Content and sharing settings for your enterprise – Box Support

The Content & Sharing tab in Enterprise Settings allows you to enable or disable various permission types that are available to managed user when collaborating and sharing files.

Shared Links

You can customize settings for everyone's shared links and defaults by navigating to Admin Console > Enterprise Settings > Content & Sharing tab. More information on customizing shared link settings.

Collaboration Restrictions

This section enables you to set restrictions on how collaborators can be invited to the content in your account or in the account of one of your managed users. See a detailed explanation of each permission level.

Default collaboration role: Use this setting to modify across your entire organization the default access level to files people share. The standard default access level is Editor. To change this default to the more secure setting of Viewer, click the down arrow and select Viewer.
Restrict invites: Enables you to set who can invite collaborators. If this option is enabled then only folder Owners and Co-owners and Admins (including Co-admins and Group Admins) are able to invite collaborators to a given folder.
Enable invite links: Enabling this function permits people to use invite links to collaborate.
Enable group invites: Enabling this option makes it possible for users to invite groups to collaborate in folders.
Restrict Ownership Transfer: Check this box to prevent people from transferring ownership of a file or folder to external collaborators. Also prevents people from moving a file or folder owned by your enterprise to a folder owned by an external account. Admins and co-admins of the account, however, retain the ability to transfer content ownership.
External collaboration:
- Enable external collaboration: This enables people within your organization to collaborate with other Box users outside your company.
- Limit collaboration to allowlisted domains: Box Governance enables you to restrict collaboration to an approved set of domains, or a allowlist. Access this feature via either the normal Box UI or the Box API. To enable allowlisted domains:
  1. Under Enterprise Settings > Content & Sharing > Collaborating on Content > External Collaboration, click Limit collaboration to allowlisted domains.
  2. Click Manage Allowlist. The Collaboration Allowlist window opens.
  3. Enter each domain specifically. Your people can collaborate only with people from one of the domains you specify.

Note Limit collaboration to allowlisted domains goes both directions - your user cannot invite someone who is not from one of the specified domains, and someone not on the specific domain cannot invite your user to collaborate.

Important
If a folder is accessible to a set of collaborators outside your enterprise, clicking Limit collaboration to users within Enterprise for does not block that folder to those external collaborators, though the folder is blocked to new external collaborators.

When you create your allowlist, you can also can exert finer control and limit collaboration to one direction, inbound or outbound, as defined from the perspective of someone inside your enterprise.

Inbound collaboration – Your people are INVITING SOMEONE FROM OUTSIDE IN TO your enterprise to collaborate on content that resides inside your organization.

To allow only inbound collaboration, prepend each domain with a plus sign (+)

Outbound collaboration – People from outside your enterprise are INVITING SOMEONE FROM INSIDE your enterprise OUT to collaborate on content that resides outside your organization.

To allow only outbound collaboration, prepend each domain with a minus sign (-)

To enable collaboration with any domain, use an asterisk (*)

Typically you'll use an asterisk to enable unidirectional collaboration -- for example to allow only your users to be invited to other content and not allow any external users to be invited to your content.

Here are some examples:

Domains Allowlisted	Expected Behavior
abc.com	Box users within your company can invite people only from Company ABC and can only be invited to folders from Company ABC. Note The allowlist is literal, and only works on single domains. In this example, "x.abc.com" is not allowlisted. You would need to add it separately. Do not use spaces.
+abc.com	Your company's users can invite only people from Company ABC to their folders. Do not use spaces.
-abc.com	Only people in Company ABC can invite Box users from your company to join their folders as well. No one else can invite your company's users to their folders. Do not use spaces.
+*	Your company’s users can invite anyone from any domain to collaborate on content within your enterprise, but no one outside of your company can invite your company’s users to collaborate externally. Do not use spaces.
-* +abc.com	Anyone from any domain can invite your people to collaborate on content externally, but your people can invite only users from company abc.com to collaborate on content that resides within your enterprise. Do not use spaces.

Other points:

Users not subject to allowlist: You can allow certain users special privileges to collaborate with domains outside of the allowlisted domains. To grant this privilege, below Users not subject to allowlist, enter the names or email addresses of your selected users in the box.
External Collaborator Invitations: Enables you to restrict external collaborators from inviting other external collaborators into content owned by your enterprise and to prevent them from increasing other external collaborators' permission levels.

Things to know about collaboration restrictions:

External collaboration allowlisting is only available as part of the Governance package and must be enabled by request. Please contact your Box Representative or Box User Services to enable these features.

