Security controls are what you add to Box Shield access policies to define what gets enforced in those policies. There are several security control types, and you can add one or more to any access policy. This topic describes the purpose of each security control type. For details about the settings in security controls, see Shield Access Policy Settings.
- External Collaboration Restriction
- Shared Link Restriction
- Download and Print Restriction
- Application Restriction
- FTP Restriction
- Box Sign Request Restriction
External Collaboration Restriction
External collaboration restrictions allow you to restrict all or some external collaboration based on domains and users. You can also define exceptions to an external collaboration restriction by entering business justifications for the exceptions you want to allow.
When a user attempts to share something with someone outside your organization, and that sharing is restricted by a smart access policy with an external collaboration restriction, the Share dialog box lets the user select one of the justifications defined in the policy for the exception to the access policy.
See External Collaboration Restriction Settings for details about how to configure external collaboration restriction settings in an access policy.
Shared Link Restriction
Shared link restrictions allow you to specify who can access files and folders via shared links.
After you apply an access policy with a shared link restriction to content, Shield applies the security control to new shared links going forward and retroactively to all existing ones.
For example, if you create an access policy for confidential content and restrict link sharing to Invited people only, users can share links to confidential content only with invited people. If an existing shared link to that content was previously shared with people who are not invited, such people can no longer access the content through that link.
See Shared Link Restriction Settings for details about how to configure shared link restriction settings in an access policy.
Download and Print Restriction
Download and print restrictions enable you to restrict download, print, online and offline access to the content by managed and external users across platforms. For example, after you enable the policy for Box Web App, for restricted users:
- Box disables the Download option and local editing on desktop via Box Drive, Box Tools, Box Sync, or Box for Office.
- Box does not display the Print option in Box preview, and restricts printing from the browser - restricted users printing from a browser receive only blank pages.
- Box allows editing in Microsoft Office for the web, but does not display the Print option in Office for the web, and restricts printing from the browser - restricted users printing from a browser receive only blank pages.
- Box restricts saving a copy from Office Online and iWork.
- Box prevents file Move and Copy operations for Editors and Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners is selected.
- Box prevents file Copy operation for Viewers if Restrict Managed Users > Restrict all users except Owners/Co-owners and editors is selected.
- Workflows created by a user using Relay will be restricted from moving or copying content if the user is restricted from moving or copying the content from any modality, such as the web app, the mobile app, or the desktop app.
- Copying a file from one location in Box Drive and pasting it to a different location in Box Drive is considered a new upload. Because of this, the classification label of the original file will not be copied to the new file.
Additionally, the same restriction applies to the Box Embed Widget in any applications that have Box embedded.
Download and Print Restriction is not supported in Box Notes.
See Download and Print Restriction Settings for details about how to configure download and print restriction settings in an access policy.
Application Restriction
Application restrictions enable you to restrict all or some third-party applications with which your organization is integrated, including published custom applications, from downloading. Note that Microsoft Office for the web, Google Workspace, Apple iWork, and Adobe Acrobat Online, which your users can select to open a file within the Box Web App, are not restricted by application restrictions.
See Application Restriction Settings for details about how to configure application restriction settings in an access policy.
FTP Restriction
FTP restrictions enable you to restrict downloads via the FTP protocol. This is simply a toggle that you can enable or disable, and applies globally to all content protected by the access policy.
Note: FTP Restriction is not supported in Box Notes.
Watermarking
Watermarking places a semi-transparent overlay of the current viewer's name and time of access across the file's contents. The watermark is visible in Preview to all collaborator roles, and is applied to downloaded and printed files for certain collaborator roles. Box Notes and some file types do not support watermarking. To learn more about watermarking in Box, see Watermarking Files, and for details about this setting, see Watermarking Settings.
Box Sign Request Restriction
When Box Sign is enabled for your organization, users can initiate Box Sign signature requests even on files matched by access policies with the following security controls:
- Download and print restrictions
- External collaboration restrictions
- Shared link restrictions
The Box Sign Request security control allows you to prohibit users from requesting signatures for files matched by policies with these security controls. See Box Sign Request Restriction Settings.
Box Sign request restriction FAQ
How does Box Sign enforce Shield Policies?
Box Sign checks for both the Box Sign Security and Watermarking security controls when selecting a file to be used during the e-signature process. The sender can pick any destination folder for the signing process regardless of any Shield policies. Once the signing process is complete, any Shield policies will be applied based on auto-classification.
Can the new security control interrupt any existing processes?
No, the security control does not affect any past or in-progress sign requests.
Can I download my classified content if sign request restrictions are enabled?
Yes, it is legally required that all signees can download a copy of the document. Even if there are coexisting download and print restrictions, you can still download the document.
If the Box Sign request restriction is disabled, can users send sign requests to external signees?
Yes, even if there are existing collaboration restrictions, users can still share content with external parties using Box Sign.