Watermark & Secure ‘OnOpen’ in SharePoint Online - FAQ
Please find below an overview of common questions and answers related to the real-time ( OnOpen) watermarking and security facility that ships with the Muhimbi Document Converter for SharePoint Online. For details see this blog post.
Please note that this article does NOT apply to the on-premise version of this same facility.
Does the OnOpen facility work with List Item attachments as well?
Yes, this facility works with files stored in Document Libraries as well as files attached to List Items.
Is it possible to process non-PDF files?
Yes, we support applying watermarks and security, in real-time, to MS-Word, Excel, PowerPoint and PDF files. Please keep in mind that this works for ‘modern’ versions of the various file formats only (DOCX, XLSX, PPTX), legacy file formats (DOC, XLS, PPT) need to be converted to their modern equivalents first, which can be done using Muhimbi’s software as well.
For other file file formats, use our software to convert almost any file type to PDF using the SharePoint User Interface, Microsoft Flow, Azure Logic Apps, a REST API or SharePoint Designer workflows.
Does this work for both Modern and Classic Lists and Libraries?
SharePoint’s Modern Experience uses a completely different extension model than its Classic counterpart. As a result extra installation steps are needed to use this facility in Lists and Libraries that utilise the Modern View. For details see this Knowledge Base article.
Why is SharePoint behaving differently when this functionality is enabled?
In order to automatically apply watermarks and security settings when files are opened in SharePoint Online, we have had to disable a number of features that would allow users to access files without watermarks being applied. For example drag-and-drop, downloading of entire folders in one go, and various sharing options have been disabled.
This is by design, please inform users of site collections that utilise automatic watermarking that certain SharePoint features have been disabled.
Which web browsers are supported?
All web browsers supported by SharePoint Online can be used. Although at the time of writing it largely works, Internet Explorer is no longer supported by Microsoft when it comes to SharePoint Online, and is therefore not officially supported by Muhimbi either.
Does this work for external and guest users?
The real-time watermarking facility supports external users, but not guest users. Due to architectural limitations in SharePoint Online, it is essential that external users are added to a site group named ‘Muhimbi Document Converter - Automatic PDF Processing’. This group is automatically created when the App Feature named ‘Muhimbi Document Converter - Automatic PDF Processing’ is enabled.
Adding users to this group has been automated. Just navigate to Site Settings / Muhimbi Real-time settings, and click the Refresh security group button.
Please note that this process will need to be repeated whenever external users have been added to the site. Before a user can be added to this group, it is essential for that user to have accessed the site at least once. Please make sure this is made part of your business process when registering external users.
Take into account that some information is missing for these kinds of users e.g. {USER_NAME}, {LOGON_USER}. This is beyond our control as SharePoint does not store this information for external users. An overview of field codes can be found below.
When sharing files with external users, please keep the following in mind:
-
When sharing via the ‘Modern experience’, make sure you share to ‘Specific people’.
-
When sharing via the ‘Classic experience’, tick the ‘require sign-in’ box if this option has been enabled in the Sharing settings for the site collection.
Should I be concerned about users saving secured / watermarked files back to SharePoint
Yes!
Although this is not really the case for PDF Files, which tend to be used mainly for read-only purposes, MS-Word, Excel and PowerPoint files tend to be ‘living documents’ that are opened, edited and saved back to SharePoint all the time.
It is therefore important to put some serious thought in how your documents will be used. Imagine that automatic watermarking and security is applied every time an MS-Word file is opened. A user opens the document for editing purposes and then saves it back into SharePoint… INCLUDING THE NEW PASSWORD AND WATERMARK. From this point forward both the watermark and the password protection are permanent and can no longer be changed unless manually removed by someone with access to the appropriate password. It is for this reason that we recommend using either a filter to only apply real-time security in certain situations, or to only enable it on read-only documents or folders specifically created and maintained for sharing documents.
We are using this facility for security purposes, how secure is it?
