Information Rights Management (IRM) technology in Microsoft® Office 2003 helps to give organizations and information workers greater control of their sensitive information. IRM is a persistent file-level technology from Microsoft that allows the user to specify permission for who can access and use documents or e-mail messages, and it helps to prevent sensitive information from being printed, forwarded, or copied by unauthorized individuals. Once permission for a document or message has been restricted with this technology, the usage restrictions travel with the document or e-mail message as part of the contents of the file.
Note The ability to create content or e-mail messages with restricted permission using Information Rights Management is available only with the Microsoft Office Professional Edition 2003 version of the following applications — Microsoft Office Word 2003, Microsoft Office Excel 2003, Microsoft Office PowerPoint® 2003, and Microsoft Office Outlook® 2003. IRM is also available in the stand-alone versions of those applications.
IRM support in Office 2003 helps corporations and knowledge workers address two fundamental needs:
- Restricted permission for sensitive information
Most corporations today rely on firewalls, logon security-related measures, and other network technologies in an effort to help protect their sensitive intellectual property. The fundamental limitation of these technologies is that, once legitimate users have access to the information, they can share it with unauthorized people, potentially breaching security policies. IRM helps prevent the sensitive information itself from unauthorized access and reuse.
- Information privacy, control, and integrity
Information workers often deal with confidential or sensitive information, relying on the discretion of others to keep sensitive materials in-house. IRM eliminates any temptation to forward, copy, or print confidential information by helping to disable those functions in documents and messages with restricted permission.
For information technology (IT) managers, IRM helps enable the enforcement of existing corporate policies regarding document confidentiality, workflow, and e-mail retention. For CEOs and security officers, it significantly reduces today's risk of having key company information in the hands of the wrong people, whether by accident, thoughtlessness, or through malicious intent.
When enabled by the organization by using Microsoft Windows® Rights Management Services for Windows Server™ 2003 (RMS), users of Office 2003 can easily take advantage of this technology. A simple user interface based on customizable permission policies (available from the File menu) makes IRM convenient and approachable. Integration with Microsoft Active Directory® directory service provides a level of convenience not seen on today's document-specific passwords. Finally, the Rights Management Add-in for Microsoft Internet Explorer allows the users of Microsoft Windows — if they have the proper permission — to read e-mail messages and some documents with restricted permission whether or not they have Office 2003. Organizational policy
Using IRM technology, Office 2003 allows companies to create permission policies that appear in Office applications. For example, a company might define a policy called Company Confidential, which specifies that documents or e-mail messages using that policy can be opened by users inside the company domain only. There is no limit to the number of policies that can be created. Rights Management Add-in for Internet Explorer
Since permissions are granted at the application level, Office documents with restricted permission can only be opened by Office 2003 or later. However, the Rights Management Add-in for Internet Explorer allows users without Office 2003 to read content with restricted permission. Additional server requirements for IRM
Windows Server 2003 with Windows Rights Management Services is required to enable IRM with Office 2003. This service enables users to share documents and messages with restricted permission using Microsoft .NET Passport as the authentication mechanism, as opposed to Active Directory. Passport
If an RMS server is not in place on the domain, but use of the IRM feature is required, access to the Internet from each client workstation must be provided to allow users access to the Microsoft Passport servers. Passport accounts can be used when assigning permissions to the various users who will need access to the contents of the file. However, this does not allow for groups of users to gain access to a file. Each user must be specifically granted permission to the file when using Passport accounts. Usage and enforcement of permissions
IRM uses various levels of permissions to restrict access to the content of a file.
The following rights are enforced by the Office applications. These rights are grouped into three levels of permission and a list of custom settings in the Office applications.
Office bases all of its permission enforcement on these rights defined in the Microsoft Windows Rights Management Services for Windows Server 2003.
- Full Control
Gives the user every right listed below, and the right to make changes to the permissions associated with the content. Expiration does not apply to users with Full Control.
- View
Allows the user to open IRM content. This maps to the Read Access in the Office user interface.
- Edit
Allows the user to edit the IRM content.
- Save
Allows the user to save the file.
- Extract
Allows the user to make a copy of any portion of the file and paste it into the work area of another application.
- Export
Allows the user to save the content in another location or format that may or may not support IRM.
- Print
Allows the user to print the contents of the file.
- Allow Macros
Allows the user to run macros against the contents of the file.
- Forward
Allows e-mail recipients to forward an IRM e-mail message.
- Reply
Allows e-mail recipients to reply to an IRM e-mail message.
- Reply All
Allows e-mail recipients to reply to all users on the To: and CC: lines of an IRM e-mail message.
- View Rights
Allows users permission to view the rights associated with the file. Office ignores this right.
A user can specify one of several predefined groups of rights when creating IRM content:
- Read
User with Read permission only have the View right.
- Do Not Forward
In Outlook, the author of an IRM e-mail message can apply Do Not Forward permission to the users in the To:, Cc:, and Bcc: lines.
This permission includes the View, Reply, and Reply all rights.
- Change
Users with Change permission have View, Edit, Extract, Export, and Save rights.
Additional permissions in Office documents
In addition to the permission groups mentioned above, specific rights can be specified in the advanced user interface of Word, Excel, and PowerPoint. Outlook always enables messages to be viewed by a browser that supports Rights Management.
The following options are available on the Permission dialog for Word, Excel, and PowerPoint:
- This document expires on
This option allows the author to specify a date after which the IRM content becomes unreadable for everyone but users with Full Control.
- View content in trusted browsers
This option allows the author to specify whether or not users without Office 2003 can view the content in the Rights Management Add-in for Internet Explorer.
- Require a connection to verify a user's permission
This option gives the author the ability to force users to connect to the Windows Rights Management server every time content is opened. This is useful if permissions to a shared document change over time and the author wants to make sure every user is verified prior to opening the document.
|
IN THIS CHAPTER
Printer-friendly version
