Configuring Google Badge Labels for API scanning

Configure Google Drive classification labels in the Google Admin Console and enable them in App Security to use as criteria for API scanning policies.

Google Drive allows users to attach structured classification labels to files to indicate how they may be shared or accessed. App Security can read these labels and use them as criteria for API scanning policies. When a file's label is deleted, changed, or the file is shared in violation of its classification, App Security detects the event and evaluates the configured policies automatically without downloading the file.

App Security supports Google Badge Labels only. A badge label is a label option that has a badge color assigned to it in the Google label manager. Standard label options without a badge color are not supported.

Note: Google Badge Labels must be configured and published in the Google Admin Console before they can be enabled in App Security. Complete the steps in order.

Note: App Security uses the User Label Change Date to track when a user first added a label to a file. This allows organizations to gradually roll out label-based policies without triggering enforcement on existing unlabeled files. Files created before a specified date are excluded from policy enforcement until a user adds a label to them.

For more information about the Traffic Light Protocol (TLP) classification framework, see https://www.first.org/tlp/.