How RMS Works
Updated: November 30, 2006
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The term "Rights Management Services (RMS)" encompasses all of the server and client technologies that are required to support information rights management in an organization. The organization's RMS certification and licensing servers (the RMS root clusters), together with the Microsoft-hosted RMS services (which run the Enrollment, Activation, and RMS account certification services), certify the trusted entities in the RMS system. In addition, the RMS licensing-only servers in the organization issue publishing and use licenses that control how rights-protected content is consumed by the RMS client applications. RMS client technologies, including the RMS client, lockbox, and RMS-enabled applications, run on client computers and allow users to create, publish, and consume rights-protected content.
The different RMS client and server technologies work together to support the following functions:
Creation of rights-protected content. Users who are trusted entities in an RMS system can easily create and manage protected files by using applications and tools that incorporate the features of RMS technology. In addition, RMS-enabled applications can use centrally defined and officially authorized rights policy templates to help users efficiently apply a predefined set of corporate usage policies. RMS-enabled applications are developed by Microsoft and other non-Microsoft developers to be used with an RMS installation.
Licensing and distribution of rights-protected content. Certificates that are issued by the RMS system identify the trusted entities that can publish and consume rights-protected content. Users who are trusted entities in an RMS system can assign usage rights and conditions to content that they author and want to protect. These usage policies specify who can use the content and what they can do with it. Authors can request publishing licenses, which bind the usage policies to the specified content. They can then distribute the content, for example, by sending it to other users who are in their organization, posting it to internal servers for company use, or distributing it to trusted external partners.
In a process that is transparent to users, the RMS system validates the trusted entities in a publishing licensing request, and then issues a license that contains the specified usage rights and conditions for the content. The RMS-enabled application then generates the symmetric keys and uses them to encrypt the content. After the content is protected by this mechanism, only the users who are specified in the publishing licenses can decrypt and consume that content. Those users must also be trusted entities in the RMS system.
Acquiring licenses to decrypt rights-protected information and enforcing usage policies. Users who are trusted entities can consume rights-protected content by using trusted clients. These clients are RMS-enabled computers and applications that allow users to view and work with rights-protected content, to preserve that content's integrity, and to enforce usage policies. When users attempt to gain access to rights-protected content, requests are sent to an RMS server to issue use licenses for the user to consume that content.
In a process that is transparent to users, the RMS system issues unique use licenses that the RMS client can read and interpret. The RMS client inspects the certificate chain of the content and, if required, reviews the content revocation list to make sure that all of the criteria that establish the validity of the content are met. The RMS client then enforces the usage rights and conditions that the publishing license specifies for that user. Provided that all of the usage rights and conditions are met, the RMS-enabled application uses the content key issued by the RMS system to decrypt the content. The usage rights and conditions are persistent and are enforced wherever the content goes.
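The publishing flow (author assigns a usage policy, the server binds it to the content in a publishing license, the application encrypts with a symmetric content key) and the consumption flow (use license request, certificate-chain and revocation-list checks, rights enforcement, decryption) can be walked through end to end in a small model. The following is an added illustration, not Microsoft's code: real RMS uses XrML licenses, RSA-wrapped AES content keys and certificate chains rooted in the server licensor certificate, whereas here HMAC-SHA256 stands in for both the server's signature and the cipher keystream so that the file runs with only the Python standard library. The class and function names, the users "alice", "bob" and "carol", and the document text are all constructed for the example.

```python
"""Toy model of the RMS publishing and use-license flow (added example, not Microsoft code).
HMAC-SHA256 stands in for the server licensor signature and for the AES keystream;
principal names and content are constructed."""
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream (illustrative stand-in for AES)."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class RmsServer:
    """Root cluster: certifies users, issues publishing and use licenses, keeps the revocation list."""

    def __init__(self):
        self.signing_key = os.urandom(32)   # stands in for the server licensor certificate key
        self.wrap_key = os.urandom(32)      # wraps content keys inside publishing licenses
        self.users = {}                     # name -> rights account certificate secret
        self.revoked = set()                # content revocation list (content ids)

    def certify_user(self, name: str) -> bytes:
        """Account certification: the user becomes a trusted entity in the RMS system."""
        self.users[name] = os.urandom(32)
        return self.users[name]

    def _sign(self, body: dict) -> dict:
        canon = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "sig": hmac.new(self.signing_key, canon, hashlib.sha256).hexdigest()}

    def verify(self, lic: dict) -> bool:
        """Clients are assumed to hold the server's verification key (simplification of the cert chain)."""
        canon = json.dumps(lic["body"], sort_keys=True).encode()
        expected = hmac.new(self.signing_key, canon, hashlib.sha256).hexdigest()
        return hmac.compare_digest(lic["sig"], expected)

    def issue_publishing_license(self, author, content_id, content_key, policy):
        """Binds the usage policy to the content; the key is wrapped so only the server can recover it."""
        if author not in self.users:
            raise PermissionError(f"{author} is not a trusted entity")
        wrapped = keystream_xor(self.wrap_key, b"server:" + content_id.encode(), content_key)
        return self._sign({"type": "publishing", "author": author, "content_id": content_id,
                           "policy": policy, "wrapped_key": wrapped.hex()})

    def issue_use_license(self, user, pl):
        """Validates the trusted entities, then re-wraps the key for this user with only their rights."""
        body = pl["body"]
        if user not in self.users or not self.verify(pl):
            raise PermissionError("untrusted user or tampered publishing license")
        rights = body["policy"].get(user)
        if rights is None:
            raise PermissionError(f"{user} is not named in the usage policy")
        cid = body["content_id"]
        key = keystream_xor(self.wrap_key, b"server:" + cid.encode(), bytes.fromhex(body["wrapped_key"]))
        rewrapped = keystream_xor(self.users[user], b"user:" + cid.encode(), key)
        return self._sign({"type": "use", "user": user, "content_id": cid,
                           "rights": sorted(rights), "wrapped_key": rewrapped.hex()})


def publish(server, author, content: bytes, policy: dict) -> dict:
    """Author side: generate the content key, encrypt, and obtain a publishing license."""
    content_key, content_id = os.urandom(32), os.urandom(8).hex()
    ciphertext = keystream_xor(content_key, b"body:" + content_id.encode(), content)
    policy = {user: sorted(rights) for user, rights in policy.items()}  # JSON-friendly
    return {"ciphertext": ciphertext,
            "publishing_license": server.issue_publishing_license(author, content_id, content_key, policy)}


def consume(server, user, user_secret, protected, action):
    """Consumer side: obtain a use license, check chain and revocation list, enforce rights, decrypt."""
    pl = protected["publishing_license"]
    ul = server.issue_use_license(user, pl)
    if not (server.verify(pl) and server.verify(ul)):
        raise PermissionError("license chain failed verification")
    cid = ul["body"]["content_id"]
    if cid in server.revoked:
        raise PermissionError("content is on the revocation list")
    if action not in ul["body"]["rights"]:
        raise PermissionError(f"{user} does not hold the {action} right")
    key = keystream_xor(user_secret, b"user:" + cid.encode(), bytes.fromhex(ul["body"]["wrapped_key"]))
    return keystream_xor(key, b"body:" + cid.encode(), protected["ciphertext"])


def demo() -> dict:
    """Runs the flow with constructed users and returns each outcome."""
    server = RmsServer()
    server.certify_user("alice")
    bob_secret, carol_secret = server.certify_user("bob"), server.certify_user("carol")
    doc = publish(server, "alice", b"Q3 forecast: confidential",
                  {"alice": {"view", "edit", "print"}, "bob": {"view"}})
    results = {"bob_view": consume(server, "bob", bob_secret, doc, "view")}
    attempts = [("bob_print", "bob", bob_secret, "print"), ("carol_view", "carol", carol_secret, "view")]
    server_revoke_after = len(attempts)
    attempts.append(("bob_after_revocation", "bob", bob_secret, "view"))
    for i, (label, name, secret, action) in enumerate(attempts):
        if i == server_revoke_after:  # administrator revokes the content before the last attempt
            server.revoked.add(doc["publishing_license"]["body"]["content_id"])
        try:
            consume(server, name, secret, doc, action)
            results[label] = "allowed"
        except PermissionError as err:
            results[label] = f"denied: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

The point to take from the model is the separation of roles: the content key never travels in the clear, the publishing license carries it wrapped for the server, and the use license carries it re-wrapped for one certified user together with only that user's rights, so a user who was never named in the policy, a user asking for a right they were not granted, and any user after the content is revoked are all refused before the key is unwrapped.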
For more information about creating rights-protected content, see RMS-enabled Applications in RMS: Technical Reference in this documentation collection.
For more information about the hierarchy of trusted entities in an RMS system, see RMS Trust Hierarchy in RMS: Technical Reference in this documentation collection.
For more information about publishing and consuming rights-protected content, see RMS Publishing in this documentation collection.