Question: Any idea if Information Rights Management (IRM) will support additional file types in future versions

  • Thursday, September 03, 2009 11:51 PM, Frenchy_Jef
     

    In SharePoint 2007, IRM supports Excel, Word and PowerPoint out of box...

    Any idea if there will be additional out of box support for filetypes such as PDF, TIFF, Outlook Emails (.msg)...?

    I am hoping to avoid creating custom protectors to protect the files and building add-ons to software such as Adobe Reader to understand the RMS licences...

    Looking forward to additional suggestions as well...

    Thanks,
    Jef

    • Moved by Mike Walsh MVP, Moderator, Friday, October 30, 2009 6:48 AM: Moving back as everyone continues to ignore the 2010 part of the question - considering removing 2010 from the title! (From: SharePoint 2010 General Questions and Answers)
    • Edited by Mike Walsh MVP, Moderator, Friday, October 30, 2009 6:50 AM: SP 2010 replaced by "future versions". The 2010 aspect was never answered here and leaving it in the Title would encourage other 2010 posts
    • Edited by Mike Walsh MVP, Moderator, Wednesday, September 16, 2009 2:32 PM: ... removed - pointless
    • Moved by Mike Walsh MVP, Moderator, Friday, October 23, 2009 4:10 AM: Moved because of the Title. The SP 2010 aspect was never answered (From: SharePoint - Enterprise Content Management)

All Replies

  • Friday, September 04, 2009 1:54 AM, Mike Smith MCT
     
    As I understand it, IRM requires the client application to support IRM features. SharePoint knows how to unwrap and wrap IRM files for indexing and metadata purposes, but it still requires Word, Excel, etc. to be able to unwrap the IRM'd file returned by SharePoint to open it. So, you will need IRM support in Acrobat Reader, a TIFF viewer, Outlook, etc.
     
    Mike Smith TechTrainingNotes.blogspot.com
  • Saturday, September 05, 2009 9:32 AM, Ivan Sanders
     
    Check out Liquid Machines to add support to ADRMS. It's not a SharePoint issue... SharePoint integrates with RMS...

    Liquid Machines PDF for RMS extends RMS policy protections to Adobe Reader. Protect PDF files with template or ad-hoc policies. Liquid Machines PDF for RMS requires no changes to your RMS policy server or additional server software, and works within Adobe Reader 7 or 8. You can even use previously defined or custom RMS policies, making it easy to extend the coverage of Microsoft RMS protection to your PDF content.

     
    -Ivan


    Ivan Sanders http://www.linkedin.com/in/iasanders http://dimension-si.com/blog
  • Sunday, September 06, 2009 6:26 PM, Frenchy_Jef
     
    Mike, Ivan, SharePoint supports RMS but only adds the RMS certificate for Word, Excel and PowerPoint file types.

    My understanding is that I would need to create my own Custom Protectors in SharePoint that add RMS certificates to PDF and TIFF documents as they are uploaded/downloaded from a SharePoint Document Library.

    If an RMS certificate is added to a PDF file, will software such as Adobe be able to handle it appropriately or do I need to add that functionality to the client software (like Liquid Machines)...?

    If I need to add the RMS support to the client software, how would one go about it...? Can a third party (i.e. myself) create the add-on or does it have to be done natively (i.e. by Adobe)...?

    -Jef

  • Monday, September 07, 2009 4:26 AM, Ivan Sanders
     
    What's up?

    SharePoint actually changes the model of how ADRMS works. By using the protectors SharePoint actually unprotects the original protection template applied to the file and gives Visitors Read access, Members Contribute or Modify... If an organization has deployed ADRMS and created templates, then you may not want to use the integration features of SharePoint 2007.

    I have included a bit more information:

    Microsoft Office Versions and AD RMS Features summary Default with SharePoint

    AD RMS-enabled Applications

    Microsoft Office 2003

    Microsoft Office 2007

    Microsoft Office Mobile

    Microsoft Word

    Microsoft Excel

    Microsoft PowerPoint

    Microsoft Outlook

    Microsoft InfoPath

    Not provided

    Not provided

     
    http://technet.microsoft.com/en-us/library/dd772697(WS.10).aspx

     

    SharePoint Integration with AD RMS Cool article by Pat Cherny http://technet.microsoft.com/en-us/magazine/2009.04.insidesharepoint.aspx?pr=blog

    With these facts in mind, let's approach SharePoint integration with AD RMS. First and foremost, Microsoft states in all relevant product documentation pieces that AD RMS-enabled document libraries store content items unencrypted. So, there is no bulk encryption when you move items into an AD RMS-enabled document library. More importantly, because the items are unencrypted, there is no AD RMS protection and no security gain in the SharePoint environment.

    SharePoint administrators and users might believe that AD RMS end-to-end security exists, but SharePoint integration with AD RMS fully depends on SharePoint security. According to "Information Rights Management in Windows SharePoint Services Overview" in the WSS 3.0 SDK, Microsoft opted not to store the items in encrypted, rights-managed formats due to customer demand.

