
Options list (Multi select)

not supported for Gmail

Pick one or more options from a list
  • No more than 200 options
  • Users can select no more than 10 values
Number

not supported for Gmail

Enter a numerical value Only whole numbers
Date

not supported for Gmail

Pick a calendar date Date format can be set to Long: Month DD, YYYY, or Short: MM/DD/YY
Text

not supported for Gmail

Enter text in a text box No more than 100 characters allowed
Person

not supported for Gmail

Pick a person from their Workspace contacts
  • Optional configuration: Allow multiple sections
  • If multi-select is allowed, users can select no more than 10

Step 3. Set who can view or use a label

By default, everyone in your organization can view and apply labels. Edit label permissions to control who can view, apply, edit field values, and search by the label. For example:

  • To allow external users, or groups containing external users, to view and use the labels, add these users and groups under Advanced permissions.
  • To test a new label, you can set Restricted access at first and give only a test group access to the label. After testing, you can change permissions so everyone can use the label.
  • If a label contains confidential information, you can set Restricted access so that only users who should have access to that information can view or use the label.

Note:

  • For Drive classification labels, file permissions still apply. For example, if a user has view-only access to a file, they can only view labels applied to that file, even if they’re allowed to apply and set those labels.
  • Any user with a Google account can be granted permission to view or apply labels. However, Drive classification labels can only be applied to items that are owned by users with a license that supports Drive labels or items in shared drives.

To set label permissions:

  1. If it’s not open already, open the label.
  2. In the Permissions pane at the right, click Edit.
  3. Select the permission level for your organization:
    1. Can apply labels and set values–Users can apply, set values, and search for this label on flies they can edit.
    2. Can view this label–Users can view and search for the label on files they can view or comment on.
    3. Restricted access–Only users and groups you specify can view or apply labels. You can choose the permissions for each user or group in the next step.
  4. (Optional) Add permissions for specific users and groups:
    1. Under Advanced permissions, begin entering a user or group account and select the account. The suggested accounts include both internal and external users and groups that you have contacted. If you don’t see a user or group account in the suggestion list, you can still manually add it. For example, if you’re a reseller admin, you can add any resold customer’s users or groups. Note: Dynamic groups aren’t supported for Gmail classification labels.
    2. Select the permission level for that account.
  5. Click Save.

Step 4. Preview and publish a label

New labels are created in a "draft" state so you can review how your label will appear to users before making it available.

To preview how a label will work in Drive and Gmail, review the Preview panel at the right. At the top, select the app that you want to preview the label for. If a label includes fields that aren’t supported by Gmail, those fields aren’t listed in the Gmail preview but are listed for the Drive preview.

To publish a label:

  1. If it’s not open already, open the label.
  2. Review the label and any fields. Important: Field type can’t be changed after the label is published.
  3. Click Publish.
  4. Confirm that you want to publish the label by clicking Publish.

Users with permissions to view or use the label now have access, and you can use the label to classify and protect data (described in the next section).

When you edit a label, changes are saved as a draft. To make your edits available to users, you must publish the label again.

Step 5. (Optional) Use classification labels to classify, protect, and manage data

You can set up policies to automatically apply classification labels to files in Drive or messages in Gmail. You can also set up data loss prevention (DLP) and Vault retention rules to prevent deletion based on a file’s labels.

Important:

  • When you use a label for default classification, AI classification, DLP, or Vault retention rules, the label’s settings are locked in the label manager. This prevents edits to labels that could break business policies.
  • When you use a label in DLP rules or Vault retention rules, the label can’t be disabled or deleted. Label managers can see that the label is used in a rule in the Rules column of the table of labels. However, they can’t see details of the rule that uses the label unless they have the required admin privileges.

Automatically apply labels to files in Drive

There are 3 ways to automatically apply labels to files: default classification, DLP, and AI classification. They work in different ways, and you can use them in combination depending on the type of labeling you want to do.

Expand all  |  Collapse all

Method comparison for Drive

How default classification labels work

  • Applies labels to new files and when the ownership of a file changes. Default classification doesn’t retroactively apply labels to existing files unless the file owner changes.
  • Applies labels based on the file owner’s organizational unit or group. Default classification doesn’t search the file content or metadata for certain conditions.
  • If users have permission to change a label, they can change it or remove it after it’s automatically applied.
  • Only labels with an options list field are supported for default classification.
  • Default classification labels are overwritten by DLP-set labels, even if the data classification value is higher in the options list.

How labels set by DLP rules work

  • Applies labels to new and existing files.
  • Applies labels based on conditions such as file type, word matches, and string matches. DLP rules don’t accept organizational unit or group as a condition.
  • You can’t apply a label with a DLP rule that uses a label as a condition.
  • You can prevent users from changing the label, even if they have permission to change it. If they change it, DLP will scan the file again immediately and revert to the DLP label configuration.
  • External users can’t view the version history of files that had a label applied to them by a DLP rule at any point. 
  • DLP rules can apply labels with options list fields, including badged labels.

How AI classification labels work

  • Applies labels to new and existing files.
  • Only labels with one options list field with 2–4 values are supported for AI classification.
  • Applies labels after a training period. During the training period, designated labelers apply a training label to at least 100 files per field option.
  • AI classification labels are overwritten by DLP-set labels, but overwrite default classification labels.
Label conflict resolution

Label values set by DLP rules take priority over AI classification, and both take priority over default classification.

When 2 or more of the same kind of rules try to apply different label values to the same file, the value that's higher in the label's options list is applied. For example, you might have a label with a field that has 3 options listed in the label manager: 

  1. Confidential
  2. Internal
  3. Public

If Rule 1 tries to set the label as Confidential, and Rule 2 tries to set the label as Public for the same file, Confidential (Rule 1) is applied. Make sure that a label's field options are listed in your preferred order of priority before setting up rules.

Set up automatic labeling for Drive

To set up Default classification labels, follow the steps in Apply Default classification labels to new files automatically.

To set up DLP rules to automatically apply labels, follow the steps in Apply classification labels to Drive files automatically with DLP rules.

Automatically apply labels to messages in Gmail

You can use DLP rules to automatically label messages based on the message’s content. To learn more, go to About Gmail DLP & automatic classification labels.

Prevent external sharing and sending with label-based DLP rules

You can define rules that apply only to items or messages with a specific label or field. For example, you can create a DLP rule that scans for credit card numbers and social security numbers in documents or messages. If a match is found, a label, such as Sensitivity, is applied, the field value is set to Confidential, and external sharing and sending is blocked.

Data-protection rules can use labels with badged fields or Options List fields. Other field types aren’t supported.

To set up a DLP rule, follow the steps in Create DLP for Drive rules and custom content detectors or Prevent data leaks in email & attachments. Tip: You can set up DLP rules to apply to both files in Drive and messages in Gmail. You’ll choose what action to take for each app when DLP detects the label.

Retain Drive files by label with Google Vault

You can define retention rules that prevent an item from being deleted, or require that an item be deleted, based on a Drive label and any field values. For examples and to learn more, see Retain Drive files with Vault.

Next steps

Now that you have labels your organization can use:

  1. Teach your users how to apply Drive classification labels and use them to search for files.
  2. Teach your users how to apply Gmail classification labels.
  3. Learn how to edit, disable, delete, and monitor labels.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
7001369441642144666
true
Search Help Center
true
true
true
true
true
73010
false
false