--- title: External link policy path: administration/external-link-policy status: published --- External links let users share files with people who don't have ScaiDrive accounts. Useful — and a common source of compliance pain. The admin console gives you global controls to keep external sharing in check. Storage → External Links and System → Settings → Sharing are the two places this is configured. ## Global controls System → Settings → Sharing: | Setting | Effect | |---|---| | **External sharing allowed** | Global kill-switch. Off → no user can create any external link, anywhere. | | **Default link permissions** | What's pre-selected when a user creates a link (view-only vs view+download). | | **Require password** | Force every new link to have a password. | | **Require expiry** | Force every link to have an expiry date; cap the max expiry days. | | **Allowed link types** | View, download, upload-only — disable the ones you don't want. | | **Allowed audiences** | "Anyone with the link", "Anyone with an allowed email", or both. | | **Allowed IPs / blocked IPs** | Global allow/block list applied on top of per-link lists. | | **Cap download count** | Hard ceiling on the max download-count per link. | When a user creates a link, the dialog reflects these constraints — required fields are starred and options outside policy are disabled with a hover explainer. ## Per-share overrides Each share can override the global policy (Storage → Shares → share detail → **External sharing**). Useful for high-sensitivity shares where you want a tighter policy than the org default. Common patterns: - **Finance share**: external sharing disabled entirely. - **Customer-facing share**: external sharing allowed but capped at 30-day expiry and password required. - **Marketing share**: external sharing allowed with default settings. Shares marked with a [sensitivity label](/docs/scaidrive/administration/compliance-policies#sensitivity-labels) that blocks external sharing override both. ## Reviewing existing links Storage → External Links lists every active link in the system: | Column | What | |---|---| | Resource | File / folder / share the link points to | | Created by | User who made it | | Type | View / download / upload | | Audience | Anyone / email allowlist / IP allowlist | | Created / Expires | Lifecycle | | Access count | Total accesses to date | | Status | Active / expired / revoked | Filters: by share, by creator, by audience type, by expiry window ("expiring this week"). Bulk **Revoke** kills selected links immediately — useful when a user departs or an audit turns up something problematic. ## Forensics Click any link for a per-access log: timestamp, IP, country (from IP), user-agent, what action was performed (download, preview, password-entry-failed). This data also flows into the [Audit Log](/docs/scaidrive/administration/audit-and-activity) and to your SIEM. If you find a link being accessed from unexpected IPs, **Revoke** kills it and the access trail stays in the audit log forever. ## Auto-expiry A nightly job removes link records older than your **expired link retention** (System → Settings → Retention). By default, expired links are kept for 90 days for audit purposes, then deleted. Access logs survive even after the link record is gone — they're part of the audit-event store, not the link table. ## Common policies A few patterns that work well: **Strict (regulated industries):** - Require password on every link. - Cap max expiry to 7 days. - Require email allowlist (no anonymous links). - Hold sensitivity-labelled "confidential" content to internal-only. **Default (most companies):** - Allow anonymous links but cap at 30-day expiry. - Require password for upload links. - Allow per-share overrides. **Open (internal-only orgs, no external collaboration):** - Disable external sharing globally. - Users still get internal `[share file]` UX, which uses share membership instead. ## What's next - [Compliance policies](/docs/scaidrive/administration/compliance-policies) — sensitivity labels and DLP. - [Audit and activity](/docs/scaidrive/administration/audit-and-activity) — track link usage.