diff --git a/cmd/reva/common.go b/cmd/reva/common.go
index 1e27141e46..ed630c1128 100644
--- a/cmd/reva/common.go
+++ b/cmd/reva/common.go
@@ -30,11 +30,11 @@ import (
 )

 const (
- viewerPermission string = "viewer"
- readerPermission string = "reader"
- editorPermission string = "editor"
- coownerPermission string = "coowner"
- denyPermission string = "denied"
+ viewerPermission string = "viewer"
+ readerPermission string = "reader"
+ editorPermission string = "editor"
+ collabPermission string = "collab"
+ denyPermission string = "denied"
 )

 type config struct {
diff --git a/cmd/reva/share-create.go b/cmd/reva/share-create.go
index 15dd58f49e..9911c4884b 100644
--- a/cmd/reva/share-create.go
+++ b/cmd/reva/share-create.go
@@ -181,7 +181,7 @@ func getSharePerm(p string) (*provider.ResourcePermissions, error) {
 RestoreFileVersion: true,
 Move: true,
 }, nil
- case coownerPermission:
+ case collabPermission:
 return &provider.ResourcePermissions{
 GetPath: true,
 InitiateFileDownload: true,
diff --git a/internal/http/services/owncloud/ocs/conversions/permissions_test.go b/internal/http/services/owncloud/ocs/conversions/permissions_test.go
index 59d39903fc..719025e388 100644
--- a/internal/http/services/owncloud/ocs/conversions/permissions_test.go
+++ b/internal/http/services/owncloud/ocs/conversions/permissions_test.go
@@ -145,7 +145,7 @@ func TestPermissions2Role(t *testing.T) {
 table := map[Permissions]string{
 PermissionRead: RoleViewer,
 PermissionRead | PermissionWrite | PermissionCreate | PermissionDelete: RoleEditor,
- PermissionAll: RoleCoowner,
+ PermissionAll: RoleCollaborator,
 PermissionWrite: RoleLegacy,
 PermissionShare: RoleLegacy,
 PermissionWrite | PermissionShare: RoleLegacy,
diff --git a/internal/http/services/owncloud/ocs/conversions/role.go b/internal/http/services/owncloud/ocs/conversions/role.go
index 8437b1371c..404fb6f7aa 100644
--- a/internal/http/services/owncloud/ocs/conversions/role.go
+++ b/internal/http/services/owncloud/ocs/conversions/role.go
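Review bot: In cmd/reva/common.go the renamed constant carries the value `collab`, while the OCS layer in this same commit names the role `collaborator` (`RoleCollaborator` in conversions/role.go), so one role now has two spellings depending on the entry point. The `case collabPermission:` arm of getSharePerm in share-create.go also stops matching `coowner`, and what getSharePerm does with an unmatched string is outside that hunk. I would align the value, `collabPermission string = "collaborator"`, and if existing scripts must keep working, keep the old spelling as a second label: `case collabPermission, "coowner":`.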
@@ -40,14 +40,16 @@ const (
 RoleLegacy string = "legacy"
 // RoleDenied grants no permission at all on a resource
 RoleDenied string = "denied"
- // RoleViewer grants non-editor role on a resource
+ // RoleViewer grants a view-only role (no download) on a resource
 RoleViewer string = "viewer"
+ // RoleReader grants non-editor role on a resource
+ RoleReader string = "reader"
 // RoleEditor grants editor permission on a resource, including folders
 RoleEditor string = "editor"
 // RoleFileEditor grants editor permission on a single file
 RoleFileEditor string = "file-editor"
- // RoleCoowner grants owner permissions on a resource
- RoleCoowner string = "coowner"
+ // RoleCollaborator rgrants editor+resharing permissions on a resource
+ RoleCollaborator string = "collaborator"
 // RoleUploader FIXME: uploader role with only write permission can use InitiateFileUpload, not anything else
 RoleUploader string = "uploader"
 )
@@ -125,12 +127,14 @@ func RoleFromName(name string) *Role {
 return NewDeniedRole()
 case RoleViewer:
 return NewViewerRole()
+ case RoleReader:
+ return NewReaderRole()
 case RoleEditor:
 return NewEditorRole()
 case RoleFileEditor:
 return NewFileEditorRole()
- case RoleCoowner:
- return NewCoownerRole()
+ case RoleCollaborator:
+ return NewCollaboratorRole()
 case RoleUploader:
 return NewUploaderRole()
 }
@@ -174,6 +178,25 @@ func NewViewerRole() *Role {
 }
 }

+// NewReaderRole creates a reader role
+func NewReaderRole() *Role {
+ return &Role{
+ Name: RoleViewer,
+ cS3ResourcePermissions: &provider.ResourcePermissions{
+ // read
+ GetPath: true,
+ GetQuota: true,
+ InitiateFileDownload: true,
+ ListGrants: true,
+ ListContainer: true,
+ ListFileVersions: true,
+ ListRecycle: true,
+ Stat: true,
+ },
+ ocsPermissions: PermissionRead,
+ }
+}
+
 // NewEditorRole creates an editor role
 func NewEditorRole() *Role {
 return &Role{
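Review bot: The new doc comment on RoleCollaborator has a typo (`rgrants`), and the RoleViewer comment now promises "no download" although no hunk in this diff touches the permission set built by NewViewerRole; only its closing braces appear, as context in the `@@ -174` hunk. If NewViewerRole still sets `InitiateFileDownload`, the comment overstates the restriction and readers may rely on viewer to block downloads when it does not, so this should be confirmed against the full file. Suggested wording for the other comment: `// RoleCollaborator grants editor and resharing permissions on a resource`.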
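Review bot: RoleFromName loses its `coowner` case with no replacement alias, so a role name persisted earlier or sent by an older client no longer resolves to the collaborator role. What the function returns after the switch lies outside this hunk, so the permission set such a request ends up with cannot be judged from here and should be checked. If older names can still arrive, map them explicitly: `case RoleCollaborator, "coowner":`.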
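Review bot: NewReaderRole sets `Name: RoleViewer`, so the role that RoleFromName returns for `reader` identifies itself as `viewer` even though it grants `InitiateFileDownload`, which the updated RoleViewer comment says a viewer does not have. The line should read `Name: RoleReader,`. The same constructor becomes the default for public-link and federated shares in shares.go, so any code that decides on the role name rather than on the permission bits would see the wrong role there as well.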
@@ -232,10 +255,10 @@ func NewFileEditorRole() *Role {
 }
 }

-// NewCoownerRole creates a coowner role
-func NewCoownerRole() *Role {
+// NewCollaboratorRole creates a collaborator role
+func NewCollaboratorRole() *Role {
 return &Role{
- Name: RoleCoowner,
+ Name: RoleCollaborator,
 cS3ResourcePermissions: &provider.ResourcePermissions{
 // read
 GetPath: true,
@@ -296,7 +319,7 @@ func RoleFromOCSPermissions(p Permissions) *Role {
 if p.Contain(PermissionRead) {
 if p.Contain(PermissionWrite) && p.Contain(PermissionCreate) && p.Contain(PermissionDelete) {
 if p.Contain(PermissionShare) {
- return NewCoownerRole()
+ return NewCollaboratorRole()
 }
 return NewEditorRole()
 }
@@ -404,9 +427,9 @@ func RoleFromResourcePermissions(rp *provider.ResourcePermissions) *Role {
 if r.ocsPermissions.Contain(PermissionWrite) && r.ocsPermissions.Contain(PermissionCreate) && r.ocsPermissions.Contain(PermissionDelete) {
 r.Name = RoleEditor
 if r.ocsPermissions.Contain(PermissionShare) {
- r.Name = RoleCoowner
+ r.Name = RoleCollaborator
 }
- return r // editor or coowner
+ return r // editor or collaborator
 }
 if r.ocsPermissions == PermissionRead {
 r.Name = RoleViewer
diff --git a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
index 624df6bcf9..37a7e56637 100644
--- a/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
+++ b/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/shares.go
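Review bot: The context lines closing the `@@ -404` hunk still map `r.ocsPermissions == PermissionRead` to `RoleViewer`, and the new NewReaderRole also carries `ocsPermissions: PermissionRead`, so a grant created as reader is reported as viewer once its role is derived from resource permissions. The two roles can only be told apart by the CS3 bits; a check such as `if rp.InitiateFileDownload { r.Name = RoleReader }` in that branch would separate them. TestPermissions2Role likewise pins `PermissionRead` to `RoleViewer` only, so nothing in the visible tests covers the reader role. The body of RoleFromResourcePermissions continues outside the hunk.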
@@ -243,23 +243,23 @@ func (h *Handler) createShare(w http.ResponseWriter, r *http.Request) {

 switch shareType {
 case int(conversions.ShareTypeUser):
- // user collaborations default to coowner
- if role, val, err := h.extractPermissions(w, r, statRes.Info, conversions.NewCoownerRole()); err == nil {
+ // user collaborations default to collab
+ if role, val, err := h.extractPermissions(w, r, statRes.Info, conversions.NewCollaboratorRole()); err == nil {
 h.createUserShare(w, r, statRes.Info, role, val)
 }
 case int(conversions.ShareTypeGroup):
- // group collaborations default to coowner
- if role, val, err := h.extractPermissions(w, r, statRes.Info, conversions.NewCoownerRole()); err == nil {
+ // group collaborations default to collab
+ if role, val, err := h.extractPermissions(w, r, statRes.Info, conversions.NewCollaboratorRole()); err == nil {
 h.createGroupShare(w, r, statRes.Info, role, val)
 }
 case int(conversions.ShareTypePublicLink):
 // public links default to read only
- if _, _, err := h.extractPermissions(w, r, statRes.Info, conversions.NewViewerRole()); err == nil {
+ if _, _, err := h.extractPermissions(w, r, statRes.Info, conversions.NewReaderRole()); err == nil {
 h.createPublicLinkShare(w, r, statRes.Info)
 }
 case int(conversions.ShareTypeFederatedCloudShare):
 // federated shares default to read only
- if role, val, err := h.extractPermissions(w, r, statRes.Info, conversions.NewViewerRole()); err == nil {
+ if role, val, err := h.extractPermissions(w, r, statRes.Info, conversions.NewReaderRole()); err == nil {
 h.createFederatedCloudShare(w, r, statRes.Info, role, val)
 }
 default:
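Review bot: The new comments on the user and group cases say `collab`, which is the CLI string from cmd/reva rather than the role name, and they do not mention that this default includes resharing (the RoleCollaborator comment describes it as editor+resharing). Since this role is what extractPermissions is handed as its default, presumably for requests that name no permissions, I would spell it out, e.g. `// user shares default to the collaborator role (editor + resharing)`, and confirm that resharing by default is intended. The "read only" comments on the public-link and federated cases would also be clearer as `// federated shares default to the reader role (read + download)`, now that viewer and reader differ. createShare starts and ends outside this hunk.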