Print

Limit collaboration to allowlisted domains

  • Posted Updated

In the Enterprise Settings > Content & Sharing > Collaborating on Content > External Collaboration setting, you can allow external collaboration with any external user or limit collaboration to only external users in domains you define. This topic explains how to limit collaboration to allowlisted domains.

  1. Go to Enterprise Settings > Content & Sharing.
  2. In the Collaborating on Content section, go to the External Collaboration setting and select Limit collaboration to allowlisted domains.
  3. Click Manage Allowlist.
  4. In the Collaboration Allowlist dialog box, enter one or more domains and press Enter after entering each one. See Domain Allowlist Configuration for additional details on how to configure allowlisted domains.
  5. Click Add.

Your people can collaborate only with people from one of the domains you specify.

Note

The limit on collaboration to allowlisted domains goes both directions: Your user cannot invite someone who is not from one of the specified domains, and someone not on the specific domain cannot invite your user to collaborate.

Your user can invite someone to collaborate by opening the "Share" window on a folder or a file. In the "Share" window, your user can choose (a) Invite People or (b) Send Shared Link. 

share_screen.png

          • If your user invites someone who is not from one of the specified domains, the system will display an error message

send_email_error.png

 

 

 

Important
If a folder is accessible to a set of collaborators outside your enterprise, clicking Limit collaboration to users within Enterprise for does not block that folder to those external collaborators, though the folder is blocked to new external collaborators.

 

Domain Allowlist Configuration

When you create your allowlist, you can also can exert finer control and limit collaboration to one direction, inbound or outbound, as defined from the perspective of someone inside your enterprise.

  • Inbound collaboration – Your people are INVITING SOMEONE FROM OUTSIDE IN TO your enterprise to collaborate on content that resides inside your organization.
    • To allow only inbound collaboration, prepend each domain with a plus sign (+)
  • Outbound collaboration – People from outside your enterprise are INVITING SOMEONE FROM INSIDE your enterprise OUT to collaborate on content that resides outside your organization.
    • To allow only outbound collaboration, prepend each domain with a minus sign (-)
  • To enable collaboration with any domain, use an asterisk (*)
    • Typically you'll use an asterisk to enable unidirectional collaboration -- for example to allow only your users to be invited to other content and not allow any external users to be invited to your content.

Here are some examples:

 

Domains Allowlisted

Expected Behavior

abc.com

Box users within your company can invite people only from Company ABC and can only be invited to folders from Company ABC.

Note The allowlist is literal, and only works on single domains. In this example, "x.abc.com" is not allowlisted. You would need to add it separately. Do not use spaces.

+abc.com

Your company's users can invite only people from Company ABC to their folders. Do not use spaces.

-abc.com

Only people in Company ABC can invite Box users from your company to join their folders as well. No one else can invite your company's users to their folders. Do not use spaces.

+*

Your company’s users can invite anyone from any domain to collaborate on content within your enterprise, but no one outside of your company can invite your company’s users to collaborate externally. Do not use spaces.

-*

+abc.com

Anyone from any domain can invite your people to collaborate on content externally, but your people can invite only users from company abc.com to collaborate on content that resides within your enterprise. Do not use spaces.

 

Other points:

  • Users not subject to allowlist: You can allow certain users special privileges to collaborate with domains outside of the allowlisted domains. To grant this privilege, below Users not subject to allowlist, enter the names or email addresses of your selected users in the box.
  • External Collaborator Invitations: Enables you to restrict external collaborators from inviting other external collaborators into content owned by your enterprise and to prevent them from increasing other external collaborators' permission levels.

 

Things to know about collaboration restrictions

  • External collaboration allowlisting is only available as part of the Governance package and must be enabled by request. Please contact your Box Representative or Box User Services to enable these features.
  • You can set collaboration restrictions at the enterprise, user, and folder level. Box uses the most restrictive setting at any given time. For example, if an enterprise allows collaboration with 100 domains and a user within the enterprise further restricts collaborators for a particular folder, that folder will be governed by the user's more restrictive settings.

Related articles