Protect agreements from accidental information leakage when users or groups are shared within an organization.
Restricted access to agreements is a feature designed to protect recipients from unintentional data leaks, particularly within their organizations, through user or group sharing that grants other users access to all of a user's content.
The Restricted access to agreements controls allow recipients to be marked as "restricted" within the agreement's scope. The restricted identifier can be applied by rule or configured to allow senders manual control over whether recipients should be so marked.
When an agreement is marked as restricted, the sharing of the agreement is suppressed by default:
- All recipients are in scope for the restrictions.
- The restricted agreement does not appear on the recipient's shared view of their Manage page.
- The restricted agreement does not appear on the sender's shared view of their Manage page.
- The restricted agreement will not auto-delegate through the user's Acrobat Sign auto-delegation rules. (Admins can suppress this behaviour.)
For the recipients, access to the agreement has modified access rules within the Acrobat Sign user interface:
- The recipient can sign the agreement through the Manage page
- The recipient may not view or download the agreement from the Manage page until it's signed.
- Once the agreement is completed, the recipient can view and download the agreement as usual.
The above behavior applies only to the Acrobat Sign web UI. Accessing agreements via API continues to provide full access to the agreements.
Availability:
The Restricted access to agreements controls are available for the enterprise license plans only.
Configuration scope:
The feature can be enabled at the account and group levels.
How it's used
Administrators can configure the feature to be editable by senders or not.
- When the feature is enabled for sender configuration, the editable controls are found in the Agreement settings section when composing a new agreement.
- When the feature is not enabled for users to edit, the interface for the feature is removed from the Agreement settings section of the Compose page.
A sender would check or uncheck the restricted access feature as needed.
If the sender's option to edit the setting is disabled, the configured experience is applied outside the view of the sender.
There are four controls within the feature family:
When the feature is enabled, all agreements sent from the group will have the Restricted access to agreements rules applied to all of their agreements.
If only this option is checked, there is no indication in the sender's interface. The setting is applied quietly with no interaction.
When the setting is disabled, the Restricted access to agreements rules are not applied to any agreements.
When enabled, the Restricted access option becomes visible and editable in the sender's interface (in the Agreement settings section of the Compose page).
When enabled, the option to restrict access to the agreement enabled (checked) by default when creating a new agreement. Senders could then manually uncheck the option from the Agreement settings section.
When the Restricted access to agreements feature is enabled, Acrobat Sign automatically blocks the auto-delegation of agreements based on a user's profile settings. This prevents agreements from being delegated until the recipient signs.
Administrators can select the Allow auto-delegation for agreements with restricted access option to allow auto-delegation even when restricted access is enabled, following the user's auto-delegation rules as usual.
Things to know
- The API implementation of this feature has one experiential difference with regards to when the document can be accessed if the 2nd factor authentication type is set to "None":- Within the Acrobat Sign interface, the recipient may not View or Download the agreement until it is signed. Even if no 2nd factor authentication is configured, access to the agreement is disabled by suppressing the View and Download actions.
- When using the API, the agreement may be viewed and downloaded with the token after authentication is passed. In the case where no 2nd factor authentication is configured, the agreement can be viewed or downloaded before it is signed.