Can Metadata/labelling or classification help me?


Hi

We currently have 1 document library, and within it we have various folders and files.

We want to be able to classify our files according to their sensitivity - high, medium, low.

By default we want anything marked low set so everyone can see it, while everything high only certain people can see, and other policies would be in place so that high rated files can't be emailed out.

So the idea is that once everything is classified, if you go into one of the folders within the document library and there is a "high" rated document, most users would not be able to see this.

Can this be done with 365 labeling, metadata, classification? Or is there any other way to do this?

5 Replies

@Pn1995 Yes, you can definitely do this using the appropriate labels, as it will be a robust approach. But if you need to share content with a small set of users across different departments, with frequent changes to the permission or access needs, then I might refrain from using labels. I will use labels to assign permissions for something like an HR repository where I share files for full-time staff, contractors and interns. Then I will assign different permissions for each of them, and the content will be shared according to the label. The advantage is I don't have to manually add or remove people frequently, and it makes the process robust and easy. So if you need something similar, you can use this.

On the other hand, if my need is designing a departmental repository where a lot of people share information, and we control and alter the users' permissions frequently, then I will use SharePoint permission management to set unique permissions for each file according to certain metadata. To automate the permission management I can write a workflow to set unique permissions every time a document gets added.

Thanks @Vikram_Samal

So just so I fully understand this, you create a label in 365 (is this a sensitivity label you use?) and then assign this to a file. Do you then use some kind of DLP policy to control who can access the files or not?

If you have any links that describe how this is done, it would be really useful.

Just to confirm what we want to do:

1) Assign a label called, say, "confidential", and only certain people are allowed to access/see "confidential" files

Thanks

@Pn1995

Yes this can be done with labelling - see previous responses. It sounds like you're trying to create access control within a library using classification instead of permissions. While it sounds good at first, the devil is in the details and I would use EXTREME caution before implementing it across your tenant. Unlike permissions, I don't believe access rights by classification can be over-ridden without changing the classification of the document or granting access to ALL highly classified content.

So for example, the assistant to the CEO may need access to some highly confidential content, but not all. Or maybe there is a highly classified project and someone needs access to the content for that one project.

How would the owner of the highly classified content make exceptions for these people without changing the classification of the document or granting them access to ALL highly confidential content?

I fear what you would end up with is a lot of content being under- or over-classified as a shortcut to control access.

I would recommend you ask what problem you are trying to solve. If you want to control access rights, then I would do that using permissions on sites & libraries. Use classification to prevent content from being printed, downloaded or leaving the company without approval.

Thanks @Rachel Davis

The idea would be that this would only be assigned to a single document library, and all other areas would be controlled by permissions etc...

The issue is they have a host of documents in a library in various folders, and the library is protected by permission. In every folder, if they have say 100 files, 5 or 6 of these will be deemed "confidential", so instead of moving these to a different area or changing permissions, the thought is to classify them so most people can't access them.

@Pn1995 Before I say anything further, I must reiterate that controlling access is best done by permission management, so if you can do this, that will help you manage it easily. Please let me know if this method works.

  1. Create a choice column named "Confidentiality" with options such as "Public" and "Private", the default value being "Public".
  2. Create a group named "private Document Group" and add the users who need access to the private contents.
  3. You can then set up a workflow so that any time the Confidentiality value = "Private", it runs the permission management workflow to set unique permissions and give access only to the private group created in step 2.
  4. The other condition will be Confidentiality value = "Public": do nothing, as those files can be accessed by the users of the library.
  5. The only catch is that people who have edit rights should not make changes such as changing a "Private" doc to "Public". In that case you need a few more steps to handle that.

Please let me know if this helps.
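
The five steps in the reply above can be enforced and audited with a scheduled script instead of a per-item workflow. The sketch below is an added example, not part of the thread or anyone's production code; it assumes the PnP.PowerShell module, a placeholder site URL and library name, and the built-in "Read" permission level, while the column and group names are the ones from steps 1 and 2.

```powershell
# Added example (not from the thread). Assumes the PnP.PowerShell module.
$SiteUrl   = "https://contoso.sharepoint.com/sites/example"  # placeholder
$Library   = "Documents"                                     # placeholder
$Column    = "Confidentiality"          # choice column from step 1
$GroupName = "private Document Group"   # group from step 2

Connect-PnPOnline -Url $SiteUrl -Interactive

$report = foreach ($item in Get-PnPListItem -List $Library -PageSize 500) {
    # Only files are classified in this scheme; skip folders.
    if ($item.FileSystemObjectType -ne "File") { continue }

    # Load whether the item has already broken permission inheritance.
    Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments | Out-Null
    $unique = $item.HasUniqueRoleAssignments
    $label  = $item[$Column]
    $action = "none"

    if ($label -eq "Private") {
        # Step 3: break inheritance and leave only the private group.
        # -ClearExisting removes every other assignment on the item,
        # so the call is safe to repeat on each run.
        Set-PnPListItemPermission -List $Library -Identity $item.Id `
            -Group $GroupName -AddRole "Read" -ClearExisting
        $action = "restricted"
    }
    elseif ($unique) {
        # Step 5 catch: a file that is not "Private" but still has unique
        # permissions was probably relabelled by an editor. Flag it for
        # review rather than silently restoring inherited access.
        $action = "review"
    }

    [pscustomobject]@{
        Id              = $item.Id
        Path            = $item["FileRef"]
        Confidentiality = $label
        UniquePerms     = $unique
        Action          = $action
    }
}

# Files that need a human decision, then a full record of the run.
$report | Where-Object Action -eq "review" | Format-Table Id, Path, Confidentiality
$report | Export-Csv -Path ".\confidentiality-audit.csv" -NoTypeInformation
```

Because `-ClearExisting` also removes the library owners' assignment on each "Private" file, add a second `Set-PnPListItemPermission` call for the owners group if they must keep access.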