Planning for Information Rights Management in the 2007 Office system
Updated: June 28, 2007
Applies To: Office Resource Kit
In many businesses, sensitive information such as employee medical and financial records, payroll information, and private personal data is protected only by limiting access to the networks or computers where the information is stored. Information Rights Management (IRM) technology in the 2007 Microsoft Office system helps organizations and information workers control sensitive information electronically by enabling users to specify permissions for accessing and using documents and messages.
This topic provides a summary of IRM technology and how it works in Office applications, together with links to more information about setting up and installing the required servers and software to implement IRM in Office.
What is IRM?
IRM is a persistent file-level technology from Microsoft that uses permissions and authorization to help prevent sensitive information from being printed, forwarded, or copied by unauthorized individuals. Once permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or e-mail message as part of the contents of the file.
The ability to create content or e-mail messages with restricted permission using IRM is available in the following suites: Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007, and Microsoft Office Ultimate 2007. IRM is also available in the stand-alone versions of Office applications.
IRM support in the 2007 Office system helps corporations and knowledge workers address two fundamental needs:
Restricted permission for sensitive information
IRM helps prevent sensitive information from unauthorized access and reuse. Corporations rely on firewalls, logon security-related measures, and other network technologies to help protect sensitive intellectual property. A basic limitation of using these technologies is that legitimate users with access to the information can share it with unauthorized people. This can lead to a potential breach of security policies.
Information privacy, control, and integrity
Information workers often work with confidential or sensitive information. By using IRM, employees need not depend on the discretion of others to ensure that sensitive materials remain inside the company. IRM eliminates users' ability to forward, copy, or print confidential information by helping to disable those functions in documents and messages with restricted permission.
For information technology (IT) managers, IRM helps enable the enforcement of existing corporate policies regarding document confidentiality, workflow, and e-mail retention. For CEOs and security officers, IRM reduces the risk of having key company information fall into the hands of the wrong people, whether by accident, thoughtlessness, or through malicious intent.
How IRM works in the Office system
Office users apply permissions to messages or documents by using options on the Ribbon: for example, by using the Protect Document command on the Review tab in Word. The protection options available are based on permission policies that you customize for your organization. Permission policies are groups of IRM rights that you package together to apply as one policy. The 2007 Office system also provides several predefined groups of rights, such as Do Not Forward.
Using IRM with an RMS server
Enabling IRM in your organization typically requires access to a rights management server running Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 or later. (It is also possible to use IRM by using Microsoft Windows Live ID to authenticate permissions, as described in the next section.) The permissions are enforced by using authentication, typically by using Microsoft Active Directory directory service. Microsoft Windows Live ID can authenticate permission if Active Directory is not implemented.
Users do not need Office to be installed to read protected documents and messages. The Rights Management Add-on for Internet Explorer (a free download from Microsoft) enables Microsoft Windows users who have the correct permission to read e-mail messages and some documents with restricted permission, without using Office software.
In 2007 Office system, companies can create the permissions policies that appear in Office applications. For example, you might define a permission policy called Company Confidential, which specifies that documents or e-mail messages using that policy can only be opened by users inside the company domain. There is no limit to the number of permission policies that can be created.
Windows SharePoint Services 3.0 supports using IRM on documents stored in document libraries. By using IRM in Windows SharePoint Services, you can control which actions users can take on documents when they open them from libraries in Windows SharePoint Services 3.0. This is in contrast to IRM applied to documents stored on client computers, where the owner of a document can choose what rights to assign to each user of the document. For more information about using IRM with document libraries, see Plan document libraries.
For more information about installing and configuring RMS servers, see Enabling Information Protection in Microsoft Office 2003 with Rights Management Services and Information Rights Management. For more information about configuring IRM in the 2007 Office system and creating permissions policies, see Provide custom Information Rights Management rights policy templates in the 2007 Office system.
Using IRM without a local RMS server
In a typical installation, Windows Server 2003 with Windows Rights Management Services enables using IRM permissions with the 2007 Office system. If an RMS server is not configured on the same domain with users, Microsoft Windows Live ID can authenticate permission, instead of Active Directory. Users must have access to the Internet to connect to the Windows Live ID servers.
You can use Windows Live ID accounts when you assign permissions to users who need access to the contents of a restricted file. When you use Windows Live ID accounts for authentication, each user must specifically be granted permission to a file. Groups of users cannot be assigned permission to access a file.
Setting up IRM for the Office 2007 system
Applying IRM permissions to documents or e-mail messages requires:
Access to an RMS for Windows Server 2003 or later server to authenticate permissions. Alternatively, authentication can be managed by using the Windows Live ID service on the Internet.
Rights Management (RM) client software.
Microsoft Office 2003 or the 2007 Office system. Only specific versions of Office enable users to create IRM permissions (see earlier note).
Setting up RMS server access
Windows RMS manages licensing and other administrative server functions that work with IRM to provide rights management. An RMS-enabled client program, such as Office, enables users to create and view rights-protected content.
To learn more about how RMS works and how to install and configure an RMS server, see Enabling Information Protection in Microsoft Office 2003 with Rights Management Services and Information Rights Management. Although the content in the article was written for Office 2003, the RMS server content is also relevant for implementing IRM with the 2007 Office system. Up-to-date information about RMS releases is available at Windows Server 2003 Rights Management Services (RMS).
Installing the Rights Management client software
Though IRM is an integral part of the Microsoft Office System, separate installation and configuration of the necessary RMS client software is required to interact with the RMS for Windows Server 2003 or later server or the Windows Live ID service on the Internet.
Download the RMS Client Service Pack to enable users to run applications that restrict permission based on RMS technologies.
Defining and deploying permissions policies
As in Office 2003, the 2007 Office system includes predefined groups of rights that users can apply to documents and messages, such as Do Not Forward. You can also define custom IRM Permissions Policies to provide different packages of IRM rights for people in your organization. For more information about creating rights policy templates for Office and the rights that can be included in the templates, see Provide custom Information Rights Management rights policy templates in the 2007 Office system.