Information Rights Management in SharePoint Foundation
Published: May 2010
Traditionally, sensitive information could be controlled only by limiting access to the networks or computers where the information is stored. After users are given access, however, there are no restrictions on what they can do with the content or to whom they can send it. Microsoft Information Rights Management (IRM) enables you to create a persistent set of access controls that live with the content rather than with a specific network location, which can help you control access to files even after they leave your direct control.
With Microsoft SharePoint Foundation 2010, IRM is available for files that are located in document libraries and for files that are stored as attachments to list items. Site administrators can choose to protect downloads from a document library with IRM. When a user attempts to download a file from the library, SharePoint Foundation verifies that the user has permissions to the given file, and issues a license to the user that enables access to the file at the appropriate permissions level. SharePoint Foundation then downloads the file to the user's computer in an encrypted, rights-managed file format.
IRM is enabled at the document-library level by an administrator, and includes the following settings:
- Information rights policy name and description.
- Whether users can print documents that are rights-managed. A user must have View or higher permissions to print a rights-managed document.
- Whether the user can run Microsoft Visual Basic for Applications (VBA) and other custom code in the file.
- The number of days for which the license is valid. After the specified number of days has passed, the license expires, and the user must download the file again from the document library.
- Whether to reject uploads of file types that do not support IRM. If this option is enabled, SharePoint Foundation does not allow users to upload files that it cannot rights-manage. For this reason, users cannot upload the following:
  - Documents of a file type for which no IRM protector has been registered with SharePoint Foundation.
  - Documents that have been rights-managed by any application other than SharePoint Foundation. For example, SharePoint Foundation would not allow a user to upload files that have been protected by a client application.
- Optionally, the date on which to stop restricting permissions to the document library. After the specified date passes, SharePoint Foundation removes all rights-management restrictions from the documents in the library.
  Rights-managed documents that are downloaded before the specified stop date stay rights-managed in the client application, even after that date, because the downloaded document itself does not carry this setting. After the user checks the document back in after the stop date, however, the document protection is removed.
  For example, a financial institution may be required to make certain information public on a quarterly basis. Before such a date, however, the institution might want to restrict access to the files containing that information, to prevent premature disclosure.
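The following script is an added example, not code from the original article, that applies every setting listed above to one document library through the SharePoint 2010 server object model (SPList and its InformationRightsManagementSettings property). It assumes the SharePoint 2010 Management Shell on a front-end Web server in a farm where IRM has already been configured at the farm level; the site URL, library name, policy text and dates are placeholders.

```powershell
# Added example (not from the original article): configure the document-library
# IRM settings described above with the SharePoint 2010 server object model.
# Assumed: SharePoint 2010 Management Shell on a front-end server of a farm where
# IRM is already configured farm-wide. URL, library name and dates are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://intranet.contoso.com/sites/finance"   # placeholder URL
try {
    $list = $web.Lists["Quarterly Results"]                     # placeholder library
    if ($list.BaseType -ne [Microsoft.SharePoint.SPBaseType]::DocumentLibrary) {
        throw "IRM can be enabled only on a document library."
    }

    # Enable IRM on the library and refuse uploads that SharePoint Foundation
    # cannot rights-manage (file types with no registered protector, and files
    # already protected by a client application).
    $list.IrmEnabled = $true
    $list.IrmReject  = $true

    # Stop restricting permissions on a fixed date (the public-disclosure case
    # from the text). Copies downloaded before that date stay protected until
    # they are checked in again.
    $list.IrmExpire  = $true
    $list.Update()

    $irm = $list.InformationRightsManagementSettings
    $irm.PolicyTitle       = "Quarterly results - pre-release"            # placeholder
    $irm.PolicyDescription = "Do not forward or print before disclosure."  # placeholder
    $irm.AllowPrint  = $false   # no printing, even for users with View or higher
    $irm.AllowScript = $false   # block VBA and other custom code in the file
    $irm.EnableDocumentAccessExpire = $true
    $irm.DocumentAccessExpireDays   = 7          # license valid 7 days, then re-download
    $irm.DocumentLibraryProtectionExpireDate = [datetime]"2010-07-15"  # placeholder date
    $irm.Update()

    # Read the settings back so the change can be verified in the shell.
    $check = $web.Lists[$list.ID]
    New-Object PSObject -Property @{
        Library      = $check.Title
        IrmEnabled   = $check.IrmEnabled
        RejectNonIrm = $check.IrmReject
        StopDate     = $check.InformationRightsManagementSettings.DocumentLibraryProtectionExpireDate
        AllowPrint   = $check.InformationRightsManagementSettings.AllowPrint
        AllowScript  = $check.InformationRightsManagementSettings.AllowScript
        LicenseDays  = $check.InformationRightsManagementSettings.DocumentAccessExpireDays
    }
}
finally {
    $web.Dispose()
}
```

Run it once per library and keep the read-back object as evidence of the configured state. Because the stored copies are never encrypted (see below), the settings above govern only what happens at download and upload time; nothing in the content database changes when they are applied.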
Because companies often have restrictions that require their files to be stored in nonencrypted formats, SharePoint Foundation does not store files in encrypted, rights-managed file formats. However, SharePoint Foundation calls an IRM protector to convert the stored file to an encrypted format each time a user downloads the file. Similarly, when a user uploads a rights-managed copy of a file, SharePoint Foundation calls the appropriate IRM protector to convert that copy to a nonencrypted format before it is stored.
As a result, you do not need to create custom solutions to enable searching or archiving of document libraries where IRM is enabled. Storing the files in nonencrypted format ensures that the current Search indexing service is able to crawl content stored on the servers. Search results are already scoped to user permissions, so the user never sees search results that include content to which they do not have some level of access.
SharePoint Foundation determines the access privileges to grant a user based on the access control list (ACL) entry of that user. Table 1 lists the user's permission level in the ACL, and the corresponding permissions for IRM-protected files.
The permissions listed are additive; each permission level includes the access rights of the permission level below it.
Table 1. Permission levels in the ACL and the corresponding IRM permissions

  Permission level in ACL                               | IRM permissions for protected files
  ------------------------------------------------------|--------------------------------------------------------------------------------------------------------------
  Manage Permissions, Manage Web Site                   | Full control of the documents, as defined by the client application. This generally permits the user to read, edit, copy, save, and modify permissions of the document.
  Edit List Items, Add and Customize Pages              | Edit, copy, and save permissions. The user can print the document only if the document library IRM settings are configured to allow document printing.
  View List Item                                        | Read permissions. The user can read the document, but not copy or edit its content. The user can print the document only if the document library IRM settings are configured to allow document printing.
  All other ACL rights settings, such as Edit User Info | Not applicable; no corresponding IRM permissions.
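Because the IRM rights a user receives follow directly from the user's effective ACL rights, an administrator can audit who would get Full control, Edit or Read on a protected library before turning IRM on. The script below is an added example, not code from the original article: it resolves each site user's effective permissions on the library with SPList.GetUserEffectivePermissions and classifies them with the mapping in Table 1. It assumes the SharePoint 2010 Management Shell on a server in the farm; the site URL and library name are placeholders.

```powershell
# Added example (not from the original article): report the IRM permission each
# site user would receive for a library, derived from effective ACL rights with
# the mapping in Table 1. Assumed: SharePoint 2010 Management Shell on a farm
# server. URL and library name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-IrmPermissionLevel {
    param(
        [Microsoft.SharePoint.SPBasePermissions]$Rights,
        [bool]$AllowPrint
    )
    $P = [Microsoft.SharePoint.SPBasePermissions]
    $printNote = if ($AllowPrint) { "print allowed" } else { "no printing" }

    # Levels are additive (Table 1), so test the highest level first.
    if ((($Rights -band $P::ManagePermissions) -ne 0) -or (($Rights -band $P::ManageWeb) -ne 0)) {
        return "Full control (read, edit, copy, save, change permissions)"
    }
    if ((($Rights -band $P::EditListItems) -ne 0) -or (($Rights -band $P::AddAndCustomizePages) -ne 0)) {
        return "Edit, copy, save; $printNote"
    }
    if (($Rights -band $P::ViewListItems) -ne 0) {
        return "Read; $printNote"
    }
    return "None (no corresponding IRM permissions)"
}

$web = Get-SPWeb "http://intranet.contoso.com/sites/finance"   # placeholder URL
try {
    $list = $web.Lists["Quarterly Results"]                     # placeholder library
    if (-not $list.IrmEnabled) {
        Write-Warning "IRM is not enabled on '$($list.Title)'; showing what users would receive."
    }
    $allowPrint = $list.InformationRightsManagementSettings.AllowPrint

    # Effective rights are resolved per principal, including group membership and
    # inherited permissions. Domain groups are skipped because the rights that
    # matter are those of the individual who downloads the file.
    foreach ($user in $web.SiteUsers) {
        if ($user.IsDomainGroup) { continue }
        $rights = $list.GetUserEffectivePermissions($user.LoginName)
        New-Object PSObject -Property @{
            Login         = $user.LoginName
            IrmPermission = Get-IrmPermissionLevel -Rights $rights -AllowPrint $allowPrint
        }
    }
}
finally {
    $web.Dispose()
}
```

Anyone reported with Full control can change the permissions of the downloaded document in the client application, so that row of the report deserves the closest review; the Manage Permissions and Manage Web Site rights are commonly held by site owners who never need to edit the protected files.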
When a user requests a rights-managed document, SharePoint Foundation downloads the protected file to the user, based on the user's access permissions. At this point, SharePoint Foundation becomes the primary owner of the protected content; specifically, the owner of the process under which SharePoint Foundation is running becomes the owner of the rights-managed document. The user who requested the document is added as a consumer of the document, and is able to obtain an end-user license (EUL) that grants the correct permissions. Only SharePoint Foundation and this user have any rights to the downloaded file. For example, the user cannot send the rights-managed file to someone else, even if that person also has access to the file in the SharePoint Foundation document library. Instead, that person would need to access the document library and download the document directly.
IRM is enabled at the document-library level. However, IRM must be configured for SharePoint Foundation as a whole for it to be an option at the document-library level. Enabling IRM for SharePoint Foundation generally requires installing the rights management platform(s) on each front-end Web server, and ensuring that SharePoint Foundation and any associated service account has the necessary permissions on that platform.
After you take these steps, site and document library administrators are able to enable IRM on any document library to which they have the appropriate permissions.
For detailed information about how to accomplish these steps, see the SharePoint Foundation IT Pro documentation.
For more information about integrated and autonomous protectors, see Custom IRM Protectors.