ZTCAP
sidebar_position: 1 title: UC-001: Conditional Policy Registration tags:
- SDF
UC-001: Conditional Policy Registration
Version Control
| version | Author | Date | Change log |
|---|---|---|---|
| 1.0 | Onamgyu | 2025-07-13 | First Draft |
| 2.0 | Song Hee-soo | 2026-03-06 | Modify Execution Policy Section |
Related Materials
1. Overview
This feature allows you to set conditional policies for documents within the organization to prevent information leakage and control user security behaviors.
2. Common Information
- actor: Administrator (a user who registers and edits policies)
- Prerequisites :
- The administrator has the authority to set conditional policies and is logged in.
- There are general users or specific user groups that are subject to the policy.
- Apps with conditional policies applied → Displayed in the [Linked App Management] menu**([Integration App Management] Menu Guide)**
- When applying the DRM document policy, there is an existing ID for the encryption type.
- When applying AIP document policies, existing AIP labels are registered.
3. Basic Flow
3-1. Trigger
- Click the 'Register Policy' button on the SDF Conditional Policy page.
3-2. Main Flow
[Policy Basic Information]
- Enter the policy name and description.(Feature ID: FS-001)
[Target Setting]
- Select the app to which the policy will be applied.(Feature ID: FS-002)
- [Integration App Management] Menu GuideProviding a guide UI for new registration and selection for users.
- Assign users to apply or exclude the policy.(Feature ID: FS-003)
- All users: All users within the organization are subject to this, and you can select users and groups to exclude.
- Select Users and Groups: Directly select the users and groups to which the policy will be applied or excluded.
[Document Properties]
- Select the document to which the policy will be applied.(Feature ID: FS-004)
- General Document
- Not Applicable: Policies are not applied to general documents.
- All general documents: Apply all general documents regarding supported file extensions to the policy.
- File Extension Specification: Applies the policy to general documents for the specified extension among the supported extensions.
- DRM Document
- Not Applicable: Policies are not applied to DRM documents.
- All DRM Documents: Apply all DRM documents regarding supported extensions to the policy.
- Designated DRM Document
- Check Creator Information: Apply policy based on whether the document creator and the logged-in user are the same.
- DRM Document Encryption Type: Register after entering DRM encryption type and policy ID.* The policy ID can be checked by accessing the CS console and web console.
- DAC: Enter Policy ID
- MAC: Enter Category ID
- GRADE: Enter Grade ID
- Specify Extension: Applies DRM documents for the specified extension among the supported extensions in the policy.
- AIP Document
- Not Applicable: Policies are not applied to AIP documents.
- All AIP Documents: Applies all AIP documents regarding supported extensions to the policy.
- Designated AIP Document
- Labeling: Select the AIP label to apply to the policy in the AIP document.([Label Lookup] Menu Guide)
- Specify Extension: Applies the AIP document for the specified extension among the supported extensions to the policy.
- General Document
- Select the security label for the document to which the policy will be applied.(Feature ID: FS-005)
- Label grade: A top-level classification criterion to distinguish the security levels of data such as confidential, sensitive, and public.
- Label: You can create and use multiple labels based on subcategory criteria under the registered grade.
- Selection Order: Select Label Grade → Select Sub-label
- If the label grade is not registered, registration is required on the Security 365 admin page. ※ Security 365 Admin Center → [Security Classification Labels] menu
- Set the target document to the document containing hidden information.(Feature ID: FS-006)
- Policies are applied to documents that contain registered hidden information.
- Hidden information is set as Key-Value pairs. Example:**SOFTCAMP(Key) – Product Planning Department(Value)**Policy actions for documents with embedded hidden information.
- Key value: 20 characters or less (regardless of Korean/English)
- Value: Up to 1000 characters (regardless of Korean/English)
- Select the document event where the policy will be applied.(Feature ID: FS-007)
- Encryption: When a user calls a conditional policy, the request is made based on an encryption event.
- Decryption: When a user calls a conditional policy, the request is based on a decryption event.
- Encapsulation Export: When a user invokes a conditional policy, the request is based on the encapsulation export event.
[Condition]
- Select the location (IP) condition.(Feature ID: FS-008)
- Operates based on the location information (IP) of the event requester
- All registered locations: Policies are applied under the condition of all registered locations, and you can select conditions to exclude specific locations.
- Select from registered locations: Directly select the location conditions to apply and exclude the policy.
- Select a time condition.(Feature ID: FS-009)
- SDF operates based on the time it receives the conversion event request.
