figma guide

Designing DLP and external sharing restrictions UI in Figma: policy controls and handoff

Design DLP and external sharing restriction UI in Figma with policy rules, share dialogs, blocked states, watermarking, and Dev Mode specs for enterprise security admin.

Published
Updated
Jul 15, 2026
Read time
7 min
Level
Intermediate

Quick answer

DLP and sharing restrictions control what members can share outside the org—configured under Organization → Security → Sharing & DLP. Design a policy rules table (scope, restriction type, enforcement, exceptions); share dialog overrides that block or warn on external emails; guest access limits tied to member invitations; watermark and download blocks for confidential assets; violation logs in audit activity; and break-glass approval for time-limited external shares. Start from the Figma guides hub and pair with team roles, IP allowlist, and Dev Mode handoff.


Who this is for

  • Product designers building enterprise Security settings, share flows, and collaboration policy admin.
  • Design system teams aligning DLP UI with custom roles and permission templates.
  • Engineers implementing policy evaluation on share, export, and link-generation actions.

DLP policy entry points

LocationAudienceActions
Org → Security → Sharing & DLPSecurity adminCRUD sharing policies
Share dialogEnd userHit policy at share time
File / project settingsProject ownerSee inherited restrictions
Violation logSecurity adminReview blocked attempts

Verdict: central Sharing & DLP page plus inline enforcement in every share/export surface—policies invisible until violated frustrate users.


Policy rules table

ColumnSpecNotes
Policy name”Block external viewers”Required
ScopeOrg, team, project, label/tagEnterprise granularity
RestrictionBlock share, warn, require approval, watermarkEnum
TargetExternal email, public link, download, copyMulti-select
StatusActive / Monitor / DisabledMonitor = log only
Violations (7d)CountLink to log
ActionsEdit, Duplicate, DisableDelete needs confirm
DlpPolicyTable
├── Toolbar: [ Add policy ] [ Templates: SOC2, Zero-trust ]
├── Rows...
└── Footer: "4 active · 23 violations this week (monitor mode)"

Templates pre-fill common patterns: no public links, external share requires Manager approval, block @gmail.com on confidential-tagged files.


Restriction types and enforcement

TypeUser experienceAdmin monitor mode
BlockShare fails; inline errorLog share.blocked
WarnModal: “Policy violation—continue?”Log if continued
Require approvalRequest sent to Security AdminQueue in admin inbox
WatermarkExport/download gets overlayLog application
Expire linksMax 7-day link TTL enforcedLog shortened TTL
ShareBlockedModal
├── Icon: shield
├── Headline: External sharing is restricted
├── Body: "Acme policy blocks sharing with users outside @acme.com"
├── Details: Policy "No external viewers" · File: Q3 Roadmap
├── Actions: [ Cancel ] [ Request exception ]
└── Link: Contact security admin

Block copy must name the policy and remediation—never generic “not allowed.”


Share dialog integration

Every share surface evaluates policies before commit:

Share actionPolicy check pointBlocked UI
Invite by emailOn add + on sendInline on chip
Copy linkOn link type changeDisable public link option
ExportOn format selectGray out PDF if download blocked
Duplicate to personalOn destinationBlock with org policy cite
ShareDialog
├── Invite: [ partner@vendor.com ✗ External blocked ]
├── Link access: ( ) Anyone  (•) Org only  ← public disabled
├── Permission: Can view ▾
└── [ Send invite ] disabled + tooltip

Show why public link is disabled—tooltip links to policy summary for project owners.


External collaborator and guest limits

Tie to member invitations and domain verification:

ControlSpecUI
Allowed domains@acme.com, @vendor.ioDomain allowlist table
Max guest duration90 daysShown on invite modal
Guest role ceilingView onlyEnforced in permission dropdown
Auto-revoke on offboardGuest access ends with sponsorLink to offboarding
ExternalInviteModal
├── Email: [ consultant@agency.com ]
├── Sponsor: [ jane@acme.com ▾ ] required
├── Expires: [ 90 days ▾ ]
├── Warning: Guest will have view-only per org policy
└── [ Send invitation ]

Sponsor field creates accountability—guest access tied to employee lifecycle.


