Policies are applied to all users and Hubs that are assigned to a Tenancy. To implement more than one policy set, multiple Tenancies should be used.
If a user is a member of multiple Tenancies, the DekkoSecure application will pick up the strictest combination of policies and apply them to the user. In an example where a Standard (non-SSO) user is in two tenancies with the following authentication policies:
- 8-character PW, 2FA ON
- 15-character PW, 2FA OFF
The user will be made to use the stricter authentication controls (indicated in bold) - 2FA and a 15-character password (note: a user only has one account with one password).
Only users with the Tenant admin role are able to modify policies. Please contact your account manager or DekkoSecure support request the assignment or removal of an administrator on your Tenancy.
Default policies
DekkoSecure typically engages clients in a consultative process to determine the best policy settings for their use case(s). For clients with policy requirements that vary depending on their use cases, multiple tenancies can be set up. Below is the standard tenancy policy configuration:
Policy | Description | Default Setting |
Minimum password length | Sets the minimum number of characters required for user passwords. | 12 Characters |
Session timeout (minutes) | Sets the period of inactivity after which users are automatically logged out. | 120 minutes |
Previous version retention | Controls how long previous file versions are retained (in days). Once the expiry period is exceeded, previous versions are permanently deleted. | 365 days |
File size upload limit (MBs) | Sets the maximum size of a single uploaded file in megabytes. A value of '0' allows unlimited file sizes. | 0 (no limit) |
Disable PDF redaction feature | Turns off the PDF redaction capability for all users in this tenancy. | OFF |
Disable deletion via DekkoDrive | Prevents files from being deleted through the DekkoDrive client. | ON |
Enforce 2FA | Forces all users in the tenancy to enable two-factor authentication at their next login if they have not already done so. | ON |
Trusted Tenant | Allows tenant admins to reset user passwords. Each user must log in at least once before this takes effect for that user. | OFF |
Disable Public Hub | Restricts access to the Public Hub for all users in this tenancy. | ON |
Invite message appendix | Appends custom text to the end of all Hub invites in the tenancy (maximum 2000 characters). | OFF |
Status tagging (Manage tags) | Allows file and folder tagging across all Hub content in the tenancy. Tags are displayed in the status column. | OFF |
Enforce classification | Requires classification labelling to be applied to all uploads and messages. | OFF |
External File Verification | Enables external authenticity and ownership checking for all files in the tenancy by storing private hashes. | ON |
Invite-only onboarding | Disables invite via sharing. New users must register via invite and join a Hub in the tenancy before files can be shared with them. | OFF |
Malware scanning | Scans files uploaded to Hubs in the tenancy for malware. Files containing malware cannot be shared or downloaded. | OFF |
Recycle bin | Moves deleted files to "Archive" instead of deleting them immediately. Files are permanently deleted once the expiry period (days) is exceeded. Shared file recipients cannot access archived files until the owner restores and re-shares them. | ON (7 days) |
Data Expiration | Automatically deletes all data older than a specified age (in days) on a daily cadence. The checkbox or button opens the expiration menu to configure this. | OFF |
Allow public submissions on folders | Lets folder owners and admins enable per-folder public submission links. Links can be disabled by folder owners and admins at any time. Submissions are anonymous, so malware scanning is recommended. | OFF |
Limit users who can create hubs (Add) | Restricts Hub creation to specified users or domains. A wildcard such as *@yourdomain.com permits all users on a domain, and multiple domains or users can be added. | ON |
Central Access Admin | Makes the nominated Central Access Admin a member of all Hubs in the tenancy with Full Permissions on all shared files. They cannot be removed by Hub administrators or file owners, and cannot be the same user as the Central Backup Account. | OFF |
Central Backup Account | Makes the nominated Central Backup Account a member of all Hubs in the tenancy with Download only permission on all shared files. They cannot be removed by Hub administrators or file owners, and cannot be the same user as the Central Access Admin. | OFF |
Policy notes
Invite appendix
An invite appendix adds text to the end of all invite messages sent from Hubs that belong to a Tenancy. This policy is typically used for legal disclaimers or branding purposes.
Example:
Enforced attributes
When enabled, all users in the Tenancy must select a classification marking each time they upload files and folders:
The chosen classification appears next to the file or folder name and is visible to all users with access to the shared content:
Attribute scheme:
AU Protective Marking Standard | • UNOFFICIAL
• OFFICIAL
• OFFICIAL: Sensitive
• PROTECTED
• CLASSIFICATION UNKNOWN |
AU Export Controlled Labels | • Not Export Controlled
• OFFICIAL - Not Export Controlled
• OFFICIAL - Export Controlled
• OFFICIAL: Sensitive - Not Export Controlled
• OFFICIAL: Sensitive - Export Controlled |
AU Non-Export Controlled Labels | • Not Export Controlled
• OFFICIAL - Not Export Controlled
• OFFICIAL: Sensitive - Not Export Controlled |
CA Protected Information | • Protected A
• Protected B
• Protected C |
Note: one scheme can be selected at a time, e.g., AU Protective Marking Standard and CA Protected Information cannot be used simultaneously.
