
Plan Information Rights Management in Office 2013

 

Applies to: Office 365 ProPlus, Office 2013

Topic Last Modified: 2014-06-06

Summary: Use Information Rights Management (IRM) in Office 2013 to specify permissions for accessing and using sensitive documents and messages.

Audience: IT Professionals

This article contains a summary of IRM technology and how it works in Office applications, together with links to more information about how to set up and install the required servers and software to implement IRM in Office 2013.

Important:
This article is part of the Roadmap for Office 2013 identity, authentication, and authorization for IT Professionals. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 identity.
Are you looking for help about individual Office 2013 applications? You can find this information by searching on Office.com.


Information Rights Management (IRM) is a persistent file-level technology from Microsoft. It uses permissions and authorization to help prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or email message as part of the contents of the file.

Note:
The ability to create content or email messages that have restricted permission by using IRM is available in Office Professional Plus 2013, and in the stand-alone versions of Excel 2013, Outlook 2013, PowerPoint 2013, InfoPath 2013, and Word 2013. IRM content that is created in Office 2013 can be viewed in Office 2003, Office 2007, Office 2010, or Office 2013.
For more information about IRM and Active Directory Rights Management Services (AD RMS) features that are supported in Office 2013, Office 2010, Office 2007, and Office 2003, see AD RMS and Microsoft Office Deployment Considerations.

IRM support in Office 2013 helps organizations and knowledge workers address two fundamental needs:

  • Restricted permission for sensitive information: IRM helps protect sensitive information from unauthorized access and reuse. Organizations rely on firewalls, logon security-related measures, and other network technologies to help protect sensitive intellectual property. A basic limitation of using these technologies is that legitimate users who have access to the information can share it with unauthorized people. This could lead to a potential breach of security policies.

  • Information privacy, control, and integrity: Information workers often work with confidential or sensitive information. By using IRM, employees do not have to depend on the discretion of other people to ensure that sensitive materials remain inside the company. IRM eliminates users' ability to forward, copy, or print confidential information by helping to disable those functions in documents and messages that use restricted permission.

For information technology (IT) managers, IRM helps enable the enforcement of existing corporate policies about document confidentiality, workflow, and email retention. For CEOs and security officers, IRM reduces the risk of having key company information fall into the hands of the wrong people, whether by accident, thoughtlessness, or malicious intent.

Office users apply permissions to messages or documents by using options on the ribbon; for example, by using the Restrict Editing command, under Info, Protect Document. The protection options that are available are based on permission policies that you customize for your organization. Permission policies are groups of IRM rights that you package together to apply as one policy. Office 2013 also provides several predefined groups of rights, such as Do Not Forward in Outlook 2013.

Note:
To IRM-protect a document in Office 2013, you have to have an on-premises RMS server or Office 365 with RMS Online. You can still open IRM-protected content created with a Microsoft Account in earlier versions of Office and edit those documents if you have permission, but you can’t create new protected documents by using a Microsoft Account.

Enabling IRM in your organization typically requires access to a rights management server that runs Windows Rights Management Services (RMS) for Windows Server 2003, or Active Directory Rights Management Services (AD RMS) for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. It is also possible to use IRM by using an individual’s Microsoft account to authenticate permissions, as described later in this article. The permissions are enforced by using authentication, typically by using Active Directory directory service (AD DS). A Microsoft account can be used to authenticate and grant permission if Active Directory is not implemented.

Users do not have to have a Microsoft account to read protected documents and messages. For users who run Windows XP or earlier versions, the Excel viewer and Word viewer enable Windows users who have the correct permission to read some documents that have restricted permission, without using Office software. Users who run Windows XP or earlier versions can use Outlook Web App or the Rights Management Add-on for Internet Explorer to read email messages that have restricted permissions, without using Outlook software. This functionality is already available for users who run Windows 7, Windows 8, Windows 8.1, Windows Vista Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. The Active Directory Rights Management Services client software is included with these operating systems.

In Office 2013, organizations can create the permissions policies that appear in Office applications. For example, you might define a permission policy named Company Confidential, which specifies that documents or email messages that use the policy can only be opened by users inside the company domain. There is no limit to the number of permission policies that can be created.

Note:
SharePoint Foundation supports use of IRM on documents that are stored in document libraries. By using IRM, you can control which actions users can take on documents when they open them from libraries in SharePoint Foundation. This differs from IRM applied to documents stored on client computers, where the owner of a document can choose which rights to assign to each user of the document. For more information about how to use IRM with document libraries, see Document library planning (SharePoint Foundation 2010).

With AD RMS on Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, users can share rights-protected documents between companies that have a federated trust relationship. For more information, see Active Directory Rights Management Services Overview and Federating AD RMS.

Also with AD RMS, Exchange Server 2013 offers IRM-protected email functionality including AD RMS protection for Unified Messaging voice mail messages and Outlook protection rules that can automatically apply IRM-protection to messages in Outlook 2013 before they leave the Outlook client. For more information, see What’s New in Exchange 2013 and Understanding Information Rights Management.

For more information about Active Directory Rights Management Services.

In a typical installation, Windows Server 2003 that is deployed with RMS or Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 that is deployed with AD RMS enables use of IRM permissions with Office 2013. If an RMS server is not configured on the same domain as the users, users’ Microsoft accounts can be used to authenticate permission, instead of Active Directory. Users must have access to the Internet to connect to the Microsoft account servers.

You can use Microsoft accounts when you assign permissions to users who need access to the contents of a restricted file. When you use Microsoft accounts for authentication, each user must specifically be granted permission to a file. Groups of users cannot be assigned permission to access a file.

Applying IRM permissions to documents or email messages requires the following:

  • Access to RMS for Windows Server 2003, or AD RMS for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, to authenticate permissions. Or, authentication can be managed by using the Microsoft account service on the Internet.

  • Rights Management (RM) client software. RM client software is included in Windows Vista and later versions or available as an add-in for Windows XP and Windows Server 2003.

  • Microsoft Office 2003, 2007 Microsoft Office system, Office 2010, or Office 2013. Only specific versions of Office enable users to create IRM permissions.

Windows RMS or AD RMS manages licensing and other administrative server functions that work with IRM to provide rights management. An RMS-enabled client program, such as Office 2013, lets users create and view rights-protected content.

To learn more about how RMS works and how to install and configure an RMS server, see Active Directory Rights Management Services.

RM client software is included in Windows Vista, Windows 7, Windows 8 and Windows 8.1. Separate installation and configuration of the necessary RMS client software is required on Windows XP and Windows Server 2003 to interact with RMS or AD RMS on the computer that is running Windows or the Microsoft account service on the Internet.

Download the RMS Client Service Pack to enable users on Windows XP and Windows Server 2003 to run applications that restrict permission based on RMS technologies.

As in Office 2003, Office 2007 and Office 2010, Office 2013 includes predefined groups of rights that users can apply to documents and messages, such as Read and Change in Word 2013, Excel 2013, and PowerPoint 2013. You can also define custom IRM permissions policies to provide different packages of IRM rights for users in your organization.

You create and manage rights policy templates by using the administration site on your RMS or AD RMS server. For information about how to create, configure, and post custom permissions policy templates, see AD RMS Rights Policy Templates Deployment Step-by-Step Guide. For Exchange Server 2010 Outlook protection rules, see Understanding Outlook Protection Rules.

The rights that you can include in permissions policy templates for Office 2013 are listed in the following sections.

Each IRM permissions right that is listed in the following table can be enforced by Office 2013 applications that are configured on a network that includes a server that runs RMS or AD RMS.

IRM permissions rights

| IRM right | Description |
| --- | --- |
| Full Control | Gives the user every right that is listed in this table, and the right to change permissions that are associated with content. Expiration does not apply to users who have Full Control. |
| View | Allows the user to open IRM content. This corresponds to Read Access in the Office 2013 user interface. |
| Edit | Allows the user to configure the IRM content. |
| Save | Allows the user to save a file. |
| Extract | Allows the user to make a copy of any part of a file and paste that part of the file into the work area of another application. |
| Export | Allows the user to save content in another file format by using the Save As command. Depending on the application that uses the file format that you select, the content might be saved without protection. |
| Print | Allows the user to print the contents of a file. |
| Allow Macros | Allows the user to run macros against the contents of a file. |
| Forward | Allows an email recipient to forward an IRM email message and to add or remove recipients from the To: and Cc: lines. |
| Reply | Allows email recipients to reply to an IRM email message. |
| Reply All | Allows email recipients to reply to all users on the To: and Cc: lines of an IRM email message. |
| View Rights | Gives the user permission to view the rights associated with a file. Office ignores this right. |

Office 2013 provides the following predefined groups of rights that users can choose from when they create IRM content. The options are available in the Permission dialog box for Word 2013, Excel 2013, and PowerPoint 2013. In the Office application, select the File tab, choose Info, choose the Protect Document button, select Restrict Access, and then choose from the options listed, which are populated by the Digital Rights Management server template. The following table lists the predefined permission groups.

Predefined read/change permissions groups

| IRM predefined group | Description |
| --- | --- |
| Read | Users who have Read permission have View rights. |
| Change | Users who have Change permission have rights to View, Edit, Extract, and Save. |

In Outlook 2013, users can select the following predefined group of rights when they create an email item. To access the option from the email item, choose File, Info, and then Set Permissions. Choose from the listed options, which are populated by the Digital Rights Management server template. The following table lists the predefined email permission groups.

Predefined “Do not forward” group

| IRM predefined group | Description |
| --- | --- |
| Do Not Forward | In Outlook, the author of an IRM email message can apply Do Not Forward permission to users on the To:, Cc:, and Bcc: lines. This permission includes the View, Edit, Reply, and Reply All rights. |

Other IRM permissions can be specified in Word 2013, Excel 2013, and PowerPoint 2013. From Info, Protect Document, choose Editing Restrictions. For even more restriction options, choose Restrict permission at the bottom of the Restrict Editing panel. For example, users can specify an expiration date, restrict other users from printing or copying content, and so on.

By default, Outlook enables messages to be viewed by a browser that supports Rights Management.

When the rights policy templates are complete, post them to a server share where all users can access the templates or copy them to a local folder on the user's computer. The IRM policy settings that are available in the Office Group Policy template (Office15.admx) file can be configured to point to the location where the rights policy templates are stored (either locally or on an available server share). For information, see Office 2013 Administrative Template files (ADMX, ADML) and Office Customization Tool.

You can lock down many settings to customize IRM by using the Office Group Policy template (Office15.admx). You can also use the Office Customization Tool (OCT) to configure default settings, which enables users to configure the settings. In addition, there are IRM configuration options that can only be configured by using registry key settings.

The settings that you can configure for IRM in Group Policy and by using the OCT are listed in the following table. In Group Policy, these settings are under User Configuration\Administrative Templates\Microsoft Office 2013\Manage Restricted Permissions. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

IRM settings for Group Policy or the OCT

| IRM option | Description |
| --- | --- |
| Active Directory time-out for querying one entry for group expansion | Specify the time-out value for querying an Active Directory entry when you expand a group. |
| Additional permissions request URL | Specify the location where a user can obtain more information about how to access the IRM content. |
| Allow users with earlier versions of Office to read with browsers… | Enable users without Office 2013 to view rights-managed content by using the Rights Management Add-in for Windows Internet Explorer. |
| Always expand groups in Office when restricting permission for documents | Group name is automatically expanded to display all the members of the group when users apply permissions to a document by selecting a group name in the Permission dialog box. |
| Always require users to connect to verify permission | Users who open a rights-managed Office document must connect to the Internet or local area network to confirm by RMS, or through their Microsoft account, that they have a valid IRM license. |
| Never allow users to specify groups when restricting permission for documents | Return an error when users select a group in the Permission dialog box: "You cannot publish content to Distribution Lists. You may only specify email addresses for individual users." |
| Prevent users from changing permission on rights managed content | If enabled, users can consume content that already includes IRM permissions, but cannot apply IRM permissions to new content nor configure the rights on a document. |
| Turn off Information Rights Management user interface | Disable all Rights Management-related options within the user interface of all Office applications. |

For more information about how to customize these settings, see Configure Information Rights Management in Office 2013.

The settings that you can configure for IRM in the registry are listed in the following tables.

The following IRM registry settings are located in HKCU\Software\Microsoft\Office\15.0\Common\DRM.

IRM registry key options

| Registry entry | Type | Value | Description |
| --- | --- | --- | --- |
| RequestPermission | DWORD | 1 = The box is checked; 0 = The box is cleared. | This registry key toggles the default value of the Users can request additional permissions from check box. |
| DoNotUseOutlookByDefault | DWORD | 0 = Outlook is used; 1 = Outlook is not used | The Permission dialog box uses Outlook to validate email addresses that are entered in that dialog box. This causes an instance of Outlook to be started when restricting permissions. Disable the option by using this key. |

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\15.0\Common\DRM\LicenseServers. There is no corresponding Group Policy setting.

IRM registry setting for license servers

| Registry entry | Type | Value | Description |
| --- | --- | --- | --- |
| LicenseServers | Key/Hive. Contains DWORD values that have the name of a license server. | Set to the server URL. If the value of the DWORD is 1, Office does not prompt to obtain a license; it only gets the license. If the value is zero or there is no registry entry for that server, Office prompts for a license. | Example: If ‘http://contoso.com/_wmcs/licensing = 1’ is a value for this setting, a user who tries to obtain a license from that server to open a rights-managed document will not be prompted for a license. |

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\15.0\Common\Security. There is no corresponding Group Policy setting.

IRM registry settings for security

| Registry entry | Type | Value | Description |
| --- | --- | --- | --- |
| DRMEncryptProperty | DWORD | 1 = The file metadata is encrypted; 0 = The metadata is stored in plaintext. The default value is 0. | Specify whether to encrypt all metadata that is stored inside a rights-managed file. |

For Open XML Formats (for example, docx, xlsx, pptx, and so on), users can decide to encrypt the Office metadata that is stored inside a rights-managed file. Users can encrypt all Office metadata, including hyperlink references, or leave the content unencrypted so that other applications can access the data.

Users can choose to encrypt the metadata by setting a registry key. You can set a default option for users by deploying the registry setting. There is no option for encrypting some of the metadata: all metadata is encrypted or none is encrypted.

In addition, the DRMEncryptProperty registry setting does not determine whether non-Office client metadata storage, such as the storage that is created in SharePoint 2013, is encrypted.

This encryption choice does not apply to Microsoft Office 2003 or other previous file formats. Office 2013 handles earlier formats in the same manner as it does in Office 2007 and Microsoft Office 2003.
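The per-user registry settings listed above can be checked with a short script. The following PowerShell is an added example, not part of the original article or of any Microsoft tooling; the function names are hypothetical, and the key paths and value names are the ones given in the tables above.

```powershell
# Added example: read-only audit of the per-user IRM registry settings.
# Key paths and value names come from the tables on this page; the
# function names are hypothetical.
$DrmKey      = 'HKCU:\Software\Microsoft\Office\15.0\Common\DRM'
$LicenseKey  = 'HKCU:\Software\Microsoft\Office\15.0\Common\DRM\LicenseServers'
$SecurityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Security'

function Get-IrmValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-IrmMeaning {
    param($Value, [string]$IfOne, [string]$IfZero, [string]$IfUnset = 'Not set')
    if ($null -eq $Value) { return $IfUnset }
    if ($Value -eq 1)     { return $IfOne }
    return $IfZero
}

function New-IrmFinding {
    param([string]$Setting, $Value, [string]$Meaning)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Meaning = $Meaning }
}

function Get-IrmRegistryAudit {
    # DRMEncryptProperty: the page states that the default is 0 (plaintext).
    $v = Get-IrmValue -Path $SecurityKey -Name 'DRMEncryptProperty'
    New-IrmFinding 'DRMEncryptProperty' $v (Get-IrmMeaning $v `
        'File metadata is encrypted' 'Metadata is stored in plaintext' `
        'Not set (default 0: metadata is stored in plaintext)')

    $v = Get-IrmValue -Path $DrmKey -Name 'RequestPermission'
    New-IrmFinding 'RequestPermission' $v (Get-IrmMeaning $v `
        'Request-permission box is checked' 'Request-permission box is cleared')

    $v = Get-IrmValue -Path $DrmKey -Name 'DoNotUseOutlookByDefault'
    New-IrmFinding 'DoNotUseOutlookByDefault' $v (Get-IrmMeaning $v `
        'Outlook is not used to validate addresses' 'Outlook is used')

    # Each value under LicenseServers is named after a license server URL.
    if (Test-Path $LicenseKey) {
        $key = Get-Item -Path $LicenseKey
        foreach ($url in $key.GetValueNames()) {
            $flag = $key.GetValue($url)
            New-IrmFinding "LicenseServers: $url" $flag (Get-IrmMeaning $flag `
                'License is obtained without prompting' 'Office prompts for a license')
        }
    }
}

function Enable-IrmMetadataEncryption {
    # Sets DRMEncryptProperty = 1. Encryption is all-or-nothing, as noted above.
    # Test-Path guards New-Item so an existing key is never recreated.
    if (-not (Test-Path $SecurityKey)) { New-Item -Path $SecurityKey -Force | Out-Null }
    New-ItemProperty -Path $SecurityKey -Name 'DRMEncryptProperty' `
        -Value 1 -PropertyType DWord -Force | Out-Null
}

Get-IrmRegistryAudit | Format-Table -AutoSize -Wrap
```

Run it in the context of the user whose profile is being checked, because every key is under HKCU; `Enable-IrmMetadataEncryption` is only defined here and changes nothing until it is called.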

In Outlook 2013, users can create and send email messages that have restricted permission to help prevent messages from being forwarded, printed, or copied and pasted. Office 2013 documents, workbooks, and presentations that are attached to messages that have restricted permission are also automatically restricted.

As an Outlook administrator, you can configure several options for IRM email, such as disabling IRM or configuring local license caching.

The following IRM settings and features can be useful when you configure rights-managed email messaging:

  • Configure automatic license caching for IRM.

  • Help enforce an email message expiration period.

  • Do not use Outlook for validating email addresses for IRM permissions.

Note:
To disable IRM in Outlook, you must disable IRM for all Office applications. There is no separate option to disable IRM only in Outlook.

You can lock down most settings to customize IRM for Outlook by using the Outlook Group Policy template (Outlk15.admx) or the Office Group Policy template (Office15.admx). Or, you can configure default settings for most options by using the Office Customization Tool (OCT), which enables users to configure the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

Outlook IRM options

| Location | IRM option | Description |
| --- | --- | --- |
| Microsoft Outlook 2013\Miscellaneous | Do not download rights permissions license information for IRM email during Exchange folder sync | Enable to prevent license information from being cached locally. If enabled, users must connect to the network to retrieve license information to open rights-managed email messages. |
| Microsoft Outlook 2010\Outlook Options\Email Options\Advanced Email Options | When sending a message | To enforce email expiration, enable and enter the number of days before a message expires. The expiration period is enforced only when users send rights-managed email; the message then cannot be accessed after the expiration period. |

For more information about how to customize these settings, see Configure Information Rights Management in Office 2013.

The Permission dialog box uses Outlook to validate email addresses that are entered in that dialog box. This causes an instance of Outlook to start when permissions are restricted. You can disable this option by using the registry key that is listed in the following table. There is no corresponding Group Policy or OCT setting for this option.

The following IRM registry setting is located in HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\DRM.

Outlook IRM registry key options

| Registry entry | Type | Value | Description |
| --- | --- | --- | --- |
| DoNotUseOutlookByDefault | DWORD | 0 = Outlook is used; 1 = Outlook is not used | Disable the option by using this key. |

© 2014 Microsoft