Create a Policy

In Policy enforcement, rules and policies work together to enforce compliance, where the rule defines the “what” and the policy defines the “how” and “where”.

- A rule is the fundamental building block – a pre-defined condition that controls, restricts, or detects a specific configuration. It defines the standard that must be met. For the list of supported rules in the system, refer to [Supported Rules](#missing-link).
- A policy is the enforcement mechanism for a rule. You need to add a single rule to a policy to activate it. The policy then enables the customization of the rule by defining the scope of data it monitors and the actions to take when a violation is detected.

For detailed instruction on creating policies, refer to the following sections.

Automatic Policy

Automatic policies enable continuous, scheduled compliance monitoring by scanning predefined data scopes for rule violations. Administrators configure these policies by selecting rules, defining target object types and conditions, and setting violation handling actions such as reporting, automatic remediation, or approval workflows. These policies operate on a customizable schedule, running scans at specified intervals to ensure ongoing enforcement of security and compliance standards. The system provides full lifecycle management for these policies, including editing, enabling/disabling, and deletion from a centralized interface.

Create an Automatic Policy

To create an automatic policy, complete the following steps:

  1. On the Automatic policies page, click Create policy in the upper-right corner.

  2. In the Create policy panel, complete the following configurations in Basic information first:

    • Rule – Select a rule for this policy. For the list of supported rules in the system, refer to Supported Rules.

      You can search for a specific rule by entering the rule name in the Search text box and then selecting it from the suggestion list.

    • Policy name – The policy name will automatically inherit the rule name. You can modify the name based on your needs.

    • Description – Enter a description for the policy.

    • Status – Configure whether this policy will be in the Enabled or Disabled status upon creation.

    Click Next.

  3. In Scope, define the policy’s monitoring scope by completing the following configurations:

    • Object type – Select an object type for this policy. The available object type to select depends on the selected rule.

    • Conditions – To narrow down the scope, define the conditions. Only objects that match the configured conditions will be included in the policy’s monitoring scope. The available conditions to configure depend on the selected rule.

    Click Next.

  4. In Policy details, configure the violation processing approach, notification settings, and scanning schedule for the policy.

    While detailed policy settings differ from one another based on the rule selection, there are some common optional settings during policy creation:

    • Operation – Select the operation to take after a violation is detected. You can select:

      • Report the violation – The violation will be recorded in the Violation Report where both violation details and further actions are available.

      • Fix directly – Configure a fixing action and automatically fix the violation upon detection.

        *Note: This option is not applicable to rules that can only be fixed through manual fixes. For example, for the Manager count restriction rule, when violations are detected, administrators need to decide the user to add or remove from the shared drive’s manager list.

      • Fix through approval process – Evaluate the violation and fixing details through the approval process created in Configure Approval Process.

        *Note: This option is not applicable to rules that require manual fixes. For example, for Manager count restriction, when violations are detected, administrators need to decide the user to add or remove from the shared drive’s manager list.

    • Trigger when an object meets the following conditions – Configure the conditions that trigger the selected operation.

    • Action details – If Fix directly or Fix through approval process was selected, configure the fixing action to take. The selected action will be executed upon violation detection or approval.

    • Approval process – If Fix through approval process was selected, select an approval process.

    • Send violation notifications to – To notify certain users of the detected violation, select the recipients.

    • Schedule – Complete the following schedule setups:

      • Scan start time – Select the time to start the first scan job of this policy.

      • Scan interval – Configure the scan job’s frequency. The interval can be certain days, weeks, or months.

      • Retention duration – Configure the number of days to retain the scanned data of this policy. The maximum duration is 365 days.

  5. Click Save and the policy will operate based on your schedule configurations. Or you can click Save and run to assign the policy to the selected scope and run a job immediately.

Manage Automatic Policies

All created automatic policies will be displayed on the Automatic policies page, where you can manage them by the following operations:

- **Search for policies** – Find specific policies by typing all or part of their name into the search bar to filter the list.
- **Filter policies** – Narrow down the displayed list of policies based on specific criteria like status, object type, or modified time.
- **Manage columns** – Customize which information columns are displayed in the policy list table for better visibility.
- **Refresh** – Click Refresh to reload the page to update the list of policies and ensure all information displayed is current.
- **Edit policy** – Select a policy and click **Edit** or click ![Icon: Action list.](/en/aos/command-centers/images/image49.png "Icon: Action list.") to expand the action list and select **Edit**. Then, modify the configuration of the selected policy, such as changing its scope, rule, or violation actions.
- **Enable / Disable policy** – Select a policy and click **Enable** / **Disable** or turn on / off the toggle in the **Status** column to activate or deactivate the policy.
- **Delete policy** – Select a policy and click **Delete** or click ![Icon: Action list.](/en/aos/command-centers/images/image50.png "Icon: Action list.") to expand the action list and select **Delete**. This will permanently remove the selected policy from the system, which will stop all future scans and violation processing.

On-Demand Policy

On-demand policies provide targeted, manual compliance checks for specific Google Workspace objects without scheduled scanning. These policies allow administrators to create customized rules and instantly apply them to selected shared drives or other objects for immediate violation assessment. They are ideal for conducting focused audits, investigating specific security concerns, or verifying compliance before project deployments. Unlike automatic policies, on-demand executions are one-time operations that provide immediate results without creating ongoing monitoring schedules.

For detailed instructions on on-demand policy applying, refer to Apply Policies to Shared Drives.

Create an On-Demand Policy

To create an on-demand policy, complete the following steps:

  1. On the On-demand policies page, click Create policy in the upper-right corner.

  2. In the Create policy panel, complete the following configurations in Basic information first:

    • Rule – Select a rule for this policy. For the list of supported rules in the system, refer to Supported Rules.

      You can search for a specific rule by entering the rule name in the Search text box and then selecting it from the suggestion list.

    • Policy name – Enter the policy name.

    • Description – Enter a description for the policy.

    Click Next.

  3. In Policy details, configure the violation processing approach and notification settings.

    While detailed policy settings differ from one another based on the rule selection, there are some common optional settings during policy creation:

    • Object type – If the added rule supports monitoring multiple types of object types, select the object type for this policy.

    • Operation – Select the operation to take after a violation is detected. You can select:

      • Report the violation – The violation will be recorded in the Violation Report where both violation details and further actions are available.

      • Fix directly – Configure a fixing action and automatically fix the violation upon detection.

    • Trigger when an object meets the following conditions – Configure the conditions that trigger the selected operation.

    • Action details – If Fix directly was selected, configure the fixing action to take. The selected action will be executed upon violation detection or approval.

    • Send violation notifications to – To notify certain users of the detected violation, select the recipients.

    • Retention duration – Configure the number of days to retain the scanned data of this policy. The maximum duration is 365 days.

  4. Click Save.

After on-demand policies are created, you can manually apply them to your Google Workspace objects in the Administration module. For detailed instructions, refer to Apply Policies to Shared Drives.
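To make the rule/policy split concrete for both the automatic-policy and on-demand-policy procedures above, here is a small model written for this page (it is not the product's code and does not call its API). A Rule carries only the detection check; a Policy adds the scope conditions, the trigger parameters, the operation, the fixing action, and, for automatic policies, the scan interval and retention. The two rules, the tenant domain `corp.example`, and the sample shared drives are constructed for the example; the constructor also refuses Fix directly or Fix through approval process for a rule marked as manual-fix-only, mirroring the note about Manager count restriction.

```python
"""Toy model of rule/policy enforcement (added example, not the product's own code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

INTERNAL_DOMAINS = {"corp.example"}   # constructed: the tenant's own domains
SCAN_START = datetime(2024, 1, 1, 2, 0)   # constructed: first scan at 02:00


def is_external(email: str) -> bool:
    """An account is external when its domain is not one of the tenant's own."""
    return email.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


@dataclass
class Rule:
    name: str
    object_type: str
    detect: Callable[[dict, dict], Optional[str]]   # (object, trigger) -> violation text or None
    manual_fix_only: bool = False                   # e.g. Manager count restriction


@dataclass
class Policy:
    rule: Rule
    name: str
    scope: Callable[[dict], bool]                   # step 3: scope conditions
    operation: str = "report"                       # report | fix_directly | fix_through_approval
    trigger: dict = field(default_factory=dict)     # step 4: trigger conditions
    fix: Optional[Callable[[dict], None]] = None    # step 4: action details
    scan_interval_days: Optional[int] = None        # None = on-demand (no schedule)
    retention_days: int = 30
    enabled: bool = True

    def __post_init__(self) -> None:
        if self.operation not in ("report", "fix_directly", "fix_through_approval"):
            raise ValueError(f"unknown operation {self.operation!r}")
        if self.operation != "report" and self.rule.manual_fix_only:
            raise ValueError(f"{self.rule.name!r} can only be fixed manually")
        if self.operation != "report" and self.fix is None:
            raise ValueError("a fixing action is required for fix operations")
        if not 1 <= self.retention_days <= 365:
            raise ValueError("retention duration must be 1..365 days")


def run_policy(policy: Policy, objects: list) -> list:
    """One scan job: filter by object type and scope, detect, then apply the operation."""
    report = []
    if not policy.enabled:
        return report
    for obj in objects:
        if obj["type"] != policy.rule.object_type or not policy.scope(obj):
            continue
        detail = policy.rule.detect(obj, policy.trigger)
        if detail is None:
            continue
        entry = {"object": obj["name"], "rule": policy.rule.name, "detail": detail, "status": "reported"}
        if policy.operation == "fix_directly":
            policy.fix(obj)
            entry["status"] = "fixed"
        elif policy.operation == "fix_through_approval":
            entry["status"] = "pending_approval"   # the fix runs only after approval
        report.append(entry)
    return report


def next_scan(start: datetime, interval_days: int, now: datetime) -> datetime:
    """Next run of a scheduled policy: the first scan start, then every interval."""
    if now < start:
        return start
    elapsed = (now - start) // timedelta(days=interval_days)
    return start + timedelta(days=interval_days) * (elapsed + 1)


# Two constructed rules; the real rules' detection logic is not on this page.
def detect_manager_count(drive: dict, trigger: dict) -> Optional[str]:
    n = len(drive["managers"])
    return f"{n} managers, limit is {trigger['max_managers']}" if n > trigger["max_managers"] else None


def detect_external_user(drive: dict, trigger: dict) -> Optional[str]:
    if drive["external_sharing"]:
        return None   # only drives where external sharing is disabled are checked
    ext = sorted(m for m in drive["members"] if is_external(m))
    return f"external members present: {', '.join(ext)}" if ext else None


def remove_external_members(drive: dict) -> None:
    drive["members"] = [m for m in drive["members"] if not is_external(m)]


MANAGER_COUNT = Rule("Manager count restriction", "shared_drive", detect_manager_count, manual_fix_only=True)
EXTERNAL_USER_MONITOR = Rule("External user monitor", "shared_drive", detect_external_user)


def sample_drives() -> list:
    """Constructed inventory, returned fresh each call so fixes do not leak between runs."""
    return [
        {"type": "shared_drive", "name": "Finance", "dept": "finance", "external_sharing": False,
         "managers": ["a@corp.example", "b@corp.example", "c@corp.example"],
         "members": ["a@corp.example", "vendor@partner.example"]},
        {"type": "shared_drive", "name": "Marketing", "dept": "marketing", "external_sharing": True,
         "managers": ["m@corp.example"], "members": ["m@corp.example", "agency@partner.example"]},
        {"type": "shared_drive", "name": "HR", "dept": "hr", "external_sharing": False,
         "managers": ["h@corp.example"], "members": ["h@corp.example"]},
    ]


if __name__ == "__main__":
    drives = sample_drives()
    count_policy = Policy(MANAGER_COUNT, "Max two managers", scope=lambda d: True,
                          trigger={"max_managers": 2}, scan_interval_days=7)
    ext_policy = Policy(EXTERNAL_USER_MONITOR, "No externals in restricted drives",
                        scope=lambda d: d["dept"] != "marketing",
                        operation="fix_directly", fix=remove_external_members)
    for p in (count_policy, ext_policy):
        for entry in run_policy(p, drives):
            print(entry)
    print("next scan:", next_scan(SCAN_START, 7, SCAN_START.replace(day=20)))
```

Running the script reports the Finance drive for having three managers (report only, because that rule is manual-fix-only), removes the external member from Finance under the fix-directly policy, and leaves Marketing alone both because it is out of scope and because external sharing is enabled there. An on-demand policy is the same object with `scan_interval_days` left as `None` and `run_policy` called once on the selected drives.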

Manage On-Demand Policies

All created on-demand policies will be displayed on the On-demand policies page, where you can manage them by the following operations:

- **Search for policies** – Find specific policies by typing all or part of their name into the search bar to filter the list.
- **Filter policies** – Narrow down the displayed list of policies based on specific criteria like status, object type, or modified time.
- **Manage columns** – Customize which information columns are displayed in the policy list table for better visibility.
- **Refresh** – Click Refresh to reload the page to update the list of policies and ensure all information displayed is current.
- **Edit policy** – Select a policy and click **Edit** or click ![Icon: Action list.](/en/aos/command-centers/images/image51.png "Icon: Action list.") to expand the action list and select **Edit**. Then, modify the configuration of the selected policy, such as changing its scope, rule, or violation actions.
- **Delete policy** – Select a policy and click **Delete** or click ![Icon: Action list.](/en/aos/command-centers/images/image52.png "Icon: Action list.") to expand the action list and select **Delete**. This will permanently remove the selected policy from the system.

Supported Rules

The table below lists the supported rules in the system.

The Applicable Policy Type columns are Automatic Policies and On-Demand Policies; the Supported Google Object Types columns are User Drives, Shared Drives, Groups, Users, and Gmail.

| Rule name | Description | Automatic policies | On-demand policies | User drives | Shared drives | Groups | Users | Gmail |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Admin role assignment restriction | Restrict drive permission assignment of certain users. | Yes | No | No | No | Yes | No | No |
| Drive user / group restriction | Control users and groups that can be added to drives. | Yes | No | Yes | Yes | No | No | No |
| Edit permission restriction for sharing links | Restrict the sharing permission shared via sharing links. | Yes | No | Yes | Yes | No | No | No |
| External access to groups restriction | Detect and restrict external users’ group membership. | Yes | Yes | No | Yes | No | No | No |
| External email forwarding restriction | Detect and restrict emails being forwarded to external mailboxes. | Yes | No | No | No | No | No | Yes |
| External group member detection | Detect and report external users in groups. | Yes | Yes | No | No | Yes | No | No |
| External sharing expiration enforcement | Enforce the expiration time of drive permission shared to external users. | Yes | Yes | Yes | No | No | No | No |
| External user manager / content manager permission restriction | Report and remove manager or content manager roles from guest users. | Yes | Yes | No | Yes | No | No | No |
| External user monitor | Detect external users in a shared drive where external sharing is disabled. | Yes | Yes | No | Yes | No | No | No |
| File permission inheritance protection | Protect permission inheritance from being broken at the file level. | Yes | Yes | Yes | Yes | No | No | No |
| Group with external users detection | Detect and remove groups with external users from drives. | Yes | Yes | Yes | Yes | No | No | No |
| Inactive user account detection | Detect inactive user accounts. | Yes | No | No | No | No | Yes | No |
| Manager / Content manager restriction | Restrict users who can be added to a shared drive as managers. | Yes | No | No | Yes | No | No | No |
| Manager count restriction | Restrict the number of managers in a shared drive. | Yes | Yes | No | Yes | No | No | No |
| Manager enforcement | Enforce specific users and groups to be managers of a shared drive. | Yes | No | No | Yes | No | No | No |
| Member invitation restriction | Detect and remove users invited to shared drives. *Note: This rule can only detect users invited within the last 30 days. | Yes | No | No | Yes | No | No | No |
| Membership restriction | Restrict users who can be added to a shared drive as members. | Yes | No | No | Yes | No | No | No |
| Orphaned users drive permission detection | Detect users who have been deleted but have remaining drive permissions. | Yes | Yes | Yes | Yes | No | No | No |
| Shadow user detection | Remove users who have access to a document in a shared drive but are not members of the shared drive. | Yes | Yes | No | Yes | No | No | No |
| Shared drive creation restriction | Control who can create shared drives. | Yes | No | No | Yes | No | No | No |
| Shared drive settings restriction | Restrict content sharing settings for shared drives. | Yes | Yes | No | Yes | No | No | No |
| Shared permission expiration enforcement | Enforce the expiration time of shared drive permissions. | Yes | Yes | Yes | No | No | No | No |
| Sharing link restriction | Restrict the creation of sharing links or adding specific audiences to sharing links. | Yes | Yes | Yes | Yes | No | No | No |
| User permission replacement | Report or remove permissions from a specific user and assign the permissions to other designated users. | Yes | No | Yes | Yes | No | No | No |