Some of our customers use this facility as a lightweight DRM solution to prevent users from copying content, disable printing and add user details (IP, Name, Date, Time) as a watermark to each file that is opened. SharePoint Online is a very restricted platform and we have done everything possible to make sure files are processed when they are opened by end users.
Having said that, there are a number of scenarios for which we cannot intercept the file and process it for securing / watermarking:
-
There is a slight delay (fraction of a second) after a page is loaded, but before the OnOpen facility becomes available. Theoretically it is possible - under extreme circumstances - for extremely quick and knowledgeable users to click a file before it can be processed.
-
SharePoint’s ‘Send a copy’ facility can be used to send a file to a different location. Our software cannot intercept this facility.
-
Any files downloaded outside the browser, e.g programmatically via CSOM, are not processed by the OnOpen facility.
-
Files synced using software such as OneDrive bypass our software and will not apply watermarking in real-time.
-
Files shared using SharePoint Online’s ’ Share Link’ facility are not processed. However, content shared at a higher level (e.g. an entire site) IS processed.
From time to time Microsoft make changes to particularly the ‘Modern View’, which may impact the availability of Muhimbi’s Watermarking & Security facilities. Muhimbi is always on top of the latest changes and continuously test the software on the latest SharePoint Online ‘Targeted’ release. It is recommend that customers NEVER enable the latest targeted release as this may cause issues with third party software such as Muhimbi’s Real-time watermarking facility.
How does this count towards my subscription’s monthly operations?
Subscriptions for the Document Converter for SharePoint Online come with a fixed number of monthly operations, e.g. 1000 operations. Each operation (e.g. Conversion to PDF, Watermarking, Securing) is counted toward the monthly allotment regardless of the platform used to carry out the operation (Workflows, the SharePoint User Interface, OnOpen).
In other words, when the OnOpen facility is active on a List or Library, each file that is opened from it will be counted as 1 operation. If both Secure OnOpen and Watermark OnOpen is enabled on a List or Library then this is counted as only a single operation as behind the scenes these operations are combined.
If an end-user repeatedly opens the same file from a List or Library then each open action will count as 1 operation as the file is repeatedly processed to guarantee the latest information is included. If real time information is not required then we recommend applying security and watermarks using workflows, which is only counted once per file, which can then be opened repeatedly without reprocessing.
How does it deal with applying watermarks in different time zones?
A typical site collection can be accessed by users from all over the world. When applying a date or time as a watermark to a document, it will automatically take the time zone associated with the profile of the current user into account and adjust the time accordingly. If the user has no associated profile, or the profile’s time zone is set to the default ’ visible to me only’ setting then the Site Collection’s time zone will be used. For details about how to change the user profile settings see this Microsoft article.
What about formatting of dates and numbers?
Different regions use different formatting options for dates and numbers. For example in the USA people expect dates to be formatted in mm/dd/yyyy format while in most European countries the dd/mm/yyyy convention is used. Similarly some countries use a comma to delimit fractions while other countries use a period (’.’).
When applying this information as a watermark, the OnOpen facility takes the regional settings associated with the user’s profile. If this information is not specified in the profile then it will take the regional settings specified at the Site Collection level.For details about how to change the user profile settings see this Microsoft article.
Will this facility slow down access to the watermarked documents ?
As it is not possible to run any 3rd party software directly on your SharePoint Online system, Muhimbi hosts all functionality on a farm of servers in Windows Azure. When a request comes in to process a file a secure link is created to retrieve the associated file from your SharePoint environment, the file is then processed (watermarked, encrypted etc) before it is returned to the user who requested the file. There is some overhead associated with fetching the file from your SharePoint servers as well the actual processing.
Although there are cases where it may be faster or slower, you should expect files that are processed via the OnOpen facility to take twice as long as normal to open. Unless a file is particularly large, the difference is usually not noticeable.
A document will be opened by thousands of users in a short time, will this be a problem?
