How to block downloading and printing from Xoralia

How to block file downloads in SharePoint Online at a site level

“View Only” permissions in SharePoint online allows users to view document content while restricting the possibility of downloading documents from the site. If the permission level is not visible, this is because of the “SharePoint Server Enterprise Site Collection” feature is not active.

To activate “SharePoint Server Enterprise Site Collection features”

  1. Site settings > Site collection features
  2. Select “activate”

Permissions > Permission Level

After activating the Server Enterprise feature, the “View Only” permission should now be available.

  1. Site settings
  2. Site permissions
  3. Permissions Levels

Create a new permission group

  1. Site settings > People and groups
  2. Click on “More” from the left menu
  3. Click on “New”. Provide it with a name. For example, “View Only members”
  4. Select “View Only” as permission level

Assign members to the newly create group

  1. Site settings > Site permissions
  2. Select the newly create group “View Only members”
  3. New > Add users to this group

Notes: If the user is part of a different group with higher permission level. The higher group permission will take priority

Download option no longer available

  1. Site contents
  2. Select the document within the document library
  3. Click on the three dots (ellipsis)
  4. The download option should no longer be available for the users added to the custom group created

How to print a document

Firstly, its worth mentioning that only Microsoft Word documents within SharePoint can be printed by the document reader from Xoralia. PDF’s are not printable from the Xoralia interface.

Many might think having policies and such regulated documentation as Microsoft Word documents might not be secure. However, with the right SharePoint document library permissions, word documents are just as secure as PDFs.

By limiting the permissions available to the general user, they will no longer be able to download documents from Xoralia nor download the documents from SharePoint.

It is also worth mentioning that SharePoint’s version control is very powerful. Even after removing access to download or edit documents to the general user, even if a more senior user with the edit access were to amend the document or its metadata, this can always be tracked using SharePoint’s version history feature.

However, if you are not familiar with SharePoint permissions and do not want any risk of editing or downloads from the live library the main advantage of having critical documents as PDFs, are that it provides more control in that no-one, even the M365 administrator will be able to edit the document. Although there are tools online that allow for the conversion of PDF documents to Microsoft Word documents if the user were to download the PDF directly from SharePoint.

For a greater understanding and assistance on SharePoint permissions, Content Formula can provide consultancy during a Xoralia implementation on this topic with our enhanced implementation package.

AD groups and how we use them in Xoralia

It would be an unmanageable task to assign documents to your wider organisation by individual. To resolve that problem, Xoralia uses Active Directory (AD) and O365 Groups to help target a document for attestation.

When assigning a document, the document will allow the document owner to select as many Groups or individuals as they want within the Assign to audience field. This field is smarter than it looks, when using an AD group it is also dynamic and will adapt to changes made within the Active Directory automatically.

For example, if you assign a document to an AD group of people to read and they have 30 days to read the document, as and when new people are added to the group Xoralia will assign the document to them too. When using the relative read by date field, this also gives the new user the amount of time specified to read the document as to when they were added. It may be the case everyone needs to read the document by a fixed date, lets say 31/03/2023 – but we think that would be less likely than a relative date as to when the document was requested to be read by each user.

Subsequently, if a user is removed from the Active Directory group the opposite happens – the assignment for the user to attest to the document is cancelled. However, users and their read records will always remain. If an individual leaves the organisation, their read audit log is not lost and will still be available within the document read reports ‘log’ tab.

User reports for everyone will also always be available in the reports tab for Xoralia system admi users.

Reporting

If a document is assigned to an audience as a must read, then owners and admins can view reports for that document. The reports show who in the target audience has and hasn’t read the document. There is no reporting for documents that have not been assigned.

Reports can be accessed via any of the document owner views in Xoralia.

The ‘Read’ tab

In the ‘Read’ tab the document owner can override a user’s read state by selecting one or more users and clicking the ‘Mark as not read’ button. This will remove the user from the ‘Read’ tab and put them back into the ‘Not read’ tab. It will also trigger reminder notifications for that user as if the document had just been assigned to them. For auditing purposes, the action of overriding a user’s state, whether it is for ‘read’ or ‘not read’, is written to the backend database along with the name of the document owner who overrode the status.

The ‘Version read’ column shows the manual version number of the document that the document owner has assigned to the document, not the SharePoint version history number which is automatically assigned by SharePoint as part of version control.

