This documentation is archived and is not being maintained.

Information Rights Management in Windows SharePoint Services Overview

Windows SharePoint Services 3

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Traditionally, sensitive information can only be controlled by limiting access to the networks or computers where the information is stored. After access is given to users, however, there are no restrictions on what can be done with the content or to whom it can be sent. Microsoft Information Rights Management (IRM) enables you to create a persistent set of access controls that live with the content, rather than a specific network location, which will help you control access to files even after they leave your direct control.

With Windows SharePoint Services, IRM is available for files that are located in document libraries and stored as attachments to list items. Site administrators can elect to protect downloads from a document library with IRM. When a user attempts to download a file from the library, Windows SharePoint Services verifies that the user has permissions to the given file, and issues a license to the user that enables access to the file at the appropriate permissions level. Windows SharePoint Services then downloads the file to the user's computer in an encrypted, rights-managed file format.

IRM is enabled at the document-library level by an administrator, and includes the following settings:

  • Information rights policy name and description.

  • Whether or not users can print documents that are rights managed.


    A user must have View or higher level permissions in order to print documents that are rights-managed.

  • Whether the user can run Microsoft Visual Basic for Applications (VBA) and other custom code in the file.

  • The number of days for which the license is valid. After the specified number of days has passed, the license expires, and the user must download the file again from the document library.

  • Whether to allow users to upload file types that do not support IRM.

    If this option is enabled, Windows SharePoint Services does not allow users to upload files that it cannot rights-manage. For this reason, users cannot upload the following:

    • Documents of a given file type to this document library, unless an IRM protector for that file type has been registered with Windows SharePoint Services.

    • Documents that have been rights-managed by any application other than Windows SharePoint Services. For example, Windows SharePoint Services would not allow a user to upload files that have been protected by a client application.

  • Optionally, the date to stop restricting permissions to the document library. After the specified date passes, Windows SharePoint Services removes all rights-management restrictions from the documents in the library.

    Rights-managed documents that are downloaded before the specified stop date stay rights-managed in the client application, even after the specified date, because the document itself does not include this setting. After the user checks the document back in after the specified date, however, the document protection is removed.

    For example, a financial institution may be required to make certain information public on a quarterly basis. Before such a date, however, the institution might want to restrict access to the files containing that information, to prevent premature disclosure.

Because companies often have restrictions that require their files to be stored in nonencrypted formats, Windows SharePoint Services does not store files in encrypted, rights-managed file formats. However, Windows SharePoint Services calls an IRM protector to convert the stored file to an encrypted format each time a user downloads the file. Similarly, when a user uploads a rights-managed copy of a file, Windows SharePoint Services calls the appropriate IRM protector to convert that copy to a nonencrypted format before it is stored.

As a result, you don't need to create custom solutions to enable searching or archiving of document libraries where IRM is enabled. Storing the files in nonencrypted format ensures that the current Search indexing service is able to crawl content stored on the servers. Search results are already scoped to user permissions, so the user never sees search results that include content to which they do not have some level of access.

Windows SharePoint Services determines the access privileges to grant a user based on the access control list (ACL) entry of that user. The following table lists the user's permission level in the ACL, and the corresponding permissions for IRM-protected files.


The permissions listed are additive; each permission level includes the access rights of the permission level below it.

ACL Rights

IRM Permissions

Manage Permissions

Manage Web

Full control of the documents, as defined by the client application. This generally permits the user to read, edit, copy, save, and modify permissions of the document.

Edit List Items

Manage List

Add and Customize Pages

Edit, copy, and save permissions. The user can only print the document if the document library IRM settings have been configured to allow document printing.

View List Item

Read permissions. The user can read the document, but not copy or edit its content. The user can only print the document if the document library IRM settings have been configured to allow document printing.

All other ACL rights settings, such as Edit User Info.

Not applicable; no corresponding IRM permissions.

When a user requests a rights-managed document, Windows SharePoint Services downloads the protected file to the user, based on his access permissions. At this point, Windows SharePoint Services becomes the primary owner of the protected content; specifically, the owner of the process under which Windows SharePoint Services becomes the owner of the rights-managed document. The user who requested the document is added as a consumer of the document, and is able to obtain an end-user license (EUL) that grants the correct permissions. Only Windows SharePoint Services and this user have any rights to the downloaded file. For example, the user cannot send the rights-managed file to someone else, even if that person also has access to the file in the Windows SharePoint Services document library. Instead, that person would need to access the document library and download the document directly.

IRM is enabled at the document-library level. However, IRM must be configured for Windows SharePoint Services as a whole in order for it to be an option at the document-library level. Enabling IRM for Windows SharePoint Services generally requires installing the rights management platform(s) on each front-end Web server, and making sure Windows SharePoint Services and any associated service account has the necessary permissions on that platform.

After you take these steps, site and document library administrators are able to enable IRM on any document library to which they have the appropriate permissions.

For detailed information about how to accomplish these steps, see the Windows SharePoint Services IT Professional documentation.

For more information about integrated and autonomous protectors, see Custom IRM Protectors.