Enterprise Shield accounts have the option to customize the sharing setting for externally owned documents and folders. This includes three options:
- Allow access to externally owned documents and folders (default)
- Block access to externally owned documents and folders
- Block access to externally owned documents and folders, except for those shared by specified domains or user emails
If you are an account owner or account admin on an account with Enterprise Shield and looking to customize this setting, refer to the Lucid admin panel: Security settings article for instructions. The purpose of this post will be to represent the user experience based on the setting that is in place on their account.
Note: For the sake of this post, “internal users” refers to users on your Enterprise account and “external users” refer to any users not on your Enterprise account that are trying to share documents and folders.
If an admin elects to “Block access to externally owned documents and folders,” Lucid will block access for internal users on your account if they attempt to open an external document. External users can continue to share new documents, but internal users will not be able to access them. To preserve admin setting privacy, the external user will not be alerted that the internal user has lost access to the document. The external document owner and other collaborators will still see the internal user as a collaborator on the document.
If an admin elects to “Block access to externally owned documents and folders, except for those shared by specified domains or user emails” then internal users will be able to access documents and folders owned by those domains/users. If an external user with a domain or email that is not on the allowlist shares a document or folder with your account, access will be blocked for internal users when they attempt to open it. This follows the same user experience as the "Block access to externally owned documents and folders" setting mentioned.
When a user is added to a document/folder owned by a Team or Team Folder we verify the domain or user email of the account owner associated with the Team, as Teams and Team Folders are owned by the entire account, not an individual. Anything created in a Team Folder is owned by the Team Folder’s account.
Error messaging displayed for documents
When an internal user tries to open a document owned by an external user, the internal user will see the following Forbidden page:
In addition to being unable to access externally owned documents, the documents will be disabled in the docs list (see image below). This prevents internal users from taking any actions on these documents—such as copying or sharing—once this feature is enabled, even for documents shared in the past.
Restoring your internal users’ access to any externally owned documents can be done by either reverting the setting to 'allow access to externally owned documents and folders' or by adding the external user email or domain to the allowlist.
Error messaging displayed for folders
If an external user has already shared a folder with an internal user, we will remove the internal user from that folder so they cannot access it anymore. If the internal user had created a document in that externally owned folder, then they will lose access to the document. If you are going to block access to external documents and folders, we recommend that you first go into your Discovery feature and move any document that your account owns out of externally owned folders so you do not lose access to the document. Restoring your internal users’ access to externally owned folders can’t be done via the admin panel so please be careful when restricting access.
When an internal employee tries to open a new folder link owned by an external account, the internal employee will be redirected to their docs list with the following error banner:
