Protect the content in a Shareflex application – MS Purview

Goal

Our goal is to protect a SharePoint Online Shareflex application, such as Contract Management, from accidental or malicious deletion or modification by users or the Shareflex Online Enterprise Application in Entra. We must protect the application content and code.

Result

It’s no longer possible to delete a contract record. Please see the error message.

The only way to delete a contract is if the deletion is approved by a disposition workflow the following day (explained below).

We have ensured that it’s not possible to delete a library, for example, so all the coding is protected.

MS Purview functions available to achieve our goals

  1. M365 retention policies
  2. M365 record management policies

Let's start with the retention policy.

M365 retention policies

We followed this guide and created the following retention policy linked to the Shareflex application.

It took an hour to be enforced, not a week.

Deleting a document from a contract is possible.

Deleting a contract (SPO list item) is possible.

Documents can be deleted from the SPO library as well.

It's not possible to delete a library, for example.

The preservation hold library holds CSV files for the deleted list items, and it holds deleted documents.

Right, it’s not possible to delete anything from the preservation library.

Concluding M365 retention policies

M365 retention policies protect against the deletion of lists, libraries, and (sub)sites within the application. The next step is to protect content against deletion with M365 record management.

M365 record management

Navigate to file plan and create a label

In the example below, the label is named with the value 10 years, but I actually want to use 1 day as the retention period. This is a nice approach to protect the content: after approval, it can be deleted after one day.

We use 1 day; after that day the item can be deleted (after approval), so we have one day to revert a hack, for example.

Create stages and assign reviewers

The label is published to one SP site holding the Shareflex Contract Management application.

By the way, here is the saved retention label:

Let's apply the label to one of the libraries of Shareflex Contract, via library settings.

Now we can add the retention labels to the documents pane in the Shareflex Contract interface.

The same label can also be applied to the contracts list protecting deletions here as well.
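The label creation and publishing steps above can also be scripted with Security & Compliance PowerShell. This is an added example, not part of the original walkthrough: the label and policy names, the site URL and the reviewer address are placeholders, and marking the label as a record, counting the one day from the labeling date and using a single reviewer are assumptions.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the signed-in account holds the Purview roles for managing retention labels.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Placeholders (assumptions, not values from the walkthrough)
$siteUrl    = 'https://contoso.sharepoint.com/sites/contracts'
$reviewer   = 'records-admin@contoso.com'
$labelName  = 'Shareflex Contract - 1 day'
$policyName = 'Publish Shareflex Contract label'

# 1. Retention label: keep the item for 1 day, then send it to disposition
#    review instead of deleting it automatically. -ReviewerEmail sets the
#    reviewer who approves or rejects the deletion (one stage assumed here).
if (-not (Get-ComplianceTag | Where-Object Name -eq $labelName)) {
    New-ComplianceTag -Name $labelName `
        -RetentionAction KeepAndDelete `
        -RetentionDuration 1 `
        -RetentionType TaggedAgeInDays `
        -IsRecordLabel $true `
        -ReviewerEmail $reviewer `
        -Comment 'Blocks deletion; disposal only after reviewer approval'
}

# 2. Publish the label to the single SharePoint site that hosts the
#    Shareflex Contract Management application.
if (-not (Get-RetentionCompliancePolicy | Where-Object Name -eq $policyName)) {
    New-RetentionCompliancePolicy -Name $policyName -SharePointLocation $siteUrl
    New-RetentionComplianceRule -Policy $policyName -PublishComplianceTag $labelName
}

# 3. Check that the policy has been distributed before applying the label
#    in the library settings.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, SharePointLocation

# 4. Review the label settings that protect the content.
Get-ComplianceTag -Identity $labelName |
    Select-Object Name, IsRecordLabel, RetentionAction, RetentionDuration,
                  RetentionType, ReviewerEmail
```

Applying the published label to the library and to the contracts list remains a library or list settings step, as in the walkthrough.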

Then, after a day, the pending disposition workflow should start notifying the user set in the policy; the admin can then approve or reject the deletion of the documents and/or contract (list item).

All the documents the user tried to delete are listed here:

But the item is not removed from the contract.

New test where we delete one document from the contract.

A second test where we delete a file from the SPO library.

In default SPO and Shareflex, the error message does not indicate that the document is protected by Purview; this must be improved in the Shareflex interface.

We must wait one day to see how the disposition will work out.