FileOpen Sharebot for Slack

Protect documents shared in Slack and Slack Connect

Add an additional layer of security to documents shared in Slack. FileOpen Sharebot encrypts your PDF at the moment of sharing in a conversation or channel. Your intended recipient won't notice the difference and can access the document as normal - but if it's accidentally downloaded or shared with someone else, access will be blocked.

You can limit document sharing and usage to specific Slack workspaces, channels, conversations, or users. Sharebot also works in secure Slack Connect channels, so you can protect confidential documents shared with partners, customers, law firms and other stakeholders outside of your workspace.

FileOpen Sharebot is an approved Slack app that leverages Slack's enterprise security infrastructure to control access according to the user’s Slack UserID and/or membership in a channel, conversation, or workspace.

Access Control

Protect PDF files uploaded to Slack by limiting access to specific end-users or members of a channel, conversation, or workspace. Prevent downloading/extracting. Do this for selected files or automatically for all files. Change or revoke permission after distribution.

Track Usage

Sharebot notifies the file owner each time the file is accessed and maintains a complete record of all actions related to that file.

Watermark

Each time a document is opened, the user’s name and other information is imposed onto each page. Different users opening the same document get personalized watermarks.

Upgraded Viewer

The FileOpen Sharebot viewer extends the functionality of the native Slack PDF viewer, adding tools to annotate, link, measure, edit and print (if permitted).

Readme.txt for Sharebot Version 1.0.1

This is the first public version of FileOpen Sharebot.

Here are some of the known issues with this release. Feel free to share your own observations with us via email to support@fileopen.com

Max file size:

The current implementation limits the size of PDFs to 28Mb. This is not a system limitation just a decision we made. Later versions may move this limit up or down depending on the reactions we get from testing.

Error handling:

The current implementation does not handle errors generated by the encryption process. So if you attempt to process a PDF that can’t be encrypted (because it is malformed, or already encrypted e.g. with Password Security) the job will fail and you will get an error but it will not explain the reason for the failure. If this happens check your PDF to make sure it doesn't already have Password encryption and, if possible, open in Acrobat or another PDF editor and perform SaveAs to a file with the same name (this optimizes the PDF).

Permission Changes:

Once a PDF has been encrypted and “bound” to some entity (Workgroup, Conversation, Channel, User) this binding can’t be changed. The FileOpen PermissionServer powering Sharebot does allow this kind of post-facto modification but we would need to connect Sharebot to the appropriate services which hasn’t happened yet. If you want to change binding you’ll have to upload another copy and process it again.

Permissions and Watermarks:

The underlying FileOpen PermissionServer has the ability to assign virtually any combination of permissions (open/print/text-copy/annotate/edit/etc.) and watermarks. We intend to expose tools to allow you to choose among these when you process a file, but for the MVP all files are read-only and have the same watermarks (that is, each copy has a unique watermark for the user opening the file but the format is the same for everyone).

Home Tab list:

The list in the Home Tab allows you to see usage data for all the files you have shared with Sharebot, and to revoke access (More Info>Manage). You can't remove items from the list or change binding. Additional functionality around file management and tracking is being added.

Sign-out-of-Slack:

The Workspace you sign-in to must be the one in which you clicked the link to the document. However, the sign-in-to-Slack page has a drop-down menu in the upper-right corner from which to select a Workspace, so it is possible to select a Workspace other than the one in which the PDF was created. If this happens you will probably not be allowed to open that PDF. In this case you can sign-out of the Slack Workspace by clicking your Slack User icon in the upper right corner of the browser and selecting “Sign Out”.

Enterprise Grid and Slack Connect:

Sharebot is built around the Workspace model, i.e. uses identifiers with single-workspace scope. Slack’s Enterprise Grid implementation allows for a single entity to contain many Workspaces so introduces global identifiers that are mapped to the identifiers within individual Workspaces. Support for these identifiers is in development. Likewise the Slack Connect implementation allows a single entity like a Channel to have one name in one Workgroup and another in a different Workgroup. The Sharebot architecture is designed to support all of this, but we haven’t tested all of the use cases so do not yet claim that the product supports all Enterprise Grids or Slack Connect instances.

What is FileOpen Sharebot?

FileOpen Sharebot enables the controlled distribution of PDF files within the Slack environment. The app allows an author or administrator to create a PDF that can only be opened by members of a specific Workspace, Conversation, Channel, or end-user. All users and documents are identified by their Slack IDs. The system also provides the ability to track usage of documents and to revoke/change permissions. PDFs processed by the system are displayed in a full-featured, in-browser PDF viewer that requires no additional installation or customization and works on all platforms. The app enables more secure and informed distribution of documents within Slack.

