Guide: Creating an exception to your organisations sensitivity label policies
Why Create an Exception?
Creating an exception to your sensitivity label policies can be essential in certain situations where these labels interfere with automated processes.
For instance, in a recent incident I managed, a Robotic Process Automation (RPA) system faced an issue due to the Default and Mandatory label policy. The process involved an SAP automated workflow that needed to create a new Excel document. However, the process was interrupted because the policy required a sensitivity label to be selected for the document, something the automated system couldn’t do. By creating an exception for this specific process, we were able to ensure smooth operation without compromising the overall security and compliance framework.
This is very similar to what this SAP user has encountered: https://community.sap.com/t5/technology-q-a/how-to-setup-sensitivity-level-label-while-sending-an-email-through-sap/qaq-p/12692890
How to Set Up an Exception (Step-by-Step Guide)
Scenario: Your organization has a standard set of sensitivity labels (example: Public, Internal, Highly Confidential) and Default and Mandatory label policies turned on for the entire organization.
The requirement is to turn off the Default and Mandatory policies for a small set of specific users (in my case RPA users). In the steps below, assume that the policy has already been created and we need to create a “duplicate” policy and make it rank higher than the current policy but without the offending policies.
Step 1: Create a Duplicate the Existing Policy
Recreate the policy that you need to create an exemption
Step 2: Modify the Duplicated Policy
Name and Describe: Provide a new name and description for the duplicated policy, such as “Exception Policy for Specific Users”.Users and Groups:Remove the current users or groups.Add the specific users or groups that will be exempt from the Default and Mandatory label policies.Policy Settings:Turn off Require users to apply a label.Turn off Apply a default label to documents and emails.Click Next.
Step 3: Review and Submit the New Policy
Review the configuration details of the new label policy to ensure accuracy.Click Submit to create and apply the policy.
Step 4: Adjust Policy Ranking
Return to the Label policies section.Locate the new exception policy you just created.Use the Reorder or Priority settings to move the new policy above the existing standard policy. This ensures that the exception policy is applied first for the specified users. Reference: https://learn.microsoft.com/en-us/purview/sensitivity-labels#label-policy-priority-order-matters
The last and very important step to make sure that this is a success is:
Inform the selected users of the change.Monitor the application of the new policy to ensure that the Default and Mandatory label requirements are turned off for the specified users.
Why Create an Exception? Creating an exception to your sensitivity label policies can be essential in certain situations where these labels interfere with automated processes. For instance, in a recent incident I managed, a Robotic Process Automation (RPA) system faced an issue due to the Default and Mandatory label policy. The process involved an SAP automated workflow that needed to create a new Excel document. However, the process was interrupted because the policy required a sensitivity label to be selected for the document, something the automated system couldn’t do. By creating an exception for this specific process, we were able to ensure smooth operation without compromising the overall security and compliance framework. This is very similar to what this SAP user has encountered: https://community.sap.com/t5/technology-q-a/how-to-setup-sensitivity-level-label-while-sending-an-email-through-sap/qaq-p/12692890 How to Set Up an Exception (Step-by-Step Guide) Scenario: Your organization has a standard set of sensitivity labels (example: Public, Internal, Highly Confidential) and Default and Mandatory label policies turned on for the entire organization. The requirement is to turn off the Default and Mandatory policies for a small set of specific users (in my case RPA users). In the steps below, assume that the policy has already been created and we need to create a “duplicate” policy and make it rank higher than the current policy but without the offending policies. Step 1: Create a Duplicate the Existing PolicyRecreate the policy that you need to create an exemption Step 2: Modify the Duplicated PolicyName and Describe: Provide a new name and description for the duplicated policy, such as “Exception Policy for Specific Users”.Users and Groups:Remove the current users or groups.Add the specific users or groups that will be exempt from the Default and Mandatory label policies.Policy Settings:Turn off Require users to apply a label.Turn off Apply a default label to documents and emails.Click Next. Step 3: Review and Submit the New PolicyReview the configuration details of the new label policy to ensure accuracy.Click Submit to create and apply the policy. Step 4: Adjust Policy RankingReturn to the Label policies section.Locate the new exception policy you just created.Use the Reorder or Priority settings to move the new policy above the existing standard policy. This ensures that the exception policy is applied first for the specified users. Reference: https://learn.microsoft.com/en-us/purview/sensitivity-labels#label-policy-priority-order-matters The last and very important step to make sure that this is a success is: Inform the selected users of the change.Monitor the application of the new policy to ensure that the Default and Mandatory label requirements are turned off for the specified users. Read More
