

Create a New Rights Policy Template

Applies To: Windows Server 2008

When you create a new rights policy template, the Create Distributed Rights Policy Template or Create Archived Rights Policy Template wizard (depending on the type of template you want) steps you through the elements of the template. You can modify these elements later by selecting the template and opening its properties sheet. A distributed rights policy template allows users to publish and consume rights-protected content, and an archived rights policy template only allows consumption once the rights policy template has been removed from the client computer. The properties included in these two rights policy templates are the same and are configured in the following procedure.

Membership in the local AD RMS Template Administrators group, or equivalent, is the minimum required to complete this procedure.

To create a rights policy template

  1. Open the Active Directory Rights Management Services console and expand the Active Directory Rights Management Services (AD RMS) cluster.

  2. In the console tree, click Rights Policy Templates.

  3. In the Actions pane, click Create Distributed Rights Policy Template. The Create Distributed Rights Policy Template wizard appears.

  4. On the Add Template Identification Information page, click Add.

  5. Specify a language, name, and description for the template, and then click Add.

  6. Click Next.

  7. On the Add User Rights page, do the following:

    1. Click Add. In the Add User or Group dialog box, click Browse to browse to a user or group in your Active Directory Domain Services directory or type the valid e-mail address of a user or group to add, and then click OK. Repeat to add additional users or groups as necessary.

      To specify that any user can acquire a use license for the protected content, select the Anyone option, which is a special group that is recognized by AD RMS.

    2. Under Users and rights, select a user or group to which to assign rights. Select the check box of each right to grant to the selected user or group.

      Select another user or group and repeat the process to grant rights to the remaining users and groups. If your AD RMS-enabled application has custom usage rights, you can assign those rights to users and groups by clicking Create Custom Right. In the Create Custom Right dialog box type the name of the right defined by your application. A check box will then be available for that right in your template.

    3. In the Rights request URL box, type the URL from which users can request additional rights to rights-protected content.

    4. Click Next.

  8. On the Specify Expiration Policy page, select one of the three expiration options, and then specify an expiration date or time. If appropriate, select Expires after the following duration (days), and specify the number of days between renewals.

    Click Next.

  9. On the Specify Extended Policy page:

    1. Click Enable users to view protected content using a browser add-on if you want users who do not have an AD RMS-enabled application installed to view rights-protected content.

    2. Click Request a new use license every time content is consumed (disable client-side caching) if you want the user to re-authenticate with AD RMS each time the rights-protected content is consumed.

    3. Click If you would like to specify additional information for your AD RMS-enabled applications, you can specify them here as name-value pairs if you want to add application-specific data as custom name-value pairs in addition to the XrML rights supported by AD RMS. An application developer can add to an AD RMS-enabled application to limit interaction with the protected content. Application-specific data is enforced at the AD RMS-enabled application level and applies to all users who use the application.

    Click Next.

  10. To implement revocation, in the Specify Revocation Policy page, select the Require revocation check box, and then take the following steps:

    1. In Location where the revocation list is published (URL or UNC), type the URL where the revocation list file is posted. If you need to support disconnected users or external users, this URL should be accessible from both the internal organization's network and the Internet.

    2. In Refresh interval for revocation list (days), type the number of days that the revocation list remains valid. If a user has a copy of the revocation list that is older than this value, the user must obtain an updated revocation list to consume the content.

    3. In File containing public key corresponding to the signed revocation list, type the path and file name, or click Browse to locate the public key file for the revocation list.

Warning

Be careful when implementing revocation. Based on the refresh interval that you specify, you must renew a revocation list periodically or it will automatically expire, preventing users from consuming content that requires that list. To ensure that you do not inadvertently prevent users from consuming content, carefully evaluate the interval you require for refreshing the revocation list.

  11. Click Finish.
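The revocation warning above can be turned into a routine check. The following PowerShell is an added example, not part of the original procedure or of AD RMS itself: it reports how long each published revocation list has before the strictest refresh interval among the templates that reference it runs out. The function name, template names, locations and dates are constructed, and the publish time is assumed to be supplied by the administrator (for a UNC location, the file's last write time is one approximation).

```powershell
# Added example. Inventory of templates that require revocation.
# All names, locations and intervals below are constructed placeholders.
$templates = @(
    [pscustomobject]@{ Template = 'Finance-Confidential'; Location = '\\fs.example\rms\revocation.xml'; RefreshDays = 7 }
    [pscustomobject]@{ Template = 'Legal-ViewOnly';       Location = '\\fs.example\rms\revocation.xml'; RefreshDays = 30 }
    [pscustomobject]@{ Template = 'HR-Internal';          Location = 'https://rms.example/lists/hr.xml'; RefreshDays = 14 }
)

# Constructed "last published" time for each list. In production, record this
# when the list is signed, or approximate it with (Get-Item $unc).LastWriteTime.
$published = @{
    '\\fs.example\rms\revocation.xml'  = [datetime]'2024-03-01'
    'https://rms.example/lists/hr.xml' = [datetime]'2024-02-10'
}

function Get-RevocationListStatus {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $Templates,
        [Parameter(Mandatory = $true)] [hashtable] $PublishedTime,
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 2          # lead time before expiry that triggers a warning
    )
    # Several templates can point at one list; the shortest refresh interval
    # among them decides when that list must be re-published.
    foreach ($group in ($Templates | Group-Object Location)) {
        $strictest = $group.Group | Sort-Object RefreshDays | Select-Object -First 1
        if (-not $PublishedTime.ContainsKey($group.Name)) {
            $deadline = $null; $remaining = $null; $status = 'UNKNOWN'
        } else {
            $deadline  = $PublishedTime[$group.Name].AddDays($strictest.RefreshDays)
            $remaining = [math]::Floor(($deadline - $Now).TotalDays)
            $status = if ($remaining -lt 0) { 'EXPIRED' }
                      elseif ($remaining -le $WarnDays) { 'RENEW NOW' }
                      else { 'OK' }
        }
        [pscustomobject]@{
            Location      = $group.Name
            Templates     = ($group.Group | ForEach-Object { $_.Template }) -join ', '
            StrictestDays = $strictest.RefreshDays
            RenewBy       = $deadline
            DaysRemaining = $remaining
            Status        = $status
        }
    }
}

# Evaluate the constructed inventory as of a fixed date so the result is repeatable.
Get-RevocationListStatus -Templates $templates -PublishedTime $published -Now ([datetime]'2024-03-07') |
    Format-Table -AutoSize
```

With the constructed data, the shared list is governed by the 7-day template rather than the 30-day one, so it is flagged for renewal, and the HR list is reported as already expired.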

You can also create copies of rights policy templates. This can be useful if you have a template that you want to use as the basis for other templates with only minor modifications.

To copy a rights policy template

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, click Rights Policy Templates.

  3. In the results pane, select the rights policy template to be copied.

  4. Click Copy in the Actions pane. A new rights policy template will appear in the results pane.
