Caching and performance

Caching and performance

Xoralia has been built to be efficient and under most circumstances will load libraries and reports fast. It has been tested in scenarios with libraries containing over a thousand documents.

In order to achieve fast speeds and performance at all times we have had to put in place some caching functions. This is because querying SharePoint at page load time can be slow, especially with large libraries containing many documents. Whilst standard users are not likely to be affected by this, document owners might notice irregularities caused by caching.

It’s useful to know how caching works so that you do not get any unexpected results when using Xoralia: the system queries SharePoint document libraries at 10 minute intervals and caches the results. When a user loads a library Xoralia is returning the contents of the cache. This means the list of documents is at most 10 minutes old. Any documents uploaded into a document library within this 10 minute window might not show up until the cache is refreshed by the system. Document owners who upload a document into SharePoint and then want to start working on them immediately in Xoralia should wait up to 10 minutes before the documents will appear and actions such as assigning documents can be carried out.

Please note, caching does not affect ‘Documents I must read’. This list is always up to date and loads instantly.

Download user guide: Caching and performance

Application security, load testing and threat protection

Application security, load testing and threat protection


This article will cover all application security, data encryption and threat protection elements of Xoralia. Any further information required can be requested from [email protected].

Application Security

The Xoralia application infrastructure has been built with security at the forefront. All Azure services that are utilised are protected by both Azure Application Gateway Web Application Firewalls and Azure Virtual Networks. This ensures that only valid, secure traffic is passed on to Xoralia web apps and APIs.

Within the application itself, we have utilised the following technologies / techniques:

  • Azure SQL Auditing
  • Microsoft Defender for Cloud
  • Azure Transparent Data Encryption
  • Azure Key Vault

All staff working across the Xoralia platform are running Windows 10 or later compliant devices and using company-managed antivirus, malware and firewall systems. Content Formula staff are background checked prior to joining the team.

Data encrypted at rest and in transit

All data stored on Xoralia servers is encrypted at rest using Azure Transparent Data Encryption. All data in transit is sent over HTTPS connections only. HTTPS is enforced on all web apps and APIs.

Under load testing and scalability

Xoralia has been tested under high loads (>5000 active users) and has passed all tests as expected.

The Xoralia application architecture allows us to proactively monitor and instantaneously scale the application on demand should it be needed. In the event of high load on 1 service, the application monitoring will automatically scale that service until normal operations are realised.

Backup, retention and location of Xoralia data

Backup, retention and location of Xoralia data


In this article, we will describe how Xoralia handles backups, what data is backed up and retained on Xoralia systems and where that data is stored. Any further information required can be requested from [email protected].

What data is stored on Xoralia

Xoralia uses the following information:

  • Active Directory usernames (UPN)
  • Active Directory first and last names of users
  • Active Directory group names (of groups that are used in Xoralia only)
  • Document filenames and IDs
  • Document meta data that has been set inside of Xoralia (tags, review dates, assignments)
  • SharePoint site names, URLs and IDs
  • SharePoint document library names, URLs and IDs
  • Document reporting information (who has read, who has been assigned, when a document was read, which version was read)
  • System auditing information (system logins, who assigned a document, who updated metadata)

At no point does Xoralia consume or store the contents of any documents stored on SharePoint or any other platform. Xoralia only stores the names of people who are assigned documents or those who have some sort of privileged access such as document owners, Xoralia admins etc.

Back up policies

Xoralia backs up all data listed above every 24 hours in differential backups with point in time backups occurring every 7 days. All backups are stored for 7 days. Recovery of information usually takes less than 3 hours if required. Xoralia does not copy or back up your actual documents at any point since these are stored in your SharePoint instance. If any recovery needs to be made within SharePoint, Microsoft’s standard SharePoint back up policy backs up data every 12 hours and typical recovery times are less than 12 hours. If in doubt please check with Microsoft.

Retention of data

Once a customer has ended their association with Xoralia, all data relating to that installation will be removed from Xoralia systems within 90 days.

Location of data

During installation of Xoralia, you can choose which location your data will be stored in at rest. Currently Xoralia supports two Azure regions: UK South and Central US. Customers can select their favoured data residency location during installation.