- No time limit: Policies apply at all times, and you can select times to exclude from the registered hours.
- Select from registered time: Directly select the time conditions to apply and exclude the policy.
[Execution Policy]
- Select an execution policy. → Below '4. Detailed Flow by Execution Policy' (Feature ID: FS-010)
- DRM encryption / AIP encryption / full decryption / partial decryption / encapsulated export / hiding / security level setting / exception pass
[Settings]
- Select whether to enable the policy and the validity period.(Feature ID: FS-011)
- Policy usage setting (Use - Do not use) → When 'Do not use' is selected, the policy will not operate.
- Expiration date setting → The default value is not used. Unlimited setting is also possible.
- Click the 'Register' button to register the conditional policy.
3-3. Exception Flow
[Policy Basic Information]
- If the policy name is blank → Registration not possible. Display notification to the user.
- Character limit for description (e.g., 200 characters) → Cannot type beyond the character limit.
[Target Setting]
- If the linked app is not registered → Policy registration not possible, guide to register the app first.
- If the targets for inclusion and exclusion are set the same → Notify that inclusion and exclusion users cannot overlap.
[Document Properties]
- If proceeding without selecting a general/DRM/AIP document → Display a message indicating that selecting a target document is required.
- If the AIP label is not registered → Guide to first register the AIP label in Microsoft Purview.
- When entering hidden information
- If the Key value exceeds 20 characters → Restriction Notice
- If the Value exceeds 1000 characters → Limitation Notice
[Condition]
- When an invalid IP value is entered under the location (IP) condition → Registration not possible and error displayed
- If the start time is later than the end time when entering time conditions → "The time condition is not valid."
[Execution Policy]
- If no execution policy is selected → Policy registration not possible, display a message indicating that selecting an execution policy is mandatory.
[Settings]
- When setting the policy validity period, if the start date is later than the expiration date → Unable to save and guidance message
- If the policy is saved as "Not in use" → It is registered normally, but does not actually function (displayed as inactive in the policy list)
3-4. Postconditions
-
When the policy is successfully registered:
- New policies are displayed on the policy list screen.
- Reflecting policy status (enabled/disabled, validity period, etc.)
- This policy is applicable immediately (however, it will not function if in "Disabled" state).
- Registered policies can be modified or deleted in the admin console.
-
When the policy fails (unable to save):
- Registration process is interrupted, and an error message/validation guidance is displayed on the screen.
- Users can attempt to register again after correcting the incorrect values.
-
When modifying/deleting a policy:
- The revised policy will be implemented immediately.
- The policy will no longer function upon deletion and will be removed from the policy list.
4. Detailed Flow by Execution Policy
The following execution policy is the criteria that has been implemented.
4-1 DRM Encryption
Document encryption with the selected DRM type
Trigger
- Selecting 'DRM Encryption' Enforcement Policy at the Enforcement Policy Stage
Main Flow
- Select the DRM encryption type and enter the corresponding ID value.
- DAC (ACL): Enter the policy ID value
- MAC: Enter category ID
- GRADE: Enter the grade ID
- For DAC types, set document permissions.
- Sets the reading feature, editing feature, decryption feature, SOM file export feature, print output, print marking, and permission change feature for the document.
- Read permissions are required to be set.
- Sets whether to use the forced encryption policy.
- Specify the SCI server ID.
Exception Flow
- If the ID value is not entered → Unable to save, guidance on entering the ID value
Postconditions
- When registering normally
- The DRM encryption policy has been added to the policy list.
- The corresponding DRM encryption policy is applied when a document event occurs.
- Registration Failure
- The policy will not be saved, and an error message screen will be displayed.
- System Operation After Saving
- When a document event occurs, the document is controlled according to the selected DRM encryption type and permission settings.
- If you deactivate or delete the policy, the DRM encryption operation will stop immediately.
4-2 AIP Encryption
Document Encryption with Selected AIP (MIP) Label
Trigger
- Selecting 'AIP Encryption' enforcement policy in the enforcement policy stage
Main Flow
- Select the AIP label.
- Select a label to apply from the registered AIP labels.
Exception Flow
- When proceeding without selecting a label→ Policy registration not possible, guidance on label selection
- If there are no registered labels→ Policy registration not possible, guide to register AIP labels in Microsoft Purview
- When selecting a deleted or disabled label→ Unable to save, notification about deletion or deactivation
- System error occurs when selecting a label (e.g., AIP service integration error, API call failure)→ Policy Registration Suspension, Notification on AIP Service Integration Error
Postconditions
- When registering normally
- The selected AIP label is saved in the policy.
