Applying Information Rights Management

Information rights management. The phrase can sound a little menacing. What information, which rights, and who exactly is doing the managing? In practice, however, some information needs to be treated confidentially and some information needs to be controlled so that it isn’t shared more widely than it should be. Information Rights Management, or IRM, provides a tool with which you (and often your network administrators) can specify rights that users have for documents, workbooks, and presentations. These rights can help prevent sensitive information from being printed, forwarded, or copied by someone who doesn’t have the responsibility or authority to do so. IRM helps individuals control where their personal or private information goes. It helps organizations manage policies for the use of their confidential and proprietary information. For example, an administrator can configure IRM policies for a company that define who can access content and the level of editing that is permitted for a document, workbook, or presentation. An administrator might define a rights template that specifies that documents, workbooks, or presentations that use that template can be opened only by people inside the company’s domain.

The access and usage restrictions that you apply with IRM are enforced no matter where the information goes. In other words, the permission for a file is stored in the file itself; the access rights aren’t a matter of where the file is stored. If a document with restricted permission is sent to someone who doesn’t have the authority to read or change it, that person sees a message that contains the e-mail address of the document’s author (or possibly an address to a Web site), which lets that individual request permission to work with the document. If the document’s author chooses not to include an e-mail address, users who aren’t authorized to work with the information receive an error message.

Here are some of the ways you can use IRM to protect information:

• Prevent an authorized recipient from forwarding, copying, modifying, printing, faxing, or pasting the information for unauthorized use.

• Prevent restricted content from being copied by using the Print Screen key.

• Set an expiration date so that content in documents can no longer be viewed after a specified period of time.

You should also be mindful of what IRM can’t do. For example, IRM doesn’t prevent information from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware. IRM doesn’t detect and neutralize the actions of computer viruses. It doesn’t prevent someone from copying confidential information by hand or from sitting down at the computer of someone who is authorized to view the document and typing the contents of a document into a new document that isn’t protected. IRM also doesn’t prevent someone from taking a photograph of restricted content while it’s displayed on a screen, or prevent restricted content from being copied by third-party screen-capture programs.

Configuring Your Computer to Use Information Rights Management

To use IRM with the 2007 release of Office, you need to install Windows Rights Management Services Client with Service Pack 1. You can install this software yourself from Microsoft’s download center, or it might be installed on your computer by an administrator, especially if you work for an organization that’s using IRM. If you haven’t installed Windows Rights Management Services Client software before you first try to open a file that has been managed with IRM, you’ll be prompted by Microsoft Office to download and install it.

The first time you begin to open a document, workbook, or presentation with restricted permission, you must connect to a licensing server to verify your credentials and to download a use license. This process is required for each file with restricted permission. The use license defines the level of access that you have to a file. Content with restricted permission cannot be opened without a use license. Downloading permissions requires that Microsoft Office send your credentials (including your e-mail address) and information about your permission rights to the licensing server. Information contained in the document is not sent to the licensing server.

Restricting Permissions

To restrict access permissions to a document, workbook, or presentation, follow these steps:

1. Save the document, workbook, or presentation.

2. Click the Microsoft Office Button, point to Prepare, point to Restrict Permission, and then click Restricted Access.

3. Select the Restrict Permission To This Document check box.

In the Permission dialog box, shown in Figure 3–10, you can specify users (or groups of users, if your organization’s network is set up to use Active Directory) who will have Read access to this document and those users who will have Change access. Users to whom you grant Read permission can read a document, workbook, or presentation, but they don’t have permission to edit, print, or copy it. Users granted Change permission can read, edit, and save changes to a document, workbook, or presentation, but they don’t have permission to print it. You specify a user by entering the e-mail address for that user. To specify more than one user, separate e-mail addresses with semicolons. You can also click the Read or Change button and select names from your address book or list of contacts.

Figure 3–10: The Permission dialog box is used to restrict what a user can do with the content that a document contains.

The More Options button in the Permission dialog box leads you to the Permission dialog box, shown in Figure 3–11, which you can use to specify other types of restrictions, such as an expiration date for a document. For example, you might limit access to this document for five days, after which point permission to the document expires. You can also use this dialog box to allow users to print a document, to let users with Read access copy the content of a document, and to allow the content in a document to be accessed through a macro or another type of program. Notice also that you can enter an e-mail address for the person who unauthorized users can contact to request permissions for the document. By clicking the Insert Hyperlink button at the right of the text box, you can insert the address of a Web site rather than an e-mail address to serve as the point of contact.

Figure 3–11: Specify IRM details in this dialog box.

The author of a document always has Full Control permission. Other users to whom Full Control is granted can do anything with the document, workbook, or presentation that the document’s author can do-and that includes adding or updating IRM restrictions, such as granting permission to other users, specifying whether a document can be printed, and setting or changing an expiration date. After permission for a document has expired for authorized users, the document can be opened only by the document author or by users with Full Control permission to the document. To grant Full Control to a user, use the drop-down list that appears when you move your mouse over the Access Level column.

Your choices for how you can restrict permissions using IRM might be limited if an administrator has set custom permission policies that individuals cannot change.