How to configure SharePoint permissions with Xoralia

How to configure SharePoint permissions with Xoralia


When associating a SharePoint library with Xoralia, Xoralia will respect any permissions that have been set in SharePoint: if a user does not have access to a document, Xoralia will never show that document to the user. Similarly, if you would like to make a document assignment to a user in Xoralia, they must already have access to the SharePoint site before they will be able to view the document. Be sure to check out our article about the Xoralia permissions model in conjunction with this article.

Which SharePoint permissions are required?

For a user to be able to see a document in Xoralia, they must have at least Read access to the SharePoint document library.

Assigning permissions is quite straightforward in SharePoint, however they can get more complex the more rules that you enforce across your different libraries. SharePoint typically works on an inheritance model – if you have access to the top level site, you have access to everything therein. However, you can break this inheritance for certain libraries or files. We would normally recommend that you do not break inheritance and that you apply permissions at a site level as management of this can become somewhat cumbersome, although we do recognise that on occasion you may want to break this inheritance and give one library different permissions to another – Xoralia will respect any individual permissions you set up like this.

To assign permissions to an entire SharePoint site, simply navigate to the site homepage, click the SharePoint cog in the top right corner and then click on Site Permissions. Then clicking on Advanced Site Permissions will display a page that will typically show 3 groups (more may appear here depending upon the changes you’ve already made to site permissions previously): Owners, Members and Visitors

Visitors: anyone you would like to be able to consume your documents in Xoralia should be a Visitor – Visitors have Read access over your SharePoint site and therefore your SharePoint document libraries associated with Xoralia.

Members: usually people who have edit permissions across your site and libraries – anyone you add here will be able to add, edit and delete documents from your SharePoint site and libraries. Anyone in this group will have Read permission as well.

Owners: the users listed here have all of the permissions above but can also manage permissions and perform more site-wide operations. Should be limited to very few users typically.

To add a user, simply click the group you wish to add a user (or Active Directory group) to, and select New. Type your user(s) name in the box that pops up and choose under Show Options if you wish to notify them that you have granted permission. Once you have added the user here, within a few minutes they will have access to your Xoralia libraries that have been associated with this site.

How can I manage multiple users with SharePoint permissions?

SharePoint permissions supports Microsoft Groups and Active Directory security groups by default. We’d recommend that you create groups when assigning permissions in SharePoint. These groups can also be used when making assignments to documents in Xoralia.

The Xoralia permissions model

The Xoralia permissions model

In order to carry out certain tasks in Xoralia a user needs to have the correct permissions. Some of these permissions are set inside Xoralia and others are set inside SharePoint. Please refer to our article ‘How to configure SharePoint permissions with Xoralia‘.

The Xoralia permissions model:

Roles and permissions

Office 365 tenant admin

Where is the permission set?

Required to carry out the one-time installation of Xoralia inside your Office 365 tenant. Office 365 tenant admin centre

Xoralia admin

Associates Xoralia with relevant document libraries inside SharePoint Xoralia admin panel
Manages various Xoralia settings such as branding Xoralia admin panel
Grants reporting-only access (see ‘Reporting’ below) Xoralia admin panel

Document library owner

Has full access to all documents inside a library (see ‘Document owner’ below) SharePoint permissions

Document owner

Has access to edit documents inside a library SharePoint permissions
Has ability to set document expiry dates Document owner column in the document library
Has ability to assign documents as mandatory reads Document owner column in the document library
Has ability to add other document owners Document owner column in the document library
Has access to reporting access Document owner column in the document library


Required to access reporting only for a specified document library Xoralia admin panel

Document reader

Can read a document SharePoint permissions
Can attest a mandatory document has been read When doc owner assigns a document as mandatory read

Download user guide: The Xoralia permissions model



If a document is assigned to an audience as a must read, then owners and admins can view reports for that document. The reports show who in the target audience has and hasn’t read the document. There is no reporting for documents that have not been assigned.

Reports can be accessed via any of the document owner views in Xoralia.

