CollabSpaces Administration


Learn how to set up and configure your CollabSpaces so you can work smoothly and securely with your team, clients or other third-parties.

CollabSpaces are the ideal way to share and collaborate on documents stored in NetDocuments with people outside your firm, whether clients or other third parties.

Discover how to share your documents using and administering CollabSpaces. 
Note: CollabSpaces are compatible with ndOffice 2.6+, not earlier versions of ndOffice. You can also perform all actions with documents in CollabSpaces using NetDocuments for Web.
To have CollabSpaces enabled in your repository, reach out to

Admin Topics

How to Enable CollabSpaces 

You can also follow this Quick Setup Guide, which has less detail than the rest of this page.

CollabSpaces do not appear by default in any repository but must be enabled by NetDocuments.

CollabSpaces Repository Configuration

Exceptions to Advanced Authentication Options

Before enabling CollabSpaces in any cabinet, determine whether your repository uses an additional security measure, such as restricting access from certain IP ranges (in other words, adding IP to inclusion list), which is done from the Advanced Authentication Options page. However, this type of restriction would likely bar external users from accessing your repository and accessing content shared with them via CollabSpaces, because external users will not be accessing NetDocuments from inside the permitted IP range (or will not satisfy any similar restrictions). To allow external users to use CollabSpaces while still enforcing these restrictions on internal users, an exception to these restrictions can be applied solely to external users. To apply this external user exception, select the Exclude external users from requirements check box on the Advanced Authentication Options page:


External users will have access only to the limited amount content to which they have been explicitly added.

Support the Creation of External Groups and Users

One of the primary benefits of CollabSpaces is the option to delegate to everyday internal users the ability to create external groups and create and add external users to those groups, without administrative assistance.  (These are referred to as CollabSpace Groups.)

However, you can create CollabSpace Groups only if the repository is configured to allow the creation of external groups at the cabinet level. 

Therefore, it is strongly recommended for Repository Administrators to go to the Users & Groups Repository Administration page:

and check the Cabinet administrators can create external groups in the cabinet and add external members to those groups and the repository check box:


If this setting is disabled, a red warning appears on the Cabinet Administration page next to the CollabSpaces setting:


After this Repository-level setting is enabled, an internal user can create CollabSpaces Groups and create external users to add to those groups in that cabinet ONLY if the internal user has been given VESA rights to a specific CollabSpace. If you do not want any regular internal users to be able to create external users and groups, then do not give regular internal users VESA rights to those CollabSpaces.

Configure CollabSpaces for a Cabinet

Impact of Enabling CollabSpaces in a Cabinet

Enabling CollabSpaces in a cabinet means that external document sharing in that cabinet typically will happen inside CollabSpaces, with certain exceptions noted below. Therefore, to share a document, add it to a CollabSpace. This principle is embodied by the fact that external groups in a CollabSpace-enabled cabinet can have no more than No Default Access rights to the cabinet.  In addition, workspaces in a CollabSpace-enabled cabinet will not be visible to external users; external users will have access only to the CollabSpaces.  Also, in a CollabSpace-enabled cabinet, a security template that contains external access rights cannot be created.  (Security templates with internal-only access rights can be created and any existing security templates will not be affected.)

There are a few exceptions to this rule about external access rights to the content in the cabinet:

  • If CollabSpaces have been enabled in a cabinet, secured links can still be created for documents in that cabinet. Secured links are a one-way, read-only, and ad hoc method of sharing individual documents, and they typically have an expiration date.
  • If any content was shared externally at the time CollabSpaces were enabled in a cabinet, the external access rights to that content would not be changed. However, it will not be possible to modify the access rights of that content to add more external access.
  • Profile-Based Security (PBS) is not directly impacted and external access can still be granted to workspaces and workspace content via PBS, although the ability of external users to navigate to content in the cabinet will be impinged.
  • Existing ShareSpaces will continue to work as before and access to ShareSpaces can be given to ShareSpace Personal Contacts and any external groups that have access to the cabinet (other than CollabSpace groups).  In addition, there is an option to disable the creation of new ShareSpaces in a cabinet where CollabSpaces have been enabled.

In addition, unlike ShareSpaces, only true external users can be given access to CollabSpaces. There is no concept of a CollabSpace Personal Contact. Restricting access to true external users means that administrators have full control over the external users, including which groups these external users are members of.  These creation of external users are subject to any limitation on the number of external users a client has licensed.

If you have given external users access to a cabinet where CollabSpaces are intended to be enabled, consider the impact that enabling CollabSpaces will have on them before enabling CollabSpaces. Determine a strategy for migrating the currently shared content and external users and groups to CollabSpaces.

Impact of Enabling CollabSpaces on ShareSpaces

Enabling CollabSpaces in a cabinet, by itself, has no impact on existing ShareSpaces in that cabinet or in other cabinets.  ShareSpaces may remain enabled after CollabSpaces are introduced. However, one of the primary benefits of CollabSpaces is the control and transparency it provides over external document sharing.  If  ShareSpaces continue to be enabled, that will undermine the benefits of CollabSpaces.

If both ShareSpaces and CollabSpaces are enabled at the same time and a user selects documents in a CollabSpace-enabled cabinet and selects Share Externally, the assumption is that the user wants to share the documents to a CollabSpace, not to a ShareSpace, and the Share Externally dialog box will list only CollabSpaces in that cabinet as possible destinations for those documents. To add documents to an existing ShareSpace, select Move/Copy or drag documents.

With or without CollabSpaces enabled, if ShareSpaces are disabled at the repository level, then new ShareSpaces can no longer be created in that repository and additional users and groups cannot be given access to existing ShareSpaces. Further, if ShareSpaces are disabled at the repository level and CollabSpaces are enabled in a cabinet, then for any ShareSpaces in that cabinet, no additional documents can be added.  In other words, after ShareSpaces are disabled, existing ShareSpaces in a CollabSpace-enabled cabinet will be static. That means neither new content nor the content already added to the ShareSpaces can be shared with anyone else. That will make CollabSpaces the sole mechanism for sharing new content externally in the cabinet.

It is also possible, when CollabSpaces are enabled in a cabinet, to disable the ability to create new ShareSpaces in that cabinet, but not affect existing ShareSpaces, using this setting:


Enable CollabSpaces in a Cabinet

By default, CollabSpaces are disabled in every cabinet in a repository. CollabSpaces must be enabled per cabinet by a Cabinet Administrator. Also, CollabSpaces work only with workspaces; therefore, there is no reason to enable CollabSpaces in a cabinet that is not configured to use workspaces.

To enable CollabSpaces in a cabinet, go to Cabinet Administration, and under Allow CollabSpaces to be created in this cabinet, select the Only in workspaces option.


If this setting is absent, then contact NetDocuments to have CollabSpaces enabled in your repository.

After you enable CollabSpaces, a confirmation prompt appears:


The changes mentioned in that prompt will not take effect until you select Submit at the bottom of the Cabinet Administration page.

Because one of the main principles of CollabSpaces is that CollabSpaces become the sole mechanism for sharing content externally in a cabinet where they have been enabled, external groups are not permitted to have more than No Default Access to a cabinet where CollabSpaces are enabled. Therefore, if there are any external groups – created either at the repository level or in the cabinet – that are currently given more than No Default Access to the cabinet, you must first reduce the access of those groups to No Default Access.  (It is already a NetDocuments best practice for external groups to be limited to No Default Access rights to a cabinet.)  If, after enabling CollabSpaces and submitting the page, you see an error message like this:


It is likely because one or more external groups have been given greater than No Default Access rights to the cabinet. To fix this, identify those groups and reduce their rights to the cabinet to No Default Access. If you do not see any external groups with greater than No Default Access, it is likely those group are configured to be hidden, so make sure to check the box to display hidden groups:


Configure CollabSpaces

Delegate the Creation of CollabSpaces

At the time CollabSpaces are enabled in a cabinet, the Cabinet Administrator alone will have the right to create CollabSpaces in that cabinet. However, it is possible for the Cabinet Administrator to delegate the ability to create CollabSpace to other internal users in the cabinet, like an Extranet Team. (External users are never permitted to create CollabSpaces.) 

To delegate this right to others, select an internal group of users in the Select the internal group… drop-down box, which is just below the setting to enable CollabSpaces, by starting to type the name of the group:


Any internal group can be selected, from the default Internal Users group that includes all internal users to a small group of administrative users dedicated to managing CollabSpaces. The internal users in the selected group will also be able to create CollabSpaces in that cabinet, subject to the following restrictions:

  • Each user in that group must have access to the cabinet. Adding the group in this setting alone does not add that group to the cabinet. Therefore, either add this group to the cabinet in addition to selecting it here (giving that group No Default Access rights is sufficient) or ensure that all of the users in that group have access to the cabinet via other groups.
  • In order to create a CollabSpace in any particular workspace, a user must also have VES rights to that workspace.

Therefore, for an internal user who is not a Cabinet Administrator to create CollabSpaces in a workspace, the user must both (a) have VES rights to that workspace and (b) be a member of the internal group selected in the setting above.

Route Requests to Create CollabSpaces

The other CollabSpace-specific setting that can be configured at the cabinet level involves handling requests that come from internal users to create a CollabSpace. It is possible, if not likely, that many internal users in a cabinet will not have the right to create CollabSpaces. In those circumstances, and in those workspaces, where an internal user cannot create a CollabSpace, that internal user can request that a CollabSpace be created. That request will be routed by default to all of the Cabinet Administrators for that cabinet. To route those requests to a different set of users, like a firm’s Support Desk or a designated Extranet Team, enter the email address(es) to which these requests should be routed in CollabSpace administrative email address(es):


An example of the request email is shown below (the user requesting the CollabSpace will be cc’d on this email):


That email includes the following information:

  • the name of the person who requested the CollabSpace
  • a link to the workspace where the CollabSpace should be added
  • the name of the CollabSpace to be created
  • a suggestion to give the requesting user administrative rights to the CollabSpace

The recipient of the request email can select the link, which will open the workspace to the CollabSpaces tab:


If the recipient has sufficient rights to create a new CollabSpace, they can select Add CollabSpace and create a new CollabSpace with the requested name. In the Access List dialog box that appears after the CollabSpace is created, add the user who requested the CollabSpace and give that user VESA rights to the CollabSpace to give that user the ability to manage the CollabSpace, then apply the changes:


Next, in the CollabSpace menu, select Email link to send an email to the requesting user to let them know that the CollabSpace has been created:


The email will automatically include a link to the new CollabSpace. (The email will be generated using the native email application if desktop email integration is enabled.)

Display the CollabSpaces Tab

All of the CollabSpaces in a workspace will be listed in a new CollabSpaces tab.

By default, the CollabSpaces tab does not appear in any workspace in the cabinet. There are two ways to make the CollabSpaces tab visible in a workspace.

Workspace Templates

In a workspace template, under CollabSpaces, select the Enable CollabSpaces check box.


After this change has been applied to the workspace template, any newly created workspaces based on this template will display the CollabSpaces tab, and any existing workspaces tied to that template that are later refreshed will also display the CollabSpaces tab.

Workspace Dialog Box

To enable or hide the CollabSpaces tab for an individual workspace, select Customize Workspace and then select the CollabSpaces check box. 


