Plan information management policies

Updated: February 26, 2009

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2017-01-24

In this article:

An information management policy is a set of rules for a type of content. Each rule in a policy is a policy feature. For example, an Information Management policy feature could specify how long a type of content should be retained, or it could provide document auditing. Information management policies enable you to control who can access your organizational information, what they can do with it, and how long the information should be retained.

In this topic, the term "policy" refers to information management policy unless otherwise specified.

Policies can be implemented to help an organization comply with legally mandated requirements, such as the need to retain records. For example, a Human Resources policy, used in an organization to ensure that employee records are handled in accordance with legally recommended guidelines, could include the following policy features:

  • Auditing, to record the editing and viewing history of each employee-related document.

  • Retention, to ensure that work-in-progress content is not kept for an unnecessarily long period of time.

  • Labels, to ensure that physical copies of each document are properly identifiable.

  • Print Restrictions, to ensure that sensitive employee-related documents are only printed on secure printers. Note that this is an example of a custom policy that must be implemented using the Office SharePoint Server 2007 object model or acquired from a 3rd-party software vendor.

Policy features are implemented as programs that run on the Office SharePoint Server 2007. They can be enabled and configured by a server administrator and, once enabled, they can be used by site administrators to define policies. Office SharePoint Server 2007 includes five policy features to help you manage your content. By using the Office SharePoint Server 2007 object model, you can design and install custom policy features that meet unique enterprise needs.

A policy feature may use one or more policy resources, which are programs that provide some functionality to a policy feature. For example, a policy resource for a Barcode Generation policy feature could provide the unique barcode value. You can develop custom policy resources and install them to support policy features.

When your organization uses 2007 Microsoft Office system client applications along with Office SharePoint Server 2007, policies are enforced both on the server and in the client applications. This is done transparently; policy features that apply to a document are described in a policy statement associated with the document, and policy-aware applications prevent users from doing tasks that violate the document's policy.

To implement a policy, associate it with content types, libraries, or lists in sites.

In the Site Content Type Gallery, you can apply a policy to any custom content type, but you cannot apply a policy directly to a core content type.

You can associate a policy with a library, list, or content type in the following ways:

  • Associate policy features with a site collection policy, and then associate that policy with a content type or with a list or library.   The top-level site of a site collection includes a Site Collection Policies gallery where administrators of the top-level site can create new policies. After creating a Site Collection policy, you can export it so that administrators of other site collections can import it into their Site Collection Policy galleries. This enables you to standardize policies across your organization.

    When a Site Collection policy is associated with a content type and that content type is associated with a list or library, the owner of the list or library will not be able to modify the Site Collection policy in the list or library. This ensures that policies assigned to a content type are enforced at each level of the site hierarchy.

  • Associate a set of policy features directly with a content type, and then add that content type to one or more lists or libraries.   To ensure that a policy created using this method will be used in an entire site collection, associate it with a content type in the top-level site collection's Site Content Type gallery. Then every item in the site collection of that content type, and every item of a content type that inherits from the original content type, will have the policy. When you use this method of associating a policy with a content type, it is harder to reuse the policy in other site collections, because policies created using this method cannot be exported.

    To more tightly control which policies are in use in a site collection, site collection administrators can disable the ability to set policy features directly on a content type. When setting policy features on a content type is restricted, content type designers can only associate policies from the Site Collection Policies gallery with content types.
  • Associate a set of policy features directly with a list or library.   You can only use this method if the list or library does not support multiple content types. This method of creating a policy is only useful for a narrowly defined policy that applies to a single list or library.

    To more tightly control which policies are in use in a site collection, site collection administrators can disable the ability to set policy features directly on a library. When setting policy features on a library is restricted, content type designers can only associate policies from the Site Collection Policies gallery with libraries.

To track how policies are being used in each Web application in your solution, you can configure information management policy usage reporting using Microsoft Office SharePoint Server 2007 Central Administration. Information management policy reports help you monitor how well your organization uses policies. Because policies are often implemented to help an organization comply with particular regulations, frequent monitoring of policy usage can help you ensure that your organization is compliant.

Office SharePoint Server 2007 includes a default policy report template in XML-SS format, and you can create a custom report template based on the XML-SS schema. You can specify a schedule for policy reporting and you can generate reports manually.

A policy report is generated for each site collection in a Web application. For each list and library, a report records:

  • The number of items using each policy.

