Information Rights Management (IRM) enables you to limit the actions that users can take on files that have been downloaded from lists or libraries. IRM encrypts the downloaded files and limits the set of users and programs that are allowed to decrypt these files. IRM can also limit the rights of the users who are allowed to read files, so that they cannot take actions such as printing copies of the files or copying text from them.
How and where does a user protect information/documents in Office365?
- There are 2 ways to protect a document.
  - Using Basic Rights Management features, which can be activated in the O365 Admin Center for the tenant's lists/libraries. When activated, this enables site owners to create a basic version of Information Rights Management policies from the List/Library settings page for the list/library. Once a policy is created, users can upload and protect documents in a SharePoint list/library.
  - Using Advanced Rights Management features, which need Azure Rights Management Services to be configured for the tenant. Once configured, advanced rights policy templates can be created for a user/group. The policy templates are then propagated to users' desktops and Office client applications via your Active Directory, which is synced with the Azure Rights Management Server. From your desktop or Office client application, you then have the option to protect documents for a specific user/group using an available rights policy template.
- Below are the user actions that can be used to protect the rights of a document:
  - Set read-only
  - Disable copying of text
  - Prevent saving a local copy
  - Prevent printing a file
- Supported file types
  - The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
  - The Office Open XML formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
  - The XML Paper Specification (XPS) format
How RMS can help protect your content
- Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
- Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
- Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server
- Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
How RMS cannot help protect content
- Erasure, theft, capture, or transmission by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware
- Loss or corruption because of the actions of computer viruses.
- Digital or film photography of content that is displayed on a screen
- Copying through the use of third-party screen-capture programs
Protect documents uploaded to SharePoint Lists/Libraries using Basic Features
- IRM can be enabled on lists and libraries.
- When enabled on a list, it only protects the documents attached to the list items.
- The policy specified in the list/library settings is applied to all documents uploaded to the list/library.
- Document rights expiration can be set for documents that are downloaded from the libraries.
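The basic library-level policy described above can also be set from a script through the SharePoint client object model. The following is an added example, not part of the original article: the site URL, library title, policy text and day counts are placeholders, the SDK path is an assumed default install location, and it assumes IRM has already been activated for the tenant and that the account can sign in with `SharePointOnlineCredentials`.

```powershell
# Added example: apply a basic IRM policy to one document library via CSOM.
# Assumes the SharePoint Online Client Components SDK is installed at this path.
$sdk = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI"
Add-Type -Path "$sdk\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$sdk\Microsoft.SharePoint.Client.Runtime.dll"

$siteUrl   = "https://contoso.sharepoint.com/sites/finance"   # placeholder
$listTitle = "Contracts"                                      # placeholder

$cred = Get-Credential
$ctx  = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials(
    $cred.UserName, $cred.Password)

$list = $ctx.Web.Lists.GetByTitle($listTitle)
$ctx.Load($list)
$ctx.Load($list.InformationRightsManagementSettings)
$ctx.ExecuteQuery()

# Turn IRM on for the library and describe the policy shown to users.
$list.IrmEnabled = $true
$irm = $list.InformationRightsManagementSettings
$irm.PolicyTitle       = "Confidential - view only"           # placeholder text
$irm.PolicyDescription = "Downloaded copies are encrypted and read-only."

# Viewers get read-only copies: no printing, no editable copy, no scripts.
$irm.AllowPrint     = $false
$irm.AllowWriteCopy = $false
$irm.AllowScript    = $false

# Rights on a downloaded copy expire after 30 days (placeholder value),
# and users must re-verify their credentials every 7 days (placeholder value).
$irm.EnableDocumentAccessExpire = $true
$irm.DocumentAccessExpireDays   = 30
$irm.EnableLicenseCacheExpire   = $true
$irm.LicenseCacheExpireDays     = 7

$list.Update()
$ctx.ExecuteQuery()

# Read the settings back from the server to confirm what was stored.
$ctx.Load($list)
$ctx.Load($list.InformationRightsManagementSettings)
$ctx.ExecuteQuery()
$list.InformationRightsManagementSettings |
    Select-Object PolicyTitle, AllowPrint, AllowWriteCopy,
                  DocumentAccessExpireDays, LicenseCacheExpireDays
```

Because the policy applies to every document in the library, review the read-back values before users start uploading content.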
Protect Documents using Rights Policy Template with Advanced Features
What is a Rights Policy Template?
A rights policy template is a set of rules, created in a Rights Management Server, that is applied to client desktop machines from Active Directory.
A template can be created for a user/group that contains a subset of users or the entire organization.
For Office365 you have to use Azure Rights Management Server for creating and managing rights policy templates.
Rights Policy Templates
1. The templates are created by an Azure RMS administrator who has rights to Azure RMS.
2. The templates are then published to end-user desktops from Azure RMS. Once the templates are published, they can also be modified later when needed, and the templates will be refreshed automatically on user desktops.
3. The policy templates are then used by document authors to protect their content.
4. By default, the author or content owner of the document will have full control permissions on the document.
5. There are 2 types of template that can be applied:
   Read or Modify, with any or all of the specific permissions (View Content, Save File, Edit Content, View Assigned Rights)
6. Additional features include:
   Content Expiration Setting – This sets an expiration duration for the content after the template is applied to the document. You can specify a date or specify a number of days starting from the time that the protection is applied to the file.
   Offline Access – This setting is used to allow users to open protected files when they don't have an Internet connection. If not selected, the protected document will always validate with the Rights Management server to check for content expiration and the rights allowed for the user. When offline access is selected for the template, the rights information will be cached on the user's machine for offline viewing.
7. The template is then applied to users or groups.
Protect documents with Advanced Features using rights policy template created from Azure Rights Management Server in File Explorer of Windows
Protect Email with Advanced Features using rights policy template created from Azure Rights Management Server in the Microsoft Outlook Client
Protect Documents with Advanced Features using rights policy template created from Azure Rights Management Server in Office Client
Governance in IRM
You can build enterprise-wide rights policy templates based on the information classification defined in your governance plan.
You can build department-wise rights policy templates, which allow groups in the department to apply the templates to their documents.
Build site templates with IRM policies set up on lists/libraries based on the information classification defined by your organization.