The ‘Not read’ tab



In the ‘Not read’ tab the document owner can override a user’s read state by selecting one or more users and clicking the ‘Mark as read’ button. This will remove the user from the ‘Not read’ tab and put them into the ‘Read’ tab. It will also cancel the assignment for that document and trigger a notification for that user telling them that they no longer need to read the document. For auditing purposes, the action of overriding a user’s state, whether it is for ‘read’ or ‘not read’, is written to the backend database along with the name of the document owner who overrode the status.

The document owner can also send a personal email message to one or more users in the ‘Not read’ tab. Other users (e.g. the user’s line manager) can also be added to the message in the CC field.

Download user guide:

Attesting to a document

A user will need to attest to reading a document when a document is assigned to them to read by a document owner.

Once the document has been assigned, the document reader will receive an email and Teams message (if notifications are switched on and Teams is in use) notifying them of their task.

The link in the email will take the user straight to the specific document within Xoralia, where they can consume the content of the document.

Once the user has finished reading the document, attestation is simple. Simply click the ‘I can confirm that I have read and understood this document’.

Then, the user is prompted to click again to acknowledge confirmation that their attestation is non-reversible.

All attestations are tracked within the read report against the document for the document owners auditing.

Download user guide:

Notifications

Notification channels

Xoralia sends notifications via email and/or Microsoft Teams (if the Xoralia app has been embedded into your organisation’s Teams app. Emails are sent and received from notifications@xoralia.com via the Xoralia SMTP service, and Teams notifications come via the Activity panel. Regarding email notifications, you can customise the email address that users will see in the from field for Xoralia notifications from within the Xoralia settings > Notification settings.

  • IMPORTANT: Ensure that notifications@xoralia.com is white-listed on your email service to prevent messages from being marked as spam.
  • IMPORTANT: The from email requires an email address with a password associated to it for authentication purposes. Shared mailbox set ups without it’s own authentication cannot be used.

Notifications and frequency

For attestation tasks:

On assignment: When a document is assigned to a user, they will receive an immediate notification. This notification includes a default message, the document name, a link, and a due date.
Automated reminder notifications: are sent at the following intervals before the read by date: 30, 15, 7, 3, 2, 1, and 0 days. Notifications are then sent every 7 days following the read by deadline. Notification reminders will cease as soon as the pending attestation task has been completed by the reader.

For documents with an expiry date (notifications received by Document Owners):

Expiring document reminders: Alerts sent when a document is nearing its expiration date, 90, 30, 15, 7, 3, 2, 1, and 0 days ahead of expiry date. Notifications are then sent every 7 days following the expiry date of the document(s)
Expiry date set notices: Notifications informing users when an expiry date has been set for a document.

Throughout the document update process

Review/Approval notifications: Alerts related to review and approval processes are immediate and automated reminders are also sent.
Weekly Line Manager reports: Summarizing document-related updates for the Manager’s direct reports and their direct reports, sent every Wednesday.
Cancellation notification: If a user is removed from a group with current assignments, they receive a cancellation notification for attestation tasks. Their name is removed from the ‘Not read’ tab in reporting, but prior read records remain intact within the Log tab of the Read Report.
Deleted documents: If an assigned document is deleted or removed from the document library, all related read tasks are cancelled, and a notification is sent to assignees. Deleted document records are not retained in Xoralia. If you do want to delete documents, it is recommended that first you download the Read Report and all information required for an audit.

Further information

  • If a user reads the assigned document, they will stop receiving reminders immediately.
  • For multiple document assignments due at the same time, a single notification consolidates all document read tasks.
  • The system de-duplicates assignments for users belonging to multiple groups to prevent duplicate notifications.

Customisation options

Currently, notifications are pre-configured, but Xoralia allows some level of customization:

  • Delivery channels: Notifications can be sent via Teams and/or email. It is recommended both are kept on, naturally there is a higher character limit and space for appropriate task description within emails compared with a Teams notification that is limited to 60 characters.
  • Frequency control: Specify whether notifications are sent or muted on weekends.
  • Granularity: Control which user roles receive specific notifications (Assignees (mandatory read tasks), Document Owners and contributors (inclusive of reviewers and approvers), Line Managers

At the moment, Xoralia is not able to accommodate for custom email wording per client. The email text is generic, while being specific to the task and cannot be amended.

