## Shared Links Access Controls
#### last updated on Sept 20, 2021
Several Link Security tab settings and organization policies interact to determine who can use each link. Those settings and policies are explained here.
\\
This page discusses the details of the "Who can access" list, passwords and verification codes. A more general discussion of how to use the Shared Links feature is [[filesharing/sharing_with_links_usage|here]] and instructions for configuring the Shared Links feature are [[filesharing/sharing_with_links_configuration|here]].
\\
### Who Can Access
The "Who can access" list controls who will be able to access the shared link. There are three kinds of intended link users:
- Named guest recipients - identified on the list by their email addresses. A pull-down list and filter feature makes it easy to select email addresses from the link creator's Access Anywhere contacts.
- Any logged in user - identified on the list by a selectable option. This option covers all Access Anywhere accounts belonging to the link creator’s organization, including external users as well as org. admin and org. members.
- Named Access Anywhere users - identified by their email addresses, which are associated with Access Anywhere accounts belonging to the link creator’s organization. This can include external users as well as org. admin and org. members. A pull-down list and filter feature makes it easy to select named Access Anywhere users.
“Any logged in user” can only be used by itself. Named guest recipients and named Access Anywhere users can be combined on the list.
If the list is left empty then there are no explicit identity-based restrictions on who can use the link. Note, however, that logging in is required to use a link in some cases where the link was created with an empty "Who can access" list.
### Passwords and Verification Codes
Verification codes provide better security than passwords. Access Anywhere recommends using verification codes instead of passwords when circumstances allow and Access Anywhere's user interface encourages the use of verification codes over passwords.
The rules for when passwords and verification codes can, cannot or must be used are determined by the contents of the "Who can access" list and the settings for the "Enforce Passwords" and "Enforce recipient authentication" policies. They are summarized in this table:
\\
\\
{{ :filesharing:password_and_verification_code_rules.png?800 |}}
\\
#### Passwords
A password is a string of characters that is associated with a link. There is only one password per link, and all link users share that password.
Passwords cannot be used when the “Who can access” list contains any named users.
#### Verification Codes
Verification codes are six-digit, pseudo-random, time-based access codes that are delivered to prospective link users at their email addresses. Verification codes are only used when at least one named guest has been included on the “Who can access” list. Verification codes are required when there are both at least one guest and at least one named user on the “Who can access” list.
Verification codes are sent when the link holder tries to use the link. Verification codes for a link will only be sent to an email address that was provided in the link’s “Who can access” list. If Access Anywhere is able to identify the prospective link user from the link or by information that is attached to the link then Access Anywhere will send the verification code automatically. If the "Who can access" list allows the link to be used by more than one recipient and Access Anywhere is unable to identify the prospective link user by information that is attached to the link then Access Anywhere will request the prospective link user’s email address. In that case Access Anywhere will compare the email address supplied by the prospective user to the list of email addresses associated with the link, and it will only send a verification code if the prospective user’s email address is on the list.
If a verification code is required for guests and a user is on the “Who can access” list and she is logged in then she can use the link without a verification code. If, however, a verification code is required for guests and a user is on the “Who can access” list and she is not logged in then she can use the link by having a verification code sent to her Access Anywhere account email address.
#### Other Points to Note About Verification Codes and Passwords
Verification codes and passwords are mutually exclusive; you cannot create a link with both a verification code and a password.
If you include any guests on the "Who can access" list and set a password then anyone who has the password can use the link.
##### Org. Admins and Members with the Admin Role
When a link has been created for one or more named users only (in which case no password can be set), the org. admin and members with the Admin role will be able to use the link whether or not they are among the named users.
When a link has been created for one or more named users and for one or more guests (in which case a verification code is required), the org. admin and users with the Admin role will not be able to use the link unless they are among the named users.
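The use-time rules above (logged-in named users, emailed codes, and the admin exception) can be modelled as one decision function. This is an added example, not Access Anywhere code; `link_decision` and its parameters are hypothetical names, and it assumes a link that names recipients and uses verification codes whenever a guest is named.

```python
def link_decision(guests, users, email=None, logged_in=False,
                  is_admin=False, code_ok=False):
    """Model one attempt to use a link that has named recipients.

    guests / users: email addresses on the "Who can access" list.
    email: the requester's address (the account email when logged in).
    Returns "allow", "send_code" or "deny" ("deny" means no access
    for the attempt as presented).
    """
    guests, users = set(guests), set(users)
    named_user = email in users

    # A named user who is logged in never needs a verification code.
    if logged_in and named_user:
        return "allow"

    # Org. admin / Admin role: implicit access only when the link names
    # users and no guests. Adding one guest removes this implicit access.
    if logged_in and is_admin and not guests:
        return "allow"

    # Codes exist only when a guest is named, and are sent only to
    # addresses on the list (a named user's account email included).
    if guests and email in (guests | users):
        return "allow" if code_ok else "send_code"

    # Not on the list, or no path described on the page for this attempt.
    return "deny"


# Constructed sample list for illustration.
GUESTS = ["guest@example.org"]
USERS = ["user@example.com"]
```

The case worth checking in a review is the third test below: the same admin who can open a named-user-only link is denied once a guest is added to that link.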
## Policy Settings
Links work according to the policy settings that were in place when the links were created.
### Enforce Passwords
When links are created with this policy set to True:
* Link users must present a password or a verification code or be logged in to Access Anywhere as a user in the org. of the link creator.
* Each link must have a password unless a user and/or a guest is named in which case links can be created without passwords.
* If a link is created without a password and a guest is a recipient then the link must have an authentication code.
\\
Note that if a link is created without a password although "Enforce passwords" is in effect and a named user is a recipient, then the link can be used by that user.
\\
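The creation-time rules stated in "Passwords", "Verification Codes" and "Enforce Passwords" can be checked mechanically, as in this added example (not Access Anywhere code). `LinkConfig` and `validate_link` are hypothetical names; the "Any logged in user" option and the "Enforce recipient authentication" policy are not modelled.

```python
from dataclasses import dataclass


@dataclass
class LinkConfig:
    guests: tuple = ()               # named guest email addresses
    users: tuple = ()                # named Access Anywhere user addresses
    password: bool = False           # link carries one shared password
    verification_code: bool = False  # link uses emailed verification codes


def validate_link(cfg, enforce_passwords=False):
    """Return the list of rule violations; an empty list means allowed."""
    errors = []
    if cfg.password and cfg.verification_code:
        errors.append("password and verification code are mutually exclusive")
    if cfg.password and cfg.users:
        errors.append("password not allowed when a named user is listed")
    if cfg.verification_code and not cfg.guests:
        errors.append("verification codes need at least one named guest")
    if cfg.guests and cfg.users and not cfg.verification_code:
        errors.append("guest plus named user requires a verification code")
    if enforce_passwords:
        # A password is mandatory unless a user and/or a guest is named.
        if not cfg.guests and not cfg.users and not cfg.password:
            errors.append("Enforce Passwords: unnamed link needs a password")
        # A guest link created without a password must carry a code.
        if cfg.guests and not cfg.password and not cfg.verification_code:
            errors.append("Enforce Passwords: guest link needs a code")
    return errors


# Constructed sample addresses for illustration.
G = ("guest@example.org",)
U = ("user@example.com",)
```

Note that a guest link with a shared password passes validation even under "Enforce Passwords"; as stated above, anyone who has that password can then use the link.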
### Enforce Recipient Authentication
This policy requires that each link user provides evidence of being one of the intended users from the "Who can access" list. An org. user evidences this by being logged in when she uses the link or, if the link provides validation codes, by presenting a validation code that was emailed to her Access Anywhere email address. Guests evidence this by presenting a validation code that was emailed to an address on the "Who can access" list.
#### Behavior When "Enforce recipient authentication" is Used With an Empty "Who can access" List
If "Enforce recipient authentication" is on when a link is created and the "Who can access" list is empty and the link does not have a password then:
* Only org. users can use the link. (Anyone who is logged in to a different org. will not be allowed to use the link.)
* Org. users who are logged in can use the link.
* Anyone who is not logged in and tries to use the link will be prompted to log in. Upon successful login to the org. they will gain access to the file or folder associated with the link.
If "Enforce recipient authentication" is on when a link is created and the "Who can access" list is empty and the link has a password then:
* Only org. users can use the link. (Anyone who is logged in to a different org. will not be allowed to use the link.)
* Org. users who are logged in can use the link if they present the password.
  * Anyone who is not logged in and tries to use the link will be prompted to log in. Upon successful login to the org., if they present the password, they will gain access to the file or folder associated with the link.
If both "Enforce recipient authentication" and “Enforce Passwords” are on when a link is created and the "Who can access" list is empty and the link has a password (required) then:
* Only org. users can use the link. (Anyone who is logged in to a different org. will not be allowed to use the link.)
* Org. users who are logged in can use the link if they present the password.
  * Anyone who is not logged in and tries to use the link will be prompted to log in. Upon successful login to the org., if they present the password, they will gain access to the file or folder associated with the link.