Status tagging
Adding and managing tags:
Note: if you remove a tag from the tag manager that is in use, it will be removed from all associated files.
Tag use example:
Tags can be added to files that you own (uploaded) or of which files you are an administrator (shared with full permissions). Tags set on shared content will be displayed for all users that have access to the file/folder:
Tag changes are also shown in the audit log -
Invite-only Onboarding
Turning this policy ON disables the share-and-invite feature.
When files are shared with an unregistered address, the file and file key is stored securely by the DekkoSecure system and then passed to the recipient user when they complete registration - This is called “share-and-invite”. After this exchange has taken place, all future interactions between the sender and newly registered user is end-to-end encrypted.
If invite-only onboarding is ON, Files can only be shared with existing DekkoSecure users, meaning all users must register via an invite, then receive files after they register, meaning all content accessed by them is secured using end-to-end encryption by way of an asymmetric key exchange.
Recycle bin
When enabled, deleted files are staged for permanent deletion in an “Archive”, listed in the left-navigation panel. The policy is set in days, and files can be restored from archive by file owners prior to deletion.
In combination with the recycle bin Tenancy policy, Tenant admins can wipe data from a tenancy. The clear out function can only be enabled when the recycle bin policy is enabled. Only data older than 30 days can be wiped:
A confirmation window is displayed prior to deletion being actioned:
Allow public submissions on folders
When enabled, folder owners can turn on Public Submissions. If file size limits are enabled they are applied to submissions, preventing uploads that exceed the policy.
Data Expiration
When enabled, this policy will automatically delete data that is older than the age (in days) specified in the policy.
Points to note:
- Clean up takes place once per day
- The minimum age allowed in the policy is 30 days
- Users can “extend” an expiration by using the overwrite function
- The policy will “clean up” when the policy is enabled*
* Example use - if a Tenancy has files in it that are 120 days old, and the policy is enabled with a 90-day expiration, the 120-day old files will be cleaned up on the next daily cleanup.
Central Access Admin
After activation, the Central Access Admin will be set as a member of all Hubs in the Tenancy and has full access to all files uploaded to Hubs in the Tenancy after its nomination with full permissions. It cannot be removed by Hub administrators or file owners - only by Tenancy admins. Access is not retrospective; files uploaded prior to activation are not shared with the account.
The Central Access Admin is not a “normal” user account; it should be treated as a special access role that remains in place once assigned, and only removed under exceptional circumstances.
Credential management for the Central Access Admin should be done with extreme care. A generic ID (e.g., admin@your-org.com), disciplined password management and 2FA is strongly recommended.
Things to note about Central Access Admins:
- One Central Access Admin can be set at a time.
- Users cannot nominate themselves; they must be nominated by another admin of the Tenancy*.
- All activity performed by the account (e.g., downloading, deleting) is captured in the audit log.
- A notice will be displayed in the sharing menu (”… this content is also shared with an administrative account …”)**.
- The account will be shown in all Hub contact lists.
- If this account is removed from the policy it will still have access to files shared with it prior to removal.
- If the access admin account should no longer have access to files, you can request that it be deleted. Please contact your DekkoSecure account manager to make a request.
* If your tenancy has one Tenancy admin, please contact your DekkoSecure account manager for assistance with nomination.
** An example of the notice displayed to file owners when the Content Admin policy is activated:
The Central Access Admin can be used with DekkoDrive to automatically synchronise files in a Tenancy to an external location for content management use cases.
Central Backup Account
After activation, the Central Backup Account will be set as a member of all Hubs in the Tenancy and has full access to all files uploaded to Hubs in the Tenancy after its nomination with download only permission. It cannot be removed by Hub administrators or file owners - only by Tenancy admins. Access is not retrospective—files uploaded prior to activation are not shared with the account.
The Central Backup Account is not a “normal” user account; it should be treated as a special access role that remains in place once assigned, and only removed under exceptional circumstances.
Credential management for the Central Backup Account should be done with extreme care. A generic ID (e.g., admin@your-org.com), disciplined password management and 2FA is strongly recommended.
Things to note about Central Backup Accounts:
- One Central Backup Account can be set at a time.
- Users cannot nominate themselves; they must be nominated by another admin of the Tenancy*.
- All activity performed by the account (e.g., downloading) is captured in the audit log.
- A notice will be displayed in the sharing menu (”… this content is also shared with an administrative account …”)**.
- The account will be shown in all Hub contact lists.
- If this account is removed from the policy it will still have access to files shared with it prior to removal.
- If the Central Backup Account should no longer have access to files, you can request that it be deleted. Please contact your DekkoSecure account manager to make a request.
* If your tenancy has one Tenancy admin, please contact your DekkoSecure account manager for assistance with nomination.
** An example of the notice displayed to file owners when the Central Backup Account is activated:
The Central Backup Account can be used with DekkoDrive to automatically synchronise files in a Tenancy to an external location for content backup use cases.
Feature availability
Features can be disabled for all Hubs in your Tenancy my opening the Edit Feature Policies window:
Turning a feature Off will hide it in the navigation panel on the left of the DekkoSecure application interface.