This article covers detailed aspects of SSProtect-managed content when used by an authorized sharing peer. Though usage is generally straightforward - access and modify content as you normally would - there are times when you will wish to deviate from standard user workflows and/or want to look deeper into SSProtect, at which point you may notice some subtle realities. This article describes these details for clarification.
As noted in other Topic articles, you are by default authorized to access content generated by your Organization Peers. This is universal and automatic, though of course you must obtain the materials from your peers using the sharing mechanism(s) employed by your team(s).
Third Party Trusts
Third Party Trusts grant external Users (Accounts) the right to access Organization content. Privileges are managed by Privileged Organization Users (or an Individual Account holder) as described in the article, Managing Third Party Trusts.
When Third Party Trusts are Fully Operational
When a Third Party Trust is configured, the cryptographic primitives are configured on the next Login for the trusted Third Party's Account. As a result, SSProtect will not perceive the Third Party Trust to be a trusted member of an Organization until after this event occurs.
This can lead to some confusion when using :Email, as it validates recipients as authorized Users and may in some cases not
:Email Third Party Trust Authorization Delays
SSProtect :Email is an Outlook Add-In that protects email message content, as described in the article, Getting Started with :Email. When you author a message to a recipient and protect content, upon delivery, :Email checks to be sure he/she will be able to read your protected message. If not, you are notified and given a choice to remove the recipient or continue (override).
Because of the above-noted delay in finalizing a Third Party Trust, those who have been recently configured, but who have not yet performed an SSProtect Login, will not be seen as authorized peers. Override any interim :Email prompt to send content to any such User, and when they perform Refresh Login, the Trust will be established and they will be able to access your message.
Impact to Access of Enabling/Disabling a Third Party Trust
When you Disable a Third Party Trust from the Sharing Policy display, the impact is immediate - any next action to access your managed content will be denied. However, if an existing item is being utilized, the Third Party Trust will be able to Save changes and, on closing the document, will continue to re-protect content (and generate a new version).
Of course, the reciprocal is also true - when you re-enable a Third Party Trust (remove the Disabled state), the target User's next attempt to access your managed content will succeed. Note that in this case no Refresh Login is required - the Trust is immediately re-enabled.
Releasing and Re-Protecting Shared Content
You can perform SSProtect Release operations (when independently permitted by your Account Policy) on shared content (using shift-right-click on a shared/managed item in File Explorer).
IMPORTANT: You cannot re-protect released shared materials - you must instead request that the original Owner protect and/or merge any changes you have made into managed content.
NOTE: This is an interim limitation that will be addressed in the near future, and it relates to the way item Ownership is managed in the current system (avoiding the potential for the sharing peer to end up taking Ownership of the item, which has a dramatic impact on Audit records and Disclosure Risk Reporting with :Respond).
Working Around Re-Protection Limitations
If it is your absolute (coordinated) intent to take ownership of a shared item you've Released, you can do so by viewing your Hostlist using the Managed Files/ Restore context menu item, then choosing Clean. You must acknowledge the intention to Clean the Shared List as indicated by the Prompt (choose Yes), which will force a Refresh Login operation, at which point you can then Protect the shared item you Released (and thus create a new Version 1 instance you "own").
Intermediate Hostlist Entries
When securely accessing shared files (by opening a shared document in its native application container), you maintain continuous protection over the content just as the original Owner would when he/she performs the same operation.
If, however, you display the Hostlist from the Managed Files/ Restore context menu item, you will see the managed file at or near the top of your list, in the (Opened) State. If you attempt to view Versions..., you will receive an error - and you will also not see this item in the Archivelist.
Once you finish reviewing/editing and close the managed item, it will be re-protected and the Hostlist instance will be removed from your list with no further evidence (other than entries in your :Access Reports, which are also displayed in the Owning Organization's Reports).
Shared Re-Protection Conversion Mode
When you access Shared Content, re-protection utilizes the file's Conversion Mode, not the Conversion Mode of your Account or even of the Owner's Account. This maintains the intended method for managing content in any file - and it requires that the Owner make changes to his/her own Conversion Mode, then re-protect the file with the modified Mode, before changes are applied for authorized sharing Users.
Re-protection Archive Quota Impact
When you access a managed shared item then save/close, it is re-protected, though it retains the Yellow File Explorer overlay icon (indicating that it is not natively-owned, as otherwise evidenced by the Red overlay icon).
Re-protection associates Quota space to the original Owner, when applicable (see above). If for some reason your actions end up requesting Quota Space not available for the Owning Account, the file will be re-protected using Optimized Offloading (and thus not available for Restoration from the :Recover KODiAC Archive). This event triggers email notification to the Owning Organization's Privileged Users (but only once until the Owning Account's Quota is modified).
:Recover Archive Access to Shared Content
As the Owner, or Creator, of a managed item, you can access :Recover Archive content for each version you create. In some cases, you can Restore content created by Sharing Peers and Third Party Trusts.
In fact, if you are using Double Conversion, you can Restore any item "created" by an authorized Organization Peer or even Third Party Trust. However, when using Hybrid Conversion, the default Conversion Mode, you can NOT access Third Party Trust information - it is not currently available for Restoration from the :Recover KODiAC Archive by either the Owner or by the Third Party Trust that created it. This will be changed in a future Release.
:Recover Restore Version
When performing a Restore operation on a Managed Item that has been recently accessed by an Organization Peer or Third Party Trust, SSProtect will identify the latest accessible Version and Restore it for you. Thus, if the last Version was a Hybrid-Converted item by a Third Party Trust, SSProtect will search past this item and Restore the one prior to it (so long as that one is accessible). Note, from the above information, that Organization Peer materials managed with Hybrid Conversion are accessible and, as such, any recent access by an Organization Peer will be a viable item for Restore.
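The Restore selection rule above, combined with the accessibility rules from the preceding sections, can be modeled as follows. This is an added illustration, not SSProtect code: the type and function names are hypothetical, the version history is constructed, and it assumes that versions re-protected with Optimized Offloading are searched past in the same way as inaccessible Third Party Trust versions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Illustrative model only: these names are assumptions, not SSProtect APIs.
OWNER, ORG_PEER, THIRD_PARTY = "owner", "org_peer", "third_party_trust"
HYBRID, DOUBLE = "hybrid", "double"

@dataclass(frozen=True)
class Version:
    number: int
    creator: str           # OWNER, ORG_PEER or THIRD_PARTY
    conversion: str        # the file's Conversion Mode: HYBRID or DOUBLE
    archived: bool = True  # False if re-protected with Optimized Offloading

def restorable(v: Version) -> bool:
    """Apply the accessibility rules stated in this article to one version."""
    if not v.archived:
        return False  # offloaded versions are not in the :Recover archive
    if v.conversion == HYBRID and v.creator == THIRD_PARTY:
        return False  # Hybrid + Third Party Trust: not currently restorable
    return True       # Double Conversion, or Hybrid by Owner/Organization Peer

def restore_plan(history: list[Version]) -> tuple[Version | None, list[Version]]:
    """Return (version to restore, newer versions that were searched past)."""
    skipped = []
    for v in sorted(history, key=lambda v: v.number, reverse=True):
        if restorable(v):
            return v, skipped
        skipped.append(v)
    return None, skipped

# Constructed history: Owner creates v1, a peer saves v2, a Third Party Trust saves v3.
SAMPLE_HISTORY = [
    Version(1, OWNER, HYBRID),
    Version(2, ORG_PEER, HYBRID),
    Version(3, THIRD_PARTY, HYBRID),
]

if __name__ == "__main__":
    chosen, skipped = restore_plan(SAMPLE_HISTORY)
    print("restore:", chosen.number, "skipped:", [v.number for v in skipped])
```

The skipped list makes the practical consequence visible: edits a Third Party Trust saved under Hybrid Conversion are not part of what a Restore returns.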