Have you created a document or file recently that you want to share, but with limited access to others? Sharepoint “View-Only” permissions have caused some confusion when it comes to file sharing. Let’s review what exactly is going on and how to achieve your goal.
The Download Dilemma
GOAL: In a SharePoint document library, you want a handful of users to have permission to view and open files without the ability to download them.
PRESUPPOSED SOLUTION: You configure a SharePoint group and add the selected users you want to block from downloading. You grant this SharePoint group the “View-Only” permission.
The problem with this “solution” is that it will not accomplish your end goal and cause additional issues in return.
View-Only Loopholes
If we read the documentation from Microsoft on SharePoint permission levels, we find this description for View-Only:
View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded. File types that do not have a server-side file handler (cannot be opened in the browser), such as video files, .pdf files, and .png files, can still be downloaded.
Meaning, users will be able to browse libraries and see the files, but they will not be able to open them using Word or Excel on their computer. Users will be able to open files if you have Office Online Server / Office Web Apps (the server-side handler mentioned), but this only applies to Office files. Other files, such as PDFs and certain images, will still prompt to open locally.
Additionally, “download here” does not mean any download will be blocked; it just means downloads will be made to the local Office application. The “download document” button will not be grayed out in the ribbon.
Other side effects to using View-Only include:
- Users will not be able to find these documents in search results.
- If users try to open a document via a “durable link” (where someone copied a link with the doc redirect path) it will not work.
- If users try to open a document via a real direct link (e.g. https://site/library/file.docx), they will get “Access Denied”.
Configure IRM to Protect Content and Prevent Downloads
If your goal is to prevent users from downloading files, but still let them open files, you need to configure Information Rights Management for SharePoint (IRM). As stated by Microsoft, IRM is used to “help control and protect files that are downloaded from lists or libraries.”
- SharePoint On-premises: IRM is a Windows Server feature in Active Directory. Configure in SharePoint to begin using it.
- Office 365: IRM simply needs to be turned on to begin using it.
Read more on each process here for SharePoint On-Premises and here for Office 365.
From the documentation:
IRM helps to protect restricted content in the following ways:
- Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
- Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
- Helps to prevent an unauthorized viewer from viewing the content if it is sent in email after it is downloaded from the server
- Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
- Helps to enforce corporate policies that govern the use and dissemination of content within your organization
If you need any help setting up IRM, have any questions on document management or other enterprise content management please contact us!