What is FileOpen Systems?

FileOpen Systems has been developing DRM software for PDF files since 1997, when it was the first security partner to Adobe Systems. The company has hundreds of licensees in virtually all segments of industry, government and education. Most FileOpen implementations are standalone systems; Sharebot is the company's first integration with a communications ecosystem like Slack. See https://www.fileopen.com/

Doesn't Slack already have a PDF viewer?

Slack does include a PDF viewer and offers options to view PDFs in a browser or to download to a local machine. However, none of these offer control over who can open or share the PDF or any details about usage.

Why only PDF?

The PDF format includes a native security layer that enables robust and transparent control over document viewing and usage. The format is secure and widely adopted, and almost any file format can be converted to PDF. The kinds of document-creation and collaboration workflows that use formats other than PDF, e.g. MSOffice or Google Docs, usually include their own identity and access-control mechanisms. Those tools also operate outside of Slack, while Sharebot is designed to operate within Slack on documents that have been imported into Slack.

What is the Sharebot app, what permissions does it need?

The Sharebot app has two parts, one for controlling documents and one for viewing those documents. You can view documents without installing the authoring app, and could use the authoring app without the viewer. They are both the same app but require different information from Slack, aka
"Scopes". At a high level, the Viewer app needs to get basic information about your Slack UserID/name and the list of Groups you have access to, so that it can determine whether you should be allowed to view a document. The Sharebot part of the app, the "authoring" app, needs to also be able to add/delete files and to send various types of messages.

What can I do with Sharebot?

The Sharebot app is an extension of FileOpen's DRM solution, which allows a publisher to control which users get to open documents, where and when, and what those users can do with the documents (print/copy/edit/annotate/screenshot/etc.) The Sharebot system uses Slack to manage and deliver files and to identify users and the conversations to which they have access. The most basic function of the system is to place a virtual fence around a Slack workgroup, i.e. to ensure that only users who are members of a Slack workgroup can access files stored in that workgroup. In addition to that the system can restrict access to members of a specific Channel or to specific Slack Users. All documents controlled by the system are tracked and every action logged. Even where access restriction is not important it may be useful to know how many times a document was opened, where and when.

What will I be able to do with Sharebot in the future?

Sharebot is new and the current app only includes core functionality. A variety of features that exist in the FileOpen DRM solution will be exposed by Sharebot in later versions. These include detailed analytics and charting of usage, ability to share annotations and other collaborative elements from within documents, control over collections of documents with different permissions for different users/groups, support for controlled printing, expiration and concurrent-usage control, ability to download documents for use on the desktop including offline usage, and more.

How does Sharebot work?

The Sharebot app detects upload/sharing of PDFs in any Slack channel to which it has been added. If invoked, the app extracts and encrypts the PDF and creates a database record in the Sharebot server for that document containing metadata (especially the rules for opening the PDF, e.g. what Workspace/Channel/User should be permitted). The app then puts the encrypted PDF back into Slack and creates a Slack "remote" file linking to that encrypted PDF. Neither the original nor the encrypted copy is ever stored outside of Slack. When a user clicks the Sharebot link to the PDF a browser window is loaded which asks the user to Sign-in-to-Slack. When this is done the app compares the identity of the signed-in user with the record stored in the database and if the action is permitted loads a PDF viewer into that browser which retrieves the encrypted PDF from Slack, gets the decryption key from the Sharebot server, then decrypts and displays the PDF for the user with the associated permissions and watermarks.

Can Sharebot documents be revoked?

Yes, the PDF can only be opened if/when the Sharebot server releases the decryption key. So if the Sharebot server is instructed to deny all requests for that document it can no longer be opened, even if it has been removed from the browser or otherwise intercepted. Each author using the Sharebot app can get a list of his/her documents with a button revoke (or restore) any document.

Can permissions be changed after documents have been delivered?

Because each document-open event involves a new interaction with the Sharebot server the rules governing that interaction can be changed at any time. That is, a document could open for one group of users today and a different group tomorrow, or with one set of permissions today and a different set tomorrow, or with one set of permissions for one group and a different set for another group, etc. Note however, that not all FileOpen DRM functionality is currently enabled in Sharebot so some of these dynamic permission features will become available in future Sharebot releases.

Control access to important documents, without leaving Slack.

End-to-end document security for every team in Slack.

Keep documents safe in Slack

Track document usage

Set policies and permissions

Easy end-user experience