Different rights for different users, using the same label.

I got a question today about how to give different rights to different users, using the same label and thought that could be an interesting blog post.

Let’s say you have a label called Internal IT. This labels should protect content, and give the members of the Sales group ready-only access, while the Engineering team should have complete control. Of course you could create a scoped policy and use different labels (see previous blog post: http://pewinther.blogspot.com/2018/09/creating-scoped-policy-and-linking-it.html ), but what if you don’t want to do that? Is it possible to use the same label for this? The answer is yes. And it’s actually pretty easy.

For this I will use the Azure portal.

      First  create your label called Internal IT by going to Azure Information Protection – Labels +Add a new label. 

     When you have given your label a name, and description, you can chose to do other customization, but that is not in this scope. Here we will add protection, by selecting Protect – Azure (cloud key) and then + Add permissions.

      Add the group/users you want to give one type of permission, by selecting browse, find the group/user and give them the permissions you want: 

       Repeat with the next user/group you want to give another right. 

5     As we can see, you now have two different rights for different groups on the same label. 

All we need to do now is save, and then we have our new label with different rights for different groups/Users. 

Labeling content with this new label will give the members of the Engineering group Co-Owner (full access) and the members of the Sales group Viewer (Read-Only) Remember that the groups we use for this needs to be mail-enabled, and normal security groups will not work.


Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label