Different rights for different users, using the same label.

-
I got a question today about how to give different rights to different users, using the same label and thought that could be an interesting blog post.


Let’s say you have a label called Internal IT. This labels should protect content, and give the members of the Sales group ready-only access, while the Engineering team should have complete control. Of course you could create a scoped policy and use different labels (see previous blog post: http://pewinther.blogspot.com/2018/09/creating-scoped-policy-and-linking-it.html ), but what if you don’t want to do that? Is it possible to use the same label for this? The answer is yes. And it’s actually pretty easy.

For this I will use the Azure portal.


      First  create your label called Internal IT by going to Azure Information Protection – Labels +Add a new label. 


     When you have given your label a name, and description, you can chose to do other customization, but that is not in this scope. Here we will add protection, by selecting Protect – Azure (cloud key) and then + Add permissions.


      Add the group/users you want to give one type of permission, by selecting browse, find the group/user and give them the permissions you want: 


       Repeat with the next user/group you want to give another right. 

5     As we can see, you now have two different rights for different groups on the same label. 


All we need to do now is save, and then we have our new label with different rights for different groups/Users. 



Labeling content with this new label will give the members of the Engineering group Co-Owner (full access) and the members of the Sales group Viewer (Read-Only) Remember that the groups we use for this needs to be mail-enabled, and normal security groups will not work.

Comments

Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

-
Image
Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
Read more

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

-
Image
Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
Read more