Any user with VES rights to a workspace can access this dialog and enable CollabSpaces. Disabling the CollabSpaces tab will NOT delete any previously created CollabSpaces in that workspace, but those existing CollabSpaces will not be viewable from the workspace page. However, an existing CollabSpace can still be accessed from a link to the CollabSpace (such as a link added to the Home page), in a search result, or from the Navigation Pane where the CollabSpace appears as a child of the workspace:


Permit Multi-Document Downloads

One of the most common reasons to share content externally is to allow external users to download that content. Therefore, to make sure that is allowed, it is strongly recommended that you enable the External users are not subject to restrictions on multi-document downloads cabinet-level setting:


The alternative approach would be to give the right to perform multi-document downloads one at a tmie to every external group created in the cabinet, which will not be easy to do if most of those are CollabSpace groups created by everyday internal users who do not have access to the Cabinet Administration page.

Restrict External Access to History

The External members are allowed to access the history of objects in this cabinet cabinet-level setting governs whether any external user, regardless of their rights to content, can access the history of documents and containers in that cabinet:


Object history might contain sensitive information and will list actions performed by any user. This information typically should not be exposed to external users. By default, this option is disabled in all cabinets. It is strongly recommended to keep it disabled.

Manage CollabSpaces, External Users, and External Groups

After CollabSpaces have been enabled in a cabinet, these CollabSpaces can be managed in several ways by a Cabinet Administrator.

Search for CollabSpaces

On the Advanced Search page, if one or more CollabSpace-enabled cabinets are selected, a CollabSpaces Only file-extension filter appears:


Although this search filter is available to any user, a Cabinet Administrator will be able to use this filter to find any CollabSpace in their cabinet. The CollabSpaces-only search results can be refined with other search filters.

Access and Configure a CollabSpace

A Cabinet Administrator has full access to all content in a cabinet, including every CollabSpace.

A Cabinet Administrator can change the configuration of any CollabSpace, even if the Cabinet Administrator did not create the CollabSpace.

The configuration of a CollabSpace can be managed in the CollabSpace drop-down menu by the Customize, Edit Profile, and Modify Access options:


  • Customize – To rename the CollabSpace, update its description and icon and change the default sort order.
  • Edit profile – To change the profile values associated with the CollabSpace, which will be inherited by default when new content is added directly to it.
  • Modify access – To change the access rights of the CollabSpace, including creating and modifying CollabSpace groups.

Manage External Users and Groups

By enabling CollabSpaces in a cabinet, three types of external groups can be given access to a cabinet:

  • Repository-level groups. The membership and configuration of these groups are controlled by a Repository Administrator. It is a Cabinet Administrator’s choice whether to add a repository-level group to a cabinet.
  • Cabinet-level groups. The membership and configuration of these groups are controlled solely by a Cabinet Administrator, which automatically have access to the cabinet.
  • CollabSpace groups. The membership and configuration of these groups are controlled jointly by the everyday internal user(s) given VESA rights to the corresponding CollabSpace and by Cabinet Administrators, although typically these groups are created by every internal user.

A Cabinet Administrator has full control over cabinet-level and CollabSpace groups, including the membership of those groups, how those groups are configured and whether those groups should be removed from the cabinet. (Removing a CollabSpace group from the cabinet will delete the group entirely.)

A Cabinet Administrator can manage all of these types of groups from the Cabinet Administration page.  That page lists all of the groups and indicates whether each group has been added to the cabinet: 


The list also indicates the type of each group:

  • Internal – A repository-level internal group
  • External – A repository-level or cabinet-level external group
  • CollabSpace - A CollabSpace group

In the case of a CollabSpace group, the Cabinet Administrator can hover over the word CollabSpace to determine which CollabSpace and workspace the group is associated with:


Select View Members for that group, and the Modify CollabSpace Group dialog appears. It displays the CollabSpace and workspace the group is associated with, including a link to the CollabSpace itself:


In addition, from the Cabinet Administration page a Cabinet Administrator has access to the full list of external members of the repository:


The Cabinet Administrator can select an external user and determine whether that user is a member of the cabinet (which means that the user is a member of the group added to the cabinet) and which groups the user is a member of, limited to repository-level external groups where the membership is not hidden and any cabinet or CollabSpace group in that cabinet:


For any CollabSpace group the user is a member of, the Cabinet Administrator can select the group, and then select Details to see the name of the associated CollabSpace, which will be a link to open the CollabSpace page in a new tab.

