Tenancy Policies

Policies are applied to all users and Hubs that are assigned to a Tenancy. To implement more than one policy set, multiple Tenancies should be used.

 

If a user is a member of multiple Tenancies, the DekkoSecure application will pick up the strictest combination of policies and apply them to the user. For example, consider a Standard (non-SSO) user who is in two Tenancies with the following authentication policies:

  • 8-character PW, 2FA ON
  • 15-character PW, 2FA OFF
 

The user will be made to use the stricter authentication controls: 2FA and a 15-character password (note: a user only has one account with one password).
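The strictest-combination rule above, as an added Python illustration (not DekkoSecure code; the class, field and Tenancy names are hypothetical). It assumes a shorter session timeout counts as stricter, which this page does not state, and returns no policy for SSO users because the Policies section notes that these three settings are not applied to them.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class AuthPolicy:
    min_password_length: int      # characters
    enforce_2fa: bool
    session_timeout_minutes: int


def effective_auth_policy(tenancies, sso_user=False):
    """tenancies: dict of Tenancy name -> AuthPolicy for one user."""
    if not tenancies:
        raise ValueError("user belongs to no Tenancy")
    if sso_user:
        # Password length, session timeout and 2FA are not applied to SSO users.
        return None
    policies = list(tenancies.values())
    return AuthPolicy(
        min_password_length=max(p.min_password_length for p in policies),
        enforce_2fa=any(p.enforce_2fa for p in policies),
        # Assumption: the shorter timeout is treated as the stricter one.
        session_timeout_minutes=min(p.session_timeout_minutes for p in policies),
    )


def overridden_settings(tenancies):
    """Rows of (tenancy, setting, configured, applied) where a stricter Tenancy wins."""
    effective = effective_auth_policy(tenancies)
    rows = []
    for name, policy in sorted(tenancies.items()):
        for f in fields(AuthPolicy):
            configured = getattr(policy, f.name)
            applied = getattr(effective, f.name)
            if configured != applied:
                rows.append((name, f.name, configured, applied))
    return rows


# Constructed sample: the two Tenancies from the example above; timeouts are made up.
SAMPLE = {
    "tenancy-a": AuthPolicy(8, True, 120),
    "tenancy-b": AuthPolicy(15, False, 60),
}

if __name__ == "__main__":
    print(effective_auth_policy(SAMPLE))
    for row in overridden_settings(SAMPLE):
        print(row)
```

The overridden rows show a Tenant admin which of their own settings a shared user will not actually experience because another Tenancy is stricter.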

 
💡

Only users with the Tenant admin role are able to modify policies. Please contact your account manager or DekkoSecure support to request the assignment or removal of an administrator on your Tenancy.

Default Policies

DekkoSecure typically engages clients in a consultative process to determine the best policy settings for their use case(s). For clients with policy requirements that vary depending on their use cases, multiple tenancies can be set up. Below is the standard tenancy policy configuration:

 
  • Minimum password length: 8 characters
  • Session timeout: 120 minutes
  • File retention: 365 days
  • Enforce 2FA: ON
  • Trusted Tenant: OFF
  • Disable Public Hub: ON
  • Invite message appendix: OFF
  • Status tagging: OFF
  • Enforce Attributes: OFF
  • External File Verification: OFF
  • Invite-only onboarding: ON
  • Content Access Account: OFF
  • Limit users who can create hubs: ON
 
💡
Default Tenancy policies should not be considered recommendations. Governance requirements vary per-client and should be considered carefully based on the descriptions and content provided by DekkoSecure, in combination with your internal practices and business processes. Please contact your DekkoSecure account manager to discuss custom Tenancy policies.

Policies

💡
Be sure to press 'Update Policies' after you make any changes!
 
Each policy is listed below, followed by its step(s) / notes.

Set minimum password length
Enter the specific character count, then press the "Update policies" button. Note: password length requirements are not applied to SSO users.

Set session timeout
Enter the required session duration in minutes, then press the "Update policies" button. Note: session timeout is not applied to SSO users.

Set file retention
Enter the required retention duration in days, then press the "Update policies" button. Note: file retention is applied to versioned files (not current files).

Enforce 2FA
Note: 2FA enforcement is not applied to SSO users.

Trusted Tenant
Note: the trusted user function is not applied to SSO users. A user must log in at least once after the policy is applied to be able to reset their password.

Status tagging
When ON, users in all Hubs that belong to this Tenancy will be able to add a status from the specified list to files and folders. To specify tags, press the manage tags button, then add a tag. The default tag colour is dark grey, but can be adjusted from the standard colours list. Tag selection will appear in the same order as the tag management list - drag the ⋮⋮ marker to re-order your tags. See notes for examples of status tags in use.

Disable Public Hub
When OFF, users that are members of any Hubs that belong to this Tenancy will be able to access the Public Hub. The Public Hub does not belong to this Tenancy, and no Policies are applied to it. When ON, users that are members of any Hubs that belong to this Tenancy will not be able to access the Public Hub.

Invite message appendix
Enable by ticking the policy, then enter your appendix content. Appendix content will be applied to all future invites. See notes for example invite with appendix.

Invite-only onboarding
Note: this setting controls whether users in Hubs associated with the selected Tenancy are able to share files with, and send messages to, unregistered users.
  • Policy OFF: users can share files with/send messages to unregistered users. The file/message key is stored securely by DekkoSecure until the recipient registers. All interactions after this point are zero knowledge.
  • Policy ON: users cannot share files with/send messages to unregistered users. Users must invite recipients and wait for them to register. Following registration, files/messages can be sent. File/message keys are never stored by DekkoSecure.

Central Access Account
This policy nominates a user that automatically gains access to files uploaded to Hubs in the Tenancy. File access is granted to files that are uploaded after the policy is enabled.

Limit users who can create Hubs
This policy controls who in your Tenancy (i.e., users who belong to Hubs which are assigned to your Tenancy) can create Hubs. This policy is OFF by default, meaning that all users who are already in your Tenancy are able to create new Hubs. To limit Hub creation, add a rule or rules to the policy. There are two possible rules:
  • Individual users
  • Users with a shared domain
To set an individual user, enter their ID (email address, e.g., john@dekko.io) and then press 'Add'. To set a domain, use a wildcard (*), for example *@yourdomain.com, then press 'Add'. You can add as many users and/or domains as required. Current limits will be displayed under the limit field, and can be removed at any time. Note: users with the Tenant admin role are able to create Hubs regardless of any rules set in Hub creation limitation.
 

Policy notes

Invite appendix

 

An invite appendix adds text to the end of all invite messages sent from Hubs that belong to a Tenancy. This policy is typically used for legal disclaimers or branding purposes.

 

Status tagging

 

Adding and managing tags:


Note: if you remove a tag from the tag manager that is in use, it will be removed from all associated files.

 

Tag use example:

Tags can be added to files that you own (uploaded) or files of which you are an administrator (shared with full permissions). Tags set on shared content will be displayed for all users that have access to the file/folder.

 

Tag changes are also shown in the audit log.
 

Invite-only Onboarding

Turning this policy ON disables the share-and-invite feature.

When files are shared with an unregistered address, the file and file key are stored securely by the DekkoSecure system and then passed to the recipient user when they complete registration. This is called “share-and-invite”. After this exchange has taken place, all future interactions between the sender and the newly registered user are end-to-end encrypted.

If invite-only onboarding is ON, files can only be shared with existing DekkoSecure users. All users must register via an invite and then receive files after they register, so all content accessed by them is secured using end-to-end encryption by way of an asymmetric key exchange.

 

Content Access Admin

The Content Admin Account will be set as a member of all Hubs in the Tenancy and has access to all files with full permissions. Content Admin Accounts cannot be removed by Hub administrators or file owners. The Content Admin Account is not a ‘normal’ user account; it should be treated as a special access role that remains in place once assigned, and only removed under exceptional circumstances.

Credential management for the Content Admin Account should be done with extreme care. A generic ID (e.g., admin@your-org.com) is recommended.

Things to note about Content Admin Accounts:

  • One Content Admin Account can be set at a time.
  • All activity (e.g., downloading, deleting) is captured in the audit log.
  • Access is granted to all files that are uploaded in this Tenancy after nomination; there is no retrospective access to files shared prior to nomination.
  • A notice will be displayed in the sharing menu and the account will be shown in all Hub contact lists.
  • If this user is removed from the policy, they will still have access to files shared with them prior to removal.

Feature Availability

Features can be disabled for all Hubs in your Tenancy by opening the Edit Feature Policies window.

Turning a feature Off will hide it in the navigation panel on the left of the DekkoSecure application interface.
