C++ Access Controls

No one can predict the future. Access controls let you change your mind about who has access and under what conditions.

Grant Access

Let’s say Bob enters your circle of trust. If you grant him access, he can decrypt your sensitive data.

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};

    Policy policy;
    policy.shareWithUsers({"[email protected]"});

    client.updatePolicyForFile(policy, "sensitive.docx.tdf.html");
    return EXIT_SUCCESS;
}

You can also grant access before you encrypt:

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};

    Policy policy;
    policy.shareWithUsers({"[email protected]"});
    EncryptFileParams params {"sensitive.docx", "sensitive.docx.tdf.html"};
    params.setPolicy(policy);

    client.encryptFile(params);
    return EXIT_SUCCESS;
}

Revoke Access

Let’s say Bob leaves your circle of trust. It’d be great if he no longer had access to your sensitive data. Revoking his access prevents Bob from decrypting your sensitive data:

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};

    Policy policy;
    policy.removeUsers({"[email protected]"});

    client.updatePolicyForFile(policy, "sensitive.docx.tdf.html");
    return EXIT_SUCCESS;
}

You will still have access to your sensitive data.

Revoke All Access

Let’s say you landed a new job, Alice. Well done! But your circle of trust is now outdated. Rather than revoking every Bob’s access to your sensitive data one by one, you can remove everyone with revoke all:

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};
    client.revokeFile("sensitive.docx.tdf.html");
    return EXIT_SUCCESS;
}

You will still have access to your sensitive data.

Expire Access

Some things aren’t meant to last. Your landlord, Trent, shouldn’t have access to the sensitive data in your lease forever. Let’s make sure your sensitive data expires in a year when your lease does:

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};

    Policy policy;
    policy.expireInDays(365);

    client.updatePolicyForFile(policy, "lease.docx.tdf.html");
    return EXIT_SUCCESS;
}

You can also expire at a specific date and time:

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};

    Policy policy;
    policy.addExpiration("2020-05-24T16:12:41Z"); // ISO-8601 Format

    client.updatePolicyForFile(policy, "lease.docx.tdf.html");
    return EXIT_SUCCESS;
}

Expiration prevents everyone else on the policy from decrypting after that time. You will still have access.

Make the same expiration calls to update dates or times.
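An added example, not part of the Virtru SDK or the original page: a strict check on the ISO-8601 UTC string before it is handed to policy.addExpiration(), so that a malformed or already-past timestamp is caught locally. The helper names (toIso8601Utc, parseIso8601Utc, checkedExpiration) are hypothetical, and the code assumes a POSIX libc for gmtime_r, strptime and timegm.

```cpp
#include <chrono>
#include <ctime>
#include <iostream>
#include <optional>
#include <string>

using Clock = std::chrono::system_clock;

// Format a time point in the form used on this page: "2020-05-24T16:12:41Z".
std::string toIso8601Utc(Clock::time_point tp)
{
    const std::time_t t = Clock::to_time_t(tp);
    std::tm utc {};
    gmtime_r(&t, &utc);                       // UTC, never local time
    char buf[32] = {0};
    if (std::strftime(buf, sizeof buf, "%Y-%m-%dT%H:%M:%SZ", &utc) == 0) return {};
    return buf;
}

// Strict parse: only "YYYY-MM-DDTHH:MM:SSZ" naming a real calendar instant.
std::optional<Clock::time_point> parseIso8601Utc(const std::string& s)
{
    std::tm tm {};
    if (s.size() != 20) return std::nullopt;
    const char* end = strptime(s.c_str(), "%Y-%m-%dT%H:%M:%SZ", &tm);
    if (end == nullptr || *end != '\0') return std::nullopt;
    const auto tp = Clock::from_time_t(timegm(&tm));   // read fields as UTC
    // timegm() silently normalizes 02-30 to 03-02; the round trip catches that.
    if (toIso8601Utc(tp) != s) return std::nullopt;
    return tp;
}

// Hypothetical guard for policy.addExpiration(): nullopt if malformed or not after `now`.
std::optional<std::string> checkedExpiration(const std::string& requested,
                                             Clock::time_point now)
{
    const auto when = parseIso8601Utc(requested);
    if (!when || *when <= now) return std::nullopt;
    return toIso8601Utc(*when);
}

int main()
{
    // Constructed input: a lease that ends 365 days from now.
    const auto now = Clock::now();
    const auto end = toIso8601Utc(now + std::chrono::hours(24 * 365));
    const auto ok = checkedExpiration(end, now);
    std::cout << ok.value_or("rejected") << '\n';
    return ok ? 0 : 1;
}
```

Passing `now` in as a parameter keeps the guard testable; a timestamp with a numeric offset such as `+02:00` is rejected here on purpose, so convert to UTC first.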

If you’re feeling permissive, you can always remove expiration too:

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};

    Policy policy;
    policy.removeExpiration();

    client.updatePolicyForFile(policy, "lease.docx.tdf.html");
    return EXIT_SUCCESS;
}

Watermark Access

Trust doesn’t have to be absolute. If you want Bob to access your sensitive data, but discourage him from sharing it, you can enable watermarking:

#include <virtru_client.h>
#include <cstdlib>
#include <iostream>

using namespace virtru;

int main()
{
    auto email = std::getenv("VIRTRU_SDK_EMAIL");
    auto appId = std::getenv("VIRTRU_SDK_APP_ID");
    if (email == nullptr || appId == nullptr) {
        std::cerr << "An environment variable is not set:\n- VIRTRU_SDK_EMAIL\n- VIRTRU_SDK_APP_ID" << std::endl;
        return EXIT_FAILURE;
    }
    Client client {email, appId};

    Policy policy;
    policy.enableWatermarking();

    client.updatePolicyForFile(policy, "sensitive.docx.tdf.html");
    return EXIT_SUCCESS;
}

This option only applies in Virtru’s Secure Reader, where Bob’s email address will always overlay the decrypted sensitive data.

To disable watermarking:

// Fragment: `client` is constructed as in the previous example.
Policy policy;
policy.disableWatermarking();

client.updatePolicyForFile(policy, "sensitive.docx.tdf.html");
