Skip to main content

Policy Definition Document

Document version: v0.1

Target Product: SHIELD Gate
Scope: Business System Control (Top Level) · App Conditional Policy · URL Input Field Conditional Policy

SHIELD_Gate_Policy_Definition_Work_System_Conditional_Policy_v0.1.xlsx


0. Document Overview

  • This document is SHIELD GateConditional Policy for Business SystemsThe policy items that can be set by the administrator, by itemWhat to do / How it appears to the user or is blocked / Product recommendationsThis is the policy consultation sheet organized with __PH_0__.
  • During the introduction process, the client representative is responsible for each item.적용 정책Enter the adoption value in the column to finalize the policy.

Default Provision vs Option (Separate Introduction) Distinction

The following items are**Not a standard feature and requires separate implementation (optional)**Available only during the time. In the table[옵션]is represented as.

Option itemsContent
[옵션] SHIELD ViewerViewer for previewing in read-only mode without downloading the file
[옵션]SHIELDGate File Cabinet (SHIELDrive)Isolated storage for storing downloaded files in an isolated environment
[옵션]CDR DecontaminationFile Sanitization Engine. Required when using CDR download.

If the option is not introduced, the corresponding repository and inspection options will not be displayed on the policy screen or will be unavailable for selection. Please confirm the scope of introduction with the sales/deployment team.


1. Overview of Conditional Policies and Application Principles

1.1 Policy 3-Tier Structure

divisionExplanationUser Screen · Actions When AppliedNote
Business System Control Conditional Policy (Top Level)Access permission for the app·URL input field menu itself, limit on the number of simultaneous screensIf the menu is blocked, entry is not possible regardless of the sub-policy.
App Conditional PolicyAccess and Isolation Security Policy by Registered AppAccess, Block, Authenticate according to policy when clicking the appTarget = App / App Group
Conditional Policy for URL Input FieldSite-specific Access and Isolation Security Policies via URL Input FieldInput Address · Access · Block · Authentication According to PolicyTarget = All Sites / Registered Sites·Groups / Web Categories

⚠️ Top Priority Principle: Menus (app/URL input fields) that are not allowed in the top-level control policy cannot be accessed by users, regardless of how many subordinate conditional policies are set.

1.2 Priority Principle

itemExplanationNote
Priority NumberThe smaller the number, the higher the priority (1 > 2 > 3 …)Drag and drop · Quick move for adjustment
Collision HandlingIf multiple policies apply under the same conditions, the most restrictive policy takes precedence.Exception policies are placed with high priority
Search Filter StatusPriority changes are not possible while applying search filters.Need to clear all filters when changing

1.3 Policy Evaluation Flow

  1. User Access (App Click or URL Input)
  2. Top-level control policy determination → Menu access permission status · Screen count verification
  3. Members·Conditions (Location·Time·Device) Judgment → Application Policy Determination
  4. Access Policy Enforcement (Allow / Block / Additional Authentication)
  5. Usage Policy (Isolation Security Policy) Enforcement (Keyboard, File, Clipboard, etc.)
  6. Execution Result Reflection and Log Recording

2. Business System Control Conditional Policy (Top Level)

The top priority control policy that limits the number of screens that can be opened simultaneously and the work systems (app·URL input field) accessible by each member.

divisionSetting OptionsExplanationUser Screen · Actions When AppliedRecommended PolicyNote
Policy NametextUnique name for policy identification (no duplicates allowed)Name the target to be identifiablemandatory
MembersAll Users / Users·Groups (Assign·Exclude)Policy Application Target DesignationApplied only to assigned members, excluded ones are not applied.group unit'All users' cannot be excluded
Target Business System — AppAllowed / Not AllowedAccess Permission for Registered App ListAccess to app menu is not allowed.Allow Work Necessary GroupIf not allowed, app conditional policy invalidation
Target Business System — URL Input FieldAllowed / Not AllowedDirect URL Input Feature Access PermissionIf not allowed, URL input field cannot be usedDecision Based on PolicyInvalid URL conditional policy when not allowed
Condition — LocationNo Limit / Registration LocationPolicy Application Scope Based on Connection IPConditions outside the location are not appliedReview of separation between in-office and remote workManagement Center [Condition Item] Registration
Condition — TimeNo Limit / Registration TimeApplication Scope of Policy Based on Connection Time ZoneConditions outside of the time zone are not applied.Specify Working Hourssame
Condition — DeviceNo Limit / Desktop·Tablet·MobileScope of Policy Application Based on Access DevicesDevices outside the conditions are not applicable.Review limited to work terminalssame
Number of Concurrent ScreensNo limit / Up to N items (1 or more)Number of isolated browser screens that can be viewed simultaneouslyDisplay "Screen Opening Limit Notification" modal when trying to open a new screen after reaching the limit (close the existing screen and retry)Differentiation by Job Category (See Notes Below)Resource Protection
Usage StatusUse / Do not usePolicy Activation StatusNot operational when unuseduse

