Introducing the Workspace Policy API mutate endpoints for DLP

Google Workspace Updates: Introducing the Workspace Policy API mutate endpoints for DLP

The Workspace Policy API provides a centralized, comprehensive view of your security settings, eliminating the need to navigate to numerous pages in the Admin console.

With our latest update, we are introducing mutate endpoints (Create, Update, Delete) alongside existing read-only capabilities (Get, List) for data loss prevention (DLP) rules and detectors. This allows super admins to programmatically manage and fully automate the entire lifecycle of their DLP policies, from initial creation to real-time activation and deactivation.

Note this is an API-only launch for capabilities currently supported in the Admin console.

About DLP

DLP lets Workspace admins control external file sharing to prevent sensitive information leaks. It scans files for violations, triggering incidents and protective actions like content blocking.

How DLP works:

Admins define rules for sensitive content across Drive, Gmail, Chat, and Chrome.
DLP scans content for DLP rule violations that trigger DLP incidents.
DLP enforces the rules you defined and violations trigger actions, such as alerts.
Admins are alerted for DLP rule violations.

Summary of capabilities supported by mutate endpoints for DLP

Getting started

Admins: You must be a super admin to use the Policy API. See our developer documentation to learn more about the Policy API. You can also use GAM, an open source tool for managing Workspace, which now supports the Policy API.
End users: This is an admin-only capability.

Rollout pace

Rapid Release and Scheduled Release domains: Available now

Availability

Available to all Google Workspace customers and Workspace Individual subscribers

Google has officially introduced mutate endpoints (Create, Update, Delete) for Data Loss Prevention (DLP) within the Google Workspace Policy API. This shifts the API from a read-only auditing tool to a fully functional programmatic management plane. [1, 2]

Key Capabilities

Full Lifecycle Automation: Super administrators can now programmatically create, patch, modify, or delete DLP detectors and rules. [1, 2]
Centralized Management: Eliminates the need to navigate through complex, manual click-through steps across multiple pages in the Google Admin console. [1]
Unified Scope: The programmatic control extends across built-in Workspace DLP parameters for Google Drive, Gmail, Google Chat, and Chrome. [1]

Strategic Impact

Security-as-Code Adoption: IT infrastructure teams can treat security rules with the same rigour as code, allowing DLP configurations to be version-controlled, auditable, and easily replicated across multi-tenant environments. [2]
Ecosystem Integration: Security teams can link the Policy API directly to Continuous Integration/Continuous Deployment (CI/CD) pipelines or Security Operations Centers (SOC) to update data protection constraints dynamically based on real-time threat intelligence. [2]
Streamlined Compliance Reporting: API-driven updates generate clear programmatic logs, which makes tracking historical policy modifications considerably simpler for strict enterprise compliance audits like ISO 27001 and SOC2. [2]

Eligibility & Deployment

Availability: The mutate endpoints are accessible immediately to all Google Workspace customers and Workspace Individual subscribers across both Rapid Release and Scheduled Release tracks. [2]
Access Requirements: You must hold Super Admin privileges within your Google Workspace instance to invoke mutate operations through the Policy API. [1]
Tooling Support: Beyond custom developer integrations, the update is natively integrated into GAM, a popular open-source command-line tool used by IT professionals to manage Google Workspace environments at scale. [1, 2]

Introducing the Workspace Policy API