Approval and exception flows

Require approval policies need an admin queue:

StepUI
1. User requests”Request exception” on blocked modal
2. JustificationRequired text field, max 500 chars
3. Time box24h / 7d / 30d exception TTL
4. Admin queueSecurity → Exceptions inbox
5. DecisionApprove / Deny with note
6. Auditdlp.exception.approved with expiry
ExceptionRequestModal
├── Share target: partner@vendor.com
├── File: Vendor contract v2
├── Reason: [ Required for legal review ]
├── Duration: [ 7 days ▾ ]
└── [ Submit request ]

Approved exceptions show countdown badge on file share settings—auto-revoke when TTL ends.


Watermark and download controls

Asset labelDownloadWatermarkCopy
PublicAllowedNoneAllowed
InternalAllowedOptional org watermarkAllowed
ConfidentialBlocked or watermarked PDF onlyRequired on screen + exportBlock “copy as”
RestrictedBlock all exportsPersistent overlayBlock
ConfidentialFileBanner
├── Label chip: Confidential
├── "Downloads disabled · Screenshot watermark active"
└── [ Request download exception ]

Watermark spec in Dev Mode: user email, timestamp, org name, opacity, diagonal repeat.


Role and permission interaction

Custom roles may grant override share capability:

Role capabilityEffect
share.externalBypass block policies (audited)
dlp.approve_exceptionsAccess approval queue
share.public_linkEnable public links where policy allows role override

Role editor should list DLP-related capabilities grouped under Security—mirror policy names to reduce admin confusion.


Network and access policy alignment

DLP and IP policy stack:

LayerControls
IP allowlistWhere user authenticates from
DLP sharingWho user can share with
Download restrictionWhat leaves the app
Compliance exportAdmin bulk export separate path

Settings sidebar note: “Sharing restrictions apply regardless of VPN—IP allowlist is additive.”


Violation log and reporting

Extend audit log with DLP-specific views:

ColumnSpec
TimestampISO + relative
ActorMember email
Actionshare.blocked, export.warned, exception.requested
ResourceFile / project name + link
PolicyPolicy name
OutcomeBlocked / Warned / Approved
DlpViolationLog
├── Filters: Policy · Team · Date · Outcome
├── Export CSV for SOC review
└── Row → ShareBlockedModal replay (read-only)

Monitor mode dashboard: violations that would have blocked—use for policy tuning before enforce.


Common mistakes

MistakeWhy it hurtsFix
Block without explanationSupport tickets spikeName policy + remediation
No monitor modeRisky big-bang enforceLog-only period first
Approval queue buriedExceptions stallNotify Security Admin on Slack/email
Public link toggle still visibleUser thinks share workedDisable + explain
Watermark only on exportScreen leak gapOn-screen overlay for Confidential
Guest sponsor optionalOrphan external accessRequire sponsor on every guest
Exception without TTLPermanent policy bypassTime-boxed approvals
DLP ignores copy/duplicateData still leavesEvaluate all egress paths
Role override unauditedCompliance gapLog every override share
Policies split across 3 settings pagesAdmin misconfigurationOne Sharing & DLP hub

  1. Design DLP policy table with scope, restriction type, and violation counts.
  2. Integrate share dialog blocked states, disabled link types, and exception request.
  3. Build approval queue for time-boxed exceptions with admin approve/deny.
  4. Add confidential labels with watermark banner and download blocks.
  5. Wire guest invite sponsor and expiry fields to invitation flow.
  6. Spec policy evaluation order (label > project > team > org) in Dev Mode.
  7. Link violation log and monitor-mode dashboard to audit console.

FAQ

Does DLP apply to API keys and automation?

Usually separate policy—API export paths need explicit DLP rules; link in Network/API settings.

Can project owners weaken org DLP?

No—org policy is ceiling; owners can only tighten (shorter link TTL, extra watermark).

How does DLP interact with compliance exports?

Admin exports bypass user DLP but require Compliance Officer role and full audit—do not use user share flows.

External share blocked but SSO guest from partner domain?

Domain allowlist on guest invites should align with SSO verified domains—cross-link setup wizards.

Monitor mode duration?

Recommend 14–30 days with weekly violation summary email to Security Admin before enforce.


Next steps

Share on X

§ Keep reading

Related guides.