I found more to this “Sensitivity” column beyond what I discussed last time. There, we talked about how the sensitivity column does not get updated when a user defined permission (UDP) label is applied to a document and uploaded to SharePoint or OneDrive library.
Today, let us look at some other nuances around this all-important sensitivity label. By enabling EnableAIPIntegration feature at the tenant for a SP or OneDrive repository, the “Sensitivity” column is able to display the associated template-based label for a protected document. Check here for more details on integration part.
However, we found a strange issue. When Encryption enabled Template Based Label is set to a document in SPO/OD document library, the column value does not get wiped out when UDP label is applied and another version of the same document is uploaded.
Functional Issues encountered
Due to the above-mentioned limitation, we encountered certain functional issues which could eventually block our suggested solution. Let me give a brief about few of those issues:
Issue 1: Providing wrong information to users which would make them confused
Suppose a document is already labelled with Template based label and uploaded to SharePoint Online or OneDrive. If any user downloads the file, changes the label from Template Based Label to UDP label and uploads another version of the document, the user would still see the Sensitivity column showing Template Based Label. This would provide wrong information anyone visiting the library and referring to the Sensitivity column to understand the label applied to the document.
Issue 2: Document once intended for internal user now needs to be shared with external user
Think of a situation when an important document (could be some proposal or an invoice) was created targeting internal employees in draft version. Once the document is completely reviewed and finalized, it would be shared with some external B2B user.
In this case, first few versions, a Template Based label might be set which restricts the access of the document to the internal users only. Any update being made to the document is exposed internally. When the document is reviewed and finalized, we would now need to share the document with an external user. Since UDP label is not inherently supported in SPO, we can follow below process to share the document to external user making sure we provide appropriate access:
- Download the document
- Provide Co-Author/Viewer/Reviewer access to the external B2B user
- Re-Upload the document as new version
- Share the document using SPO/OneDrive OOTB Sharing feature
At this point, we expect the external user to get proper access to the document since we are enabling RMS access as well as SharePoint access to the user. But once the user receives the sharing email and tries to access the document using the link provided in the email, access to the document will not be allowed and the following error would be thrown:
Sorry, you don’t have permission to open this document. The document is protected by a rights management service, such as Azure Information Protection
The root cause of the issue is not that the user is lacking some RMS or SharePoint permission. Culprit here is the “Sensitivity” column. When a protected document is uploaded to SPO/OneDrive and Sensitivity column populates some value, SharePoint by default tries to check the permission of the user who is trying to access the document. In this case, since Sensitivity column did not wipe out the previous template-based label which allowed only internal user to access the document. The external valid B2B user fails to access the document and we are encounter with serious functional issue.
Both the above-mentioned issues can be solved if we are able to clean off Sensitivity column when template-based label is no longer applied to the document. We observed that this issue does not arise in case we upload a non-protected rather non-labelled version of file. That time Sensitivity column is properly being set as blank.
Based on this observation, we came up with the below work around to address this issue where we perform below activities programmatically when user shares the document to external user:
- Download the file
- Remove classification aka sensitivity label and protection from the document
- Keep a copy of the un-labelled file
- Change the sensitivity label to UDP label
- Upload un-labelled file
- In quick succession upload UDP labelled file so that end user does not realize the intermediate unlabeled version of the file
- Delete the un-labelled version of the file from SPO/OneDrive
Now, you would see the Sensitivity column no longer shows the Template Based Label name and both discussed issues would not arise.
As mentioned in my earlier blog as well, these issues are present as on date. Microsoft has been apprised of it for a fix. Please validate the behavior before you try to implement any work around as part of your solution.
Download the Datasheet to learn more about Netwoven’s Information Protection and Compliance service.
Download the Solution Brief to learn how Netwoven’s solution proactively identifies and protects your sensitive data.
Looking forward to hearing from you.
Stay tuned to the series for my next post.