You can set collaboration restrictions at the enterprise, user, and folder level. Box uses the most restrictive setting at any given time. For example, if an enterprise allows collaboration with 100 domains and a user within the enterprise further restricts collaborators for a particular folder, that folder will be governed by the user's more restrictive settings.

Watermarking

When your Box users choose to add a watermark to shared files, you can determine whether the watermarks on all files will be rasterized, or whether watermarks will be vector-based or rasterized, depending on the file type.

Select:

Vector-based and rasterized watermarking (recommended) - Provides infinite resolution, inclusion in search, clickable links, and a very small sized file overhead, but can and will be used on document-based files only. Rasterized watermarking will be used on all image and video files.

"Document-based files" are also known as files that have PDF support. Those file types are listed in the Supported File Types topic with a Yes in the PDF Support? column.

Note

Watermark types will be applied automatically based on file type when users add watermarks to files or folders.
Rasterized watermarking only - Provides increased security, but no resolution scaling, no searchability, no clickable links, a moderate file size overhead, and reduced usability. This watermark type can't be removed without damaging the underlying content.

Watermarking Differences

The different types of watermarking have differences that may affect your decision about which one to use. Vector

	Vector-based	Raster
Resolution	Infinite; the watermark scales when viewers zoom in or out	Limited to 2048 x 2048 pixels; the watermark does not scale when zooming
Text copying	Yes	No
Text searching	Yes	No
Links	Clickable	Not clickable
Destructive of underlying content	No	Yes
Watermarked document size	Smaller	Larger
Document security	Medium	High

Watermarking Use Cases

Use the Vector-based and rasterized watermarking option:

When dealing with large files that need to maintain readability, documents such as blueprints, diagrams, or files containing a lot of small print.
When dealing with text-based files where text needs to be copied and searched for or when hyperlinks need to be clickable.
When you have storage or bandwidth concerns with the size of watermarked files being shared.

Use the Rasterized watermarking only option:

When you want to lock down the watermarked file by not allowing any text to be copied.
When the content in question is of the highest sensitivity level. Note that while watermarking is a security deterrent, a very motivated and technically adept hacker can remove a vector watermark. Doing this will impact the original formatting of the underlying document. This is slightly different from a Rasterized watermark where you cannot remove the watermark without destroying the underlying content as well.

Content Creation

Restrict content creation: Prevents all non-admin managed users from creating, deleting, and moving folders in their "All Files" section. Check this box if you would like to create the folder structure for the entire account and then invite users into this structure. Note: If Restrict content creation is enabled, admins can transfer ownership of folders to managed users, but managed users cannot transfer ownership to others.
Restrict tag creation: Enables you to control who can create tags for files in your account. Check this box to limit tag creation either to Folder owners/co-owners and admins/co-admins, or to Admins and co-admins only.
Email Uploads: Enables you to allow people to upload file attachments to a specific Box folder via email.

Folder Level Metadata and Cascade

In this section, you enable your account holders to cascade metadata templates in folders and resolve conflicting metadata templates.

You can:

Disable for all managed users
Enable for all managed users
Enable for selected users based on a allowlist
Enable for selected users based on a denylist

Auto Expiration Settings

You can set shared links across your enterprise to expire a certain number of days after they have been created. After that period the link stops working. Setting default expiration periods helps keep data secure. For example, if a link to sensitive information is expired, you don't have to track it or worry about it if months later it is inadvertently shared with someone not entitled to access it. The setting is not retroactive; it applies only to links created after you establish or modify the expiration period.

You can set an expiration period on links to files, to folders, or to both.

You can also set one time period (or no time period at all) for all shared links, and a shorter time period that applies only to public links. In this way you can:

avoid a broad auto-expiration policy that forces people in your company to re-set links shared internally (or to specific external collaborators), which can impede collaboration, while preserving the ability to expire links that could be shared with anyone outside the four walls of your enterprise.
reduce the risk that results from relying on individual vigilance for manually adding auto-expiration policies for certain types of links at creation.

In addition, you can quickly review risk exposure by generating a report that lists all public shared links and their auto-expiration date (if any). (Do this by navigating to Admin Console > Reports > Shared Links.)

Finally, you can configure whether and when the system should notify people when links they've shared, or that have been shared with them, are about to expire.

