Section 6.7. Use Identity-Based Security (a.k.a. IRM)

Previous page
Table of content
Next page


6.7. Use Identity-Based Security (a.k.a. IRM)

Earlier sections discuss protecting workbooks using passwords. The problems with passwords are:

  • They are susceptible to guessing attacks.

  • There is no secure way to share them among a group.

  • They tend to proliferate and become hard to remember. You can use the same password for all items, but that reduces security.

The solution to this problem is identity-based security. The preceding section showed how you could allow specific users to edit protected worksheets without the worksheet password. The larger solution is to define workbook permissions based on the user's identity.

Note: Two key features make IRM worth using: you can add expiration dates to documents and you can prevent users from forwarding, printing, or copying the document. That's great for copywritten or time-sensitive materiallike early drafts of this book!

6.7.1. How it works

Identity-based security solves the password problem because users maintain their own passwordusually it's the one they use to sign on to the networkand then their identity travels with them wherever they go on a network. You don't have to set workbook passwords, share those with your workmates, and hope you don't lose or forget them.

Excel provides identity-based security through Microsoft Information Rights Management (IRM). This new feature comes at a cost, however. In order to use IRM, you must have a Windows 2003 server running Microsoft Windows Rights Management (RM) Services on your network. If you don't have that, or if you want to share a workbook outside of your network, you can use Microsoft Passport identities instead of network identities. Figure 6-15 shows how IRM works.

Figure 6-15. IRM uses identities rather than passwords to control access


6.7.2. How IRM compares

There are some huge advantages to IRM over other types of document protection:

  • Identities are not susceptible to guessing attacks.

  • You can control a wide variety of permissions, such as the ability to print, forward, edit, copy, save, etc.

  • Documents can have an expiration date.

  • Permissions can be assigned to roles.

  • Users can request additional permissions from the author, as needed.

  • Users who don't have network accounts inside your organization can use Microsoft Passport accounts for authentication.

The disadvantages are significant, too:

  • Using Passports for IRM is a trial service according to Microsoft and so might be discontinued. Microsoft pledges to give 90-days notice before discontinuing support for this.

  • The RM service for Windows 2003 requires a significant per client license fee.

  • All users need an identitythere's no mechanism for an anonymous user with limited rights.

6.7.3. How to do it

To set IRM permissions on a workbook for the first time:

  1. Choose File Permission Do Not Distribute. Excel starts the Windows Rights Management Wizard, which walks you through creating Rights Management credentials and downloading them to your computer. When you are done, Excel displays the Permission dialog box as shown in Figure 6-16.

    Figure 6-16. Restricting permissions


  2. Select Restrict permission to this workbook to set permissions. Excel activates the dialog box so that you can enter data.

  3. Enter a list of the users allowed to read and/or change the workbook. Users are identified by email address. Separate multiple addresses with semicolons.

  4. To set the expiration date, restrict printing, and other capabilities, click More Options. Excel displays the expanded Permission dialog box (Figure 6-17).

    Figure 6-17. Setting an expiration date


  5. Set the additional permissions by selecting the user and then changing the permission settings in the Permissions dialog box. Click OK when done.

6.7.4. How it works

As the author of the workbook, you always have permission to open, edit, and distribute your document. The workbook will not expire for you because the author always has full control.

When someone other than the author opens a workbook with permissions enabled, several things may happen:

  • If they are included in the workbook's users list and have Office 2003 installed, the workbook opens in Excel and they may perform the actions specified by their permissions.

  • If they are not included in the workbook's users list and they have Office 2003 installed, they will see a description of where to send email to get permission to use the workbook (Figure 6-18).

    Figure 6-18. Users without permissions are told how to request access to an IRM-protected document


  • If they do not have Office 2003 installed, they will see a description of how to get the IRM add-ins for Internet Explorer so they can view the workbook (Figure 6-19).

    Figure 6-19. Users without Office 2003 are told how to get the IRM-add-ins for Internet Explorer


6.7.5. What about...

To learn aboutLook here
Information Rights Management www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx



    Previous page
    Table of content
    Next page
    Excel 2003 Programming. A Developer's Notebook
    Excel 2003 Programming: A Developers Notebook (Developers Notebook)
    ISBN: 0596007671
    EAN: 2147483647
    Year: 2004
    Pages: 133
    Authors: Jeff Webb
    BUY ON AMAZON
    Metrics and Models in Software Quality Engineering (2nd Edition)
    Ruby Cookbook (Cookbooks (OReilly))
    Microsoft VBScript Professional Projects
    Web Systems Design and Online Consumer Behavior
    Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
    .NET System Management Services
    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net
    Privacy policy