Collabora Online / Secure View

Introduction

Collabora Online allows you to work with all kinds of Collabora office documents directly in your browser. This application can connect to a Collabora Online (or other) server (WOPI-like client) where ownCloud is the WOPI host.

When Collabora Online is properly set up and integrated into ownCloud Server, secure view functionality is available. Secure view is a mode where users can place limitations on files and folders that are shared.

These limitations can include:

  • No copying

  • No downloading

  • No editing

  • Watermarking

  • Optional printing and exporting to PDF with watermarks included, which can be adjusted

Documents never leave the server when shared with secure view.

Collabora Online Server opens them and streams the files to the user’s browser with watermark applied (much like a video stream). Consequently, there’s no way to extract the original document from the browser.

Secure view is enforced on a received share if at least 1 share has secure view enabled.

If a file or folder has been shared multiple times to different groups with different permissions, secure view will be enforced if at least 1 received share has secure view enabled as a result of membership in the group. This restriction propagates to any reshares.

Prerequisites

  • ownCloud 10.3 or above

  • Enterprise Edition

  • ownCloud Collabora Online app version 2.2.0 or above

  • Collabora Online Server 4.0.10 or above, set up and integrated

This functionality does not work with public links.

Configure ownCloud for Collabora Online / Secure View

To configure ownCloud for use with Collabora, you need to set up a WOPI server and configure ownCloud to connect with this server. You can also configure the secure view option, the watermark pattern and the secure view default open action via the command line. To do so see the Collabora related occ command set.

How to Enable Secure View

To enable secure view, navigate to Settings  Admin  Additional (Admin)  Collabora Online. At the bottom of the Collabora Online section, check Enable Secure View.

Once enabled, default share permissions for all users can be enabled. Currently, these default share permissions are:

  • Secure View (with watermarks). When enabled, files are shared in secure view mode. In this mode, all the Secure View Limitations take effect. When this mode and "can edit" are disabled, the share is a regular "read-only" share.

  • Can print / export PDF.

    This option is only visible if Secure View (with watermarks) is enabled.

    When enabled, this mode allows documents to be printed or exported to PDF format — with a watermark — through Collabora Online.

Admins can specify that all shares are "secure view" by default and that the user has to intentionally change this setting.

Secure View Restrictions

When "Secure View (with watermarks)" is enabled, any attempts to download the file will be blocked as shown in the screenshot below. In addition, copy & paste is disabled.

Access denied to a document when it is protected by secure view

Limitations and Security Hardening

To make sure that the secure view feature is deployed securely and cannot be circumvented, it is important to disable the following extensions:

Additionally, you might want to disable public link sharing via Settings  Admin  Sharing  Allow users to share via link so that users cannot accidentally share files publicly without secure view protection.

Supported File Formats

Secure view only supports a limited number of file formats:

  • Microsoft Word (.docx)

  • Microsoft Excel (.xlsx)

  • Microsoft PowerPoint (.pptx)

  • OpenDocument Text Document (.odt)

  • OpenDocument Presentation Document (.odp)

  • OpenDocument Spreadsheet Document (.ods)

  • PDF

If a folder shared with Secure View contains unsupported file types (e.g., JPG), they will not be accessible.