The ‘Read’ tab

In the ‘Read’ tab the document owner can override a user’s read state by selecting one or more users and clicking the ‘Mark as not read’ button. This will remove the user from the ‘Read’ tab and put them back into the ‘Not read’ tab. It will also trigger reminder notifications for that user as if the document had just been assigned to them. For auditing purposes, the action of overriding a user’s state, whether it is for ‘read’ or ‘not read’, is written to the backend database along with the name of the document owner who overrode the status.

The ‘Version read’ column shows the manual version number of the document that the document owner has assigned to the document, not the SharePoint version history number which is automatically assigned by SharePoint as part of version control.

The ‘Not read’ tab

In the ‘Not read’ tab the document owner can override a user’s read state by selecting one or more users and clicking the ‘Mark as read’ button. This will remove the user from the ‘Not read’ tab and put them into the ‘Read’ tab. It will also cancel the assignment for that document and trigger a notification for that user telling them that they no longer need to read the document. For auditing purposes, the action of overriding a user’s state, whether it is for ‘read’ or ‘not read’, is written to the backend database along with the name of the document owner who overrode the status.

The document owner can also send a personal email message to one or more users in the ‘Not read’ tab. Other users (e.g. the user’s line manager) can also be added to the message in the CC field.

Download user guide: Reporting

Attesting to a document

Attesting to a document

A user will need to attest to reading a document when a document is assigned to them to read by a document owner.

Once the document has been assigned, the document reader will receive an email and Teams message (if notifications are switched on and Teams is in use) notifying them of their task.

The link in the email will take the user straight to the specific document within Xoralia, where they can consume the content of the document.

Once the user has finished reading the document, attestation is simple. Simply click the ‘I can confirm that I have read and understood this document’.

Then, the user is prompted to click again to acknowledge confirmation that their attestation is non-reversible.

All attestations are tracked within the read report against the document for the document owners auditing.

Download user guide: Attesting to a document



Notification channels:

  • Currently Xoralia sends notifications only via email. Emails are sent by [email protected] via the Xoralia SMTP service.
  • IMPORTANT: You should ensure that [email protected] is white listed on your email service so that it doesn’t end up in your users’ spam folders.
  • Notifications via Teams and Windows 10 Notifications are coming soon.

Notification frequency

  • When a document is assigned to a user they will receive a notification. The notification contains a default message, the name of the document, a link and a due date. Reminder notifications are sent 30, 15, 7 and 3, 2, 1 and 0 days before the due date. A final notification is sent the day after the due date. If an assignment is sent with a due date say, 14 days away, they will receive notifications 7, 3, 2, 1 and 0 days before the due date.
  • If a user reads a document they have been assigned, they will stop receiving reminders.
  • If a user has multiple document reads set at the same time, they will receive just one notification that lists all the documents they have to read.
  • If a user is removed from a group that has current assignments then they will receive a notification telling them that the assignment has been cancelled. Their name will be removed from the ‘Not read’ tab in reporting. However, if they have already read the document this record will remain intact in the read report.
  • If a user belongs to more than one group that is assigned a document they will only get the one notification. The system de-duplicates the assignment so as not to flood users with duplicate notifications.
  • When a document is first assigned Xoralia sends out a notification right away. Reminder notifications are sent once a day.
  • If an assigned document is deleted or removed from the document library, all read tasks for that document will be cancelled and assignees will receive a notification.

Download user guide: Notifications

Bulk assignments

Bulk assignments

There may be times when you want to assign multiple documents at once with the same assignment settings (i.e. due dates, target audience etc.). This could be especially true when you are first setting up Xoralia.

To bulk assign several docs at once go to the ‘All my documents’ view in Xoralia and select the documents you want to assign. Then click the ‘Assign documents’ button in the top right. This will launch a pop-up. The fields in the pop-up are the same as those in a single document assignment.

To bulk assign, select the relevant docs and click the ‘Assign to employees’ button

The bulk assignment pop-up is very similar to single assignments

Note that you can’t bulk assign documents that already have assignments set up (in fact, Xoralia won’t even allow you to select docs that already have assignments). If you wanted to do that you would need to clear the existing assignments first.

