Wednesday, April 7, 2010

Enabling Information Rights Management in SharePoint 2007 by Integrating with AD RMS

Recently we have been asked to enable Information Rights Management (IRM) capability in our SharePoint infrastructure, which consists of three web front-end servers, one Excel calculation server, one index server, and two clustered database servers. All servers are running in a Windows Server 2008 64-bit environment.
The original plan was to prepare our SharePoint infrastructure to store IRM-protected documents, where the protection is embedded in the document itself. However, that would make those documents unsearchable, since their contents cannot be tagged or indexed while they are encrypted. This is not the case with AD RMS and SharePoint 2007: the IRM policy is applied only when a document is downloaded, and documents are stored unencrypted in the libraries, so they remain indexable and therefore searchable.

With SharePoint, IRM protection is available for files that are located in document libraries and stored as attachments to list items. SharePoint uses the access control list (ACL) on the library or list to determine the permissions that it applies to a document for the user downloading it. Protection includes the following options:
  • Whether or not users can print documents that are rights managed.
  • Whether the user can run Microsoft Visual Basic for Applications (VBA) and other custom code in the file.
  • The number of days for which the license is valid; after the specified number of days, the license expires and the user must download the file again from the document library.
  • Whether to let users upload file types that do not support IRM.
  • Optionally, the date to stop restricting permissions to the document library; after the specified date passes, Office SharePoint Server removes all rights-management restrictions from the documents in the library.
There are basically three simple steps to integrate AD RMS with SharePoint 2007, as follows:
(Note: since we are using Windows Server 2008, which already includes the AD RMS client, there is no need to install a separate Windows RMS client as on Windows Server 2003.)
1. Add permissions for the SharePoint server to the AD RMS certification pipeline

  • Log on to the AD RMS server as a local administrator
  • Click Start, and then click Computer
  • Navigate to c:\Inetpub\wwwroot\_wmcs\Certification
  • Right-click ServerCertification.asmx, click Properties, and then click the Security tab
  • Click Advanced, click Edit, select the Include inheritable permissions from this object's parent check box, and then click OK two times
  • Click Edit
  • Click Add
  • Click Object Types, select the Computers check box, and then click OK
  • Type the name of the SharePoint web front-end server, and then click OK twice
  • Repeat the above three steps for the other web front-end servers
  • Click OK to close the ServerCertification.asmx Properties sheet. By default, the Read & Execute and Read permissions are granted
  • Reset IIS
2. Specify RMS server location in SharePoint using Central Administration

  • Open SharePoint 3.0 Central Administration site
  • Click Operations, and then click Information Rights Management
  • Select Use the default RMS server specified in Active Directory checkbox
  • Click OK
3. Enable IRM policy to control access to the contents of a document library
  • Open a SharePoint site and go to the document library where we want to enable the IRM policy
  • Click Settings, and then click Document Library Settings
  • Under Permissions and Management, click Information Rights Management
  • Select the Restrict permission to documents in this library on download check box
  • In the Permissions policy title box, type in the policy title
  • In the Permission policy description box, type in the policy description
  • Click OK
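A scripted equivalent of steps 1 and 3, added here as an example and not part of the original post: PowerShell on the AD RMS server grants each web front-end computer account Read & Execute on ServerCertification.asmx and checks that nothing broader was granted, then the WSS 3.0 object model enables the library policy from a web front-end. The domain, server names, site URL and library title are placeholders, and the SPList / SPInformationRightsManagementSettings property names are assumed from the WSS 3.0 SDK; check them against your SDK before use.

```powershell
# Added example, not from the original post. Placeholders: CONTOSO, SPWFE01..03,
# the site URL and the library title. Part 1 runs on the AD RMS server,
# part 3 on a SharePoint web front-end as a farm administrator.

# ---- Step 1: grant each WFE computer account Read & Execute on ServerCertification.asmx
$asmx = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$wfeAccounts = 'CONTOSO\SPWFE01$', 'CONTOSO\SPWFE02$', 'CONTOSO\SPWFE03$'   # placeholders

icacls $asmx /inheritance:e | Out-Null            # "Include inheritable permissions from this object's parent"
foreach ($acct in $wfeAccounts) {
    icacls $asmx /grant "${acct}:(RX)" | Out-Null # Read & Execute only; the pipeline needs nothing more
}

# Verify: each WFE account has an Allow ACE and holds no rights beyond Read & Execute
$allowed = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
$acl = Get-Acl $asmx
foreach ($acct in $wfeAccounts) {
    $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $acct -and $_.AccessControlType -eq 'Allow' })
    if ($rules.Count -eq 0) { Write-Warning "$acct has no Allow ACE on ServerCertification.asmx"; continue }
    foreach ($rule in $rules) {
        $extra = [int]$rule.FileSystemRights -band -bnot [int]$allowed   # bits outside Read & Execute
        if ($extra -ne 0) { Write-Warning "$acct holds more than Read & Execute: $($rule.FileSystemRights)" }
    }
}
iisreset | Out-Null                               # the ACL change is picked up after IIS restarts

# ---- Step 3: enable the IRM policy on one document library (object-model names assumed from the WSS 3.0 SDK)
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
$site = New-Object Microsoft.SharePoint.SPSite('http://sharepoint.contoso.local/sites/finance')  # placeholder
try {
    $list = $site.RootWeb.Lists['Contracts']       # placeholder library title
    $list.IrmEnabled = $true                       # "Restrict permission to documents in this library on download"
    $list.IrmReject  = $true                       # do not accept file types that cannot be rights managed
    $irm = $list.InformationRightsManagementSettings
    $irm.PolicyTitle       = 'Finance - Contracts'
    $irm.PolicyDescription = 'Rights are derived from library permissions when a document is downloaded'
    $irm.AllowPrint  = $false                      # downloaded copies cannot be printed
    $irm.AllowScript = $false                      # no VBA or other custom code in the file
    $irm.EnableDocumentAccessExpire = $true        # licence expires; the user must download the file again
    $irm.DocumentAccessExpireDays   = 30
    $list.Update()
}
finally { $site.Dispose() }
```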
SharePoint will now automatically apply AD RMS rights to a document when it is downloaded from the document library. These rights are determined by the user's permission level on that library. For example, a user who has Read permission will not be able to modify the document after downloading it from the document library.

Note: When AD RMS protected documents (created outside the SharePoint environment) are uploaded to a library with an IRM policy enabled, the original document protection policy supersedes the library protection policy when those documents are downloaded or accessed by users. AD RMS end-to-end security prevents SharePoint from decrypting documents created outside of the SharePoint environment, and hence from applying the SharePoint library IRM policy to them.

1 comment:

  1. Great, Thanks! Interestingly written review. Using industry automation solutions it is the best way to get mobile apps development.