General ADRMS question

  • Question

  • Hi,

    I need some clarification about ADRMS, please.

    If USER1 protects an MS Office file (let's say a Word file) by applying an RMS template, and USER2 opens this document, he will be asked to enter his credentials.

    I need the exact process: what happens? How will he be given the rights? What checks will the system do?

    It's a vague question ... all in all I want to know the exact process the system will do ...

    Thanks


    Regards, Costa Mitri
    Monday, May 9, 2011 8:46 PM

All replies

  • Depends on what you have configured on the RMS template really.

    But basically if USER2 has permissions on the file he will be allowed to open it. For user credentials, really depends on where you are logging in from, for domain based users there should be no prompts.

    But have a read through the following links, should cover the last few q's

    http://blogs.msdn.com/b/rms/archive/2011/03/28/ad-rms-under-the-hood-server-bootstrapping.aspx

    http://blogs.technet.com/b/information_protection/archive/2011/03/13/licenses-and-certificates-and-how-ad-rms-protects-and-consumes-documents.aspx

    http://technet.microsoft.com/en-us/library/cc720212(WS.10).aspx

     


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Tuesday, May 10, 2011 12:54 PM
  • Hello Adnan,

    Thanks for the links :)

    Basically, if user1 creates an ADRMS protected Word file, only users in the adrms-users group should be able to open them, right?

    So if the template policy, let's say that enables others to read ONLY, is applied to the Word file, then this template will be applied on all users in the adrms-users group who will open this file, right?

    Let's say user1 creates this file and puts it on a shared drive (while he is in the company), user2 comes and opens this file, will he be prompted for credentials? Of course we are considering that all users are logged in to the domain ...

    Same question applies for a file sent via Outlook (Outlook or OWA) and on which we integrated ADRMS: user1 sends an email to user2 with a template of read only and do not forward, and a Word file as attachment; the Word file will inherit the permissions, right? So let's say user2 downloads and opens the file, will he be prompted for the credentials?

    Another thing, ADRMS can protect files from people within the organization, right? Not from people not members on the domain to whom the files were sent ... am I correct?


    Regards, Costa Mitri
    Tuesday, May 10, 2011 5:31 PM
  • Basically, if user1 creates an ADRMS protected Word file, only users in the adrms-users group should be able to open them, right?

    Assuming user1 gave permissions to a mail enabled group called "adrms-users", then yes. To protect the file user1 will come to a screen where he has to choose the users or groups to which to assign permissions.

    So if the template policy, let's say that enables others to read ONLY, is applied to the Word file, then this template will be applied on all users in the adrms-users group who will open this file, right?

    Assuming the template has permissions assigned to a mail enabled group called "adrms-users" for View (Read Only) and then this template is applied to the Word file, then yes.

    Let's say user1 creates this file and puts it on a shared drive (while he is in the company), user2 comes and opens this file, will he be prompted for credentials? Of course we are considering that all users are logged in to the domain ...

    user2 won't be prompted for credentials provided the configuration on the client side is done correctly, but his domain user will be processed to check whether he has explicitly been assigned permissions to view the doc or he is part of a mail enabled group that has access permissions.

    Same question applies for a file sent via Outlook (Outlook or OWA) and on which we integrated ADRMS: user1 sends an email to user2 with a template of read only and do not forward, and a Word file as attachment; the Word file will inherit the permissions, right? So let's say user2 downloads and opens the file, will he be prompted for the credentials?

    Same answer as previous question. Plus any permissions applied to Outlook mail items get inherited by MS Office files which are attached. Assuming you are using Exchange 2007 SP1 and above - you will need to enable the prefetch feature to make it even more invisible for the users.

    Another thing, ADRMS can protect files from people within the organization, right? Not from people not members on the domain to whom the files were sent ... am I correct?

    RMS is meant to prevent data leaks from the organization. But if you are looking at a collaboration scenario with partners external to the organization then you might want to consider RMS authentication via Windows Live cloud. But then every external partner user needs to have a Live ID.


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Tuesday, May 10, 2011 7:11 PM
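
The check described in the reply above (a user is matched either by an explicit grant or through a mail enabled group), as an added example that is not part of the original thread and is not AD RMS code. It is a simplified model: the directory contents, the `example.com` addresses, the `finance` and `helpdesk` groups and the `EDIT` right name are constructed for illustration.

```python
# Simplified model: template rights are granted to e-mail addresses, and a
# user matches directly or through a mail enabled group (nested groups too).
# All directory data below is constructed sample data.

USERS = {  # account name -> mail attribute
    "user1": "user1@example.com",
    "user2": "user2@example.com",
    "user3": "user3@example.com",
}

GROUPS = {  # group name -> (mail attribute, direct members: users or groups)
    "adrms-users": ("adrms-users@example.com", ["user1", "finance"]),
    "finance": ("finance@example.com", ["user2", "adrms-users"]),  # nested, loops back
    "helpdesk": (None, ["user3"]),  # security group that is not mail enabled
}

def addresses_for(user):
    """Return every e-mail address under which `user` can be granted rights."""
    found = {USERS[user]} if USERS.get(user) else set()
    seen, pending = set(), [user]
    while pending:
        member = pending.pop()
        for name, (mail, members) in GROUPS.items():
            if member in members and name not in seen:
                seen.add(name)        # guards against circular nesting
                pending.append(name)  # expand the parent groups as well
                if mail:              # only mail enabled groups can match
                    found.add(mail)
    return found

def effective_rights(user, template):
    """Union of the rights granted to any address the user resolves to."""
    rights = set()
    for address in addresses_for(user):
        rights |= template.get(address, set())
    return rights

# Constructed templates: read-only for the group, and one explicit user grant.
READ_ONLY = {"adrms-users@example.com": {"VIEW"}}
EXPLICIT = {"user3@example.com": {"VIEW", "EDIT"}}

if __name__ == "__main__":
    for account in USERS:
        print(account, sorted(effective_rights(account, READ_ONLY)),
              sorted(effective_rights(account, EXPLICIT)))
```

In this model user2 gets View only through nested membership, while user3, whose only group is not mail enabled, gets nothing from the group template and is matched solely by the explicit grant.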
  • Yes, actually what I did is create a template, chose the rights, then specified the email of the group

    then when asked:

    type the e-mail address of a user or a group or which you want to specify rights to content protected using this template.
    To specify everyone in an organization, select "Anyone".

    I chose "rms-clients@domain.com" which is a group email, so if a user creates a Word file protected with this template, only users of the group "rms-clients" will be able to use this file, and of course, the template will be applied on them ... am I correct?

    What if the one who protects the file using this same template is a member of the "rms-clients" group? He will get full access while the others are bound by the template?

    Another thing, if a user logs in via OWA to his company mailbox, and tries to open a protected file sent via mail ... the authentication and the permissions will still apply, right?

     


    Regards, Costa Mitri

    Wednesday, May 11, 2011 5:53 PM