To set default expiration dates for shared links for your enterprise:

Open the Admin Console.
Navigate to Enterprise Settings > Content & Sharing tab.
When the Content & Sharing page displays, scroll down to the Auto-Expiration section.
To expire all shared links, check Disable all shared links after a specified time of link creation.
- Type in the number of days for which you want shared links to be valid.
To expire only public shared links, check Disable public shared links after a specified time of link creation.
- Type in the number of days for which you want shared links to be valid.

Links with expiration periods display throughout the Box UI with a small red clock icon (). Hover over the clock icon for details about the expiration policy.

Note

You cannot set an expiration period for all shared links that is shorter than the expiration period for public shared links. (The system won't let you proceed.) You can set an expiration period for all shared links that is longer than that for public shared links. However, the period for public shared links still applies. In other words, if you set all links to expire in 60 days, and public links to expire in 30 days, public links will still expire after 30 days.

The expiration periods you set are not retroactive; all pre-existing links still behave according to their pre-existing expiry settings, including if no expiry has been set at all. For example, prior links with no expiration date do not expire even after you set a 30-day expiration policy. Likewise, links set to expire one week after you set a period of 30 days still expire in one week. Or, if you change your an expiration period from 60 days to 30, new links created from that time forward expire in 30 days, while pre-existing links continue to expire 60 days after they were created.

Select whether to apply your expiration policy to links to file, folders, or both. To do this, click the Apply these settings to down arrow and select the item you want.
- This setting is unavailable if you do not set at least one link expiration policy
To notify content owners by email that links to the files they own are about to expire, check Notify item owners a specified time before expiration.
- In the box below, type the number of days in advance you want content owners to be notified of impending expired links.
- Box sends link expiration emails regardless of whether the expiration is dictated here via an enterprise-wide policy, or by each individual link creator. Also, if an individual modifies a link expiration period, Box automatically adjusts the notification period to keep it consistent with the link's revised date of expiration.
- These settings are unavailable if you do not set at least one link expiration policy.
To enable people to set or modify expiration periods on links they create, check Allow item owners and editors to modify the expiration date.
- By checking this box, you enable people throughout your organization to easily and quickly set their own expiration periods whenever they create their own links.
- If you do not set any auto-expiration period, Box automatically enables this setting AND applies it to all existing links. That means item owners and editors have full freedom to create, modify, or end expiration periods on a per-link basis.

Important

If you set an expiration period only on public shared links, AND you do not allow people to modify their links' expiration periods, Box displays a warning that this is not recommended. It means from this point forward no one in your organization can:

set an expiration period for any new link they create
modify the expiration period for any of their previously-existing links

You can save and implement this particular configuration, but we do not recommend it because it hampers the ability of your people to collaborate.

Tip

To maximize both security and collaboration, set an expiration period as a default, but allow people to disable, extend, or shorten their links' lives.

Invited collaborators expiration settings

You can set invited collaborators to be removed from shared folders or files automatically after a certain number of days.

Note
You must enable this setting via your Admin Console, in Enterprise Settings, for people to be able to set collaboration auto-expiration. If you do not enable this setting, no creation or modification of collaboration expirations are allowed.

To set enable and set expiration dates for invited collaborators:

Open the Admin Console.
Navigate to Enterprise Settings > Content & Sharing tab.
When the Content & Sharing page displays, scroll down to the Auto-Expiration section and find Invited collaborators expiration settings.
Check Automatically remove invited collaborators.
- Type in the number of days for the expiration period.
To allow folder owners to extend the expiration date beyond the default period you have specified, check Allow folder owners to extend the expiration date.
To have email notifications sent to users warning them of expiration, check Notify affected users:
- Type in the number of days before the expiration to configure when they will be notified.
  
  Note
  Box sends email notifications to the owner and any co-owners of the corresponding folder. Box only notifies co-owners who are directly collaborating on items with a pending expiration. Box does not notify co-owners who are collaborating via inherited permissions.
Click Apply these settings to: and, from the dropdown menu that displays, click an option to specify whether the setting applies only to All Collaborators or only to External Collaborators.
Click Save.

After you enable this setting, by default all subsequent collaborations created follow the enterprise setting. The creator of individual collaborations then is able to extend the expiration date beyond the default value.

Note
Enabling auto-expiration of collaborators for your enterprise is not retroactive. Adding a collaboration expiration date applies only to collaborators added after you enable this setting. This also means you can update collaborator expiration time only if the collaboration was created after this setting was enabled.

Trash

You can also customize your enterprise's trash settings to best fit your company's requirements.

When you're done, click Save.