AD RMS Rights Policy Templates Best Practices

Rights policy templates enable content authors to quickly apply a standard level of protection to content across your organization.  Furthermore, templates offer additional security options that are not available in normal protection.  If you are unfamiliar with rights policy templates, read the TechNet articles AD RMS Rights Policy Templates Deployment Step-by-Step Guide and AD RMS Policy Templates Considerations.  The following paragraphs provide some best practices for using rights policy templates in your organization.

If you decide that you no longer want to make a template available to your users, do not delete it.  Rather, archive the template.  This allows users to still access content created by that template, though they will no longer be able to protect content using that template. 

Use the local Template Administrators group to delegate the rights to manage rights policy templates.  Create a corresponding universal security group in Active Directory and add that group to the local Template Administrators group on each server in your AD RMS cluster.
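The delegation described above, as an added PowerShell example that is not part of the original article: it creates the universal security group in Active Directory once and then adds it to the local AD RMS Template Administrators group on each cluster node, reporting the resulting membership so that drift between nodes is visible. The domain name, group name and node names are placeholders; the ActiveDirectory module is assumed to be installed on the workstation running the script.

```powershell
# Added example (not from the TechNet article): delegate template administration
# through a universal security group that is a member of the local
# "AD RMS Template Administrators" group on every node of the cluster.
# Assumptions: ActiveDirectory module present; CONTOSO, the group name and the
# node names below are placeholders to replace with your own values.
Import-Module ActiveDirectory

$GroupName    = 'RMSTemplateAdmins'                 # placeholder domain group name
$Domain       = 'CONTOSO'                           # placeholder NetBIOS domain name
$ClusterNodes = @('RMS01', 'RMS02')                 # placeholder AD RMS cluster node names
$LocalGroup   = 'AD RMS Template Administrators'    # local group created by AD RMS setup

# 1. Create the universal security group once in Active Directory (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Universal -GroupCategory Security `
        -Description 'Delegated AD RMS rights policy template administrators'
}
$DomainGroup = "$Domain\$GroupName"

# 2. Add the domain group to the local group on each cluster node and
#    return the membership of every node for comparison.
$membership = foreach ($node in $ClusterNodes) {
    Invoke-Command -ComputerName $node -ArgumentList $LocalGroup, $DomainGroup -ScriptBlock {
        param($local, $member)
        # net localgroup is available on every supported server version;
        # Add-LocalGroupMember only exists on newer hosts.
        $current = (net localgroup $local) | Where-Object { $_ -like '*\*' }
        if ($current -notcontains $member) {
            net localgroup $local $member /add | Out-Null
        }
        [pscustomobject]@{
            Node    = $env:COMPUTERNAME
            Members = ((net localgroup $local) | Where-Object { $_ -like '*\*' }) -join ';'
        }
    }
}

# Any node whose member list differs from the others has been configured by hand.
$membership | Format-Table Node, Members -AutoSize
```

Run the script again after adding a node to the cluster; the group creation is skipped and only the new node's local group is changed. Keeping the domain group as the single place where template administrators are managed means membership changes are audited in Active Directory rather than scattered across local groups.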

When creating a rights policy template, you can define the template name and description in multiple languages.  This allows the name and description to appear in the user's native language.

When specifying the users and groups that will have rights over content protected by the created template, you can use Anyone to grant permissions to all authenticated users.  This means that any user with a valid rights account certificate (RAC) will have the permissions specified.  However, we recommend that you create an all-company group in Active Directory instead, especially if you have a federated environment or if there is a trust relationship with another company.

When specifying the rights that users will have, remember that permissions are cumulative: a user who matches more than one entry, directly or through group membership, receives the union of the rights granted to those entries.  The Rights Summary will report the rights as you have specified them, not the effective permissions.
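To make the difference between the specified and the effective rights concrete, the following added PowerShell example (not part of the original article) computes a user's effective rights under a template as the union of every entry that applies to them, treating Anyone as matching any principal that holds a valid RAC, which is also why the previous paragraph prefers an explicit all-company group. The template grants, the user names and the group memberships are constructed sample data; in practice you would read the entries from the template and the memberships from Get-ADPrincipalGroupMembership.

```powershell
# Added example (not from the TechNet article): effective rights are the union of
# all template entries that apply to a user. Sample grants, users and group
# memberships below are constructed for illustration.
function Get-EffectiveTemplateRights {
    param(
        [Parameter(Mandatory)] [string]    $User,
        [Parameter(Mandatory)] [string[]]  $MemberOf,   # groups the user belongs to
        [Parameter(Mandatory)] [hashtable] $Grants,     # principal -> rights, as the Rights Summary lists them
        [switch] $Authenticated                         # user holds a valid RAC
    )
    $effective = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $matched   = @()
    foreach ($principal in $Grants.Keys) {
        # An entry applies if it names the user, one of the user's groups, or
        # ANYONE (which covers every authenticated principal, federated ones included).
        $applies = ($principal -ieq $User) -or
                   ($MemberOf -icontains $principal) -or
                   ($principal -ieq 'ANYONE' -and $Authenticated)
        if ($applies) {
            $matched += $principal
            foreach ($r in $Grants[$principal]) { [void]$effective.Add($r) }
        }
    }
    [pscustomobject]@{
        User            = $User
        MatchedEntries  = $matched
        EffectiveRights = @($effective) | Sort-Object
    }
}

# Constructed sample template, one entry per line as the Rights Summary shows it.
$template = @{
    'ANYONE'                      = @('View')
    'Finance@contoso.com'         = @('View', 'Edit', 'Print')
    'FinanceAuditors@contoso.com' = @('View', 'Export')
}

# A member of both groups: the summary shows three separate entries, but the
# user actually receives every right from all three.
Get-EffectiveTemplateRights -User 'alice@contoso.com' `
    -MemberOf @('Finance@contoso.com', 'FinanceAuditors@contoso.com') `
    -Grants $template -Authenticated

# A federated partner user who is in neither group still receives View through ANYONE.
Get-EffectiveTemplateRights -User 'bob@partner.example' `
    -MemberOf @() -Grants $template -Authenticated
```

The second call is the case the Anyone recommendation is about: replacing the ANYONE entry with an all-company group makes the partner user match no entry at all, which you can confirm by editing the sample template and re-running the function.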

As long as the user works with the same Windows account and there is no major change (such as the switch to Mode-2) on the AD RMS cluster, the creator can always open their Office documents with full rights. The default setting of templates ensures that this also applies to protected XPS documents, and also after a switch to Mode-2 on the AD RMS cluster. You can turn off this feature by clearing the 'Grant owner (author) full control right with no exception' option in the Add User Rights step when creating or editing the template; in that case, for example, the creator of a protected XPS document cannot change its rights afterwards.

If you need to enable access to Office 2003 content using the Rights Management Add-on client, you must select the option Enable users to view protected content using a browser add-on in the Specify Extended Policy step when creating or editing the template.

If you have enabled AD RMS for a specific application you can specify additional rights for that application in the Specify Extended Policy page.  The implementation of custom rights is completely up to the application, so they can be anything that can be expressed in XrML.

Remember that rights policy templates are dynamically updated.  There is no need to reapply a rights policy template to previously protected content after you edit a template.

Remember that Microsoft Office SharePoint Server 2007 does not support rights policy templates.  In addition, Windows Mobile 6.0 and later users can consume content protected by a rights policy template on their mobile device; however, they are unable to create content using a rights policy template on their mobile device.

Remember that Microsoft Office applications can display up to 20 rights policy templates.

Use a descriptive naming convention for your templates.  The name of the template might be all that the author sees when choosing a template to use.

Distribute templates to local machines.  Remote users with portable computers might want to protect content with a template while they are working offline.  Having a local copy of the templates allows users to protect content with templates, even while they are offline.  If you are using Windows Vista SP1 or later, this template distribution is performed automatically.
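For clients that do not receive templates automatically, the following added PowerShell example (not part of the original article) checks a machine's local template folder against the exported templates on a share, reports which templates are missing or stale by comparing file hashes, and copies only those. Both paths are placeholders: replace them with your template share and the folder your client's Office version reads templates from.

```powershell
# Added example (not from the TechNet article): verify and refresh a local copy of
# the exported rights policy templates so offline users do not protect content
# with a missing or outdated template. Both paths are placeholders.
param(
    [string] $Share = '\\rms-templates.contoso.com\Templates',  # placeholder template share
    [string] $Local = 'C:\RmsTemplates'                          # placeholder local template folder
)

function Compare-RmsTemplateFolders {
    param([string] $Share, [string] $Local)
    # Exported templates are XML files; compare each published file to its local copy.
    $published = Get-ChildItem -Path $Share -Filter '*.xml' -File
    foreach ($file in $published) {
        $localPath = Join-Path $Local $file.Name
        if (-not (Test-Path $localPath)) {
            $status = 'Missing'
        } elseif ((Get-FileHash $localPath).Hash -ne (Get-FileHash $file.FullName).Hash) {
            $status = 'Stale'      # content differs: the template was edited on the cluster
        } else {
            $status = 'Current'
        }
        [pscustomobject]@{
            Template  = $file.Name
            Status    = $status
            Published = $file.LastWriteTime
        }
    }
}

if (-not (Test-Path $Local)) { New-Item -ItemType Directory -Path $Local | Out-Null }

$report = Compare-RmsTemplateFolders -Share $Share -Local $Local
$report | Format-Table -AutoSize

# Refresh only the templates that are missing or stale; current ones are left alone.
foreach ($row in $report | Where-Object Status -ne 'Current') {
    Copy-Item -Path (Join-Path $Share $row.Template) -Destination $Local -Force
}
```

Because templates are updated dynamically on the cluster, a stale local copy only affects which template definition the author sees when protecting offline; content already protected with the template still follows the current definition once the client can reach the cluster.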

Comments
  • Great!!!

  • Thanks but is there an article on best practices on the choice of Email RMS options of Read only, do not Forward, Reply, Reply All, Print, Copy?

    Please email to me if possible at v.mschu@gmail.com.