Depending on the size and complexity of the document, and the number of users that will be opening the document at the same time, you will need to take some precautions. There will be considerable bandwidth usage in your office, but also Muhimbi’s software will need to fetch files from your SharePoint servers over and over again, this is a slow process beyond our control.
Although we monitor and scale our data centres all the time, capacity is not infinity and very high peak loads may cause slowdowns.
Our advice is to prepare, test well, and to stagger any messages to your users to all go out and open a file at roughly the same time.
Does this also work when opening ‘historical’ files?
Yes, the OnOpen facility also processes files that are opened from SharePoint’s file history facility. One thing to take into account is that any item specific meta-data that may have been specified for inclusion in the watermark will be taken of the most recent version of the item as SharePoint does not support programmatic access to historical meta-data.
What happens when there is an error?
Although for certain scenarios it doesn’t really matter if a watermark operation fails, e.g displaying ’ DRAFT’ in the background, quite a few of our customers use the OnOpen facility for security purposes. Depending on your scenario you may want to change how your deal with errors.
This can be configured using the Muhimbi Real-time settings under Site Settings. For dealing with errors the options are as follows:
-
Show the original, unprocessed, document: For situations where watermarking or applying security is a nice-to-have, but no show-stopper, you may want to choose this option, which - in case of an error - will return the original document as if the OnOpen facility is not active at all.
-
Block access to the original document: This option, which is the default, can be used to either send the processed document to the end user - when there are no errors - or completely block access to the document if for some reason it cannot be processed. This is generally used in situations where the document MUST be processed before it is sent out, no exceptions.
Situations that may cause an error (and trigger the above mentioned scenarios) can be caused by files that are already secured / encrypted or files that are corrupt / have syntax errors.
What happens when the subscription runs out of monthly operations?
A typical subscription for the Muhimbi Document Converter for SharePoint Online comes with a fixed number of monthly operations. Each time the OnOpen facility is invoked this counts toward this monthly allotment. If the number of operations for a month have run out then the OnOpen facility can no longer be used. However, it is still possible to control what happens to documents requested from a List or Library that has OnOpen enabled.
The options are the same as for when an error occurs, see previous question, and can be configured using the Muhimbi Real-time settings under Site Settings.
-
Show the original, unprocessed, document: For situations where watermarking or applying security is a nice-to-have, but no show-stopper, you may want to choose this option, which - in case operations run out - will return the original document as if the OnOpen facility is not active at all.
-
Block access to the original document: This option, which is the default, can be used to either send the processed document to the end user - when there are sufficient operations left - or completely block access to the document if the subscription has run out of monthly operations. This is generally used in situations where the document MUST be processed before it is sent out, no exceptions.
How can I include user specific information as well as meta-data in a watermark?
One of the main reasons for using the real-time OnOpen facility is to make sure that the most recent information is included in a watermark. This can range from typical meta-data such as Last Modified, Title and Author to custom fields as well as time based and user specific information.
The way this information can be included is via so called macros. Macros are small parts of text enclosed by braces { and }. An overview of the supported options can be found below:
Field Name****Description{LONG_DATE}The long representation of the current date, e.g. 18 April 2011.{LONG_TIME}The long representation of the current time, e.g. 12:35:48.{DATE}The short representation of the current date, e.g. 7/03/2011.{TIME}The short representation of the current time, e.g. 12:35.{PAGE}The number of the current page in the PDF file. This value is automatically updated for every page. This field is only supported by PDF files.{NUMPAGES}The total number of pages in the PDF file. This field is only supported by PDF files.Any column name
Any SharePoint column / field defined on the list such as {Title}, {Author}. Please use (case sensitive) internal field names. See this list of internal field names.
{HTTP_HOST}Returns the name of the Web server. This may or may not be the same as SERVER_NAME depending on type of name resolution you are using on your Web server (IP address, host header).{HTTP_REFERER}
Returns a string that contains the URL of the page that referred the request to the current page using an HTML tag. Note that the URL is the one that the user typed into the browser address bar, which may not include the name of a default document.