3. Policy Basic Information (App / URL Input Field Common)

divisionSetting OptionsExplanationUser Screen · Actions When AppliedRecommended PolicyNote
Policy NameText (up to 20 characters)Unique Name for Policy IdentificationName to identify target and grade clearlymandatory
ExplanationText (up to 200 characters)Policy Additional ExplanationOperating Intent DocumentationSelection
Members — AssignmentAll Users / User·Group SelectionSpecify the target for policy applicationPolicy actions only for assigned usersMinimize Target ScopeGroup Unit Recommendation
Members — ExcludeUser·Group SelectionTarget for policy non-application regardless of allocationExcluded members have no policy impact.Specify exceptions only'All users' cannot be excluded
Target (App)App / App Group (Multiple)Specify the app to which the policy will be appliedApply policy only to selected appsSeparation by business appApp Policy Only
Target (URL)All Sites / Registered Sites·Groups / Web CategoriesSpecify the site to which the policy will be appliedApply policy only to selected targetsDefault Block (All Sites) + Selective AllowanceURL Policy Only

Target Setting Strategy (URL): Set "All Sites = Block Access" to a low priority, and allow specific sites and categories with a separate policy at a high priority.


4. Conditions (Connection Environment)

divisionSetting OptionsExplanationUser Screen · Actions When AppliedRecommended PolicyNote
LocationAll Locations / Registered Locations (Exception Selection)Limit Policy Application Scope Based on Connection IPThe policy does not apply outside of the specified conditions.Separation by location such as in-office and remoteRegister Location in the Management Center [Condition Items]
timeAll Time / Registered Time (Exception Selection)Limit the scope of policy application based on the access time zone.The policy does not apply outside the specified time zone.Specify Working HoursManagement Center [Condition Item] Register Time
deviceAll Devices / Desktop / Tablet / MobilePolicy Application Based on Type of Access DevicePolicy not applied to devices outside the conditions.Review limited to work terminals (Desktop)

5. Execution Policy — Access Policy

divisionSetting OptionsExplanationUser Screen · Actions When AppliedRecommended PolicyNote
Access PermissionAccess Allowed / Access DeniedDetermining Target AccessibilityAccess unavailable when blocked, display guidance pageWork Target Allow / Non-Work BlockTop-level control
Additional AuthenticationNot Used / Email Verification / OTP VerificationAdditional identity verification required upon access approvalDisplay authentication screen → Access after authentication. If failed, "Authentication has failed." popup, access not possible.General target not used / Sensitive target OTPCan only be set in the access permission policy.
Email Verification (Detailed)Display of authentication code input field, time limit 5 minutesEnter the code within 5 minutes. If not received, 'Resend verification code'Environment required for receiving emails
OTP Authentication (Detailed)Enter the authentication code after registering the initial QR code and recovery key.Initial registration screen → Then enter OTP codeRecommended for High Security TargetsAuthentication app required

6. Isolation Security Policy (Usage Policy)

After access is granted, it controls user behavior within the isolated browser. All items are set to allow/block (or enable/disable).

