figma guide
Designing DLP and external sharing restrictions UI in Figma: policy controls and handoff
Design DLP and external sharing restriction UI in Figma with policy rules, share dialogs, blocked states, watermarking, and Dev Mode specs for enterprise security admin.
- Published
- Updated
- Jul 15, 2026
- Read time
- 7 min
- Level
- Intermediate
Quick answer
DLP and sharing restrictions control what members can share outside the org—configured under Organization → Security → Sharing & DLP. Design a policy rules table (scope, restriction type, enforcement, exceptions); share dialog overrides that block or warn on external emails; guest access limits tied to member invitations; watermark and download blocks for confidential assets; violation logs in audit activity; and break-glass approval for time-limited external shares. Start from the Figma guides hub and pair with team roles, IP allowlist, and Dev Mode handoff.
Who this is for
- Product designers building enterprise Security settings, share flows, and collaboration policy admin.
- Design system teams aligning DLP UI with custom roles and permission templates.
- Engineers implementing policy evaluation on share, export, and link-generation actions.
DLP policy entry points
| Location | Audience | Actions |
|---|---|---|
| Org → Security → Sharing & DLP | Security admin | CRUD sharing policies |
| Share dialog | End user | Hit policy at share time |
| File / project settings | Project owner | See inherited restrictions |
| Violation log | Security admin | Review blocked attempts |
Verdict: central Sharing & DLP page plus inline enforcement in every share/export surface—policies invisible until violated frustrate users.
Policy rules table
| Column | Spec | Notes |
|---|---|---|
| Policy name | ”Block external viewers” | Required |
| Scope | Org, team, project, label/tag | Enterprise granularity |
| Restriction | Block share, warn, require approval, watermark | Enum |
| Target | External email, public link, download, copy | Multi-select |
| Status | Active / Monitor / Disabled | Monitor = log only |
| Violations (7d) | Count | Link to log |
| Actions | Edit, Duplicate, Disable | Delete needs confirm |
DlpPolicyTable
├── Toolbar: [ Add policy ] [ Templates: SOC2, Zero-trust ]
├── Rows...
└── Footer: "4 active · 23 violations this week (monitor mode)"
Templates pre-fill common patterns: no public links, external share requires Manager approval, block @gmail.com on confidential-tagged files.
Restriction types and enforcement
| Type | User experience | Admin monitor mode |
|---|---|---|
| Block | Share fails; inline error | Log share.blocked |
| Warn | Modal: “Policy violation—continue?” | Log if continued |
| Require approval | Request sent to Security Admin | Queue in admin inbox |
| Watermark | Export/download gets overlay | Log application |
| Expire links | Max 7-day link TTL enforced | Log shortened TTL |
ShareBlockedModal
├── Icon: shield
├── Headline: External sharing is restricted
├── Body: "Acme policy blocks sharing with users outside @acme.com"
├── Details: Policy "No external viewers" · File: Q3 Roadmap
├── Actions: [ Cancel ] [ Request exception ]
└── Link: Contact security admin
Block copy must name the policy and remediation—never generic “not allowed.”
Share dialog integration
Every share surface evaluates policies before commit:
| Share action | Policy check point | Blocked UI |
|---|---|---|
| Invite by email | On add + on send | Inline on chip |
| Copy link | On link type change | Disable public link option |
| Export | On format select | Gray out PDF if download blocked |
| Duplicate to personal | On destination | Block with org policy cite |
ShareDialog
├── Invite: [ partner@vendor.com ✗ External blocked ]
├── Link access: ( ) Anyone (•) Org only ← public disabled
├── Permission: Can view ▾
└── [ Send invite ] disabled + tooltip
Show why public link is disabled—tooltip links to policy summary for project owners.
External collaborator and guest limits
Tie to member invitations and domain verification:
| Control | Spec | UI |
|---|---|---|
| Allowed domains | @acme.com, @vendor.io | Domain allowlist table |
| Max guest duration | 90 days | Shown on invite modal |
| Guest role ceiling | View only | Enforced in permission dropdown |
| Auto-revoke on offboard | Guest access ends with sponsor | Link to offboarding |
ExternalInviteModal
├── Email: [ consultant@agency.com ]
├── Sponsor: [ jane@acme.com ▾ ] required
├── Expires: [ 90 days ▾ ]
├── Warning: Guest will have view-only per org policy
└── [ Send invitation ]
Sponsor field creates accountability—guest access tied to employee lifecycle.