{HTTP_URL}Returns the raw, encoded URL, for example, “/vdir/default.asp?querystring”.{HTTP_USER_AGENT}Returns a string describing the browser that sent the request.{LOGON_USER}The Windows account that the user is impersonating while connected to your Web server. Use REMOTE_USER to view the raw user name that is contained in the request header.{REMOTE_ADDR}The IP address of the remote host (identifying the user) that is making the request.{REMOTE_HOST}
The name of the host that is making the request. If the server does not have this information, it will set REMOTE_ADDR and leave this empty.
{REMOTE_USER}The name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name.{SERVER_NAME}The server’s host name, DNS alias, or IP address as it would appear in self-referencing URLs.{URL}Gives the base portion of the URL, without any querystring or extra path information, for example, “/vdir/default.asp”.{USER_NAME}The user’s name, if available.{USER_EMAIL}The user’s email, if available.{UserProfile.Internal
NameOfProperty}Providing the Add-in is elevated centrally, and the visibility of the user profile property is set to ‘everyone’, profile specific information can be included in watermarks. For an overview of available property names, see this blog post.
Where can I find more details about the Free Form watermark type?
Most watermarks are simple, some text in the background showing the status of a document or a number of different fields in the header or footer to display meta-data. However, the Muhimbi Document Converter comes with an extremely flexible watermarking engine that supports images, standard text, RTF text, lines, circles, QR codes etc.
Any of these watermarks types, or any combination of these types, can be applied in a single operation. This speeds up watermarking, but also keeps your cost down as Free Form watermarks are counted as only a single operation.
Very useful, however the price to pay for this flexibility is complexity. Free Form watermarks are defined using our XML syntax, which - although relatively easy for power users - may be intimidating for regular users. For details about this XML syntax see this blog post.
Is there anything I need to be aware of before watermarking Office file formats?
Different file formats all have their own peculiarities so it is important to be aware of the limitations and potential issues that may arise.
PDF is the ideal format when it comes to watermarking as anything is possible. You can place content anywhere on a page with pixel perfect precision, and each individual page can be targeted exactly. Unfortunately, that is not the case for all file formats, particularly MS-Word, which describes text and formatting in the docx file, but it is up to the editor - in this case MS-Word - to render that information to the screen or ‘paper’.
-
Layering / z-order: This is true for PDF as well, but make sure you don’t hide your watermarks BEHIND your document’s content. For example placing your watermark in the background of a non-transparent document such as a scan, will hide the watermark. Note that for Excel and MS-Word, watermarks are ALWAYS located behind the document’s main content.
-
Targeting individual pages: PDF and PowerPoint files allow individual pages to be targeted (and counted), for example only add the watermark on the 3rd or last page. Unfortunately this is not possible with MS-Word and Excel. In MS-Word watermarks are applied to an entire section, it is not possible to target a watermark to a specific page unless that page has its own section. In Excel it is not possible to target individual pages either, all pages in a worksheet automatically get the same watermark. It is possible to apply different watermarks to different sheets in the workbook though. If configured accordingly in Excel and Word, the first page can have a different watermark compared to other pages.
-
Mandatory MS-Word Headers: Watermarks are added in MS-Word via page headers, that is just the way that file format works internally. When applying watermarks to Word files it is therefore essential that the headers have not been removed from sections. Our software cannot add watermarks to sections without headers.
-
RTF Watermarks in PowerPoint: We support many watermark types including one that allows rich text to be inserted via RTF. Unfortunately RTF is ignored in PowerPoint, it only displays the textual content embedded in the RTF without formatting.
-
Excel watermarks require one free header / footer slot without image: In Excel, watermarks are added via headers and footers. Excel has 6 slots, 3 in the header and 3 in the footer. Muhimbi’s software requires at least 1 slot to have no image present or it will not be able to apply the watermark.