Cabinet External Groups Tied to a Top-Level Workspace Attribute

Overview and Best Practices

Any repository external group or cabinet external group can be added to any CollabSpace.  Therefore, an internal user managing a CollabSpace could potentially add the wrong group to a CollabSpace.  For example, a cabinet external group populated with users from client Northwest Central Bancorp might mistakenly be added to a CollabSpace in another client’s workspace.

NetDocuments has added support for a new variation of cabinet external group, which has been created expressly to minimize this risk and to give Cabinet Administrators greater control over the external sharing experience.  With this new variation, cabinet external groups can be tied to the top-level workspace attribute for that cabinet.  (For most NetDocuments customers, the top-level workspace attribute is "Client," as in a Client-Matter workspace.)  This new variation of cabinet external group can be created only in CollabSpace-enabled cabinets.

For example, if a NetDocuments customer represents Northwest Central Bancorp, which has its own Client key, then a cabinet external group can be created that is tied to the Northwest Central Bancorp Client key.  (Presumably, that group will include only external users who work for or are associated with Northwest Central Bancorp.)  That Northwest Central Bancorp cabinet external group can be given access only to CollabSpaces in Northwest Central Bancorp workspaces.  That eliminates the risk that the Northwest Central Bancorp group will mistakenly be added to a CollabSpace for a different client.

And because these are cabinet external groups, they have the benefit of reusability across different CollabSpaces.  That way, the same group can safely be added to multiple CollabSpaces, so that it is not necessary to create multiple CollabSpaces groups across multiple CollabSpaces, each of which has the same set of users.

With this enhancement, NetDocuments recommends as a best practice that only two types of external groups be added to a CollabSpace-enabled cabinet:

  1. CollabSpace groups (each of which is tied to a specific CollabSpace)
  2. Cabinet external groups tied to the cabinet’s workspace top-level attribute

(An exception might be made for: (a) external groups that need access to a broad range of workspaces, like a customer’s auditor, which can be access to workspaces via Profile-Based Security (to add external groups to existing workspaces, the POST /v1/Search/{cabinetid} action=changeAcl REST call can be used, running with Cabinet Administrator rights); and (b) groups previously added to that cabinet, which over time can be phased out.)

A Cabinet Administrator controls which groups are added to a cabinet.  Therefore, a Cabinet Administrator can choose not to add repository-level external groups to the cabinet and can ensure that any cabinet-level external groups created in the cabinet are tied to the workspace's top-level attribute.  And because the Cabinet Administrator alone manages the membership of cabinet external groups, they can be certain that the membership of those groups is always correct and has not been changed by others.

Creating Cabinet Groups Tied to a Top-Level Workspace Attribute

To create a cabinet external group tied to the top-level workspace attribute, the Cabinet Administrator will access the Cabinet Administration page and click on the Create External Group button. That will display the Create Cabinet Group dialog.  If the cabinet has CollabSpaces enabled, there will be a new, optional field on that dialog with the label: “Enter [Name of Top-Level Workspace Attribute] Key”:

(In the screenshot above, the top-level workspace attribute key is “Client”, so the label is “Enter Client Key”.)

Configure the cabinet group settings the way you would configure any other group:  enter a group name, check the group options and add members to the group.  In addition, you have the option to associate this group with a specific top-level workspace attribute value.  In the screenshot above, the value would be a particular Client key listed in the Client lookup table for that repository.  Simply enter the exact Client key value for the Client that the group will be associated with and click “Validate”:


If the value entered exactly matches a Client key in the lookup table, the corresponding description for that Client key will be displayed below (in green):


If the value entered does not match any key in the lookup table, you will be informed that there is no matching key (in red):


You can click the “Clear” button to clear out the value, whether validated or not.