  • For each policy in use, either based on a Site Collection policy or configured in a content type, a summary of that policy — its description, along with a description of each policy feature.

For more information about creating and deploying a custom Site Collection policy report, see the Deployment for Office SharePoint Server 2007 guide.

Office SharePoint Server 2007 information management policies are exposed in 2007 Office system clients. When you configure an information management policy on the server, you can write a policy statement that informs information workers about the policies that are enforced on documents. For example, the policy statement might indicate that a document will expire after a certain period of time, or that it is sensitive information that should not be communicated outside the company. The statement might even provide a contact name if the information worker needs more information about the policy.

The policies that are included in Office SharePoint Server 2007 are exposed to information workers through 2007 Office system client features. For example, when a label is defined as part of a policy, users can insert labels into documents from the Insert menu of most 2007 Office system client applications. If a label is required, users are prompted when saving documents in which a label has not been inserted. Similarly, users will be able to insert barcodes from client applications if that policy feature is part of the document's policy.

Custom policy features can also be integrated in 2007 Office system clients. However, you must implement policy-specific behaviors that you want to be available from 2007 Office system client programs, and you must give users a way to install these behaviors on their client computers via mechanisms such as add-ins to make them available from 2007 Office system client programs. For example, if you implement a custom policy feature that restricts the printers that can be used to print a content type, you must provide a custom add-in for Microsoft Office clients to enforce the restriction from Office client applications.

This section describes the policy features that are included in Office SharePoint Server 2007.

  • Expiration   The Expiration policy feature helps dispose of content in a consistent way that can be tracked and managed. You can set content of a specific type to expire on a particular date, or within a calculated amount of time after some document activity (such as creating the document).

  • Auditing   The Auditing policy feature logs events and operations performed on documents and list items. You can configure Auditing to log events such as:

    • Editing a document or item

    • Viewing a document or item

    • Checking a document in or out

    • Changing the permissions for a document or item

    • Deleting a document or item

  • Labeling   The Labeling policy feature specifies a label to associate with a type of document or list item. Labels are searchable text areas that Office SharePoint Server 2007 generates based on properties and formatting that you specify. For example, in a law firm, a document related to a legal matter could include a label containing the clients' names, the case number, the attorney assigned to the matter, and so forth. Labels are particularly useful in printed versions of documents as a way to display document properties in printed copy. Along with using labels for documents, you can associate a label with a list item and include that label in views of the list.

  • Barcode   The Barcode policy feature enables you to track a document in physical copies by creating a unique identifier value for a document and inserting a barcode image of that value in the document. By default, barcodes are compliant with the common Code 39 standard (ANSI/AIM BC1-1995, Code 39), and you can plug in other barcode providers using the policies object model.

When planning your solution's policies, first determine organization-wide policy needs, and then design Site Collection policies to meet those needs and distribute those policies for inclusion in all relevant site collections' Site Collection Policy galleries. This might require planning custom policy features. Note that, if your policy requires custom policy features and resources, those features and resources must be installed and enabled on all server farms on which your solution is used. See the Deployment for Office SharePoint Server 2007 guide for more information about deploying and enabling Office SharePoint Server 2007 features and resources.

A typical example of an organization-wide policy is one designed to promote best practices in auditing and expiring product specifications across the divisions of an organization. A single Site Collection policy is designed to be applied to all product specifications so that they are consistently audited and retained. After defining the Site Collection policy and testing it, it is exported and then imported to Site Collection Policy galleries of other site collections in which product specifications are stored. It is then associated with all product specification content types in the various site collections to impose the policy on all product specification documents.


Worksheet action

Create a separate worksheet for each policy you are planning, and in each worksheet record:

  • The purpose of the policy, such as "Policy to apply to all product specifications."

  • The site collection in which the policy is being designed.

  • The scope at which the policy is being defined. If the policy is to be used across multiple site collections, define it in the Policy Template gallery. Define a policy for a content type if the policy is more narrowly targeted to a single content type in a site collection.

  • Each policy feature, such as "Expiration" or "Auditing." Optionally enter configuration notes for a policy feature. For example, for Auditing, you could specify which actions to audit, such as "Editing Items." If the feature is custom, list all resources that must be installed for the feature to work.

  • All content types that the policy will be applied to and list all site collections in which the content types are in use.