To prevent your sensitive content from being accidentally leaked, Smart Access enables you to configure access policies that Shield automatically enforces. With Smart Access, you can use automated controls to restrict sharing, restrict viewing, and restrict downloading and printing based on classification of content.
Access Policy Limits
The following table describes the limits in access policies.
Item | Limit |
---|---|
Name | 80 characters |
Description | 255 characters |
# of policies | 26 (one policy per classification label, up to 25, plus 1 for unclassified content) |
Access Policies: Enforce vs. Monitor
Because access policies change how your users access content in Box, and because you may have a large amount of content in Box, you may want to review how a policy restricts access before applying it. Four of the security control types, External Collaboration Restriction, Download and Print Restriction, Application Restriction, and FTP Restriction, let you monitor policy violations when you enable the policy instead of enforcing the restrictions right away; Shared Link Restriction has no monitor option and is enforced as soon as the policy starts. You can then track violations of the monitored restrictions via the Events API.
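The following script is an added example, not Box's own code, showing how a practitioner would review a monitor-only policy: it pages through the enterprise event stream (the real GET https://api.box.com/2.0/events endpoint with stream_type=admin_logs and its documented entries / next_stream_position / chunk_size paging fields) and buckets Shield events by type, user and item. The SHIELD_* event type names in the sample data and the fields read from each entry are assumptions; check the Box event-type reference for the exact values in your enterprise before relying on them. The sample entries are constructed, so the summary runs offline.

```python
"""Triage Shield access-policy violations from the Box enterprise event stream.

Added example for this page, not Box's own code. The endpoint and paging
fields are Box's documented ones; the SHIELD_* event type names used as sample
data and the keys read from each entry are assumptions to verify against the
Box event-type reference.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter, defaultdict

EVENTS_URL = "https://api.box.com/2.0/events"


def fetch_admin_events(access_token, created_after, created_before, event_types=None, limit=500):
    """Page through admin_logs entries between two RFC 3339 timestamps.

    Needs network access and a token permitted to read enterprise events; the
    offline demo below does not call it.
    """
    entries = []
    stream_position = None
    while True:
        params = {
            "stream_type": "admin_logs",
            "limit": str(limit),
            "created_after": created_after,
            "created_before": created_before,
        }
        if event_types:
            params["event_type"] = ",".join(event_types)
        if stream_position is not None:
            params["stream_position"] = str(stream_position)
        req = urllib.request.Request(
            EVENTS_URL + "?" + urllib.parse.urlencode(params),
            headers={"Authorization": "Bearer " + access_token},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        chunk = page.get("entries", [])
        entries.extend(chunk)
        # An empty page (chunk_size 0) marks the end of the requested range.
        if not chunk or page.get("chunk_size", 0) == 0:
            break
        stream_position = page["next_stream_position"]
    return entries


def summarize_shield_events(entries):
    """Group SHIELD_* entries by event type so a monitor-only policy can be reviewed.

    Returns {event_type: {"count": n, "users": Counter(login), "items": set(item names)}}.
    Non-Shield events (LOGIN, DOWNLOAD, ...) are ignored.
    """
    summary = defaultdict(lambda: {"count": 0, "users": Counter(), "items": set()})
    for event in entries:
        event_type = event.get("event_type", "")
        if not event_type.startswith("SHIELD_"):
            continue
        actor = (event.get("created_by") or {}).get("login", "<unknown>")
        source = event.get("source") or {}
        item = source.get("name") or source.get("id") or "<unknown item>"
        bucket = summary[event_type]
        bucket["count"] += 1
        bucket["users"][actor] += 1
        bucket["items"].add(item)
    return dict(summary)


def top_offenders(summary, n=3):
    """The n users who tripped monitored restrictions most often, across all event types."""
    totals = Counter()
    for bucket in summary.values():
        totals.update(bucket["users"])
    return totals.most_common(n)


# Constructed sample entries in the shape of an admin_logs response (not real events;
# the SHIELD_* names are assumptions).
SAMPLE_ENTRIES = [
    {"event_id": "1", "event_type": "SHIELD_DOWNLOAD_BLOCKED",
     "created_by": {"login": "alice@example.com"},
     "source": {"id": "f1", "name": "q3-forecast.xlsx"}},
    {"event_id": "2", "event_type": "SHIELD_DOWNLOAD_BLOCKED",
     "created_by": {"login": "alice@example.com"},
     "source": {"id": "f2", "name": "board-deck.pptx"}},
    {"event_id": "3", "event_type": "SHIELD_EXTERNAL_COLLAB_INVITE_BLOCKED",
     "created_by": {"login": "bob@example.com"},
     "source": {"id": "d1", "name": "M&A"}},
    {"event_id": "4", "event_type": "LOGIN",
     "created_by": {"login": "carol@example.com"}, "source": {}},
]

if __name__ == "__main__":
    report = summarize_shield_events(SAMPLE_ENTRIES)
    for event_type, bucket in sorted(report.items()):
        print(event_type, bucket["count"], sorted(bucket["items"]))
    print("top offenders:", top_offenders(report))
```

Run the monitor-mode policy for a week, pull that window with fetch_admin_events, and read the per-type buckets before switching to Enforce restrictions: a large count under one event type for one user is usually a workflow the policy is about to break rather than an exfiltration attempt.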
Creating an access policy
Smart Access enables you to create and apply up to 25 classification-based access policies, plus one for unclassified content, that restrict sharing and downloading so you can limit the scope of access.
Creating an access policy enables you to
- Select a classification label,
- Specify collaboration restrictions for external users based on a list of domains you define,
- Specify who can access shared links to content,
- Select restrictions on download and print for different user types from all platforms or selected platforms,
- Restrict third-party applications from downloading content via API calls, and
- Restrict FTP downloads.
Based on your selections, Shield applies this access policy to either all content marked with the selected classification label, or to content that currently has no classification label.
To create an access policy
- In the left pane of Admin Console, click Shield.
- In the top of the window, click Access Policies.
- In the top-right corner, click Create Policy. Box displays the Create Access Policy window.
- In Policy Name, type a name for your policy.
- In Description, optionally type a description.
- In Content Type, select:
- Apply to all content without a classification label, or
- Apply to only content with the following classification label and then choose a classification label.
- In Security Controls, click Add Security Control, and then select which security control you want to add. See Security Control Types for information on how to configure each security control type.
- In the Enforcement Action section (except for Shared Link Restriction) of the security control, select:
- Enforce restrictions - To enforce the access policy as soon as it is started. Select this option if you are ready to enforce the policy for your users.
- Monitor restriction violations only - To monitor user actions that violate the access policy without warning or restricting users. Select this option to gather data about how this access policy will affect your users.
- In the top-right corner of the window, click Next. Box displays the policy's review window.
- To apply the policy, in the top-right corner of the review window, click Start Policy.
Security Control Types
Box Shield has several security control types that you can add to access policies:
- External collaboration restriction
- Shared link restriction
- Download and print restriction
- Application restriction
- FTP restriction
- Watermarking
The following sections describe the function of each security control type and the options in each.
External Collaboration Restriction
External collaboration restrictions enable you to restrict all external collaboration, or some external collaboration based on domains and users. You can also define exceptions to external collaboration restrictions by entering business justifications for any exceptions you want to allow for an external collaboration restriction.
When you allow exceptions to an external collaboration restriction, you enter one or more business justifications. Then, when your users attempt to share something with someone outside your organization, in the Share dialog box, they will be allowed to select a justification for the exception to the access policy.
Option | Description |
---|---|
Domain/User Options | |
Allow only specified domains and external users | Specifies the only domains, external users, and Shield lists the Smart Access policy allows for external collaboration. External collaboration is limited to what is specified and blocked for anything else. Click Select, and then enter one or more domain names, email addresses, or Shield lists. |
Block specified domains | Specifies what the Smart Access policy blocks for external collaboration. External collaboration with the specified domains is blocked and allowed for anything else. |
Block all external collaboration | All external collaboration is blocked for any content in Box to which the Smart Access policy applies. |
Apply To | |
Only new external collaborators | Restrictions are imposed only on external collaborations created after the Smart Access policy goes into effect. |
Existing and new external collaborators | Restrictions are imposed on all new and existing external collaborations. Note: if the restriction covers someone who is already a collaborator when the access policy takes effect, that person remains a collaborator but can no longer access the content. Once the restriction on them is lifted, they automatically regain access. |
User Justifications | |
Allow User Justifications | When you enable the Allow User Justifications toggle, a User Exception for External Collaboration dialog box appears. Click Edit Justification to add, change, or delete justifications. Click Preview to see a sample of what your users will see. |
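To reason about what an External Collaboration Restriction will do before starting it, the following added example (not Box's own code) encodes the three Domain/User modes, the Apply To choice and user justifications as the table above describes them, and evaluates a list of collaborators against a policy. Exact-match domain comparison, Shield lists modelled as plain sets of domains and addresses, the Outcome names, and the sample domains are assumptions of this example; how Box treats subdomains and what happens after a user selects a justification are not stated on this page.

```python
"""Simulate an External Collaboration Restriction before turning it on.

Added example for this page, not Box's own code. The three modes, the Apply To
switch and the justification behaviour follow the table above; exact-match
domain comparison and the Shield-list shape are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    ALLOW_ONLY_SPECIFIED = "allow_only_specified"   # allow-list: everything else blocked
    BLOCK_SPECIFIED = "block_specified"             # block-list: everything else allowed
    BLOCK_ALL = "block_all"


class Outcome(Enum):
    ALLOWED = "allowed"                              # collaboration proceeds
    BLOCKED = "blocked"                              # Shield stops it outright
    NEEDS_JUSTIFICATION = "needs_justification"      # blocked unless the user picks a justification


@dataclass
class ExternalCollabRestriction:
    mode: Mode
    domains: frozenset = frozenset()      # domains typed into the control
    users: frozenset = frozenset()        # individual external addresses
    shield_lists: tuple = ()              # each a set of domains/addresses (assumed shape)
    apply_to_existing: bool = False       # Apply To: "Existing and new" vs "Only new"
    justifications: tuple = ()            # Allow User Justifications entries; empty = off

    def specified(self):
        """Union of the directly entered entries and every referenced Shield list."""
        entries = set(self.domains) | set(self.users)
        for shield_list in self.shield_lists:
            entries |= set(shield_list)
        return {e.lower() for e in entries}


def _domain(email):
    return email.rsplit("@", 1)[-1].lower()


def evaluate(policy, collaborator_email, internal_domains, existing=False):
    """Decide what Shield does with one collaborator on content the policy covers."""
    email = collaborator_email.lower()
    if _domain(email) in {d.lower() for d in internal_domains}:
        return Outcome.ALLOWED      # managed user: this control only concerns external collaboration
    if existing and not policy.apply_to_existing:
        return Outcome.ALLOWED      # "Only new external collaborators" leaves existing ones alone
    spec = policy.specified()
    listed = email in spec or _domain(email) in spec
    if policy.mode is Mode.ALLOW_ONLY_SPECIFIED:
        allowed = listed
    elif policy.mode is Mode.BLOCK_SPECIFIED:
        allowed = not listed
    else:
        allowed = False
    if allowed:
        return Outcome.ALLOWED
    return Outcome.NEEDS_JUSTIFICATION if policy.justifications else Outcome.BLOCKED


def access_after_start(policy, collaborators, internal_domains):
    """Access state of existing collaborators once the policy starts.

    With "Existing and new", a restricted collaborator stays on the item but
    loses access (False); evaluate again with the restriction lifted and the
    same call shows access returning.
    """
    return {
        email: evaluate(policy, email, internal_domains, existing=True) is Outcome.ALLOWED
        for email in collaborators
    }


if __name__ == "__main__":
    internal = {"example.com"}                                  # constructed managed domain
    policy = ExternalCollabRestriction(
        mode=Mode.ALLOW_ONLY_SPECIFIED,
        domains=frozenset({"partner.example"}),
        shield_lists=({"law-firm.example", "vip@other.example"},),
        apply_to_existing=True,
        justifications=("Customer contract requires external review",),
    )
    for who in ["dana@example.com", "eve@law-firm.example", "mallory@other.example"]:
        print(who, "->", evaluate(policy, who, internal).value)
```

A useful pre-enforcement check is to run access_after_start over the current collaborator list of a folder carrying the classification label: every False is a person who will silently lose access on the day the policy starts.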
Shared Link Restriction
Shared link restrictions enable you to restrict who can access shared links for the criteria selected. The options you can select are:
- People with the link - Links can be accessed by anyone including people outside of your company and no sign-in is required
- People in your company and invited people - Links can be accessed by anyone in your company or people invited to the file or folder
- Invited people only - Links can be accessed only by people invited to the file or folder
After you apply an access policy with a shared link restriction to content, Shield applies the security control to new shared links going forward and retroactively to all existing ones. For example, if you create an access policy for Confidential content and set the shared link restriction to Invited people only, users can still create shared links to Confidential content, but only invited people can open them. If an existing shared link to that content was previously open to people who were not invited, those people can no longer access the content through that link.
Download and Print Restriction
Download and print restrictions enable you to restrict download, print, online and offline access to the content by managed and external users across platforms. For example, after you enable the policy for Box Web App, for restricted users:
- Box disables the Download option and local editing on desktop via Box Drive, Box Tools, Box Sync, or Box for Office.
- Box does not display the Print option in Box Preview and restricts browser printing: restricted users who print from a browser receive only blank pages.
- Box allows editing in Microsoft Office for the web but does not display the Print option there, and restricts browser printing in the same way: restricted users who print from a browser receive only blank pages.
- Box restricts saving a copy from Office Online and iWork.
- Box prevents file Move and Copy operations for Editors and Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners is selected.
- Box prevents the file Copy operation for Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners and editors is selected.
- Workflows created by a user using Relay will be restricted from moving or copying content if the user is restricted from moving or copying the content from any modality, such as the web app, the mobile app, or the desktop app.
- Copying a file from one location in Box Drive and pasting it to a different location in Box Drive is considered a new upload. Because of this, the classification label of the original file will not be copied to the new file.
Additionally, the same restriction applies to the Box Embed Widget in any applications that have Box embedded.
Note:
Download and Print Restriction is not supported in Box Notes.
You can select download and print restrictions for any of:
- Box Web App
- Box Mobile
- Box Desktop
For each of these, you can choose to restrict:
- Managed Users, either all users except Owners and Co-owners or all users except Owners, Co-owners, and Editors
- All External Users
Application Restriction
Application restrictions enable you to block downloads by all or some of the third-party applications, including published custom applications, that are integrated with your organization's Box instance. Note that Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online, which users can choose to open a file with from the Box Web App, are exempt from application restrictions. The options you can select are:
- Block all applications from downloading content - No integrated applications (except Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online) or published custom applications will be able to download content protected by the access policy.
- Block specified applications from downloading content - Only the integrated applications and published custom applications that you specify will be blocked from downloading content protected by the access policy. Enter one or more applications or Shield lists of applications when you select this choice.
- Allow only specified applications to download content - Only the integrated applications and published custom applications that you specify, as well as Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online, will be allowed to download content protected by the access policy. Enter one or more applications or Shield lists of applications when you select this choice.
Note:
Application Restriction is not supported for Box Notes accessed through the Application API.
FTP Restriction
FTP restrictions enable you to restrict downloads via the FTP protocol. This is simply a toggle that you can enable or disable, and applies globally to all content protected by the access policy.
Note:
FTP Restriction is not supported in Box Notes.
Watermarking
To automatically apply a watermark to files bearing the classification label you selected, turn on the Enable watermarking toggle.
After you enable watermarking, Box places a semi-transparent overlay of the current viewer's name and time of access across the file's contents.
Watermarking is visible in Preview to all collaborator roles, and is applied to downloaded and printed files for certain collaborator roles. Box Notes and some file types do not support watermarking. To learn more about watermarking in Box, see the Box article on watermarking.
Modifying an access policy
To modify an access policy:
- In the Admin Console's left pane, click Shield.
- In the top of the Shield window, click Access Policies.
- Click an access policy's name.
- In the top-right corner, click Edit.
Deleting an access policy
To delete an access policy:
- In the Admin Console's left pane, click Shield.
- In the top of the Shield window, click Access Policies.
- Click an access policy's name.
- In the top-right corner, click Delete.