Download user guide: Bulk assignments

Assigning documents to users to read

Assigning documents to users to read

Document owners and admins can assign read tasks to users and groups. When a task is set, all the users who have been assigned the task will receive an email informing them that they have to read the document.

A Document Owner has the abilty to assign a document to a user or group/s to read in Xoralia. The metadata field that drives these permissions can be found in SharePoint.

How to assign yourself or others as Document Owners

1. Navigate to your SharePoint site and document library associated with Xoralia. You should see 3 columns which drive the access and data displayed in Xoralia, Document Contact, Document Owner and Document Version. Edit these columns using grid view.

2. The Document Owner column is a 'People Picker' field. Select as many Document Owners as you need within your Active Directory to manage the document within Xoralia. Giving people the Document Owner permission means they will be able to set expiry dates, assign documents, set read by dates and access document read history in Xoralia.

3. Exit grid view once done, then wait a few minutes for Xoralia to sync and pull through the new permission level.

How to assign a document to a person or group

Once the user has the correct permissions from SharePoint as described above, an admin menu 'Documents you manage' will appear in the navigation within Xoralia. To assign a document click 'All my documents' in the left hand navigation and find the document you want to assign from the list that is presented. Clicking the document will launch a pop-up. Within this pop-up you can set the target audience, the read by date and whether it is a recurring or one-off assignment. Note that the document must also have an expiry date.

1. Expiry date

In order to be assigned, a document must first have an expiry date set. If there is already an expiry date you can skip this step.

2. The audience

In the ‘Assign to’ field you can build the audience that will be assigned the document. Simply enter the names of the people you want to assign it to. As you type the system will auto suggest names in a drop-down for the you to select from. The system will also suggest Active Directory Groups and Office 365 Groups. To find all the groups available in your organisation type the word ‘group’ in the field. A document can be assigned to a mixture of groups and individuals.

2. The read by date

The read by date, which can be a fixed (i.e. specific) date or a relative date. Choosing relative date is best if you are assigning a document to a group. This is because if you choose a fixed date then new group members could join after this fixed date and therefore receive an assignment where the due date has already past. By choosing relative date you are setting:

  1. The number of days after the assignment date that existing group members have to read the document
  2. The number of days after the join date that any new group members must read the document.


On 1st January, John assigns his document to the AD Group ‘Finance team’ and sets the read by date as ‘relative’ and 31 days. All members of the group receive an email notification on 1st January telling them they have to read the document by 31st January. On 1st March, Susan joins the Finance team and is added to the ‘Finance team’ AD Group by the IT admin. Although no change has been made in Xoralia, it automatically sends Susan an email notification telling her that she needs to read the document by 31st March. This is because Xoralia monitors groups to see if there are new joiner or leavers.

3. Recurring assignments

If your assignment is a recurring one, check the ‘Make this recurring’ checkbox and specify the number of days after which you want it to repeat. For example, if I am assigning the IT Security Policy and I want readers to re-read it once a year I set the number of days as 365.

Notes and details about using groups

Note that if a user joins a group that has a document assigned to it, then that new group member will be assigned the document from that point. The document owner does not have to worry about assigning the document to new joiners provided that groups are being properly managed inside your organisation (this is typically done by IT or HR). On joining a group the new member will receive an email notification telling them about the assignment, due date etc. Bear in mind that if you are using groups for assignments then be sure to select ‘Relative date’ when setting the due date for the assignment. The due date will be relative to the date when the user joined the group.

Similarly, if a group member leaves or is removed from the group then any assignments set for the group will be cancelled for that individual. The user will receive an email notification telling them that their assignments have been cancelled.

The above notes are both true for AD Groups and Office 365 Groups.

PHP Code Snippets Powered By :

We use cookies to give you the best experience on our site. By continuing to use our website, you are agreeing to our use of cookies. To find more about the cookies, please see our Cookie notice

You can also read about our Privacy policy

Contact Support

If you have a question about Xoralia software, please fill out the form below and a member of our support team will be in contact with you shortly.