Getting started with Box Shield Smart Access
To prevent your sensitive content from being accidentally leaked, Smart Access enables you to configure access policies that Shield automatically enforces. With Smart Access, you can use automated controls to restrict sharing, viewing, downloading and printing, and requesting signatures based on content classification.
Creating a policy
To create a new access policy, navigate to the Shield access policies in your administration console.
You must decide whether the policy applies to content without a classification label, or choose the classification it applies to.
To learn more about classifications, check out this article:
Next, you create one or more security controls.
There are 7 different types of security controls to choose from. For detailed information on each of them, check out this article.
Let’s continue with our example.
External Collaboration Restriction
This restriction lets you allow specific domains or external users, deny domains, or completely block external collaboration.
Now if I try to invite an external collaborator to a document classified as Internal Only, I get this error:
Shared Link Restriction
This restriction allows you to limit the scope of shared links. If you select People in your company, you are effectively disabling the People with the link option, and if you select Inviting people only, you are disabling the other two.
For the example above, this is what I get when creating a shared link on that document.
Download and Print Restriction
To test this restriction, I’ve invited a user as an editor. This user won’t be allowed to download or print the document.
Learn more about collaboration roles like
With thousands of integrations available, you might need to restrict access to content for all applications, restrict it for specific applications, or allow only specific ones.
In the example above I’m trying to block access from any Adobe-related integration (just as an example).
This restriction will disable downloads of content using the FTP protocol.
If I try to download my test file, for example using FileZilla, this is what happens.
This will watermark the supported content with the logged-in user and date of access. This personalized watermark has quite an effect on users sharing a print of the file, since their identification is included.
When I log in as the investment user and preview the file, we can see that it is watermarked with the user email and date of access.
Box Sign Request Restriction
This restriction will disable the Box Sign feature.
In my test document the sign button is now disabled.
While Box Classifications allows admins to configure policies that automatically classify content, by itself it only provides users with a visual cue in the form of a label.
Box Smart Access takes it to the next level by applying restrictions to the classification labels.
Check out the other articles in this Box Shield and Classification series:
- Box Shield Ethical Walls
- Box Shield Threat Detection
- Box Classifications
- Box Shield Smart Access (this article)
- Classification service using FastAPI and Python (stay tuned)