Approval and exception flows
Require approval policies need an admin queue:
| Step | UI |
|---|---|
| 1. User requests | ”Request exception” on blocked modal |
| 2. Justification | Required text field, max 500 chars |
| 3. Time box | 24h / 7d / 30d exception TTL |
| 4. Admin queue | Security → Exceptions inbox |
| 5. Decision | Approve / Deny with note |
| 6. Audit | dlp.exception.approved with expiry |
ExceptionRequestModal
├── Share target: partner@vendor.com
├── File: Vendor contract v2
├── Reason: [ Required for legal review ]
├── Duration: [ 7 days ▾ ]
└── [ Submit request ]
Approved exceptions show countdown badge on file share settings—auto-revoke when TTL ends.
Watermark and download controls
| Asset label | Download | Watermark | Copy |
|---|---|---|---|
| Public | Allowed | None | Allowed |
| Internal | Allowed | Optional org watermark | Allowed |
| Confidential | Blocked or watermarked PDF only | Required on screen + export | Block “copy as” |
| Restricted | Block all exports | Persistent overlay | Block |
ConfidentialFileBanner
├── Label chip: Confidential
├── "Downloads disabled · Screenshot watermark active"
└── [ Request download exception ]
Watermark spec in Dev Mode: user email, timestamp, org name, opacity, diagonal repeat.
Role and permission interaction
Custom roles may grant override share capability:
| Role capability | Effect |
|---|---|
| share.external | Bypass block policies (audited) |
| dlp.approve_exceptions | Access approval queue |
| share.public_link | Enable public links where policy allows role override |
Role editor should list DLP-related capabilities grouped under Security—mirror policy names to reduce admin confusion.
Network and access policy alignment
DLP and IP policy stack:
| Layer | Controls |
|---|---|
| IP allowlist | Where user authenticates from |
| DLP sharing | Who user can share with |
| Download restriction | What leaves the app |
| Compliance export | Admin bulk export separate path |
Settings sidebar note: “Sharing restrictions apply regardless of VPN—IP allowlist is additive.”
Violation log and reporting
Extend audit log with DLP-specific views:
| Column | Spec |
|---|---|
| Timestamp | ISO + relative |
| Actor | Member email |
| Action | share.blocked, export.warned, exception.requested |
| Resource | File / project name + link |
| Policy | Policy name |
| Outcome | Blocked / Warned / Approved |
DlpViolationLog
├── Filters: Policy · Team · Date · Outcome
├── Export CSV for SOC review
└── Row → ShareBlockedModal replay (read-only)
Monitor mode dashboard: violations that would have blocked—use for policy tuning before enforce.
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| Block without explanation | Support tickets spike | Name policy + remediation |
| No monitor mode | Risky big-bang enforce | Log-only period first |
| Approval queue buried | Exceptions stall | Notify Security Admin on Slack/email |
| Public link toggle still visible | User thinks share worked | Disable + explain |
| Watermark only on export | Screen leak gap | On-screen overlay for Confidential |
| Guest sponsor optional | Orphan external access | Require sponsor on every guest |
| Exception without TTL | Permanent policy bypass | Time-boxed approvals |
| DLP ignores copy/duplicate | Data still leaves | Evaluate all egress paths |
| Role override unaudited | Compliance gap | Log every override share |
| Policies split across 3 settings pages | Admin misconfiguration | One Sharing & DLP hub |
Recommended workflow
- Design DLP policy table with scope, restriction type, and violation counts.
- Integrate share dialog blocked states, disabled link types, and exception request.
- Build approval queue for time-boxed exceptions with admin approve/deny.
- Add confidential labels with watermark banner and download blocks.
- Wire guest invite sponsor and expiry fields to invitation flow.
- Spec policy evaluation order (label > project > team > org) in Dev Mode.
- Link violation log and monitor-mode dashboard to audit console.
FAQ
Does DLP apply to API keys and automation?
Usually separate policy—API export paths need explicit DLP rules; link in Network/API settings.
Can project owners weaken org DLP?
No—org policy is ceiling; owners can only tighten (shorter link TTL, extra watermark).
How does DLP interact with compliance exports?
Admin exports bypass user DLP but require Compliance Officer role and full audit—do not use user share flows.
External share blocked but SSO guest from partner domain?
Domain allowlist on guest invites should align with SSO verified domains—cross-link setup wizards.
Monitor mode duration?
Recommend 14–30 days with weekly violation summary email to Security Admin before enforce.
Next steps
- Design IP allowlist and network restrictions UI in Figma — network + sharing policy stack
- Design team member roles and permissions UI in Figma — share override capabilities
- Design member invitations and pending invites UI in Figma — guest sponsor and expiry
- Design audit log and security activity UI in Figma — violation and exception events
- Design custom roles and permission templates UI in Figma — DLP capability grouping
§ Keep reading