Download user guide:

Bulk assignments

There may be times when you want to assign multiple documents at once with the same assignment settings (i.e. due dates, target audience etc.). This could be especially true when you are first setting up Xoralia.

To bulk assign several docs at once go to the ‘All my documents’ view in Xoralia and select the documents you want to assign. Then click the ‘Assign documents’ button in the top right. This will launch a pop-up. The fields in the pop-up are the same as those in a single document assignment.

To bulk assign, select the relevant docs and click the ‘Assign to employees’ button.

The bulk assignment pop-up is very similar to single assignments.

Note that you can’t bulk assign documents that already have assignments set up (in fact, Xoralia won’t even allow you to select docs that already have assignments). If you wanted to do that you would need to clear the existing assignments first.

Download user guide:

Assigning documents to users to read

Document owners and admins can assign read tasks to users and groups. When a task is set, all the users who have been assigned the task will receive an email informing them that they have to read the document.

A Document Owner has the abilty to assign a document to a user or group/s to read in Xoralia. The metadata field that drives these permissions can be found in SharePoint.

How to assign yourself or others as Document Owners

1. Navigate to your SharePoint site and document library associated with Xoralia.
You should see 3 columns which drive the access and data displayed in Xoralia, Document Contact, Document Owner and Document Version. Edit these columns using grid view.
2. The Document Owner column is a ‘People Picker’ field.
Select as many Document Owners as you need within your Active Directory to manage the document within Xoralia. Giving people the Document Owner permission means they will be able to set expiry dates, assign documents, set read by dates and access document read history in Xoralia.
3. Exit grid view once done…
then wait a few minutes for Xoralia to sync and pull through the new permission level.

How to assign a document to a person or group

Once the user has the correct permissions from SharePoint as described above, an admin menu ‘Documents you manage’ will appear in the navigation within Xoralia. To assign a document click ‘All my documents’ in the left hand navigation and find the document you want to assign from the list that is presented. Clicking the document will launch a pop-up. Within this pop-up you can set the target audience, the read by date and whether it is a recurring or one-off assignment. Note that the document must also have an expiry date.

1. Expiry date
In order to be assigned, a document must first have an expiry date set. If there is already an expiry date you can skip this step.
2. The audience
In the ‘Assign to’ field you can build the audience that will be assigned the document. Simply enter the names of the people you want to assign it to. As you type the system will auto suggest names in a drop-down for the you to select from. The system will also suggest Active Directory Groups and Office 365 Groups. To find all the groups available in your organisation type the word ‘group’ in the field. A document can be assigned to a mixture of groups and individuals.
3. The read by date
The read by date, which can be a fixed (i.e. specific) date or a relative date. Choosing relative date is best if you are assigning a document to a group. This is because if you choose a fixed date then new group members could join after this fixed date and therefore receive an assignment where the due date has already past. By choosing relative date you are setting:
  1. The number of days after the assignment date that existing group members have to read the document
  2. The number of days after the join date that any new group members must read the document.
Example:
On 1st January, John assigns his document to the AD Group ‘Finance team’ and sets the read by date as ‘relative’ and 31 days. All members of the group receive an email notification on 1st January telling them they have to read the document by 31st January. On 1st March, Susan joins the Finance team and is added to the ‘Finance team’ AD Group by the IT admin. Although no change has been made in Xoralia, it automatically sends Susan an email notification telling her that she needs to read the document by 31st March. This is because Xoralia monitors groups to see if there are new joiner or leavers.
4. Recurring assignments
If your assignment is a recurring one, check the ‘Make this recurring’ checkbox and specify the number of days after which you want it to repeat. For example, if I am assigning the IT Security Policy and I want readers to re-read it once a year I set the number of days as 365.

Notes and details about using groups

Note that if a user joins a group that has a document assigned to it, then that new group member will be assigned the document from that point. The document owner does not have to worry about assigning the document to new joiners provided that groups are being properly managed inside your organisation (this is typically done by IT or HR). On joining a group the new member will receive an email notification telling them about the assignment, due date etc. Bear in mind that if you are using groups for assignments then be sure to select ‘Relative date’ when setting the due date for the assignment. The due date will be relative to the date when the user joined the group.

Similarly, if a group member leaves or is removed from the group then any assignments set for the group will be cancelled for that individual. The user will receive an email notification telling them that their assignments have been cancelled.

The above notes are both true for AD Groups and Office 365 Groups.