- AIP encryption is performed on documents to which the policy is applied, and the corresponding label is assigned to the document metadata.
- You can check policy information with the AIP label on the policy list screen.
- Registration Failure
- Policy is not saved.
- Guide the user on the cause of the error (unselected, incorrect label, system error, etc.)
- System Operation After Saving
- The selected AIP label is automatically applied during document conversion/distribution.
- If you deactivate or delete the policy, AIP encryption will not be applied to subsequent documents.
- Existing encrypted documents are not affected (the policy applies to new events only)
4-3 Culturalization
Remove all encryption layers at once, including double encryption (AIP+DRM) documents.
Trigger
- Selecting 'Normalization' Execution Policy in the Execution Policy Stage
Main Flow
- Possible Cases
| case | Target Document | Processing Steps | Result Document |
|---|---|---|---|
| 1 | DRM Document | DRM Decryption | General Document |
| 2 | AIP Document | AIP Decryption | General Document |
| 3 | AIP+DRM Document | DRM Decryption → AIP Decryption | General Document |
Exception Flow
- When processing AIP+DRM documents
- DRM decryption was successful, but AIP decryption failed → Remains in AIP document status, error log recorded.
- AIP decryption was successful, but DRM decryption failed → Remains in DRM document status, error log recorded
- If either of the two steps fails, it will not be converted to a complete normalization (regular document).
Postconditions
- When registering and executing normally
- DRM Document → DRM Decryption → General Document
- AIP Document → AIP Decryption → General Document
- AIP+DRM Document → AIP Decryption after DRM Decryption → Final General Document
- The result document is saved in a standard document format at the specified storage location.
- Success history is recorded in the log (document ID, user, time, processing stage, final status, etc.)
- On Execution Failure
- The document remains in its original state (maintaining DRM/AIP encryption)
- Failure reasons are logged (insufficient permissions, authentication errors, partial failures, etc.)
- In case of partial failure (e.g., only DRM is released and AIP fails) → Document status remains in intermediate stage (AIP document), administrator confirmation required.
- When Maintaining/Deleting Policies
- If the policy is in an active state, the full decryption execution continues to apply.
- If the policy is deactivated/deleted, full decryption will not be performed for subsequent events.
4-4 Decryption
Remove only the external encryption layer for the target document.
Trigger
- Select 'Decryption' execution policy in the execution policy stage
Main Flow
- Possible Cases
| case | Target Document | Processing Steps | Result Document |
|---|---|---|---|
| 1 | DRM Document | DRM Decryption | General Document |
| 2 | AIP Document | AIP Decryption | General Document |
| 3 | AIP+DRM Document (Dual Encryption Document) | DRM Decryption Only | AIP Document |
Exception Flow
- When processing AIP+DRM documents→ “This double encryption document will only be released from DRM” notice
Postconditions
- When registering and executing normally
- DRM document → Converted to a regular document after decryption
- AIP document → converted to a decrypted regular document
- AIP+DRM Document → DRM decryption is performed, leaving it in the AIP document state.
- Decryption success history is recorded in the log (document ID, user, time, result status, etc.)
- System Operation After Saving
- The specified decryption logic is automatically executed every time a conditional policy is triggered.
- The decrypted document is saved in the specified storage location and can be used as a regular document thereafter.
- If the policy is deactivated or deleted, decryption will not be performed on events that occur afterward.
4-5 Encapsulation Export
Exporting the generated SOM file and setting permissions ※**SOM file stands for Secure Open Media.**To safely deliver internal documents (both secure documents and general documents) to external users who do not have document security programs installed.
Trigger
- Selecting 'Export Encapsulation' Event in the Document Event Selection Step
- Select 'Export Capsule' Execution Policy in the Execution Policy Stage
Main Flow
- Allows and blocks the "Save As" feature.
- Allows and blocks the reading (viewing) function.
- If allowed, enter the number of read function calls.
- Allows and blocks the print function.
- If allowed, enter the number of print function usages.
- Allows and blocks the deletion feature.
- If allowed, set the destruction validity period.
- Allows and blocks OLESOM Viewer features.
Exception Flow
- Save As
- When saving with a different name allowed, the decryption permission is also granted automatically, so it is necessary to inform that the decryption permission is also granted when saving with a different name allowed.
- Reading (Viewing)
- Input range: 1~99
- Unlimited is an additional option.
- Exception → None (Values outside the range cannot be input)
- Print
- Input range: 1~10
- "0 times = Block" is selected from the block options, not a numeric input.
