Policies are applied to all users and Hubs that are assigned to a Tenancy. To implement more than one policy set, multiple Tenancies should be used.
If a user is a member of multiple Tenancies, the DekkoSecure application will pick up the strictest combination of policies and apply them to the user. In an example where a Standard (non-SSO) user is in two tenancies with the following authentication policies:
- 8-character PW, 2FA ON
- 15-character PW, 2FA OFF
The user will be made to use the stricter authentication controls (indicated in bold) - 2FA and a 15-character password (note: a user only has one account with one password).
Only users with the Tenant admin role are able to modify policies. Please contact your account manager or DekkoSecure support request the assignment or removal of an administrator on your Tenancy.
Default Policies
DekkoSecure typically engages clients in a consultative process to determine the best policy settings for their use case(s). For clients with policy requirements that vary depending on their use cases, multiple tenancies can be set up. Below is the standard tenancy policy configuration:
Minimum password length | 8 characters |
Session timeout | 120 minutes |
File retention | 365 days |
Enforce 2FA | ON |
Trusted Tenant | OFF |
Disable Public Hub | ON |
Invite message appendix | OFF |
Status tagging | OFF |
Enforce Attributes | OFF |
External File Verification | OFF |
Invite-only onboarding | ON |
Content Access Account | OFF |
Limit users who can create hubs | ON |
Policies
Policy | Step(s) / Notes |
Set minimum password length | Enter the specific character count, then press the "Update policies" button.
Note: password length requirements are not applied to SSO users. |
Set session timeout | Enter the required session duration in minutes, then press the "Update policies" button.
Note: session timeout is not applied to SSO users. |
Set file retention | Enter the required retention duration in days, then press the "Update policies" button.Note: file retention is applied to versioned files (not current files). |
Enforce 2FA | Note: 2FA enforcement is not applied to SSO users. |
Trusted Tenant | Note: the trusted user function is not applied to SSO users. A user must log at least once after the policy is applied to be able to reset their password. |
Status tagging | When ON, users in all Hubs that belong to this Tenancy will be able to add a status from the specified list to files and folders.
To specify tags, press the manage tags button, then add a tag. The default tag colour is dark grey, but can be adjusted from the standard colours list. Tags selection will appear in the same order as the tag management list - drag the ⋮⋮ marker to re-order your tags.
See notes for examples of status tags in use. |
Disable Public Hub | When OFF, users that are members of any Hubs that belong to this Tenancy will be able to access the Public Hub. The Public Hub does not belong to this Tenancy, and no Policies are applied to it.
When ON users that are members of any Hubs that belong to this Tenancy will not be able to access the Public Hub. |
Invite message appendix | Enable by ticking the policy, then enter your appendix content. Appendix content will be applied to all future invites.
See notes for example invite with appendix. |
Invite-only onboarding | Note: this setting controls whether users in Hubs associated with the selected tenancy are able to share files and send messages with unregistered users.
Policy OFF: users can share files with/send messages to unregistered users. The file/message key is stored securely by DekkoSecure until the recipient registers. All interactions after this point are zero knowledge.
Policy ON: users cannot share files with/send messages to unregistered users. Users must invite recipients and wait for them to register. Following registration, files/messages can be sent. File/message keys are never stored by DekkoSecure. |
Central Access Account | This policy nominates a user that automatically gains access to files uploaded to Hubs in the Tenancy. File access is granted to files that are uploaded after the policy is enabled. |
Limit users who can create Hubs | This policy controls who in your Tenancy (i.e., users who belong to Hubs which are assigned to your Tenancy).
This policy is OFF by default, meaning that all users who are already in your Tenancy are able to create new Hubs.To limit Hub creation, add a rule or rules to the policy. There are two possible rules:
- Individual users
- Users with a shared domain
To set an individual user, enter their ID (email address, i.e., john@dekko.io) and then press 'Add'.
To set a domain, use a wildcard (*), for example *@yourdomain.com, then press 'Add'.
You can add as many users and/or domains as required. Current limits will be displayed under the limit field, and can be removed at any time.
Note: users with the Tenant admin role are able to create Hubs regardless of any rules set in Hub creation limitation. |
Policy notes
Invite appendix
An invite appendix adds text to the end of all invite messages sent from Hubs that belong to a Tenancy. This policy is typically used for legal disclaimers or branding purposes.
Example:
Status tagging
Adding and managing tags:
Note: if you remove a tag from the tag manager that is in use, it will be removed from all associated files.
Tag use example:
Tags can be added to files that you own (uploaded) or of which files you are an administrator (shared with full permissions). Tags set on shared content will be displayed for all users that have access to the file/folder.
Tag changes are also shown in the audit log -
Invite-only Onboarding
Turning this policy ON disables the share-and-invite feature.
When files are shared with an unregistered address, the file and file key is stored securely by the DekkoSecure system and then passed to the recipient user when they complete registration - This is called “share-and-invite”. After this exchange has taken place, all future interactions between the sender and newly registered user is end-to-end encrypted.
If invite-only onboarding is ON, Files can only be shared with existing DekkoSecure users, meaning all users must register via an invite, then receive files after they register, meaning all content accessed by them is secured using end-to-end encryption by way of an asymmetric key exchange.
Content Access Admin
The Content Admin Account will be set as a member of all Hubs in the Tenancy and has access to all files with full permissions. Content Admin Accounts cannot be removed by Hub administrators or file owners. The Content Admin Account is not a ‘normal’ user account; it should be treated as a special access role that remains in place once assigned, and only removed under exceptional circumstances.
Credential management for the Content Admin Account should be done with extreme care. A generic ID (e.g., admin@your-org.com) is recommended.
Things to note about Content Admin Accounts:
- One Content Admin Account can be set at a time.
- All activity (e.g., downloading, deleting) is captured in the audit log.
- Access is granted to all files that are uploaded in this Tenancy after nomination; there is no retrospective access to files shared prior to nomination.
- A notice will be displayed in the sharing menu and the account will be shown in all Hub contact lists.
- If this user is removed from the policy they will still have access to files shared with them prior to removal.
Feature Availability
Features can be disabled for all Hubs in your Tenancy my opening the Edit Feature Policies window:
Turning a feature Off will hide it in the navigation panel on the left of the DekkoSecure application interface.