Use information barriers with OneDrive

Information barriers are policies in Microsoft 365 that a compliance admin can configure to prevent users from communicating and collaborating with each other. This solution is useful if, for example, one division is handling information that shouldn't be shared with specific other divisions, or a division needs to be prevented, or isolated, from collaborating with all users outside of the division. Information barriers are often used in highly regulated industries and those organizations with compliance requirements, such as finance, legal, and government. Learn more about information barriers.

The following image illustrates three segments in an organization: HR, Sales, and Research. An information barrier policy has been defined that blocks communication and collaboration between the Sales and Research segments.

Example of segments in an organization

With information barriers in OneDrive, when a segment is applied to a user, within 24 hours that segment is automatically associated with the user's OneDrive. Other segments that are compatible with the user's segment and with each other will also get associated with the OneDrive. A OneDrive can have up to 100 segments associated with it. A global or SharePoint admin can manage these segments using PowerShell, as described later in the section Associate or remove additional segments on a user's OneDrive.

In the above example, the HR segment is compatible with both Sales and Research. However, the Sales and Research segments are incompatible. In this case, the OneDrive for a user in Sales will have the Sales and HR segments, and the OneDrive for a user in Research will have the Research and HR segments. The OneDrive of a user in HR will have only the HR segment because Sales and Research are incompatible.

When these segments are associated with the OneDrive, content can be shared with and accessed by only users who have a matching segment.

Prerequisites

  • Make sure you meet the licensing requirements for information barriers.
  • Create segments and define the users in each. Create policies that block communication between the segments, and then set them to active. For info, see Define policies for information barriers. Wait 24 hours for the changes to propagate through your environment.
  • Complete the form to enable SharePoint and OneDrive information barriers in your organization. Note that SharePoint and OneDrive information barriers can only be enabled in your tenant if you have at least one active information barriers policy defined in the tenant.
  • After SharePoint and OneDrive information barriers are enabled in your tenant, wait 24 hours for the changes to propagate through your environment.

Sharing files from a OneDrive that has segments associated

When a segment is associated with a OneDrive:

  • The option to share with "Anyone with the link" is disabled.
  • Files and folders can be shared only with users whose segment matches that of the OneDrive. In the above example, users in the Sales segment can share OneDrive content with other users in either the Sales or HR segment, whereas users in the HR segment can share their OneDrive content with other users in the HR segment only.

When a OneDrive has no segments associated:

  • The user can share files and folders based on the information barrier policy applied to the user and the sharing setting for the OneDrive.

Accessing shared files from a OneDrive that has segments associated

For a user to access content in a OneDrive that has segments associated:

  • The user's segment must match a segment that is associated with the OneDrive.

    AND

  • The files must be shared with the user.

Non-segment users can access shared OneDrive files only from other non-segment users. They can't access shared OneDrive files from users who have a segment applied.

Use PowerShell to view the segments associated with a OneDrive

A global or SharePoint admin can view and change the segments associated with a user's OneDrive.

  1. Connect to the Security & Compliance Center PowerShell as a global admin.

  2. Run the following command to get the list of segments and their GUIDs.

    Get-OrganizationSegment | ft Name, EXOSegmentID

  3. Save the list of segments.

    Name      EXOSegmentId
    Sales     a9592060-c856-4301-b60f-bf9a04990d4d
    Research  27d20a85-1c1b-4af2-bf45-a41093b5d111
    HR        a17efb47-e3c9-4d85-a188-1cd59c83de32

  4. Download the latest SharePoint Online Management Shell.

    Note

    If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell".
    On the Download Center page, select your language and then click the Download button. You'll be asked to choose between downloading an x64 and an x86 .msi file. Download the x64 file if you're running the 64-bit version of Windows or the x86 file if you're running the 32-bit version. If you don't know, see https://support.microsoft.com/help/13443/windows-which-operating-system. After the file downloads, run it and follow the steps in the Setup Wizard.

  5. Connect to SharePoint as a global admin or SharePoint admin in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

  6. Run the following command:

    Get-SPOSite -Identity <site URL> | Select InformationSegment

    Example: Get-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com | Select InformationSegment

Associate or remove segments on a user's OneDrive

Warning

If the segments associated with a user's OneDrive don't match the segment applied to the user, the user won't be able to access their OneDrive. Be careful not to associate any segments with the OneDrive of a non-segment user.

Note

Any changes you make will be overwritten if the user's segment changes.

To associate a segment with a OneDrive, run the following command in the SharePoint Online Management Shell.

    Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>

    Example: Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -AddInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

An error will appear if you attempt to associate a segment that isn't compatible with the existing segments on the OneDrive.

To remove a segment from a OneDrive, run the following command.

    Set-SPOSite -Identity <site URL> -RemoveInformationSegment <segment GUID>

    Example: Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -RemoveInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111
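
The conditions in the warning above, the incompatibility error and the 100-segment limit can be checked before a segment is added. The following is an added example, not part of the original article or Microsoft's tooling: Test-SegmentAddition and its inputs are hypothetical, the GUIDs are the sample values from the segment list earlier in the article, and the blocked pair is the article's Sales/Research policy.

```powershell
# Hypothetical pre-flight check, run on constructed data (no tenant connection needed).
# GUID-to-name map: the sample segment list saved in step 3.
$SegmentNames = @{
    'a9592060-c856-4301-b60f-bf9a04990d4d' = 'Sales'
    '27d20a85-1c1b-4af2-bf45-a41093b5d111' = 'Research'
    'a17efb47-e3c9-4d85-a188-1cd59c83de32' = 'HR'
}
# Constructed block list: Sales and Research are incompatible in both directions.
$Blocked = @('Sales|Research', 'Research|Sales')

function Test-SegmentAddition {
    param(
        [string]$UserSegment,      # segment applied to the OneDrive owner, '' if none
        [string[]]$CurrentGuids,   # InformationSegment value read with Get-SPOSite
        [string]$NewGuid           # GUID intended for -AddInformationSegment
    )
    if (-not $SegmentNames.ContainsKey($NewGuid)) { return ,@("Unknown segment GUID: $NewGuid") }
    $problems = @()
    $new      = $SegmentNames[$NewGuid]
    $current  = @($CurrentGuids | Where-Object { $_ } | ForEach-Object { $SegmentNames[$_] })

    if (-not $UserSegment) {
        # Warning in the article: never associate segments with a non-segment user's OneDrive.
        $problems += 'Owner is a non-segment user: do not associate any segment.'
    } elseif (($current + $new) -notcontains $UserSegment) {
        # Warning in the article: segments that don't match the owner lock the owner out.
        $problems += "Owner segment $UserSegment would not be on the OneDrive: owner loses access."
    }
    foreach ($c in $current) {
        # The article states that an incompatible addition produces an error.
        if ($Blocked -contains "$c|$new") { $problems += "$new is incompatible with existing segment $c." }
    }
    if ($current.Count -ge 100) { $problems += 'OneDrive already has the maximum of 100 segments.' }
    return ,$problems
}

# Constructed scenarios.
$sales    = 'a9592060-c856-4301-b60f-bf9a04990d4d'
$research = '27d20a85-1c1b-4af2-bf45-a41093b5d111'
$hr       = 'a17efb47-e3c9-4d85-a188-1cd59c83de32'
Test-SegmentAddition -UserSegment 'Sales' -CurrentGuids $sales, $hr -NewGuid $research
Test-SegmentAddition -UserSegment ''      -CurrentGuids @()         -NewGuid $hr
Test-SegmentAddition -UserSegment 'Sales' -CurrentGuids $sales      -NewGuid $hr
```

An empty result means none of the three conditions applies; the change itself is still made with Set-SPOSite as shown above.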

Effects of changes to user segments or information barrier policies

If a user's segment changes, the segment associated with their OneDrive will be automatically updated to match within 24 hours, and any compatible segments will be added.

If a policy changes after files are shared, the sharing links will work only if the user attempting to access the shared files has a segment applied that matches a segment associated with the OneDrive.

Example

The example at the beginning of this article illustrates an organization with three segments: HR, Sales, and Research. An information barriers policy blocks communication and collaboration between Sales and Research. The segment HR has no restriction. In addition, the organization has users with no segments applied. The following table shows the effects of this configuration.

Components                            HR users   Sales users    Research users    Non-segment users
Segments associated with OneDrive     HR         Sales, HR      Research, HR      None
OneDrive content can be shared with   HR only    Sales and HR   Research and HR   Anyone based on the sharing settings selected
OneDrive content can be accessed by   HR only    Sales and HR   Research and HR   Anyone with whom the content has been shared
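
The rows of this table follow from the rule that a OneDrive gets the user's segment plus the segments compatible with it and with each other. The following PowerShell is an added example, not Microsoft's implementation: a simplified offline model whose function names and data are constructed for illustration, and it assumes the content has already been shared with the visitor.

```powershell
# Simplified model of the article's rule (assumption, not Microsoft's implementation).
# Constructed data: the three example segments and the single Sales/Research block.
$Segments      = @('HR', 'Sales', 'Research')
$BlockPolicies = @([pscustomobject]@{ A = 'Sales'; B = 'Research' })

function Test-Compatible {
    param([string]$X, [string]$Y)
    foreach ($p in $BlockPolicies) {
        if (($p.A -eq $X -and $p.B -eq $Y) -or ($p.A -eq $Y -and $p.B -eq $X)) { return $false }
    }
    return $true
}

function Get-OneDriveSegment {
    param([string]$UserSegment)
    if (-not $UserSegment) { return @() }   # non-segment user: no segments associated
    # Other segments that are compatible with the user's own segment ...
    $candidates = @($Segments | Where-Object { $_ -ne $UserSegment -and (Test-Compatible $_ $UserSegment) })
    # ... and with each other: drop any candidate that conflicts with another candidate.
    $extra = @($candidates | Where-Object {
        $c = $_
        -not ($candidates | Where-Object { -not (Test-Compatible $c $_) })
    })
    return @($UserSegment) + $extra
}

function Test-OneDriveAccess {
    param([string]$OwnerSegment, [string]$VisitorSegment)
    $associated = @(Get-OneDriveSegment $OwnerSegment)
    if ($associated.Count -eq 0) { return $true }     # no segments: sharing settings decide
    return ($associated -contains $VisitorSegment)    # '' (non-segment visitor) never matches
}

# One row per OneDrive owner type; '' stands for a non-segment user.
foreach ($o in @('HR', 'Sales', 'Research', '')) {
    [pscustomobject]@{
        Owner      = $(if ($o) { $o } else { '(none)' })
        Associated = (@(Get-OneDriveSegment $o) -join ', ')
        HR         = Test-OneDriveAccess $o 'HR'
        Sales      = Test-OneDriveAccess $o 'Sales'
        Research   = Test-OneDriveAccess $o 'Research'
        NonSegment = Test-OneDriveAccess $o ''
    }
}
```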

See also