- Exception → None (Input of out-of-range values is not allowed)
- Destruction
- When allowing destruction, a validity period must be selected (default provided)
- Unable to select past dates
Postconditions
- When executed normally
- Creating SOM files with specified default values or user-selected range values
- Exportable with all permissions/counts/durations settings reflected.
- Logging Export Events and Permission Values
- On Execution Failure
- SOM file creation failed
- Logging Failure Causes (System Failures, Network Errors, etc.)
- When Maintaining/Deleting Policies
- Activation → Continue to apply the same conditions
- Deactivation/Deletion → New SOM creation not possible, existing SOM files continue to operate independently.
4-6 Application of Document Concealment Information
Embed metadata such as the source, classification, and purpose of the document within the document itself.
Trigger
- Select 'Apply Hidden Information to Document' enforcement policy in the enforcement policy stage.
Main Flow
- Enter the Key value of the hidden information.
- Enter the Value of the hidden information.
- Click the register button.
Exception Flow
- Key value
- Input limit: 20 characters or less (regardless of Korean/English)
- Value value
- Input limit: 1000 characters or less (regardless of Korean/English)
Postconditions
- When registering normally
- The entered Key-Value pair is stored in the policy.
- Hidden information is inserted into documents to which this policy applies.
- Record invisibly in document metadata or designated areas
- Hidden information is not directly exposed to the user during document decryption/viewing.
- The inserted hidden information will be laterTracking · Audit · Search Conditionscan be utilized as
- Policy registration/application details (Document ID, Key, Value, application time) are recorded in the log.
- On Execution Failure
- Key·Value pair is not stored in the policy.
- No hidden information is inserted into the document.
- The reason for failure is recorded in the log and an error notification is sent to the administrator.
- When Maintaining/Deleting Policies
- While the policy is active, the same Key-Value hidden information continues to apply.
- After deactivating/deleting the policy, hidden information will not be inserted into new documents.
- Documents that already have hidden information inserted will not be affected.
4-7 Security Level Settings
Apply security grades and security labels to distinguish the security level of the data in the target document.
Trigger
- Select 'Security Level Setting' Execution Policy in the Execution Policy Stage
Main Flow
- Select the **Security Level** to apply to the document.
- Select from the list of security levels registered in the Security 365 Management Center.
- Unique colors are assigned by grade (visually distinguished in the UI)
- Select **Security Label** under the selected grade.
- You can create and use multiple sub-labels for each grade.
- You can set the default selection grade.
- Label application orderSecurity Level → Sub-Security LabelWe will proceed in order.
- If the security level is not registered, it must be registered on the Security 365 admin page.
- Security 365 Management Center → [Security Classification Label] Menu
Exception Flow
- Security Level
- If there is no registered security level → Policy registration not possible, registration must be done first on the admin page.
- Sub Label
- If there are no sub-labels for the corresponding grade → Policy registration not possible, registration must be done first on the admin page.
Postconditions
- When registering normally
- The selected security level and label are stored in the policy.
- The security label is inserted into the policy application document.
- The applied security label is reflected in the document properties and tracking/audit records.
- Policy registration/application details (document ID, grade, label, application time) are recorded in the log.
- On Execution Failure
- The document does not have a security label applied.
- Failure reasons (no grade, label not selected, system error, etc.) are recorded in the log.
- Error Notification to Administrator
- When Maintaining/Deleting Policies
- The selected label remains applied while the policy is in an active state.
- After policy deactivation/deletion, labels will not be applied to new documents.
- The labels of the documents that have already been applied will remain unchanged.
4-8 Maintain State
It allows the original operation to be performed as is, skipping the application of other conditional policies for documents that match the criteria.
Trigger
- Select 'Maintain Status' execution policy in the execution policy stage.
Main Flow
- No additional configuration required
- For documents/users/conditions that match this policy, no other conditional policies will apply, and the original behavior will be maintained.
Exception Flow
- If the execution policy save is missing due to a system error→ Policy registration failed, error message output
Postconditions
- When registering normally
- The policy is registered in the policy list.
- When a document event matching the specified conditions occurs, exceptions are handled, and other policies are not applied.
- The applicability of exceptions is determined by policy priorities.
- Registration Failure
- Policy not saved
- Guide the user on the cause of the error
- System Operation After Saving
- Bypassing conditional policy application for matching documents when the policy is in an active state.
- When a policy is deactivated/deleted, the corresponding exception handling is released, allowing other policies to be applied normally.