Control access to apps based on user & device context

Control access to actions in apps

When you assign access levels to apps, you usually give access to everything in the app or nothing at all. Sometimes, however, certain actions in an app are more sensitive than others. In Google Drive, downloading a document might be more sensitive than simply viewing it.

As an administrator, you can enhance security for specific actions by combining Context-Aware Access conditions with data loss prevention (DLP) rules. You can, for example, restrict downloading files in Drive on personal or Bring Your Own Device (BYOD) devices. You can control how your organization’s data is accessed based on the user and their device.

Example: Block download of Drive files on personal devices

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Click Create Access Level. You might need to click Access levels first.
  3. Enter a name, such as BYOD devices, and a description for the new access level.
  4. For Context conditions, click Add Condition.
  5. Select Doesn't meet 1 or more attributes (OR).
  6. For Select attribute, select Device.
  7. For Select condition, select Company-owned.
  8. Click Create. Now, you can create a DLP rule with this access level.
  9. Click Create Rule.
  10. Click Name and enter a name for the rule and, optionally, a description.
  11. For Scope, choose an option:
    • To apply to all users in your organization, select All in your organization.
    • To apply to specific organizational units or groups, select Organizational units and/or groups and add or exclude them as needed.
  12. Click Continue.
  13. In Apps, for Google Drive, check the Drive files box and click Continue.
  14. For Content type to scan, choose All content.
  15. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, go to Create a DLP rule.
  16. In the Context conditions section, for Select an access level, select the access level created earlier, such as BYOD devices.
    The rule is applied when the conditions in the access level are met. So, in this example, the access level must be True for BYOD devices.
  17. Click Continue.
  18. For Google Drive, click Action and select Disable download, print, and copy For commenters and viewers only.
  19. (Optional) To set an alert severity level and send alert notifications, choose the options.
  20. Click Continue.
  21. Review the rule details and for Rule status, select Active to immediately run the rule or Inactive to activate it later.
  22. Click Create.
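
The decision logic of the rule built in the steps above, as an added Python sketch (not Google's code and not part of the original page). The Request fields, function names and sample users are hypothetical; the model assumes the single-attribute access level from steps 5 to 7 and treats editors as unaffected, as the "For commenters and viewers only" action states.

```python
from dataclasses import dataclass

# Simplified model of the rule built above; not Google's implementation.
# All names here are hypothetical and exist only for this example.

@dataclass
class Request:
    user: str
    role: str               # "viewer", "commenter" or "editor" on the file
    company_owned: bool     # device attribute checked by the access level
    content_matches: bool   # result of the DLP scan ("What to scan for")
    in_scope: bool = True   # user falls inside the rule's Scope

def byod_access_level(req):
    """'Doesn't meet 1 or more attributes (OR)' with the single attribute
    Device > Company-owned: True when the device is NOT company-owned."""
    attributes = [req.company_owned]
    return any(not met for met in attributes)

RESTRICTED_ROLES = {"viewer", "commenter"}  # "For commenters and viewers only"

def download_blocked(req):
    """The rule fires only when scope, content and context all match, and
    the action only affects commenters and viewers."""
    rule_fires = req.in_scope and req.content_matches and byod_access_level(req)
    return rule_fires and req.role in RESTRICTED_ROLES

# Constructed sample requests (not real users or devices)
SAMPLES = [
    Request("ana", "viewer", company_owned=False, content_matches=True),
    Request("ben", "viewer", company_owned=True, content_matches=True),
    Request("cho", "editor", company_owned=False, content_matches=True),
    Request("dev", "commenter", company_owned=False, content_matches=False),
    Request("eli", "commenter", company_owned=False, content_matches=True,
            in_scope=False),
]

def evaluate(samples=SAMPLES):
    """Map each sample user to whether download/print/copy is disabled."""
    return {r.user: download_blocked(r) for r in samples}

if __name__ == "__main__":
    for user, blocked in evaluate().items():
        state = "download/print/copy disabled" if blocked else "allowed"
        print(f"{user}: {state}")
```

Only the first sample is blocked: the access level is True for every personal device, but the rule leaves editors, non-matching content and out-of-scope users alone.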

Changes can take up to 24 hours but typically happen more quickly.

Related topic

Combine DLP rules with Context-Aware Access conditions
