Stop data loss with DLP

Examples of DLP rules with nested condition operators

Use AND, OR, or NOT operators in DLP rule conditions

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus. Compare your edition

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

When you create data loss prevention rules for DLP,  you add conditions that trigger these rules. Conditions can nest in other conditions, using AND, OR, or NOT operators. This article describes some examples of common use cases for these operators in the conditions in DLP for rules.

Functions of the AND, OR, and NOT operators

Operator What it does
AND An action occurs only when all the conditions that are combined with an AND operator are met. For example, a condition can block sharing if a document body contains the word Confidential AND Acme. Only documents containing both the keywords are blocked from sharing. If a document contains only the word Confidential, sharing is not blocked.
OR An action occurs if either of the conditions are met. For example, a condition can block sharing if the document contains the word Confidential or Acme. Documents containing either word or both words are blocked.
NOT This condition is excluded from evaluation before an action occurs.

Tip: If you change your mind about about adding a condition, click to remove it and start again.

DLP for rule condition examples

Example 1: DLP rule condition with AND and OR operators 

In this use case, the rule is triggered when a document title contains the word confidential, and the document body contains a United States passport number or a United States Social Security Number.

Here is a conceptual diagram of this use case:

To configure this use case:

  1. In the rule configuration flow, you have come to the Conditions section. Click Add Condition.
  2. Specify these values for the condition fields:
    • Field—Title
    • Value—Contains word
    • Enter contents to match—confidential
  3. Click Add Condition.
  4. In the second condition, click Add condition group Embed. This creates a group of two new conditions subordinate to the first condition.
  5. In the new group of conditions, change AND to OR
  6. Specify these values for the first grouped condition:
    • Field—Body
    • Value—Matches default detector
    • Default detector—Scroll and choose United States-Passport
    • Likelihood Threshold—Possible
    • Minimum unique matches—1
    • Minimum match count—1
  7. Specify these values for the second grouped condition:
    • Field—Body
    • Value—Matches default detector
    • Default detector—Scroll and choose United States--Social Security Number
    • Likelihood Threshold—Possible
    • Minimum unique matches—1
    • Minimum match count—1
  8. Click Continue to continue configuring your rule.
Example 2: DLP rule condition with an AND operator and multiple NOT operators

In this use case, the rule is triggered when the document title contains the word confidential, but doesn’t contain the word published.  And, the body of the document doesn’t contain the string safe to share. 

Here is a conceptual diagram of this use case:

To configure this use case:

  1. In the rule configuration flow, you have come to the Conditions section. Click Add Condition.
  2. Specify these values for the condition fields:
    • Field—Title
    • Value—Contains word
    • Enter contents to match—confidential
  3. Click Add Condition.
  4. Click Not  in the new condition.
  5. Specify these values for the first Not operator:
    • Field—Title
    • Value—Contains
    • Enter contents to match—published
  6. Click Add Condition.
  7. Click Not  in the new condition.
  8. Specify these values for the second Not operator:
    • Field—Body
    • Value—Contains
    • Enter contents to match—safe to share
  9. Click Continue to continue configuring your rule.
Example 3: DLP rule condition with NOT and OR operators

In this use case, the rule is triggered when the document title doesn’t contain the words safe, published, or non-confidential

Here is a conceptual diagram of this use case:

To configure this use case:

  1. In the rule configuration flow, you have come to the Conditions section. Click Add Condition.
  2. Click Not .
  3. Click Add condition group Embed.
  4. Change AND to OR.
  5. Specify the values for the first OR operator:
    • Field—Title
    • Value—Contains word
    • Enter contents to match—published
  6. Specify the values for the second OR operator:
    • Field—Title
    • Value—Contains word
    • Enter contents to match—safe
  7. Click Add Condition.
  8. Specify these values for the third OR operator:
    • Field—Title
    • Value—Contains
    • Enter contents to match—non-confidential
  9. Click Continue to continue configuring your rule.

Related information

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
18293583441944045068
true
Search Help Center
true
true
true
true
true
73010
false
false