This article provides detailed insight on the use of shared content managed by SSProtect.
Introduction
This article covers detailed aspects of SSProtect-managed content when utilized by an authorized sharing peer. In general, usage is straightforward - access and modify content as you normally would - but there are times when you will wish to deviate from standard user workflows and/or look deeper into SSProtect, at which point you may notice some subtle realities. This article describes these details for clarification.
Organization Peers
As noted in other Topic articles, you are by default authorized to access content protected by your Organization Peers. This is universal and automatic, though of course you must obtain the materials from your peers using the sharing mechanism(s) employed by your team(s).
Third Party Trusts
Third Party Trusts grant external Users (Accounts) the right to access Organization content. Privileges are managed by Privileged Organization Users (or an Individual Account holder) as described in the article, Managing Third Party Trusts.
When Third Party Trusts are Fully Operational
When a Third Party Trust is configured, the cryptographic primitives are configured on the next Login for the trusted Third Party's Account. As a result, SSProtect will not perceive the Third Party Trust to be a trusted member of an Organization until after this event occurs.
This can lead to some confusion when using :Email since it can (via Policy settings) be configured to validate recipients of protected content.
:Email Third Party Trust Authorization Delays
SSProtect :Email is an Outlook Add-In that protects email message content, as described in the article, Getting Started with :Email. When you author a message to a recipient and protect content, upon delivery, :Email checks that he/she will be able to read your protected message. If not, you are notified and given a choice to remove the recipient or continue (override).
Because of the above-noted delay in finalizing a Third Party Trust, those who have been recently configured, but who have not yet performed an SSProtect Login, will not be seen as authorized peers. Override any interim :Email prompt to send content to any User, and when they perform Refresh Login, the Trust will be established and they will be able to access your message.
Impact to Access of Enabling/Disabling a Third Party Trust
When you Disable a Third Party Trust from the Sharing Policy display, the impact is immediate - any subsequent action to access (associated) managed content will be denied. However, if an existing item is being utilized, the Third Party Trust will be able to Save changes and, on closing, the item will be re-protected (creating a new version instance).
Of course, the reciprocal is also true - when you re-enable a Third Party Trust, the target User's next attempt to access your managed content will succeed. Note in this case there is no Refresh Login required - the Trust is immediately re-enabled.
Releasing and Re-Protecting Shared Content
You can perform SSProtect Release operations (when independently permitted by your Account Policy) on shared content (using shift-right-click on a shared/managed item in File Explorer).
You can also, most often, re-protect content while maintaining the original shared association. In general, this will work so long as you do not start a new SSProtect Login Session after Release and before Re-Protect.
Taking Ownership of Shared Items
If it is your (coordinated) intent to take ownership of a shared item you've Released, you can do so by viewing your Hostlist using the Managed Files/Restore context menu item, then choosing Clean. You must acknowledge the intention to Clean the Shared List as indicated by the Prompt (choose Yes), which will force a Refresh Login operation. At that point, you can Protect the shared item you Released, resulting in a new, Version 1 instance of the file that you "own".
Intermediate Hostlist Entries
When securely accessing shared files (by opening a shared document in its native application container), you maintain continuous protection over the content just as the original Owner would when he/she performs the same operation.
If, however, you display the Hostlist from the Managed Files/Restore context menu item, you will see the managed file at or near the top of your list, in the (Opened) State. If you attempt to view Versions..., you will see all previous Versions, but not the actively opened Version (as it hasn't been created, and won't be, until you save and close).
Once you finish reviewing/ editing and close the managed item, you will have to choose Refresh to update any of the Managed Files panes. This will then reflect the new Version in the Versionlist pane.
Shared Re-Protection Conversion Mode
When you access Shared Content, re-protection utilizes the file's Conversion Mode, not the Conversion Mode of your Account or even of the Owner's Account. This maintains the intended method for managing content in any file.
For an Owner to change the protection mode, he/she must modify his/her method for Conversion and then access and store the item of interest - it is only at that time that changes in the Operating Mode get applied; this does not happen when carried out by a sharing peer.
Re-protection Archive Quota Impact
When you access a managed shared item then save/close, it is re-protected, though it retains the Yellow File Explorer overlay icon (indicating that it is not natively-owned, as otherwise evidenced by the Red overlay icon).
Re-protection associates Quota space to the original Owner, when applicable (Hybrid/Double Conversion applied as noted in the preceding paragraph). If for some reason your actions end up requesting Quota Space not available for the Owning Account, the file will be re-protected using Optimized Offloading (and thus not available for Restoration from the :Recover KODiAC Archive). This event triggers email notification to the Owning Organization's Privileged Users (but only once until the Owning Account's Quota is adjusted).
:Recover Archive Access to Shared Content
As the Owner, or Creator, of a managed item, you can access :Recover Archive content for each version you create. In some cases, you can Restore content created by Sharing Peers and Third Party Trusts.
In fact, if you are using Double Conversion, you can Restore any item "created" by an authorized Organization Peer or even Third Party Trust. These versioned instances are also available in :xRecovery Archives.
When using Hybrid Conversion, the default Conversion Mode, you CANNOT Restore Third Party Trust versions.
Third Party Trust instances, however, are never present in :xRecovery Archives no matter what Operating Mode you are using.
As such, you can Restore a Third Party Trust instance managed with Double Conversion, but that same version will not be present in an :xRecovery Archive.
:Recover Restore Version
When performing a Restore operation on a Managed Item, SSProtect will identify the latest accessible Version and Restore it for you. Thus, if the last Version was a Hybrid-Converted item by a Third Party Trust, SSProtect will search past this item and Restore the most recent accessible version. Remember that Organization Peer materials, managed with Hybrid Conversion, remain Restore-accessible by the Owner.
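The Restore rules from this section and the :Recover Archive Access section above, modeled as an added example. This is not SSProtect code: the class, function and constant names are hypothetical, the version history is constructed, and :xRecovery presence is reported as unknown (None) wherever the article does not state it.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical labels for the creator types and modes named in the article.
OWNER, ORG_PEER, THIRD_PARTY = "owner", "org_peer", "third_party_trust"
HYBRID, DOUBLE, OFFLOADED = "hybrid", "double", "optimized_offloading"

@dataclass(frozen=True)
class Version:
    number: int   # position in the Versionlist
    creator: str  # who saved/closed the item to create this version
    mode: str     # how this version was re-protected

def owner_can_restore(v: Version) -> bool:
    """Can the Owner Restore this version from the :Recover Archive?"""
    if v.mode == OFFLOADED:
        return False             # quota fallback: not available for Restoration
    if v.creator == THIRD_PARTY:
        return v.mode == DOUBLE  # Hybrid Third Party Trust versions cannot be Restored
    return True                  # Owner and Organization Peer versions

def in_xrecovery(v: Version) -> Optional[bool]:
    """:xRecovery presence; None where the article makes no statement."""
    if v.creator == THIRD_PARTY:
        return False             # never present, whatever the Operating Mode
    if v.creator == ORG_PEER and v.mode == DOUBLE:
        return True
    return None

def restore_target(versions: Iterable[Version]) -> Optional[Version]:
    """Latest accessible version: search past versions that cannot be Restored."""
    for v in sorted(versions, key=lambda v: v.number, reverse=True):
        if owner_can_restore(v):
            return v
    return None

# Constructed history: the newest version was saved by a Third Party Trust
# under Hybrid Conversion, so Restore falls back to the peer's version 2.
HISTORY = [
    Version(1, OWNER, HYBRID),
    Version(2, ORG_PEER, HYBRID),
    Version(3, THIRD_PARTY, HYBRID),
]

if __name__ == "__main__":
    print("Restore selects version", restore_target(HISTORY).number)
```
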
Additional Resources
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated with v9.2.1 of the :Foundation Client.