    Take a look at Figure 2. It illustrates the IRM framework architecture in an unsecure SharePoint environment that permits unauthorized users direct access to the content databases. The key point is that integrated document protectors apply AD RMS protection dynamically when you download a document through SharePoint. This means that you perceive an unprotected content item as an AD RMS-protected document. When you upload changes, however, SharePoint removes the AD RMS protection again.

    Figure 2 An AD RMS-protected document that is, in fact, a non-AD RMS-protected content item

    It's important that you make sure that this decryption behavior is consistent with your security and compliance requirements. Just imagine a scenario where you host sensitive HR documents in an AD RMS-enabled document library and fail to inform the HR department that all SQL Server and SharePoint farm administrators as well as any SharePoint developers outside of the HR department have unrestricted access to the content items in unencrypted form. Don't neglect this issue in your solution design and in your compliance documentation. For example, you might have to deploy separate SQL Server instances and SharePoint farms that are maintained by HR-internal administrators only.

    When designing security and compliance solutions, keep in mind that SharePoint integration with AD RMS does not eliminate the need to protect your SharePoint environment as described in the Office SharePoint Server Security guide and the Windows SharePoint Services Security Account Requirements worksheet. If you don't protect your security accounts and passwords, if you deploy unverified code from questionable sources, or even enable server-side scripts on your SharePoint servers, then an IRM framework and AD RMS integration won't save you when an unauthorized person gets access to the content items, as explained in the January column titled "SharePoint Security Accounts."

    AD RMS Policy Settings Override
    Another important issue you must address in your compliance solutions and documentation is that content protection in an AD RMS-enabled document library is not the same as when working in Microsoft Office Word outside of document libraries. Check out Figure 3 and the worksheet titled "Specifying AD RMS Permissions in Microsoft Office Word inside and outside of Document Libraries" in the companion material.

    Figure 3 Document library’s policy overrides owner’s policy.



    -Ivan

    Ivan Sanders http://www.linkedin.com/in/iasanders http://dimension-si.com/blog

  • Thursday, September 10, 2009 11:28 PM, Frenchy_Jef
     
    Ivan,

    Thanks for the reply... I do understand the concept you illustrated above.

    Nonetheless, in the case of a PDF file stored in an ADRMS-enabled document library, I will need to create a custom protector that will encrypt/decrypt the PDF file as it is downloaded/uploaded to the document library. SharePoint does not provide a PDF protector out of box. Therefore PDF files are never encrypted/decrypted even in an ADRMS-enabled document library.

    So, once I have created that custom PDF protector, I still have work to do to enhance Adobe Reader as an ADRMS-enabled application so it is able to interpret the ADRMS Policy attached to the PDF file... that is where I am seeking guidance...

    How do we enhance an external application such as Adobe Reader to make it ADRMS-enabled...?
  • Monday, September 14, 2009 10:10 PM, SimonJThorpe
     
    Or you could try using Oracle IRM, which supports both Office documents (even in Office 2000, which RMS doesn't) and PDF documents out of the box. Oracle IRM can also allow SharePoint to search inside the protected documents. Have a look at http://blogs.oracle.com/irm/2009/08/enabling_sharepoint_to_search.html
  • Thursday, September 17, 2009 9:03 PM, Frenchy_Jef
     
    Thanks for all the replies regarding IRM Protectors, I believe I understand the concept well now.

    The only unanswered question is regarding how to go about enhancing, say, Adobe Reader to make it an ADRMS-enabled application so it is able to interpret the ADRMS Policy attached to the PDF file... does Adobe have to do the work or is there something I can do...?

    Let me know if this should be moved to a different forum...

    Thanks,
    Jef
  • Thursday, September 17, 2009 9:07 PM, Ivan Sanders
     
    That's where Liquid Machines comes in, they extend RMS to work with the document types that RMS does not... they do a lot more now than they used to but that is pretty much where they started..



    -Ivan
    Ivan Sanders http://www.linkedin.com/in/iasanders http://dimension-si.com/blog
  • Thursday, September 17, 2009 9:23 PM, Frenchy_Jef
     

    My client would like to create the RMS extension for Adobe Reader as opposed to using a third-party tool... how would a developer get started building this custom RMS extension for software such as Adobe Reader...?

    I understand I would be recreating the same functionality as Liquid Machines but for my client's internal use only...

  • Friday, October 23, 2009 1:29 AM, scott_wsy
     
    Hi Jef,

    I encountered the same problem. My understanding is that we can use the RMS SDK to create an RMS-enabled application, which could be a plug-in for Adobe Reader. When an encrypted PDF file is on the client machine, Adobe Reader will trigger the plug-in to fire the decrypt process.

    Still doing investigation, have you solved it?
  • Thursday, October 29, 2009 8:08 PM, Dan Lewis
     
    I've successfully deployed IRM solutions for PDF with SharePoint in a couple of ways.  One is with LockLizard, the other is a combination of RMS and Foxit's latest pdf secure solution.   It uses a PDF reader other than Adobe's so that it can work client side.
    Dan Lewis
    SharePoint Comic