If an invalid or not-yet-validated key value is entered in that field and you try to save the new group, an error message will be shown and you will not be able to proceed unless you clear out the value or enter and validate a key:


Staring with the web refresh to be released on February 27, you can also take an existing cabinet external group (as long as it is not already tied to a top-level workspace attribute) and associate it with a top-level workspace attribute value. The Modify Cabinet Group form looks like this:


Tying an existing group to a top-level workspace attribute value can be achieved in an identical way to taking the same action on a new group, except you will see this message when saving your changes:


This alert informs you that the existing group may have already been given access to content and tying this group to a top-level workspace attribute value will not change those existing access rights. 

Also, if you create a cabinet group that is tied to a top-level workspace attribute value, you cannot change that value later to be associated with a different top-level workspace attribute value.  In the Modify Cabinet Group dialog, the selected top-level workspace attribute value is shown as read only: 


Nor can a group associated with a top-level workspace attribute value be disassociated from that value later.  If necessary, simply create a new cabinet external group that is not tied to a top-level workspace attribute.

Managing Cabinet Groups Tied to a Top-Level Workspace Attribute

As shown above, when accessing the Modify Group dialog for a cabinet group tied to a top-level workspace attribute, the key and description of the associated top-level workspace attribute value is displayed.  Also, the name of that dialog will be labeled “Modify [Name of Top-Level Workspace Attribute]-Centric Group”, to make it clear what type of group it is.  And on the Cabinet Administration page, in the “Type” column where all of the groups are listed, cabinet external groups associated with a top-level workspace attribute will be listed as “[Name of Top-Level Workspace Attribute]-Centric”:


Hover over that language and the key associated with the group will be displayed:


In addition, it is possible to filter just for this new type of group using the Type of group filter:


In all other ways, cabinet external groups tied to a top-level workspace attribute can be managed in the same way as any other group:  you can change the group’s name or options, update the group’s membership or remove the group, if necessary.

Using Cabinet Groups Tied to a Top-Level Workspace Attribute

Cabinet external groups tied to a top-level workspace attribute can be used like any other cabinet external group, with the exception that they can be given access only to CollabSpaces added to workspaces that are associated with the same top-level workspace attribute value that the group is associated with.  Using the example above, the Northwest Central Bancorp cabinet group can be added only to CollabSpaces in Northwest Central Bancorp workspaces.

For example, if you open the Modify Access dialog for a CollabSpace in a different client’s workspace and view the list of available External Groups, the “Northwest Central Bancorp” group will not be listed:


But in a CollabSpace in a Northwest Central Bancorp workspace, that group will be listed:


Management of External Users and Groups by a Repository Administrator

A Repository Administrator will be able to manage all external members of the repository from the Users & Groups page. In managing external users, the role of the Repository Administrator is different from the Cabinet Administrator. The Repository Administrator’s role is mostly limited to evaluating the scope of the external user’s access to the entire repository so that the Repository Administrator can decide whether or not to remove the external user from the repository. For example, the Repository Administrator can determine the last time the external user signed into NetDocuments, whether the external user is still a member of any group, which groups those are, and the type of each group.

Also, the Repository Administrator can generate a User Group report, which will list every group – repository, cabinet or CollabSpace – in the repository, the membership of each group, the type of group and whether the group is internal or external.

Best Practices for External Access to a Cabinet

When CollabSpaces are enabled in a cabinet, it is a best practice to give external access to that cabinet exclusively through (a) CollabSpace groups, because each CollabSpace group is limited to a single CollabSpace, and (b) cabinet external groups tied to a top-level workspace attribute. 

Other types of groups, like repository groups and regular cabinet groups, that are added to a cabinet increase the risk that the wrong group of external users will be given access to the wrong content. Adding repository-level external groups to a CollabSpace-enabled cabinet is rarely recommended. 

Consolidated Activity Log Entries

If an action is taken on a document that would be logged to the consolidated activity log, and that document is part of a CollabSpace, then an extra attribute will be included in the corresponding consolidated activity log entry, indicating which CollabSpace the document is part of.  In the XML version that log entry looks as follows:


And in the JSON version it looks as shown below: