Drive Policy
A Drive policy is a workflow that automates actions based on a set of rules and guidelines governing the use of Google Drive, to ensure security, compliance, and efficient data management. The specific meaning depends on the context:
Patronum Drive Policy
In a Patronum environment, Drive policies include:
Sharing restrictions filter (internal vs. external sharing vs. Shared with Gmail.com vs. Any Domain outside Allowlist vs. Anyone at Domain with the Link vs. Anyone at Target Audience with the Link)
Access control (Expire and Unshare files)
Data retention and access deletion (rules for keeping or auto-deleting file access)
Setting Up Google Drive in Patronum
Go to Policies
Create a New Policy
Select Drive from the Trigger drop-down
Tabs in Policies:
Workflow
Allow Domain List
Workflow
A workflow in policies refers to a structured sequence of steps that guide policy creation, review, approval, implementation, and maintenance. It ensures consistency and alignment with organisational goals.
Allow Domain List
This section defines domain-based restrictions in workflows, allowing for specific domains to be individually included or excluded.
Sections in Workflow:
Scope
Conditions
Actions
1. Scope
Based on Users: Assigns workflows to users belonging to an organisational unit or Google group. By default, the workflow applies to all users within a domain. It also allows exclusions.
Based on Files: Defines which files and Shared Drives the policy applies to. The workflow applies to all files within a domain by default. Options to include/exclude My Drive and Shared Drives are available.
Preview: Displays the targeted files based on applied conditions.
2. Conditions
Conditions filter out data or files that a policy applies to.
Condition Types/Attributes:
Document Title
Labels
Older Than
Shared
Shared With
Document Title Filters:
Contains: Includes items with a specific keyword.
Does not contain: Excludes items with a specific keyword.
Equal: Matches exact values.
Not Equal: Excludes specific values.
Empty: Identifies blank fields.
Not Empty: Identifies fields that contain data.
Labels
Filters data based on labels applied to files. A drop-down menu lists all existing labels for selection.
1) What are Labels?
Google Labels are a way to categorise and organise emails, files, or other items within Google services like Gmail and Google Drive. Unlike traditional folders, labels allow an item to have multiple labels at once, making organization more flexible.
Older Than
Filters files within the organisation that are older than X days, where X is the value set in the Older Than filter.
Shared Filter – Explanation with Example
The Shared filter allows you to target files based on when they were shared. If you enter ‘X’ days, it will filter files that were shared exactly ‘X’ days ago.
Example:
You set Days = 10, meaning it will retrieve files shared 10 days ago.
Additionally, you can combine this with the Shared With filter to refine results further.
Example with Shared With Filter:
Shared = 10 days
Shared With = gmail.com
This will list all files that were shared 10 days ago with any email under the gmail.com domain. This helps administrators efficiently track and manage external file sharing.
Shared With
Filters based on specific sharing conditions:
Any Domain outside Allowlist: Filter the files shared with domains that are not in the Allowlist.
Any External Domain: Filter the files which are shared with any external domain.
Anyone at Domain with the Link: Filter the files that are shared with internal users to access via a link.
Anyone at Target Audience with the Link: Filter the files which are shared with the Target Audience with the link.
Anyone with the Link: Filter the files which are accessible by anyone with the link.
Gmail.com: Filter the files that are shared with Gmail.com addresses.
Logical Operators
AND: All conditions must be met.
OR: At least one condition must be met.
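The Shared and Shared With conditions and the AND/OR operators described above can be modelled offline to check what a policy would target before it is enabled. This is an added example, not Patronum's code or API: the record fields, the domains example.com and partner.example, the dates, and the choice to apply AND to a single permission are all assumptions.

```python
from datetime import date

# Constructed sample data. Field names, domains and dates are assumptions
# made for this illustration; they are not Patronum's schema.
INTERNAL, ALLOWLIST, TODAY = "example.com", {"partner.example"}, date(2025, 1, 11)

def perm(kind, email, shared_on):
    return {"type": kind, "email": email, "shared_on": shared_on}

FILES = [
    {"title": "Q4 forecast", "perms": [perm("user", "alice@gmail.com", date(2025, 1, 1))]},
    {"title": "Vendor contract", "perms": [perm("user", "bob@partner.example", date(2025, 1, 1))]},
    {"title": "Old roadmap", "perms": [perm("user", "carol@gmail.com", date(2024, 12, 1))]},
    {"title": "Press kit", "perms": [perm("anyone", None, date(2025, 1, 1))]},
    {"title": "Team notes", "perms": [perm("user", "dan@example.com", date(2024, 11, 1))]},
]

def shared_with(p):
    """Return the 'Shared With' categories that one permission falls into."""
    if p["type"] == "anyone":
        return {"Anyone with the Link"}
    domain = p["email"].rsplit("@", 1)[1].lower()
    if domain == INTERNAL:
        return set()                      # internal share: no external category
    cats = {"Any External Domain"}
    if domain == "gmail.com":
        cats.add("Gmail.com")
    if domain not in ALLOWLIST:
        cats.add("Any Domain outside Allowlist")
    return cats

def matches(f, days=None, category=None, op="AND"):
    """Apply Shared = days and Shared With = category to each permission.
    Assumption: with AND, both conditions must hold on the same permission."""
    for p in f["perms"]:
        checks = []
        if days is not None:              # Shared: shared exactly `days` days ago
            checks.append((TODAY - p["shared_on"]).days == days)
        if category is not None:
            checks.append(category in shared_with(p))
        if checks and (all(checks) if op == "AND" else any(checks)):
            return True
    return False

def select(**conditions):
    """Titles of the files a policy with these conditions would target."""
    return [f["title"] for f in FILES if matches(f, **conditions)]

if __name__ == "__main__":
    print(select(days=10, category="Gmail.com"))             # the page's example
    print(select(category="Any Domain outside Allowlist"))
```

Switching the same two conditions from AND to OR widens the result from one file to four, which is worth confirming in the policy Preview before attaching an Unshare action.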
Action Section
Defines operations on targeted files.
Action Types:
Email to Drive Managers/Content Managers: Sends an email notification.
Here you set frequency based on Days, Months, and Years
Email User: Notifies the file owner (for My Drive) or Drive Manager (for Shared Drive).
Here you set frequency based on Days, Months, and Years
Expire Files: Revokes user permissions on a specified date.
Labels: Applies Drive labels to targeted files.
Move Files: Moves files or folders within Shared Drives.
Moves a file from one location to another, for example moving a user's file to a Shared Drive where it can be shared with all the other users.
Notify: Sends notifications based on policy actions.
Report: Sends a policy preview report to specified recipients.
Safe-List Days Ago: Temporarily safe-lists a file for a defined period. (Used in Compliance)
Schedule: Defines scheduling actions.
Snooze-Days Ago: Temporarily snoozes a file for a defined period. (Used in Compliance)
Unshare Files: Removes sharing permissions from targeted files after a delay set in Days, Months, and Years. Once started, its progress is shown with pass and fail details in Dashboard Live Task Status.
Use Case Overview: Unshare Delay Mechanism
Scenario:
An admin sends an email to an end user on a specific date, requesting action or a response. If the end user does not respond within the defined period, files will be automatically unshared based on the policy settings.
Key Functionality of Unshare Delay
1. Unshare Delay Behaviour:
The delay timer starts when the admin sends the email.
If the user does not take action or respond, the files will be unshared once the delay period expires.
Compliance status does not affect the unsharing process—files are unshared automatically after the delay.
2. Policy Enforcement:
Acts as a strict enforcement mechanism, ensuring files are unshared regardless of user response.
Eliminates the need for manual intervention and prevents prolonged unauthorized access.
Files that have been snoozed or safelisted will not be unshared.
Example Scenario:
Admin sends an email: January 1, 2025
Unshare Delay period set in policy: 5 days
Outcome on January 6, 2025:
If the user does not respond, files are unshared automatically.
If the user safe-lists or snoozes specific files, only non-exempt files are unshared.
This ensures automatic file unsharing, enhancing compliance and data security without waiting for user intervention.
Note: You can reverse unsharing from Live Task Status for files whose unsharing completed successfully.
Compliance in File Management ensures security and access control over organisational files, allowing users to monitor permissions, perform bulk actions, and enforce company policies.
Why Compliance in Patronum?
Compliance provides end users with the flexibility to unshare specific files based on their unique needs. Previously, unsharing was limited to predefined conditions, but what if a user wants to unshare only a single file that starts with "A"? Compliance makes this possible.
Beyond unsharing, Compliance also enables various actions, such as permission changes, ensuring users can manage file access while staying within policy guidelines—something that was not achievable before.
Key Benefits:
Centralised Control – Manage file permissions, bulk unshare, and modify access in one place.
Risk Mitigation – Revoke excessive access and enforce compliance standards.
Flexible Overrides – Snooze and Safe-list allow temporary exceptions without compromising security.
Proactive Security – Monitor access, receive alerts, and track compliance actions.
Audit Readiness – Log all file access changes for regulatory compliance.
Patronum simplifies security, reduces risks, and ensures continuous compliance—all in a single interface.
Below are the key operations available in Compliance:
1. Unsharing (use the lock icon to perform the unsharing action)
Bulk Unsharing of permissions directly from the compliance page.
This helps restrict access to sensitive files that might have been shared too broadly.
2. Snooze
This action temporarily suspends compliance enforcement on a file for a specified duration (days/months/years).
When a policy runs and a file is snoozed, the system prevents enforcement actions during this period.
A notification pops up when snooze is applied.
3. Safe-list
Similar to snooze but used to whitelist or exempt a file from compliance checks for a defined period.
When a policy runs, safe-listed files are excluded from automatic restrictions.
A notification appears when this action is performed.
Secure Drive Items
This refers to the ability to manage and control access to files stored in Google Drive from the compliance page. It includes actions such as deleting a specific permission (removing access for a user or group) and modifying the access type (changing who can view or edit the file). These actions help in securing sensitive data and ensuring that only authorized individuals have access.
Change Access Type: This operation allows administrators to modify the access level of files that have been shared with "everyone else." If a file has been broadly shared (e.g., publicly or with an entire organization), this feature lets you change its access type to restrict or control who can view or edit the file directly from the compliance page.
Updated on: 25/02/2025