To ensure compliance with DIBCAC guidance, Exostar applies a “deny by default” approach, granting only the minimum privileges necessary. The Download Permissions feature allows organizations to control file download access at both the enclave level and the individual team/channel level.
By default, all team members are granted SharePoint Edit permission level, which includes the ability to download and print files. When data protection requirements necessitate it, you can block file downloads to protect your organization’s CUI (Controlled Unclassified Information) data.
When downloads are blocked, users can only access files through their browser, without the ability to download or print them. This blocking is implemented at the site level and affects all users with access to the site.
Permission Control Levels
Download permissions can be managed at two levels:
- Enclave Level: Sponsor Administrators can configure the Block download by default setting in Administration > Settings. This setting determines whether downloads are automatically blocked for all newly created teams and private channels.
- Team/Channel Level: Team Managers can review and adjust download permissions for each team or private channel individually via Manage Teams > Permissions.
Sponsor Admin: Manage Download Permissions
The Block download by default setting allows Sponsor Admins to automatically restrict downloads for all newly created teams and private channels in their enclave. To access the enclave-wide settings to manage download permissions:
1. Navigate to the Administration section.
2. Click Settings in the left-hand navigation menu to display configurable options for the enclave.
3. Locate the Block download by default setting. Click the toggle switch to turn the setting:
- ON (blue): Any new team or private channel created in your enclave will automatically have download blocking enabled. Users will be notified during team/channel creation that download restrictions have been applied.
- OFF (gray): New teams and private channels will be created with downloads permitted by default. Team Managers can still choose to block downloads for individual teams/channels through the Permissions tab.
IMPORTANT! The change takes effect immediately for any subsequently created teams or private channels. This setting only affects newly created teams and private channels. Existing teams and channels retain their current download permission settings. To modify permissions for existing teams, use the Permissions tab under Manage Teams.
Team Managers: Manage Download Permissions
This section provides access information, more in-depth information on the permissions table, and how to manage blocked downloads for a site.
Team Manager: Access Permissions
To manage download permissions for individual teams and channels as a Team Manager:
1. Navigate to Manage Teams.
2. Use the Choose a team dropdown at the top of the page to select the team you want to manage.
3. Click on Permissions in the left navigation menu.
Permissions Table
The Permissions page displays a table listing all sites associated with your team. Each row represents a channel or site where you can manage download permissions. The table displays the following information:
-
- Name: The name of the channel or site.
- Type: Indicates whether the channel is All Standard Channels (the main team site) or a Private Channel with its own separate SharePoint site.
- Site URL: The SharePoint site URL where files are stored.
- Block Download: A toggle switch to enable or disable download blocking for the site. When ON (blue), downloads are blocked for all users except those on the permitted users list.
- Permitted Users: Shows the number of users who have been granted download exceptions. Click Manage to view or modify the list of permitted users.
Block/Allow Downloads for a Site
To block or allow file downloads for a specific channel or site:
1. Locate the channel in the Permissions table.
2. Click the toggle switch in the Block Download column to turn it ON (the toggle will display blue) or OFF (the toggle will display gray).
3. Click the Save button at the bottom right of the page to apply your changes.
IMPORTANT! You must click Save to apply any changes you make. If you navigate away without saving, your changes will be lost. You can click Discard Changes to revert any unsaved modifications.
Manage Permitted Users
When downloads are blocked for a site, you can allow exceptions for specific users who require download access. The permitted users list allows you to grant download privileges to individual team or channel members while keeping downloads blocked for everyone else.
Add Permitted Users
1. Click the Manage link in the Permitted Users column for the channel you want to configure to expand the section, showing the current list of users with download permissions.
2. Click the Add User (+) button.
3. Search for and select the desired user
NOTE: The user will be added to the permitted users list with their email address and name displayed.
Remove Permitted Users
To revoke download privileges for a user:
1. Click the Manage link for the appropriate channel.
2. Locate the user in the permitted users list.
3. Click Remove in the Action column next to the user’s name.
Understand the Warning Message
If you add users to the permitted users list but have not enabled download blocking for that site, you will see a warning message:
⚠ **Download is not blocked. All users can download.
This warning indicates the permitted user list is only enforced when downloads are blocked for the site. To ensure only permitted users can download, you must turn ON the Block Download toggle for that site and click Save.
Best Practices
Enable “Block download by default” at the enclave level: For organizations handling CUI data, consider enabling the enclave-wide setting to ensure all new teams are protected by default.
Review your data protection requirements: Before blocking downloads, understand which sites contain sensitive information that requires download restrictions.
Communicate with your team: Notify team members before enabling download blocking so they understand the new restrictions and can request exceptions if needed.
Use permitted users sparingly: Only grant download exceptions to users who have a legitimate business need to download files offline.
Regularly audit permissions: Periodically review the permitted users list to ensure that only appropriate users have download access.
Remember to save: Always click the Save button after making changes. Unsaved changes will be lost if you navigate away from the page.
Troubleshooting
| Issue | Solution |
|---|---|
| New teams are not having downloads blocked automatically | Verify the Block download by default setting is enabled in Administration > Settings. This setting must be ON for new teams to automatically have download blocking enabled. |
| Changes are not being applied | Make sure you click the Save button after making changes. Use the Refresh button to verify the current state. |
| A permitted user still cannot download | Verify the user has been added to the correct channel’s permitted users list. Each private channel has its own site and permissions. |
| Users can still download despite blocking being enabled | Check if the user is on the permitted users list. Also ensure changes have been saved. Use the Refresh button to confirm the current settings. |
| Warning icon displays next to a channel | This indicates users have been added to the permitted list, but download blocking is not enabled for that site. Enable the Block Download toggle if you want to restrict downloads. |
| SharePoint site has not been created yet | Navigate to the Team and channel and click on the Files tab to force provisioning of the SharePoint site. |
| Download restriction is not immediately active | It may take several minutes for the restriction to be fully applied. The toggle will remain disabled until permissions are fully applied. Once complete, you will see a banner notification on the SharePoint site. |