Box makes it simple to create and collaborate on content. Box Shared Links enable you to share hyperlinks to content stored in Box with people both inside and outside your company. Sending someone a shared link to a file or folder is an easy way to collaborate. You can also make things easier to remember by customizing the URL of shared links. These shared links are called Custom Shared Links.
To ensure the right people have access to shared content, you can configure access controls on a Box Shared Link as follows:
- People with the link (public/open) - Anyone with the link can access the item and no Box account is required.
- People in your company - People within your same Box enterprise, and people who have a Box account with the same email domain, can access content.
- Invited people only - Only people who have been invited to the item (folder or file) can access the content.
In most cases, “people in your company” is self-explanatory -- everyone with your company’s email domain can access this shared link However, certain very large enterprises can consist of two or more subsidiaries or affiliates, each of which has its own Box Enterprise ID (EID). In this case, you can define whether “people in your company” refers to people who all share an email domain (such as firstname.lastname@example.org), or whether it refers only to people whose business shares the same Box EID as the person sending the link.
To ensure the people who have access to the shared content can perform only the actions you allow, you can also define action controls. See Creating Shared Links for details.
You can also enable security controls such as password-protection and auto-expiration policies on shared links. In addition to user-level security controls, company Box administrators can apply enterprise-wide security controls on shared links. Coupled with appropriate security controls based on the sensitivity of the content, shared links provide a frictionless and secure way to collaborate.
Creating public custom shared links for any content can mean that anyone who correctly guesses the URL can gain access to that content. To reduce exposure risk to sensitive content, we recommend that:
- Administrators configure shared link default access to 'People in your company' to reduce accidental creation of public (open) links by users.
- Administrators regularly run a shared link report to find and manage public custom shared links.
- Individuals do not create public (open) custom shared links to content that is not intended for public consumption.
If you are an admin and would like to report on the security of Custom URLs, follow the steps detailed in Reporting on Custom URLs.
When you share, move, or copy content, the permission to access those items might change, often to a less restrictive setting. More on how Box helps you keep your content secure.