The tables below list the supported rules that can be added to policies.

| Rule Name | Description | Applicable to Automatic Policies | Applicable to On-Demand Policies |
|---|---|---|---|
| Drive user / group permission anomaly detection | Restrict user / group drive access and detect excessive or insufficient permission levels to enforce proper access controls. | Yes | No |
| Drive user permission replacement | Transfer all drive permissions of a user to another user and remove the original user's access for secure transitions during role changes or departures. | Yes | No |
| Edit permission restriction for sharing links | Restrict sharing links with edit permission that are shared with "Anyone" or a specific target audience. | Yes | No |
| External sharing expiration enforcement | Restrict long access periods for externally shared files / folders or extend expiring shares as needed. | Yes | Yes |
| File permission inheritance protection | Restrict file-level permission inheritance breaks that cause drive permission inconsistencies. | Yes | Yes |
| Gemini accessed sensitive files detection | Detect and report high-frequency or abnormal Gemini AI access to sensitive files to prevent and investigate potential data scraping or mass extraction incidents via AI usage. | Yes | No |
| Orphaned users drive permission restriction | Restrict deleted, archived, and suspended users with drive permissions. | Yes | Yes |
| Permission restriction for groups with external users | Restrict groups containing external users from accessing drives. | Yes | Yes |
| Shared permission expiration enforcement | Restrict long access periods for internally shared files / folders or extend expiring shares as needed. | Yes | Yes |

| Rule Name | Description | Applicable to Automatic Policies | Applicable to On-Demand Policies |
|---|---|---|---|
| Drive user / group permission anomaly detection | Restrict user / group drive access and detect excessive or insufficient permission levels to enforce proper access controls. | Yes | No |
| Drive user permission replacement | Transfer all drive permissions of a user to another user and remove the original user's access for secure transitions during role changes or departures. | Yes | No |
| Edit permission restriction for sharing links | Restrict sharing links with edit permission that are shared with "Anyone" or a specific target audience. | Yes | No |
| External sharing expiration enforcement | Restrict long access periods for externally shared files / folders or extend expiring shares as needed. | Yes | Yes |
| External user manager / content manager permission restriction | Restrict external users with manager or content manager permissions on shared drives. | Yes | Yes |
| External user restriction | Restrict external users in shared drives with external sharing disabled. | Yes | Yes |
| File permission inheritance protection | Restrict file-level permission inheritance breaks that cause drive permission inconsistencies. | Yes | Yes |
| Gemini accessed sensitive files detection | Detect and report high-frequency or abnormal Gemini AI access to sensitive files to prevent and investigate potential data scraping or mass extraction incidents via AI usage. | Yes | No |
| Manager / Content manager restriction | Restrict users and groups ineligible as shared drive managers. | Yes | No |
| Manager count restriction | Restrict the number of managers in a shared drive. | Yes | Yes |
| Manager enforcement | Enforce specific users and groups to be managers of a shared drive. | Yes | No |
| Member invitation restriction | Restrict designated users from adding members to shared drives during specific periods. | Yes | No |
| Membership restriction | Restrict specified users or groups from joining shared drives as members. | Yes | No |
| Orphaned users drive permission restriction | Restrict deleted, archived, and suspended users with drive permissions. | Yes | Yes |
| Permission restriction for groups with external users | Restrict groups containing external users from accessing drives. | Yes | Yes |
| Shadow user restriction | Restrict users with file / folder access in shared drives who are not members. | Yes | Yes |
| Shared drive access permission settings restriction | Restrict shared drive settings (manager permissions, external access, sharing, downloads) to maintain compliance and data protection. | Yes | Yes |
| Shared drive creation restriction | Restrict specified users from creating shared drives. | Yes | No |
| Shared permission expiration enforcement | Restrict long access periods for internally shared files / folders or extend expiring shares as needed. | Yes | Yes |
| Sharing link restriction | Restrict sharing links that are shared with a specific target audience. | Yes | Yes |

| Rule Name | Description | Applicable to Automatic Policies | Applicable to On-Demand Policies |
|---|---|---|---|
| Admin role assignment restriction | Restrict certain users from being given administrative roles. | Yes | No |
| External group member detection | Detect Google groups that contain members from outside of your organization. | Yes | Yes |
| Group external access settings restriction | Restrict external users' access to groups by enforcing group access settings. | Yes | Yes |

| Rule Name | Description | Applicable to Automatic Policies | Applicable to On-Demand Policies |
|---|---|---|---|
| 2-step verification enforcement | Detect user accounts that have disabled 2-step verification. | Yes | Yes |
| Inactive user account restriction | Restrict inactive users (not signed in for more than a specified period). | Yes | No |

| Rule Name | Description | Applicable to Automatic Policies | Applicable to On-Demand Policies |
|---|---|---|---|
| External email forwarding settings detection | Detect users who have enabled automatic email forwarding settings and are forwarding to external addresses. | Yes | No |