Using Security Classifications with Box Governance

With security classification, you can classify files based on their confidentiality and enforce security policies associated with that confidentiality level. This helps you protect sensitive information and encourage smarter behavior when people handle that content.



Note: Security classification is a paid, add-on feature available to Business Plus customers and Enterprise customers. 

Creating a Classification Label


To create a new classification, navigate to the Governance tab of the Admin Console, then open the Classification tab. Click Create in the upper-right to get started.

 Screen Shot 2018-09-24 at 11.11.19 AM.png
Now you can start setting up your new classification label.
 Screen Shot 2018-09-24 at 2.04.54 PM.png
  • Begin by naming your classification label. This name must be unique, and have a maximum of 40 characters.
  • If you would like classified files to display a visual indicator when selected or previewed, enable the display indicator. You can also provide an optional advisory message that will be shown when a classified file is selected or previewed, describing the classification in further detail for your end users. If enabled, the indicator will appear in the right hand sidebar, and look like this (with your customized text):
classification - 3
  • You also have the option to apply shared link restrictions on classified files. Select one of the following three levels of shared link restrictions available:
    • Public - No restriction on sharing the classified file
    • Company and Collaborators only - No external sharing of the classified file
    • Collaborators only - No company wide or external sharing of the classified file
  • Once you are finished modifying your classification policy settings, click Create
  • You cannot rename a classification once it has been created, and existing classifications cannot be deleted. Confirm that you understand these restrictions, then click Create to proceed. 
    Screen Shot 2018-09-24 at 2.06.41 PM.png
  • You have successfully created a classification label! Repeat the same steps to create more classification labels and policies.



View/Edit Classification Labels


To Edit a Classification Label:
  • Navigate to the Governance tab of the Admin Console, then open the Classification tab.
  • Click Edit to the right of an existing Classification to edit it. Note that you cannot rename or delete an existing classification.

Note: Do NOT edit classification labels from the Content > Metadata tab of the Admin Console.



Screen Shot 2018-10-01 at 9.56.35 AM.png 

Reporting on Security Classification


Usage Logs and Events Reports will show a full audit trail of the files whose classification attributes have been changed within the specified date range.


Searching for Classified Content 

Although Box cannot run a report to display all classified content, you can make use of Box's search functionality to achieve the same purpose. An administrator or co-administrator with sufficient privileges to search enterprise wide content can search content classified with a specific label. For example, to search for all content that has been classified as Confidential,
  • Click the Advanced Search icon
  • Select the Metadata tab
  • Select Classification from the Metadata Template drop down menu
  • Select the appropriate Confidential from the Classification drop down menu
  • Click the Search Icon or hit Enter to search.  

Screen Shot 2018-10-01 at 10.00.59 AM.png


Automatic Classification with CASB/DLP partners


Box customers who would like to make use of existing Data Loss Prevention policies can take advantage of our Partner integrations. Box Trust Partners Skyhigh, Netskope, and Aperture have integrated with Box APIs to let customers take advantage of their DLP or CASB technologies. Combining Box security classification with a partner DLP or CASB product will enable customers to automate the manual task of classifying documents. Customers can take advantage of DLP policies associated with sensitive information such as PII, HIPAA, PCI etc. to automatically classify such documents and update Box via the integration. The following diagrams shows how Box integration with Partner products can help you automatically classify content in Box.
classification - 7
classification - 8



Who can administrate security classification?
In order to have access to create and edit classifications, a person must have co-administrative privileges to at least Run new reports, View Policies, Create, Edit, and Delete Policies, and Create and Edit Metadata.
classification - 6
What roles can modify security classification metadata?

The following file permissions can both view and edit classification metadata:

  • Owner
  • Co-Owner
  • Editor
  • Viewer Uploader
  • Previewer Uploader
  • Uploader
  • The following file permissions can only view and cannot edit:
  • Viewer
  • Previewer
What roles can change a security classification that was previously defined (machine or manual)?
We don't distinguish between defining classification and changing classification at this time. So anyone with edit access (#1) can both define and modify classification

Can we use classification and another metadata template at the same time for one document?

Yes, a file can have multiple metadata templates and a classification label at the same time.


Is there a limit to the number of classification levels you can create?



What if you create a label but don't enable "display indicator" -- will a user see anything?

Yes, the label will still appear in the right hand rail. What will not show is the banner when you click to preview a file.


How can I prevent classified files from being accessed via a less restrictive folder-level shared link?

There are two ways to restrict classified files from being accessed via a folder-level shared link. 

  • Restrict Shared Links: By restricting shared links to 'Files Only', files in your Enterprise will follow the shared link settings that are designated (in compliance with any Security Classification applied at the individual file-level). Shared links for folders can still be enabled, but will only be accessible by invited Collaborators in the folder. 
  • Integrate with CASB Partner: Integrate with a CASB Partner in order to further prevent sensitive files from being shared via a folder-level shared link. 
Version history
Revision #:
20 of 20
Last update:
‎12-03-2018 01:01 PM
Updated by:
Labels (1)