Shield Access Policy rule settings are used to configure access policies. Access policies contain one or more security control types. Some settings are common to all policies and security control types, and others are specific to each security control type. This topic has the following sections:
Common Access Policy Settings
The following settings are common to all Access Policies.
- Policy Name
- Enter a short, unique, and descriptive name. 80 characters maximum.
- Description
- Enter an optional description that provides a summary of the policy purpose and function. 255 characters maximum.
- Content Type
- Defines what content the access policy applies to. Select from:
- Apply to all content without a classification label - To apply the policy to all of the content in your organization.
- Apply to only content with the following classification label (default) and then choose a single classification label (required) - To apply the policy to only the content in your organization with the defined classification label.
Common Security Control Settings
Access policies can contain one or more security controls. Several security control types, External Collaboration Restriction, Shared Link Restriction, Download and Print Restriction, Application Restriction, and FTP Restriction, contain the following setting:
- Enforcement Action
- Defines the action that occurs when the security control triggers the access policy. Select from:
- Enforce restrictions (default) - To enable the access policy once it is started. Select this option if you are ready to enforce the policy for your users.
- Monitor restriction violations only - To monitor user actions that violate the access policy without warning or restricting users. Select this option to gather data about how this access policy will affect your users.
Unique Security Control Settings
The following section describes the settings for the security controls you can add to access policies.
External Collaboration Restriction Settings
The following settings can be configured when you add the External Collaboration Restriction security control to an access policy:
- Domain and User Restriction
- Defines which domains and users have external collaboration allowed or blocked by the policy. Select from:
- Allow only specified domains and external users and then click Select to enter one or more external domains and email addresses. External collaboration for files matched by policy will be limited to only the domains and email addresses specified, and blocked for everyone else.
- Block specified domains and then click Select to enter one or more external domains that define with whom external collaboration is blocked by policy. External collaboration for files matched by policy will be blocked for the domains and email addresses specified, and allowed for everyone else.
In the Select Blocked Domains dialog box, you can also enable Allow some external users and enter one or more email addresses. Email addresses in this field that are from the list of blocked domains will not be blocked from external collaboration.
- Block all external collaboration - To block all external collaboration on files matched by policy.
- Apply To
- Defines which collaborations the policy applies to. Select from:
- Only new external collaborations - To have the policy apply only to collaborations created after the policy goes into effect.
- Existing and new external collaborations - To have the policy apply to all collaborations. Note that it may take a small amount of time to identify existing collaborations that the policy would apply to once the policy is put into effect, and collaborators will not be notified of any such collaborations that are restricted.
Note
Existing collaborators are restricted from viewing files matched by policy, not removed from collaboration. If the restriction is lifted, collaborations remain and collaborators can again access collaborated files.
- User Justifications
- Determines if users are allowed to bypass these restrictions by providing a business justification defined for any new collaboration. If Allow User Justifications is enabled, you must add at least one and up to 10 business justifications that your managed users can select when creating an external collaboration to bypass the policy restriction.
To add business justifications
- Enable Allow User Justifications.
- Enter one or more business justifications. Click Add Justification to add more (up to 10).
- Click Done.
Once you have added business justifications to the security control, click Edit Justification to make changes to, add, or delete any justifications.
Click Preview to see a sample of what your users will see.
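The Domain and User Restriction, Enforcement Action, and User Justifications settings above combine into a single decision for each new external collaboration. The following Python model is an added example, not Box code or a Box API: the class, constant, and result names are hypothetical, the collaborator is assumed to already be identified as external, and domains are assumed to match exactly.

```python
from dataclasses import dataclass

# Added illustration: a local model of the documented settings, not Box code.
ALLOW_ONLY, BLOCK_SPECIFIED, BLOCK_ALL = "allow_only", "block_specified", "block_all"

@dataclass
class ExternalCollabControl:
    mode: str
    domains: frozenset = frozenset()  # allowed (ALLOW_ONLY) or blocked (BLOCK_SPECIFIED)
    emails: frozenset = frozenset()   # allowed users, or "Allow some external users"
    enforce: bool = True              # False = "Monitor restriction violations only"
    justifications: tuple = ()        # empty = Allow User Justifications disabled

    def __post_init__(self):
        if self.mode not in (ALLOW_ONLY, BLOCK_SPECIFIED, BLOCK_ALL):
            raise ValueError(f"unknown mode: {self.mode}")
        if len(self.justifications) > 10:
            raise ValueError("at most 10 business justifications")
        self.domains = frozenset(d.lower() for d in self.domains)
        self.emails = frozenset(e.lower() for e in self.emails)

    def violates(self, email):
        """True when inviting this external address falls outside the policy."""
        email = email.strip().lower()
        domain = email.rpartition("@")[2]  # assumption: exact domain match
        if self.mode == BLOCK_ALL:
            return True
        if self.mode == ALLOW_ONLY:
            return domain not in self.domains and email not in self.emails
        # BLOCK_SPECIFIED: listed addresses are exceptions to a blocked domain
        return domain in self.domains and email not in self.emails

    def decide(self, email, justification=None):
        """Outcome for a new external collaboration invitation."""
        if not self.violates(email):
            return "allowed"
        if not self.enforce:
            return "monitored"  # violation recorded, user not warned or restricted
        if justification in self.justifications:
            return "allowed_with_justification"
        return "blocked"

if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    control = ExternalCollabControl(BLOCK_SPECIFIED, {"vendor.example"},
                                    {"lead@vendor.example"})
    for addr in ("lead@vendor.example", "intern@vendor.example", "a@other.example"):
        print(addr, "->", control.decide(addr))
```

Running the same addresses through a copy of the control with `enforce=False` shows which invitations a policy would block before it is switched to Enforce restrictions.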
Shared Link Restriction Settings
The following settings can be configured when you add the Shared Link Restriction security control to an access policy:
- Shared Link Restriction
- Determines who can access shared links for any files matched by the policy. Select from:
- People with the link - To allow files matched by policy to be accessed via the shared link by anyone, including people outside of your company, with no sign-in required.
- People in your company and invited people - To allow files matched by policy to be accessed via the shared link by anyone in your company or people invited to the file or folder.
- Invited people only - To allow files matched by policy to be accessed via the shared link only by people invited to the file or folder.
Download and Print Restriction Settings
The following settings can be configured when you add the Download and Print Restriction security control to an access policy:
- Download and Print Restriction
- Determines where and for whom download and print restrictions are enforced for any files matched by the policy. When added to an access policy, the maximum restriction levels are selected by default. Select from:
- For Box Web App - Restrictions are applied for file activity when using Box in a web browser. This option also restricts editing on desktop (via Box Edit), print operation when editing in Microsoft Office Online, and print operation from Box Web App or browser.
- For Mobile - Restrictions are applied for file activity when using the Box mobile app.
- For Box Desktop - Restrictions are applied for file activity within Box Drive, Box Sync, Box for Microsoft Office Coauthoring, and Box for Office.
For each of these options you also select which users the restriction applies to. The default selection is the most restrictive. For each, you can include or exclude:
- Restrict Managed Users, and then select:
- Restrict all users except Owners/Co-owners
- Restrict all users except Owners/Co-owners and Editors
- Restrict All External Users
Application Restriction Settings
The following settings can be configured when you add the Application Restriction security control to an access policy:
- Specify content download restrictions on applications
- Determines which applications are restricted from downloading any files matched by the policy. Select from:
- Block all applications from downloading content (default) - To block integrated applications (except Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online) and published custom applications from downloading any files matched by the policy.
- Block specified applications from downloading content, and then enter one or more integrated applications and published custom applications that are blocked from downloading files matched by policy.
- Allow only specified applications to download content, and then enter one or more integrated applications and published custom applications that are allowed to download files matched by policy.
Note
The following applications will still be able to download content when users right-click on their files and select the Open with command even if you do not specify them here:
- Microsoft Office for the web
- Google Workspace
- Apple iWork
- Adobe Acrobat Online
FTP Restriction Settings
The following setting can be configured when you add the FTP Restriction security control to an access policy:
- Restrict FTP downloads
- Determines if downloads via FTP (File Transfer Protocol) are disabled for files matching the policy. Enabled by default.
Note
FTP Restriction is not supported in Box Notes.
Watermarking Settings
The following setting can be configured when you add the Watermarking security control to an access policy:
- Enable watermarking
- Determines whether a semi-transparent overlay of the current viewer's user name and time of access is applied across the contents of any files matched by the policy. Select from:
- Enabled (default) - To apply a watermark to files matched by the policy.
- Disabled - To remove any existing watermarks for files matched by the policy.
The applied watermark is visible in Preview to all collaborator roles, and is applied to downloaded and printed files for certain collaborator roles. Box Notes and some file types do not support watermarking. To learn more about watermarking in Box, see Watermarking Files.
Box Sign Request Restriction Settings
The following setting can be configured when you add the Box Sign Request Restriction security control to an access policy:
- Restrict users from requesting signatures on content using Box Sign
- Determines whether Box Sign requests are restricted or specifically enabled for any files matched by the policy. Select from:
- Enabled (default) - To prevent your users from initiating Box Sign requests for files matched by the policy.
- Disabled - To specifically allow your users to initiate Box Sign requests for files matched by the policy, which overrides download and print restrictions and shared link restrictions.