ZTCAP - Improvement of Execution Policy Structure
| Version | Author | Date | Change log |
|---|---|---|---|
| 1.0 | Song Hee-soo | 2026-03-03 | First Draft |
| 2.0 | Song Hee-soo | 2026-03-04 | Event-dependent structure + group selection method improvement |
| 3.0 | Song Hee-soo | 2026-03-10 | Improved with 5 equal group structures, removed "maintain state", added conflict combination validation |
| 4.0 | Song Hee-soo | 2026-03-11 | Integrate encryption/decryption into a single group, changing to a structure of 4 groups. |
1. Feature Overview
When setting conditional policies, the execution policy changes to a structure of 4 independent groups.
Each group can independently control allow/block at an equal level. Multiple selection between groups, combined with single selection within a group, enables flexible policy combinations.
Core Design Principles
- Document Events (Encryption/Decryption/Encapsulation Export) = the action requested by the user/app (trigger)
- Execution Policy = the actual action the system performs in response to that request (response)
- The 4 groups operate independently at an equal level (no distinction between main operation / auxiliary operation)
- Encryption and decryption are single-selection options within the same group, which structurally prevents conflicting combinations.
Operational Scenario
- Accessing the Execution Policy Section in the Conditional Policy Creation/Modification Screen
- All four groups are displayed, and toggle settings for allow/block are set for each group.
- Selecting and Setting Detailed Options Within the Group When Allowed
2. Current Provided Features (AS-IS)
Constraints
- The execution policy is a single selection method.
- Only one execution policy can be applied (mutually exclusive structure)
- Combination of policies not applicable
- Additional actions (hidden information, security labels) are mixed at the same level as the main actions (encryption, decryption), but only one can be selected.
- "Maintaining state" essentially means blocking, but it is not intuitive.
3. Overview of Improvement Features (TO-BE)
Key Improvements
- Execution policy structured as 4 independent groups (equal level)
- Between groups: multiple selection allowed (independent allow/block)
- Within the group: single selection (mutually exclusive options)
- Encryption/decryption integrated into a single group → conflicts prevented by single selection within the group
- "Maintain State" removed → Block All Groups = Maintain State
4. Execution Policy Group Structure
4.1 Group Classification
| Group | Included Items | Selection within the group | Allow/Deny |
|---|---|---|---|
| 1. Encryption and Decryption | Encryption with DRM, encryption with AIP, decryption, plaintext conversion | Single selection (choose 1) | toggle |
| 2. Capsule Export | Capsule Export | Single Item (Detailed Permission Settings) | toggle |
| 3. Document Rating Assignment | Security Level | Grade Selection | toggle |
| 4. Insertion of Hidden Information | Inserting Key/Value Metadata | Key/Value Input | toggle |
All groups operate independently at an equal level. There is no distinction between main operation and auxiliary operation. Encryption and decryption are single selections within the same group, so simultaneous application is structurally impossible.
4.2 Selection Rules
Between groups: multi-select (independent allow/block toggle) / Within the group: single choice (radio)
1. Encryption and Decryption — Allow / Block Toggle
- Within the group: single selection (radio)
- ○ Encryption with DRM → Detailed settings: Encryption type (DAC/MAC/GRADE), Policy ID, Document permissions
- ○ Encrypt with AIP → Detailed Settings: Select AIP Label
- ○ Decryption → Remove only the external encryption layer
- ○ Plaintext conversion → Fully release all encryption layers
2. Capsule Export — Allow / Block Toggle
- Detailed settings when allowed:
- Save As: Allow / Block (Automatically grant password decryption permission when allowed)
- Reading (Viewing): Allow / Block, Set Count (1~99 or Unlimited)
- Print: Allow / Block, Count Setting (1~10)
- Destruction: Allow / Block, Set Expiration Date
- OLESOM Viewer: Allow / Block
3. Document Rating - Allow / Block Toggle
- Detailed settings when allowed:
- Select Security Level → List of registered levels in the Security365 portal
4. Hidden Information Insertion — Allow / Block Toggle
- Detailed settings when allowed:
- Enter Key (up to 20 characters)
- Enter Value (up to 1000 characters)
- Add Key-Value pair with the Register button
- Registered items are displayed as a list and can be deleted individually.
4.3 Reason for Single Selection Within Group (Mutually Exclusive)
| Group | Mutual Exclusivity Reasons |
|---|---|
| 1. Encryption and Decryption | DRM encryption, AIP encryption, decryption, and plaintext conversion cannot be applied simultaneously to the same document. Only one processing method must be selected. |
4.4 Combination Between Groups
Multiple selection is possible between groups, and all combinations are allowed. Encryption/decryption conflicts are structurally prevented by single selection within the group.
| Combination | Availability | Reason |
|---|---|---|
| Encryption/Decryption + Capsule Export | Possible | Exporting the results after decryption to SOM (sequential processing) |
| Encryption/Decryption + Document Classification | Possible | Assigning grades to metadata during encryption and decryption |
| Encryption/Decryption + Hidden Information Insertion | Possible | Inserting hidden information in the header during encryption and decryption |
| Capsule Export + Document Classification | Possible | Granting grades upon export |
| Capsule Export + Hidden Information Insertion | Possible | Inserting hidden information during export |
| Document Classification + Hidden Information Insertion | Possible | Simultaneous manipulation of metadata |
5. Change in "Maintain State" Handling
AS-IS
- "Maintain State" exists at the same level as one of the 7 execution policies.
- Essentially means "block," but it is not intuitive.
TO-BE
- Remove "Maintain State" item
- The "Block" toggle on every group performs the same function
- Blocking all 4 groups = same effect as the existing "Maintain State" (does not perform any action)
- Partial blocking + partial allowance possible (scenarios that were previously impossible)
- For example: Decryption is blocked, but document classification and hidden information insertion are allowed.
- For example: It blocks encryption and decryption, but only changes the security level.
- Provide a clear decision-making structure of "Allow/Block" to the administrator
6. Execution Policy Settings Screen Configuration
6.1 Screen Structure
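┌──────────────────────────────────────────────────────────────────┐
│ Execution Policy                                                 │
│ Each group can be set to allow/block independently.              │
├──────────────────────────────────────────────────────────────────┤
│                                                                  │
│ 1. Encryption/Decryption ──────────────── [Allow / Block toggle] │
│    ○ Encrypt with DRM                                            │
│      - Encryption type: select DAC / MAC / GRADE                 │
│      - Enter policy ID                                           │
│      - Document permissions: read, edit, decrypt,                │
│        SOM export, print, marking, change permissions            │
│    ○ Encrypt with AIP                                            │
│      - Select AIP label                                          │
│    ○ Decryption (release only the outer encryption layer)        │
│    ○ Plaintext conversion (fully release all encryption layers)  │
│                                                                  │
│ 2. Capsule Export ─────────────────────── [Allow / Block toggle] │
│    - Save As: Allow / Block                                      │
│    - Read (view): Allow / Block, set count                       │
│    - Print: Allow / Block, set count                             │
│    - Destruction: Allow / Block, set expiration date             │
│    - OLESOM Viewer: Allow / Block                                │
│                                                                  │
│ 3. Document Rating Assignment ─────────── [Allow / Block toggle] │
│    - Select security level (linked to Security365 portal)        │
│    - Select sub security label                                   │
│                                                                  │
│ 4. Hidden Information Insertion ───────── [Allow / Block toggle] │
│    - Enter Key (up to 20 chars) / Value (up to 1000 chars)       │
│    - Add with the [Register] button; shown as a list             │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘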
6.2 Toggle Action
- Allow Toggle ON: Detailed options within the group are displayed expanded
- Block Toggle ON: Collapse All Detailed Settings (Do not perform this action)
- Provide expand/collapse animation (within 100ms)
6.3 Displaying the Policy List Screen
- Display by combining allowed groups
- Example: Encrypt with DRM + Capsule Export + Hidden Information Insertion
- Example: Plaintext conversion + Document Rating Assignment
- Example: Block all (= existing "Maintain State")
- Tooltip: Display detailed settings information on mouse over
7. Execution Policy Setting Process
7.1 Configuration Flow
7.2 Step-by-Step Flow Description
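1. Access the policy creation/modification screen
↓
2. All 4 groups are displayed in the Execution Policy section
- 1. Encryption/Decryption
- 2. Capsule Export
- 3. Document Rating Assignment
- 4. Hidden Information Insertion
↓
3. Set the allow/block toggle for each group
- When allowed: single selection (radio) of an option within the group + detailed settings expanded
- When blocked: detailed settings collapsed (the action is not performed)
↓
4. Save
- All groups blocked = same effect as the existing "Maintain State"
- One or more allowed = the actions of the allowed groups are executed sequentially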
8. Real Application Scenarios
Scenario 1: External Transfer of Confidential Documents
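Document event: Encryption
Execution policy:
1. Encryption/Decryption: Allow → DRM encryption (DAC, policy ID: P001, read + print permissions)
2. Capsule Export: Allow → read 10 times, print 2 times, destruction 30 days
3. Document rating: Allow → Confidential grade
4. Hidden information: Allow → Key: "부서", Value: "제품기획부"
→ Result: DRM encryption + SOM export + Confidential grade assigned + hidden information inserted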
Scenario 2: Automatic Decryption of Public Documents
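Document event: Decryption
Execution policy:
1. Encryption/Decryption: Allow → Plaintext conversion (full release)
2. Capsule Export: Block
3. Document rating: Allow → Public grade
4. Hidden information: Block
→ Result: full decryption + reassignment to Public grade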
Scenario 3: Grant only grade/hidden information (Maintain status + partial allowance)
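Document event: Encryption
Execution policy:
1. Encryption/Decryption: Block ← no encryption/decryption is performed, but
2. Capsule Export: Block
3. Document rating: Allow → Secret grade ← only the grade is assigned
4. Hidden information: Allow → Key: "프로젝트", Value: "Alpha" ← only hidden information is inserted
→ Result: only metadata is manipulated while the document state is maintained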
Scenario 4: Complete Block (= Existing "Maintain State")
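Document event: Encryption
Execution policy:
1. Encryption/Decryption: Block
2. Capsule Export: Block
3. Document rating: Block
4. Hidden information: Block
→ Result: no action is performed = same as the existing "Maintain State"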
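The selection rules of section 4.2, the "block all" rule of section 5 and the list label of section 6.3, as an added example that is not ZTCAP code: a check of a submitted policy that rejects a multi-option selection in group 1 and out-of-range detail values. The payload shape and field names are assumptions, and the sample input is constructed from Scenario 1.

```python
# Added example. Field names (crypto, option, enc_type, read, print, pairs) are assumptions.
GROUPS = ("crypto", "capsule", "grade", "hidden")        # the four equal-level groups
CRYPTO = {"drm": "Encrypt with DRM", "aip": "Encrypt with AIP",
          "decrypt": "Decryption", "plaintext": "Plaintext conversion"}
LABELS = {"capsule": "Capsule Export", "grade": "Document Rating Assignment",
          "hidden": "Hidden Information Insertion"}

def _count_ok(value, low, high, unlimited=False):
    in_range = type(value) is int and low <= value <= high   # bool is rejected
    return in_range or (unlimited and value == "unlimited")

def validate(policy):
    """Return the rule violations in a submitted policy; an empty list means valid."""
    errors = [f"{g}: allow/block toggle missing" for g in GROUPS
              if not isinstance(policy.get(g, {}).get("allow"), bool)]
    if errors:
        return errors
    crypto, capsule, hidden = policy["crypto"], policy["capsule"], policy["hidden"]
    if crypto["allow"]:
        option = crypto.get("option")      # must be one string, never a list
        if not isinstance(option, str) or option not in CRYPTO:
            errors.append("crypto: select exactly one option")
        elif option == "drm" and crypto.get("enc_type") not in ("DAC", "MAC", "GRADE"):
            errors.append("crypto: DRM type must be DAC, MAC or GRADE")
    if capsule["allow"]:
        if "read" in capsule and not _count_ok(capsule["read"], 1, 99, unlimited=True):
            errors.append("capsule: read count must be 1-99 or unlimited")
        if "print" in capsule and not _count_ok(capsule["print"], 1, 10):
            errors.append("capsule: print count must be 1-10")
    if hidden["allow"]:
        for key, value in hidden.get("pairs", {}).items():
            if len(key) > 20 or len(value) > 1000:
                errors.append(f"hidden: key or value too long ({key[:20]!r})")
    return errors

def summary(policy):
    """Policy-list label: allowed groups joined with ' + ', or 'Block all'."""
    parts = [CRYPTO[policy["crypto"]["option"]]] if policy["crypto"]["allow"] else []
    parts += [LABELS[g] for g in GROUPS[1:] if policy[g]["allow"]]
    return " + ".join(parts) or "Block all"

# Constructed sample based on Scenario 1 (the grade name is an English rendering).
SCENARIO_1 = {
    "crypto": {"allow": True, "option": "drm", "enc_type": "DAC", "policy_id": "P001"},
    "capsule": {"allow": True, "read": 10, "print": 2},
    "grade": {"allow": True, "level": "Confidential"},
    "hidden": {"allow": True, "pairs": {"부서": "제품기획부"}},
}
print(validate(SCENARIO_1), "|", summary(SCENARIO_1))
```

Call `summary` only on a policy for which `validate` returned an empty list, since it looks up the selected group 1 option directly.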
9. AS-IS vs TO-BE Comparison
| Comparison Items | AS-IS | TO-BE |
|---|---|---|
| Choosing an Execution Policy | Single selection out of 7 | Multiple selection across 4 groups |
| Structure | Flat list | Independent groups (equal level) |
| Encryption/Decryption | Separated into separate items | Integrated into a single group (single choice) |
| Main Action / Additional Action | Mixed at the same level | No distinction (all equal) |
| Maintain State | Separate execution policy | Removed → Block All Groups = Maintain State |
| Partial Block + Partial Allow | Impossible | Possible |
| Policy Combination | Impossible (only 1) | Possible (all combinations between groups allowed) |
| Conflict Combination Verification | None | Unnecessary (structurally prevented by single selection within the group) |
| Scalability | List length increases when adding items | You just need to add a new group. |