Secure PDFs and Office Files in SharePoint

In this guide you’ll learn how to secure PDF and Microsoft Office files using the SharePoint user interface (UI). Examples of securing a document in SharePoint include disabling printing and restricting the ability to select or copy a document’s text.

In addition you can add user-specific watermarks to documents in real-time (the moment a file is downloaded or accessed). It’s important to note that all watermarks must be applied to a document before it is secured.

This feature lets you do the following:

  • Apply security to MS Word, MS Excel, MS PowerPoint and PDF Files.

  • Apply security after user specific watermarks have been applied.

  • Apply typical PDF Security including Open Password, Owner Password, Prevent Printing, Prevent Copy, Prevent Document assembly, etc.

  • Allow filters to be specified and only apply security when a condition is met, e.g. a Status field is set to Approved, or the user that is accessing the document is in a specific group.

  • Apply security to files in Document Libraries as well as files attached to individual list items.

  • Works on MS SharePoint 2007 and all later versions.

Automatically Securing documents using the MS SharePoint User Interface

Let’s work through an example to show how easy it is to set this up.

  1. By default the Secure / Watermark on open facility is disabled so use SharePoint Central Administration to enable the Muhimbi Document Converter - Automatic Document Processor Feature at the relevant Web Application.

Note: This is a Web Application Scoped Feature, not a Farm or Site Collection scoped one. You also need to enable the Muhimbi Document Converter - Automatic Document Processing User Interface Feature at either the Web Application level (to enable the screen on all Site Collections) or at the individual Site Collection level.

  2. Once enabled, a new menu named Security settings can be found in the Site Actions / Site Settings screen as well as the List Settings screen on each individual List and Document Library. Default security settings can optionally be specified at the Site Collection level, which can then be inherited at the individual List or Library Level, which is displayed in the following screen.
    secure documents

  3. There are also options to enable security during Insert and Update events. However, the focus of this example is to Secure On Open. In this screenshot we have specified both an Open and an Owner Password. The Owner Password must be set when any of the PDF Security Options are selected; the Open Password is optional.

    insert and update events

  4. You can also specify a filter to only secure documents when the person opening the file is in a specific SharePoint group.

    Note: You can only use MS SharePoint group names and not Windows group names.

  5. When a PDF or MS Office file is opened from the Document Library, and the user opening it is a member of the specific group in the filter, then security will be applied automatically to the file without modifying the original in the List or Document Library.

  6. Please note that securing files this way is a real-time action and adds some overhead. If there is no need to apply security in combination with user specific watermarks, or based on a user specific filter, then we recommend applying security using MS SharePoint Designer Workflow or Nintex Workflow the moment a file is created or modified.

Securing Different File Formats

Document Converter allows various file formats to be secured, and each file type has its own strengths and weaknesses. For example, the PDF standard allows a range of individual restrictions to be applied to a PDF File, whereas MS Office documents have a much simpler security model.

All supported file formats have the following in common:

  • Open Password: By specifying an optional open password, users need to provide the password in order to see the contents of the document. Once opened, the file can be edited unless an owner password is specified as well.

  • Owner Password: When the optional owner password is specified, users can open the file without needing to know the password, but they cannot make changes to the document unless they have access to the owner password.
    Note: In order to apply restrictions to PDF files (disable print etc), an owner password must be specified and that owner password must be different from the open password.

The main differences between the various file types, in the context of applying security, can be found below:

  • PDF: The PDF standard supports additional security features such as restrict printing, restrict content copying, etc. These restrictions are not supported by the various MS Office file formats.
    Note: In order to apply restrictions to PDF files, an owner password must be specified and that owner password must be different from the open password.

  • MS Word: MS Word document format supports the standard open and owner passwords described above. If the source document is already encrypted by means of an open password, then it is not possible to change the open or owner password.

  • MS Excel: MS Excel supports the standard open and owner passwords described above. If the source document is already encrypted by means of an open password then it is not possible to change the open or owner password.

  • MS PowerPoint: MS PowerPoint supports the standard open and owner passwords described above. If the source document is already encrypted by means of an open password, then it is not possible to change the open or owner password. In addition, if the source presentation is already secured using an owner password (read-only) then it is not possible to add an open password or update the owner password.

In this guide you’ll learn how to secure PDF and Microsoft Office files using a SharePoint Designer Workflow. You can use the SharePoint Designer Workflow Activity to automatically add security settings to documents, including password protection, disabling printing and preventing text copying. This guide can be used in SharePoint Online or On-premises deployments.

Key security features:

  • Apply security to MS Word, MS Excel, MS PowerPoint and PDF Files.

  • Apply security after user specific watermarks have been applied.

  • Apply typical PDF Security including Open Password and Owner Password.

  • Prevent Printing, Prevent Text Copy, Prevent Document assembly.

This section covers an example of how to create an MS SharePoint Designer Workflow to automatically apply security settings to any new or modified PDF files in a Document Library. In this example, we use MS SharePoint Designer 2010, but it works just as well in MS SharePoint Designer 2007.

Secure Document Workflow Activity

The following are the options provided by the Secure Document workflow activity:

secure document workflow

In typical Muhimbi fashion, the workflow sentence is consistent with our other Workflow Activities, and is largely self-describing.

  1. this document: The document to apply the security settings to. For most workflows selecting Current Item will suffice, but some custom scenarios may require the lookup of a different item. You may also want to check that the file type of the document is ‘pdf’ before trying to apply security.

  2. this file: The name and location of the secured file. Leave this field empty to overwrite the source file with the secured copy. Enter a path, including the Document Library and any folder names, to write the secured file to a separate location. E.g. “shared documents/secured files/confidential.pdf”. You can even specify a different site collection.

  3. open password: When specified, anyone who wants to open the PDF file will need to enter this password.

  4. owner password: When specified, anyone who wants to change the security settings on the PDF file will need to enter this password.

  5. disable options: One or more restrictions to apply to the PDF file, separated by a pipe ‘|’ character. By default it applies all restrictions (Print|HighResolutionPrint|ContentCopy|Annotations|FormFields|ContentAccessibility|DocumentAssembly), but any combination is allowed. Enter the word Nothing to not apply any restrictions.

    Note: In order to activate these settings you must supply an owner password.

  6. List ID: The ID of the list the secured file was written to. This can later be used in the workflow to perform additional tasks on the file such as a check-in or out.

  7. Item ID: The ID of the secured file. Can be used with the List ID.

item ID
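
To audit that a file written by this activity carries the restrictions requested in disable options, the permission integer (/P) in the PDF's encryption dictionary can be decoded. This is an added example, not Muhimbi code: the mapping of the option names to the PDF standard's permission bits is an assumption, the byte scan is a heuristic, and the sample bytes are constructed.

```python
import re

# Assumed mapping of the activity's option names to the permission bits of the
# PDF standard security handler (ISO 32000-1, Table 22; bit 1 = lowest bit).
# A bit that is CLEAR in /P means the operation is restricted.
OPTION_BITS = {
    "Print": 3, "ContentCopy": 5, "Annotations": 6, "FormFields": 9,
    "ContentAccessibility": 10, "DocumentAssembly": 11, "HighResolutionPrint": 12,
}

def parse_disable_options(value):
    """Parse the pipe-separated 'disable options' string into a set of names."""
    if value.strip() == "Nothing":
        return set()
    names = {part.strip() for part in value.split("|") if part.strip()}
    unknown = names - set(OPTION_BITS)
    if unknown:
        raise ValueError(f"unknown restriction(s): {sorted(unknown)}")
    return names

def restricted_options(p_value):
    """Return the option names whose permission bit is clear in /P."""
    p = p_value & 0xFFFFFFFF  # /P is a signed 32-bit integer in the file
    return {name for name, bit in OPTION_BITS.items() if not p & (1 << (bit - 1))}

def find_permissions(pdf_bytes):
    """Heuristic: read /P from the object that names the /Standard handler.

    Returns None when no standard encryption dictionary is present.
    """
    idx = pdf_bytes.find(b"/Standard")
    if idx == -1:
        return None
    start = max(pdf_bytes.rfind(b" obj", 0, idx),
                pdf_bytes.rfind(b"trailer", 0, idx), 0)
    end = pdf_bytes.find(b"endobj", idx)
    window = pdf_bytes[start:end if end != -1 else len(pdf_bytes)]
    match = re.search(rb"/P\s+(-?\d+)", window)
    return int(match.group(1)) if match else None

def missing_restrictions(pdf_bytes, disable_options):
    """Restrictions that were requested but are not set in the file."""
    expected = parse_disable_options(disable_options)
    p_value = find_permissions(pdf_bytes)
    if p_value is None:  # not encrypted: no restriction is in force
        return expected
    return expected - restricted_options(p_value)

# Constructed fragment of an encrypted PDF (not a complete, openable file).
SAMPLE = (b"%PDF-1.6\n7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 "
          b"/P -3896 /O <00> /U <00> >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n")

if __name__ == "__main__":
    print(sorted(restricted_options(find_permissions(SAMPLE))))
    weaker = SAMPLE.replace(b"-3896", b"-24")
    print(missing_restrictions(weaker, "Print|DocumentAssembly"))
```
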

Prerequisites

Before starting, please ensure the following prerequisites are met.

  1. Download and install the Muhimbi Document Converter for SharePoint.

  2. Make sure you have the appropriate privileges to create workflows on a site collection.

Building the Workflow

You can create the workflow as follows:

  1. Create a new workflow using MS SharePoint Designer.

  2. Associate the workflow with the library of your choice, and tick the boxes next to both ‘Automatically start….’ options and proceed to the next screen.

  3. Because we are running the workflow when PDF files are created as well as modified, a new Yes/No column named Secured will need to be added to the document library using a default value of No. This way we can mark a document as secured and stop the workflows from recursively triggering. Alternatively, if the files are secured in place, you can decide to just trigger the workflow when new files are added.

  4. Design the workflow as per the following screen. In summary it does the following:

    1. Check if the file(s) is / are in PDF format. Otherwise security cannot be applied.

    2. Check if the file(s) has / have already been secured. If it has, then it doesn’t need to be secured again.

    3. The PDF File is secured in place. Both Open and Owner passwords are applied and all restrictions are set.

    4. The file is marked as Secured so the workflow doesn’t repeatedly run.

    5. A status message is written to the workflow history, to record the status of each file.
      design workflow

  5. Publish the workflow and create / convert / upload a new PDF file in the Document Library. After a few seconds the workflow column will change to Completed, indicating that the file has been secured successfully.

Information

We recently released the Muhimbi Document Converter Xtension for Nintex Automation Cloud. You can download it here or learn more about available Muhimbi deployments for Nintex on our product page.

In this guide you’ll learn how to secure PDF files using Nintex Workflows. You can enable workflows to automatically add security settings to your documents such as adding password protection, disabling printing and preventing text copying.

This article covers how you can secure documents using Nintex Workflows, both Nintex Workflows and Nintex Workflow for O365.

Using Nintex Workflows for O365 for Securing Documents

Prerequisites

Before you begin, please make sure the following prerequisites are in place:

Please note that this article is for the MS SharePoint Online version of Nintex Workflow for O365.

Building the Workflow

It is strongly recommended to follow the tutorial below, but the workflow is available for download as well. Import it in Nintex Workflow for Office 365, SET THE API KEY, publish it and you are ready to go.

  1. Navigate to a site collection and document library of your choice. You can choose the option to create a new Nintex Workflow. In this example, we use the standard Document Library that is available on most site collections.

  2. Create the following workflow variables as we need them later:

  • JSON (Text): Contains the JSON (JavaScript Object Notation) command that will be sent to the conversion service.

  • API_KEY (Text): A unique ID that will be used to look up your Muhimbi subscription details.

  • ResponseText (Text): The status message returned by the Conversion Service.

  • ResponseCode (Integer): The status code returned by the Conversion Service.

  3. You can then insert a Set Workflow Status action, edit it and set it to ‘Started’. As MS SharePoint Online does not show a separate status, adding this action will show us that the workflow has actually been triggered, and it will also give us something to click on to inspect the current status of the workflow.

  4. You can then add a Build String action and set the Output to the JSON workflow variable. In the String field enter the following:

    [
      "sharepoint_file":
      [
        "site_url":"{Workflow Context:Current site URL}",
        "source_file_url":"{Current Item:Server Relative URL}",
        "destination_file_url":"{Current Item:Server Relative URL}.pdf"
      ],
      "output_format":"PDF",
      "fail_on_error":true
    ]

You need to pay attention to the following:

JSON Notation: Please note that we have replaced the curly braces - { } - with square brackets [ ] due to a bug in Nintex Workflow for Office 365. If you have any concerns using square brackets (as they are also used for Array types), you can replace them with anything else, as we will fix this in a follow-up step.

Copy & Paste: When copying and pasting the JSON code, ensure you paste it in Notepad (and copy back) to strip out non-standard characters and formatting being copied.

References: The pieces of text displayed in red are Nintex Workflow references. After copying and pasting the code fragment, you need to replace each Nintex reference using the Advanced Lookup facility located below the field.

Output file name: In this basic example, we just add ‘.pdf’ to the end of the output path and file name. This is not particularly pretty, but in order to keep things simple we are not including the Nintex Workflow actions to strip off the old extension and add the new one. You can use whatever you like here as long as it is a valid output path and file name.

  5. Because we used square brackets in the JSON in an earlier step, we now need to replace them with curly braces again. You can do this by using the Replace Substring in String action and configuring it as follows:

  • Search String: Enter the opening square bracket [.

  • Replace String: Enter the opening curly brace {.

  • String: Insert a reference to the workflow variable named JSON.

  • Output: Pick the JSON workflow variable to store the results in.

Click the Save button.

  6. You can now copy the workflow action using the action’s menu and paste it as the next action. In the newly pasted workflow action, change the Search String from the opening bracket ‘[’ to the closing bracket ‘]’.

Do the same for the curly brace: change the Replace String from ‘{’ to ‘}’, and click the Save button to save the action. You now have valid JSON that you can send to the Conversion Service.

  7. As the next step, we need to set the API_KEY. Insert a Set Workflow Variable action and configure it to set the API_KEY workflow variable to the API Key you received by email when signing up for the Muhimbi Document Converter Services Online, e.g.:

decafbad-baad-baad-baad-decafbaaaaad

Do not try to use this particular key, as it will not work. Ensure you do not put curly braces around the key. Click the Save button to save the action.

  8. Next, insert a Web Request action and configure it as follows:

URL: https://api.muhimbi.com/v1/operations/secure_document

Method: POST

Content type: application/json

Add header: Click Add header, specify API_KEY as the Header name and insert a reference to the API_KEY workflow variable for the Header value.

Body: Select the Content option, add a reference to the JSON workflow variable in the Data field.

Store response content in: ResponseText.

Click the Save button to save the action.

  9. Finally, insert another Set Workflow Status action and configure it with the text ‘Completed’. This should indicate when the workflow instance has completed its run. Your workflow should look something like the following:
    Nintex-O365-ConvertBasic-Part1
    Nintex-O365-ConvertBasic-Part2

  10. Save and Publish the workflow by giving it a suitable name and set the Start Options to a value of your choice.

  11. Once published, open the document library the workflow is associated with. Upload a PDF document which is not secured and manually start the workflow. After a few seconds, the PDF file will be updated. You can see this when you refresh the screen. The PDF file is now secured.
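
The Build String, Replace Substring in String and Web Request steps above, reproduced outside Nintex as an added example (not Muhimbi or Nintex code). It shows that the blanket bracket replacement also rewrites square brackets inside a value, and checks the body before a request is built. The site URL and file paths are constructed samples, and the request is built but never sent.

```python
import json
import urllib.request

SECURE_URL = "https://api.muhimbi.com/v1/operations/secure_document"

# The Build String text from the guide, with [ ] standing in for { }.
TEMPLATE = ('["sharepoint_file":["site_url":"{site}",'
            '"source_file_url":"{src}","destination_file_url":"{src}.pdf"],'
            '"output_format":"PDF","fail_on_error":true]')

def build_body(site_url, source_url):
    """Mimic Build String plus the two Replace Substring in String actions."""
    text = TEMPLATE.format(site=site_url, src=source_url)
    # Every bracket is replaced, including any that arrived inside a value.
    return text.replace("[", "{").replace("]", "}")

def check_body(body, site_url, source_url):
    """Return a list of problems; an empty list means the body is intact."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    file_part = parsed.get("sharepoint_file")
    if not isinstance(file_part, dict):
        return ["sharepoint_file is missing or not an object"]
    expected = {
        "site_url": site_url,
        "source_file_url": source_url,
        "destination_file_url": source_url + ".pdf",
    }
    return [f"{key} was altered to {file_part.get(key)!r}"
            for key, value in expected.items() if file_part.get(key) != value]

def build_request(body, api_key):
    """Build (but do not send) the POST that the Web Request action issues."""
    return urllib.request.Request(
        SECURE_URL,
        data=body.encode("utf-8"),
        method="POST",
        headers={"API_KEY": api_key, "Content-Type": "application/json"},
    )

# Constructed sample values, not taken from a real tenant.
SITE = "https://contoso.example/sites/hr"
GOOD = "/sites/hr/Shared Documents/plan.pdf"
BRACKETS = "/sites/hr/Shared Documents/report[1].pdf"

if __name__ == "__main__":
    print(check_body(build_body(SITE, GOOD), SITE, GOOD))
    print(check_body(build_body(SITE, BRACKETS), SITE, BRACKETS))
```
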

Troubleshooting

Although Nintex Workflow for Office 365 and the Muhimbi Document Converter work very well together, the workflow has a lot of moving parts, such as custom generated JSON, customer-specific API keys and paths to the document libraries, so you may encounter some issues when deploying it. Some common issues and troubleshooting tips are provided below for your reference:

  • Check prerequisites: Double-check that the prerequisites listed in the beginning of this section are in place.

  • Log to History List: If it is not clear what is going wrong, log critical parts such as the JSON workflow variable (after the replace operation) as well as the ResponseText workflow variable (after the web request) using the Log To History List workflow action. You can see the contents of this list by clicking on the Workflow Status column for the List Item the workflow is running on.

  • Send email: The amount of text that can be logged to the History List is limited (roughly 250 characters). For larger messages, use the Send an Email action instead to send an email with debug content in the body of the email to yourself.

  • Copy & Paste: When copying the JSON fragment into your workflow, paste it into Notepad first to clean it, and then copy it from Notepad and paste it into your workflow. This is because browsers tend to insert hidden characters that are not filtered out by the Nintex Workflow editor.

  • Nintex References: Make sure that the Nintex Workflow references in the JSON provided are replaced by actual Nintex Workflow references. You can double-check if the references are active by logging the JSON workflow variable to the History List. You should see the actual paths and not {Current Item:Server Relative URL}.

  • Muhimbi Support: After double checking all prerequisites and going over all troubleshooting steps in this section, if you are still stuck, please contact our friendly support desk, who are here to help.

Fine-tuning

The workflow created in the previous section was to give a quick idea of how to use the Converter. However, it would benefit from error handling and a solution for a possible recursion problem where the workflow will be triggered for PDF files that it has created by itself.

We have created a version of the workflow that is more production ready. Full details are beyond the scope of this article. You can download the full workflow here and customize it as per your requirements.

After customization, you can import it into Nintex Workflow for Office 365, and set the API KEY, and then publish it for your use.

Other Operations

This section demonstrated how to invoke the Secure action on Muhimbi’s REST interface. Full examples are beyond the scope of this article, but you can find examples in the SharePoint section of our GitHub repository.

Using Nintex Workflows for Securing

The Muhimbi Document Converter for SharePoint On-Premise supports PDF Security.

Similar to all other Nintex Activities provided by Muhimbi, the Secure PDF activity integrates with Nintex Workflow at a deep level. It supports SharePoint 2007, 2010, 2013 & 2019, and allows errors to be handled and even supports integration with Nintex’ iterators to deal with multiple items and loops. For a comprehensive example and details about how to enable the Nintex Workflow integration see the blog post that discusses our generic Nintex PDF Conversion activity.


The fields supported by this Workflow Activity are as follows:

  • Destination Path: Enter the path to write the secured file to, either:

    • Leave it empty to use the same filename (and path) as the file that triggered the workflow.

    • A file name, without the full path, to write a differently named file to the same location as the source file.

    • A relative path to a subsite / document library / folder, e.g. Shared Documents/Some Folder/Some File.pdf.

    • An absolute path to a different site collection, e.g. /sites/Finance/Shared Documents/Some Folder/Some File.pdf. Please make sure the path does not include the host name, e.g. ‘http://your site/…’.

  • Open Password: An optional password that the user must enter in order to open the document.
    Note: Any password entered here is displayed in clear text to allow Nintex field references to be added.

  • Owner Password: An optional password that the user must enter in order to change the PDF restrictions. When specifying PDF Restrictions then this password must be set.
    Note: Any password entered here is displayed in clear text to allow Nintex field references to be added.

  • Individual PDF Restrictions: Select the individual restrictions such as Disable Printing or Disable Content Copying.

  • Output List ID: If you wish to carry out further actions on the secured document, e.g. send it by email or perform a check-in, then you can optionally write the ID of the List the file was written to in a workflow variable of type String.

  • Output List Item ID: Similarly to Output List ID, the Item ID of the secured file can optionally be written to a workflow variable of type Item ID (in SharePoint 2007) or Integer (in SharePoint 2010 and later versions).

  • Source List ID & List Item: The item that triggered the workflow is secured by default. You can optionally specify the ID of a different List and List Item using workflow variables. Please use the same data types as used by Output List ID and Output List Item ID.

  • Error Handling: Similar to the way some of Nintex’ own Workflow Activities allow errors to be captured and evaluated by subsequent actions, all of Muhimbi’s Workflow Activities allow the same. By default this facility is disabled meaning that any error terminates the workflow.