divisionSetting OptionsExplanationUser Screen · Actions When AppliedRecommended PolicyNote
Keyboard InputAllow / BlockControl of Keyboard Input in Isolated BrowserInput not allowed when blocked, display "Input is prohibited due to policy." at the bottom center.Read-only target is blocked
Site NavigationAllow / BlockControl of Moving to External Sites in the Target DomainAllowed: Free movement / Blocked: Only representative and related URLs can be accessed, external movement will show "This action is prohibited by policy." guidance pageBlocking Work System / Allowing Search and PortalHigh impact in URL policy
File UploadAllow / Block (+Extension Restriction, Storage)Control of File Uploads to Isolated EnvironmentsCannot upload when blocked / Only specified extensions and storage are allowed when permittedAllowed only when necessary for workRepository: My PC Files /[옵션]SHIELDGate File Cabinet
File DownloadAllow / Block (+Extension Restriction, Storage)File Download Control in Isolated EnvironmentsBlocked: "This action is prohibited by policy. Downloading is prohibited by policy." Guidance page (returns upon closing)Differentiated by target gradeRepository details are below
└ Repository: My PC File FolderSelectionDownload to User's Local PCSave file locallyLow-risk subjects onlyProvided by default. Highest risk of leakage.
└ Repository: SHIELDGate File StorageSelection (SHIELDrive designation)Save to SHIELDrive storageStore in isolated storage instead of localRecommended Security Targets[옵션] **Separate introduction.**Members must be assigned to SHIELDrive storage to be available.
└ Repository: SHIELD ViewerSelectionRead-only preview instead of downloadView without receiving the original fileRecommended for subjects that only require viewing[옵션] **Separate introduction.**Subdivide into 3 options
└─ PDF DownloadAllow / BlockDownload the original as a PDF after conversionOnly available for receipt as PDF when allowed.allowedDefault: Allow (within SHIELD Viewer options)
└─ Download OriginalAllow / BlockDownload the original document as isCannot receive original when blockedBlockDefault: Block
└─ CDR DownloadAllow / BlockDownload after CDR declassification processingPossible to receive a decontaminated version upon approvalBlockDefault: Block.[옵션] CDR engine required
Clipboard — Isolation → PCAllow / BlockCopy from the isolated browser to PCCopying is not allowed when blocked, display "Clipboard usage is prohibited due to policy." at the bottom center.BlockData Export Path
Clipboard — PC→IsolationAllow / BlockPasting in an Isolated Browser on PCCannot paste when blockedallowedInput Convenience
Input Sensitive Information CheckAllow (Inspection) / Unused (+ Regular Expression Selection)Check and block input text with regular expressionsInput Blocking and Audit Log Recording During Pattern MatchingUsed for entering sensitive information[옵션] **Master Page Overlay (Company Unit) Introduction.**Regular expression · Target domain is managed in [Input Sensitive Information Management]
Session MaintenanceUsed / Unused (+ Idle Time Min)Data Protection with Screen Lock During InactivityScreen lock after idle time, return with 'Refresh'Use (according to idle time policy)Minute setting
Screen Markingused / unusedDisplay user identification watermark on the screenUsername·Email watermark displayed on the screenuseThe display method is customized in [Security Screen Settings].
Print Watermarkused / unusedInserting User Identification Watermark in Printed MaterialsPrint with watermark includeduseThe display method is customized in [Security Screen Settings].
Video Conference Modeused / unusedVideo Conference Performance Optimization ModeNo shortcut icon for SHIELDGate in the upper right corner when active.Use only for video conference participantsPerformance Optimization Purpose
Context MenuUse / Unused (+ Area-specific ON/OFF)Right-click menu control by areaOFF area does not display right-click menu, blocks associated shortcut keys (e.g., Print OFF → blocks Ctrl+P)Use (Sensitive Items OFF)The details of the area are below

6.1 Context Menu Area

areaRepresentative MenuUser Screen · Actions When AppliedRecommended PolicyNote
Page Background AreaBack, Forward, Refresh, Print, View Page Source, InspectDisplay right-click menu when ON / Hide when OFF · Block linked shortcut keysView Page Source · Inspect OFFClicking the top navigation button is not blocked (only keyboard shortcuts are blocked)
Text Selection AreaCopy, PrintDisplay on right-click after text drag / Not displayed when OFFSensitive Target Copy/Print OFF
linkOpen in new tab, Copy link addressDisplay on right-clicking the link / Not displayed when OFFMaintain default value (ON)
imageSave Image, Copy ImageRight-click on the image to display / Not displayed when OFFDownload block target is storage OFF
videoPlay/Pause, Save VideoRight-click on the video to display / OFF to hideMaintain default value (ON)
AudioPlay/Pause, Save AudioRight-click on the audio to display / Not displayed when OFFMaintain default value (ON)
Input FieldCut, Copy, PasteRight-click on the input box to display / Not displayed when OFFClipboard Policy and Compliance Settings

Hide the right-click menu for the area when all items in the area are OFF.전체 ON / 전체 OFF / 초기화provided.


7. Policy Settings

divisionSetting OptionsExplanationUser Screen · Actions When AppliedRecommended PolicyNote
Usage StatusUse / Do not usePolicy Activation StatusPolicy does not work when not in useuse
Expiration DateNot set / Period settingThe duration of policy operationDoes not operate outside the periodNot set (indefinite)Set limited-time policy only

8. Policy Operation and Management (Reference)

divisionExplanationNote
Priority ManagementDrag and Drop, Move to Top/Bottom, Directly Move NumberOnly possible when the search filter is disabled.
Management of Default Execution PolicyAutomatic application of default execution and isolation security policies when registering a new policyApp·URL defaults are independently managed
Policy SearchSearch by policy name, members, target, conditions, execution policy, and usage status.AND between filters, OR within filters
Policy Application Status InquiryPeriod-specific Applied/Not Applied Policy Inquiry · Excel DownloadManaging Complexity through Non-Application Policy Summary
Import·ExportJSON (Backup·Restore) / Excel (Status·Reporting)ZIP for multiple selection