Watermark & Secure 'OnOpen' in SharePoint Online - FAQ

Please find below an overview of common questions and answers related to the real-time (OnOpen) watermarking and security facility that ships with the Muhimbi PDF Converter for SharePoint Online. For details see this blog post.

Please note that this article does NOT apply to the on-premise version of this same facility.

 

Does the OnOpen facility work with List Item attachments as well?

Yes, this facility works with PDF files stored in Document Libraries as well as files attached to List Items.

 

Is it possible to process non-PDF files?

No, currently we only support PDF files. However, you can use our software to convert almost any file type to PDF using the SharePoint User Interface or via workflows.

 

We are using this facility for security purposes, how secure is it?

Some of our customers use this facility as a lightweight DRM solution to prevent users from copying content, disable printing and add user details (IP, Name, Date, Time) as a watermark to each file that is opened. SharePoint Online is a very restricted platform and we have done everything possible to make sure files are processed when they are opened by end users.

Having said that, there are a number of scenarios for which we cannot intercept the file and process it for securing / watermarking:

  1. There is a slight delay (fraction of a second) after a page is loaded, but before the OnOpen facility becomes available. Theoretically it is possible - under extreme circumstances - for extremely quick and knowledgeable users to click a file before it can be processed.
  2. SharePoint's 'Send a copy' facility can be used to send a file to a different location. Our software cannot intercept this facility.
  3. Any files downloaded outside the browser, e.g. programmatically via CSOM, are not processed by the OnOpen facility.
  4. Files shared using SharePoint Online's 'Share Link' facility are not processed. However, content shared at a higher level (e.g. an entire site) IS processed.
  5. The 'New Style SharePoint Document Libraries' allow very little to no third party integration. At the time of writing we have workarounds available that can be used on tenants with the SharePoint Framework (SPFx) enabled. Contact us for details. If this is not an option for your organisation, and watermarking is important, then please revert to the Classic View for the relevant lists.
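
Because these paths bypass OnOpen, it is worth monitoring for them. The following is an added example, not Muhimbi's code: it scans Microsoft 365 unified audit log records (exported one JSON object per line) for copies, share links and non-browser downloads of PDFs in a protected library. The library URL, the mapping of audit operations to the gaps above and the user-agent heuristic are assumptions.

```python
import json

# Assumption: hypothetical library whose PDFs should only be opened through OnOpen.
LIBRARY = "https://contoso.sharepoint.com/sites/legal/Contracts/"
# Assumption: audit operations standing in for gaps 2, 4 and 3 in the list above.
COPY_OPS = {"FileCopied"}
SHARE_OPS = {"AnonymousLinkCreated", "CompanyLinkCreated", "SecureLinkCreated"}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def classify(rec):
    """Return which gap an audit record matches, or None when it is out of scope."""
    url = str(rec.get("ObjectId", "")).lower()
    if not (url.startswith(LIBRARY.lower()) and url.endswith(".pdf")):
        return None
    op = rec.get("Operation", "")
    if op in COPY_OPS:
        return "copied-elsewhere"
    if op in SHARE_OPS:
        return "share-link-created"
    if op in DOWNLOAD_OPS:
        # Heuristic only: browsers send a Mozilla/ agent, but the header is client-controlled.
        agent = rec.get("UserAgent") or ""
        if op == "FileSyncDownloadedFull" or not agent.startswith("Mozilla/"):
            return "non-browser-download"
    return None

def find_bypasses(lines):
    """Scan JSON-lines audit records, skipping blank or unparseable lines."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except (json.JSONDecodeError, TypeError):
            continue
        reason = classify(rec) if isinstance(rec, dict) else None
        if reason:
            hits.append((rec.get("UserId"), reason, rec["ObjectId"]))
    return hits

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
def _rec(op, name, agent=BROWSER):
    return json.dumps({"Operation": op, "ObjectId": LIBRARY + name,
                       "UserAgent": agent, "UserId": "a.user@contoso.com"})

# Constructed sample records, not real audit data.
SAMPLE = [_rec("FileAccessed", "nda.pdf"),
          _rec("FileDownloaded", "nda.pdf", agent="NONISV|Contoso|ExportTool/1.0"),
          _rec("FileCopied", "nda.pdf"), _rec("SecureLinkCreated", "msa.pdf"),
          _rec("FileDownloaded", "notes.docx", agent=""), "not json"]
```

Calling `find_bypasses(SAMPLE)` returns three hits; the browser `FileAccessed` record, the non-PDF download and the unparseable line are ignored.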

 

How does this count towards my subscription's monthly operations?

Subscriptions for the PDF Converter for SharePoint Online come with a fixed number of monthly operations, e.g. 1000 operations. Each operation (e.g. Conversion to PDF, Watermarking, Securing) is counted toward the monthly allotment regardless of the platform used to carry out the operation (Workflows, the SharePoint User Interface, OnOpen).

In other words, when the OnOpen facility is active on a List or Library, each PDF file that is opened from it will be counted as 1 operation. If both Secure OnOpen and Watermark OnOpen are enabled on a List or Library then this is counted as only a single operation, as behind the scenes these operations are combined.

If an end-user repeatedly opens the same PDF file from a List or Library then each open action will count as 1 operation, as the file is repeatedly processed to guarantee the latest information is included. If real time information is not required then we recommend applying security and watermarks using workflows. This is only counted once per file, and the file can then be opened repeatedly without reprocessing.

  

How does it deal with applying watermarks in different time zones?

A typical site collection can be accessed by users from all over the world. When applying a date or time as a watermark to a document, it will automatically take the time zone associated with the profile of the current user into account and adjust the time accordingly. If the user has no associated profile, or the profile's time zone is set to the default 'visible to me only' setting then the Site Collection's time zone will be used. For details about how to change the user profile settings see this Microsoft article.

 

What about formatting of dates and numbers?

Different regions use different formatting options for dates and numbers. For example in the USA people expect dates to be formatted in mm/dd/yyyy format while in most European countries the dd/mm/yyyy convention is used. Similarly some countries use a comma to delimit fractions while other countries use a period ('.').

When applying this information as a watermark, the OnOpen facility takes the regional settings associated with the user's profile. If this information is not specified in the profile then it will take the regional settings specified at the Site Collection level. For details about how to change the user profile settings see this Microsoft article.

 

Will this facility slow down access to the PDF files?

As it is not possible to run any 3rd party software directly on your SharePoint Online system, Muhimbi hosts all functionality on a farm of servers in Windows Azure. When a request comes in to process a file, a secure link is created to retrieve the associated file from your SharePoint environment. The file is then processed (watermarked, encrypted etc.) before it is returned to the user who requested the file. There is some overhead associated with fetching the file from your SharePoint servers as well as the actual processing.

Although there are cases where it may be faster or slower, you should expect PDF files that are processed via the OnOpen facility to take twice as long as normal to open. Unless a file is particularly large, the difference is usually not noticeable.

 

Does this also work when opening 'historical' files?

Yes, the OnOpen facility also processes files that are opened from SharePoint's file history facility. One thing to take into account is that any item specific meta-data that may have been specified for inclusion in the watermark will be taken from the most recent version of the item, as SharePoint does not support programmatic access to historical meta-data.

 

What happens when there is an error?

Although for certain scenarios it doesn't really matter if a watermark operation fails, e.g. displaying 'DRAFT' in the background, quite a few of our customers use the OnOpen facility for security purposes. Depending on your scenario you may want to change how you deal with errors.

This can be configured using the PDF real-time settings under Site Settings. For dealing with errors the options are as follows:

  1. Show the original, unprocessed, document: For situations where watermarking or PDF security is a nice-to-have, but no show-stopper, you may want to choose this option, which - in case of an error - will return the original document as if the OnOpen facility is not active at all.
  2. Block access to the original document: This option, which is the default, can be used to either send the processed document to the end user - when there are no errors - or completely block access to the document if for some reason it cannot be processed. This is generally used in situations where the document MUST be processed before it is sent out, no exceptions.

Errors (which trigger the above-mentioned options) can be caused by PDF files that are already secured / encrypted or PDF files that are corrupt / have syntax errors.

 

What happens when the subscription runs out of monthly operations?

A typical subscription for the Muhimbi PDF Converter for SharePoint Online comes with a fixed number of monthly operations. Each time the OnOpen facility is invoked this counts toward this monthly allotment. If the number of operations for a month has run out then the OnOpen facility can no longer be used. However, it is still possible to control what happens to documents requested from a List or Library that has OnOpen enabled.

The options are the same as for when an error occurs, see previous question, and can be configured using the PDF real-time settings under Site Settings. 

  1. Show the original, unprocessed, document: For situations where watermarking or PDF security is a nice-to-have, but no show-stopper, you may want to choose this option, which - in case operations run out - will return the original document as if the OnOpen facility is not active at all.
  2. Block access to the original document: This option, which is the default, can be used to either send the processed document to the end user - when there are sufficient operations left - or completely block access to the document if the subscription has run out of monthly operations. This is generally used in situations where the document MUST be processed before it is sent out, no exceptions.

 

How can I include user specific information as well as meta-data in a watermark?

One of the main reasons for using the real-time OnOpen facility is to make sure that the most recent information is included in a watermark. This can range from typical meta-data such as Last Modified, Title and Author to custom fields as well as time based and user specific information.

This information can be included via so-called macros. Macros are small parts of text enclosed by braces { and }. An overview of the supported options can be found below:

| Field Name | Description |
|---|---|
| {LONG_DATE} | The long representation of the current date, e.g. 18 April 2011. |
| {LONG_TIME} | The long representation of the current time, e.g. 12:35:48. |
| {DATE} | The short representation of the current date, e.g. 7/03/2011. |
| {TIME} | The short representation of the current time, e.g. 12:35. |
| {PAGE} | The number of the current page in the PDF file. This value is automatically updated for every page. |
| {NUMPAGES} | The total number of pages in the PDF file. |
| Any column name | Any SharePoint column / field defined on the list such as {Title}, {Author}. Please use (case sensitive) internal field names. See this list of internal field names. |
| {HTTP_HOST} | Returns the name of the Web server. This may or may not be the same as SERVER_NAME depending on type of name resolution you are using on your Web server (IP address, host header). |
| {HTTP_REFERER} | Returns a string that contains the URL of the page that referred the request to the current page using an HTML <A> tag. Note that the URL is the one that the user typed into the browser address bar, which may not include the name of a default document. |
| {HTTP_URL} | Returns the raw, encoded URL, for example, "/vdir/default.asp?querystring". |
| {HTTP_USER_AGENT} | Returns a string describing the browser that sent the request. |
| {LOGON_USER} | The Windows account that the user is impersonating while connected to your Web server. Use REMOTE_USER to view the raw user name that is contained in the request header. |
| {REMOTE_ADDR} | The IP address of the remote host (identifying the user) that is making the request. |
| {REMOTE_HOST} | The name of the host that is making the request. If the server does not have this information, it will set REMOTE_ADDR and leave this empty. |
| {REMOTE_USER} | The name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name. |
| {SERVER_NAME} | The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs. |
| {URL} | Gives the base portion of the URL, without any querystring or extra path information, for example, "/vdir/default.asp". |
| {USER_NAME} | The user’s name, if available. |
| {USER_EMAIL} | The user’s email, if available. |

 

Where can I find more details about the Free Form watermark type?

Most watermarks are simple, some text in the background showing the status of a document or a number of different fields in the header or footer to display meta-data. However, the Muhimbi PDF Converter comes with an extremely flexible watermarking engine that supports images, standard text, RTF text, lines, circles, QR codes etc.

Any of these watermark types, or any combination of these types, can be applied in a single operation. This speeds up watermarking, but also keeps your cost down as Free Form watermarks are counted as only a single operation.

Very useful, however the price to pay for this flexibility is complexity. Free Form watermarks are defined using our XML syntax, which - although relatively easy for power users - may be intimidating for regular users. For details about this XML syntax see this blog post.

 
