
AD RMS Bulk Protection tool released

Microsoft never ceases to surprise, does it?

The product team has released a new RMS Bulk Protection tool that can:

  • Rights-protect files on a desktop or server using a defined RMS template
  • Decrypt rights-protected files
  • Bulk-decrypt RMS-supported files and items within Outlook PSTs
  • Be extended to other file formats via an IRM protector implementation or custom plug-ins
  • Be used with FCI to classify and rights-protect documents

A much desired and long-awaited utility that will help thousands of users like us.

File Classification Infrastructure

Windows Server 2008 R2 has a feature called the File Classification Infrastructure (FCI).

FCI allows organizations to scan files and folders for content, patterns, keywords, etc. and classify them. For example, there are certain folders on a Windows Server 2008 R2 file server.

A folder may hold documents related to Project A. FCI can be configured to search that folder for documents containing the keyword “Project A” and classify those files as Project A confidential.

Once FCI has classified the files, the RMS Bulk Protection utility can be run to rights-protect the classified files with the relevant RMS template.

So what do we get? Completely automated RMS protection driven by document classification :)

 

More details on FCI are available at

http://www.microsoft.com/windowsserver2008/en/us/fci.aspx

 

System requirements for the AD RMS Bulk Protection tool:

  • Windows XP, Windows Vista, Windows 7, and Windows Server 2008 R2
  • Note: on Windows XP the tool requires the RMS Client SP2 and .NET Framework 2.0 SP2 to be installed
  • Outlook 2007 is needed for decrypting items within PST files

 

Syntax to use AD RMS Bulk protection tool

The syntax for the RMS Bulk Protection tool is:

RMSBulk [/decrypt location] [/encrypt location rms_template [owner_email]] [/log log_file [/append] [/simple]] [/preserveattributes] [/silent]

 

where:

  /decrypt location: Decrypt all RMS protected content under location

  /encrypt location rms_template [owner_email]: Encrypt all content under location to rms_template and grant owner_email OWNER right

  /log log_file: Log output to log_file

  /append: Append output to log_file

  /simple: Simple single-line logging

  /preserveattributes: Preserve all file attributes

  /silent: Disable console output

 

Examples of these commands are available in the help file:

  • RMSBulk.exe /decrypt \\Share\Folder /log RMSBulk.log
  • RMSBulk.exe /encrypt C:\Documents\Folder C:\RMSTemplates\Template.xml /log C:\Logs\RMSBulk.log
  • RMSBulk.exe /encrypt \\Share\file.doc ContosoConfidential.xml joe@contoso.com /log C:\Logs\RMSBulk.log /append /simple /preserveattributes
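The examples above protect one location with one template. In practice each classified folder maps to its own template, and you want the run to fail loudly if a folder or template is missing. The following PowerShell wrapper is an added example, not part of the post or of the tool's own documentation; it assumes RMSBulk.exe is on the PATH (or is passed via -RmsBulkPath), that the template .xml files and folders in the sample map exist (the map is constructed), and that the tool returns exit code 0 on success (an assumption; the post does not document exit codes). Use -DryRun to print the exact command lines without executing anything.

```powershell
# Added example: drive RMSBulk.exe over a folder-to-template map using the
# switches documented above (/encrypt, /log, /append, /simple, /preserveattributes, /silent).
# Assumptions (not from the post): RMSBulk.exe is on the PATH unless -RmsBulkPath is given,
# and a 0 exit code means success.
param(
    [string]$RmsBulkPath = 'RMSBulk.exe',
    [string]$LogPath     = 'C:\Logs\RMSBulk.log',
    [string]$OwnerEmail  = '',        # optional owner_email, granted the OWNER right
    [switch]$DryRun
)

# Constructed sample mapping: which classified folder gets which template.
# Replace with the folders FCI classifies in your environment.
$ProtectionMap = @{
    'C:\Shares\ProjectA' = 'C:\RMSTemplates\ProjectAConfidential.xml'
    'C:\Shares\Finance'  = 'C:\RMSTemplates\FinanceReadOnly.xml'
}

function Invoke-RmsBulkEncrypt {
    param(
        [Parameter(Mandatory=$true)][string]$Location,
        [Parameter(Mandatory=$true)][string]$Template
    )
    if (-not (Test-Path -LiteralPath $Location)) { throw "Location not found: $Location" }
    if (-not (Test-Path -LiteralPath $Template)) { throw "Template not found: $Template" }

    # Build the argument list in the documented order:
    # /encrypt location rms_template [owner_email] /log log_file [/append] [/simple] /preserveattributes /silent
    $argList = @('/encrypt', "`"$Location`"", "`"$Template`"")
    if ($OwnerEmail) { $argList += $OwnerEmail }
    $argList += @('/log', "`"$LogPath`"", '/append', '/simple', '/preserveattributes', '/silent')

    Write-Host ("{0} {1}" -f $RmsBulkPath, ($argList -join ' '))
    if ($DryRun) { return 0 }

    $proc = Start-Process -FilePath $RmsBulkPath -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# /log needs the log directory to exist before the tool runs
$logDir = Split-Path -Parent $LogPath
if (-not (Test-Path -LiteralPath $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

$failed = 0
foreach ($folder in $ProtectionMap.Keys) {
    try {
        $code = Invoke-RmsBulkEncrypt -Location $folder -Template $ProtectionMap[$folder]
        if ($code -ne 0) { Write-Warning "RMSBulk returned $code for $folder"; $failed++ }
    } catch {
        Write-Warning $_.Exception.Message
        $failed++
    }
}

# /simple gives single-line log entries; a quick scan for the word 'error' is a
# reasonable first check (the exact log wording is an assumption, adjust after a first run).
if (Test-Path -LiteralPath $LogPath) {
    $errorLines = @(Select-String -Path $LogPath -Pattern 'error' -SimpleMatch)
    Write-Host ("Log lines mentioning 'error': {0}" -f $errorLines.Count)
}

exit $failed
```

Running this as a scheduled task after the FCI classification pass gives the classify-then-protect flow the post describes; the non-zero exit code makes a failed run visible to whatever scheduler or monitoring you use.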

 

In the coming few days I am going to put up steps showing the FCI and RMS Bulk Protection tool integration, along with a video demonstrating the same.

Keep looking for updates to this blog… :)

Posted by amolrb | 0 Comments

FIM 2010 RC1 released

The Forefront Identity Manager RC1 bits have been released and can be downloaded from:

 

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4bb3f16b-27f8-4c1d-922f-2c7b522d9ad6

 

The system requirements are mentioned in the same link.

Please note: support for Windows Server 2008 R2 has been added, and hotfix KB958611 needs to be applied for SQL Server 2008.

Posted by amolrb | 0 Comments

Creating Custom endpoint detection policy and script for IAG

I happened to create a sample endpoint detection policy and script, which I am posting for your reference. You can use this in your deployment.

------------------------------------------------------------

  • Create a custom registry key.
  • I created the key HKLM\Software\RIL_Corp with a value named Corporate and data 1.

  • Create a VBScript that performs the detection. The sample is shown in the figure below.

  • Copy this .vbs script into the following folder:

<Whale_installation_folder>\e-Gap\von\InternalSite\CustomUpdate


  • Copy the Detect.inc file from the C:\Whale-Com\e-Gap\von\InternalSite\samples folder into the C:\Whale-Com\e-Gap\von\InternalSite\inc\CustomUpdate folder.
  • Open Detect.inc and make the following changes:
    • Update the name of the registry-checking .vbs script in the line:

g_scriptList("/InternalSite/CustomUpdate/registrycheck.vbs") = false

    • Save the file as “<TrunkName><https:1/http:0>Detect.inc”. My trunk was called Portal1 and was an HTTPS trunk, hence I saved the file as “portal11detect.inc”.

  • Ensure that the “<TrunkName><https:1/http:0>Detect.inc” file is saved in the correct path.

  • Create PolicyDefinition.xml and PolicyTemplate.xml as shown below.

  • These files need to be saved in the C:\Whale-Com\e-Gap\von\conf\CustomUpdate folder.

  • Upon completing this activity, activate the configuration by clicking the Activate icon in the IAG Configuration console.
  • After the activation is complete, close and then reopen the IAG Configuration console.
  • In the console tree, click the trunk to which you want to apply the new endpoint detection setting, and then click Configure next to Advanced Trunk Configuration.
  • On the Session tab, click Manage Policies, and then click Add.
  • In the Policy Editor window, provide the appropriate details such as Name, Explanatory text, etc.

  • Select Manage Windows Policies => Add Policy.
  • The Manage Windows Policies and Expression window appears.
  • You will notice your policy definition; select the group and enable it. Also select the value you set.

  • Save the policy and assign it as the Session Access Policy, Privileged Endpoint Policy or Endpoint Policy for Application Access. :)
  • Note: don’t forget to activate the configuration again :)

Checks:

  • Connect from a client system where the registry has been updated with the new key.
  • Open Web Monitor in the IAG console => Active Sessions => Session details.

You will see the policy that you created (shown in the figure above), or the name of the registry key as shown below.

This implies that your registry check is working.

Posted by amolrb | 0 Comments

Do’s and Don’ts in RMS

Jason Tyler published a very good post, Do’s and Don’ts in RMS. I am merely replicating it here; very useful information that should be considered :)

  • DO use CNAME records for your RMS cluster URL. This will allow you to load balance, and/or do disaster recovery by simply changing the A record that the CNAME record points to.
  • DON'T use the NetBIOS name of the machine as the cluster URL.
  • DO make backups of your SLC and Publishing Certificate located in the 'Trust Policies' section of your RMS Admin UI, *immediately* after provisioning. There is an Export button for the SLC, and an Export link for the publishing cert. Put these in a safe place. If your RMS installation blows up, and you don't have these, you will be in a lot of trouble.
  • DO write down your private key password, and create a document with screenshots detailing the entire setup process
  • DO use a CNAME for your SQL server. In a disaster recovery situation, it is easier to change the single A record of the CNAME to point to a backup server, than to change the 6 or 7 places within RMS that need to be changed.
  • DON'T install RMS without a detailed plan, including whether or not you want to use HTTPS, or HSMs.
  • DO make sure that your superusers group is a Universal Distribution group. The RMS server needs to be able to expand the group with a GC query, and this is the only group type whose full membership is replicated to the GC. This really goes for any group, with members in different domains, that you need to use with RMS.
  • DON'T enable the superusers group unless you have to, and only put 2 or 3 people in this group for redundancy.
  • DO make a backup of your DRMS_Config_Cluster_80 database regularly. It can be used for disaster recovery.
  • DON'T forget or lose your RMS software private key you used to provision the server. This should be in the paper that your *good* admin who followed the DO's and DON'Ts of RMS made for you before he was given the cardboard box, and walked to his car by security.
  • DO download the RMS Administration Toolkit from http://www.microsoft.com/rms, and keep it handy. IRMCheck is a great tool for troubleshooting client issues.
  • DON'T put RMS on a server that is hosting multiple services. The more things you put on a server, the larger the attack surface of that machine becomes. Since this machine will be responsible for the security of your company's intellectual property, keep it clean and free of excess services.
  • DO remember that by default ServerCertification.asmx and MobileDeviceCertification.asmx have no-one assigned to their access control lists. In order to use things like MOSS, or Mobile Devices, you need to go into the Properties of these files, and the Security tab, click the 'Advanced' button, and check the box to allow permissions from the parent to propagate. For MOSS integration you also need to add the MOSS$ machinename account, and the identity that the MOSS service is running as (if it is anything other than Network Service), with Read/Read & Execute rights to the ServerCertification.asmx file in the c:\InetPub\wwwroot\_wmcs\Certification directory.
  • DO use strong passwords.
  • DON'T put RMS on a domain controller. You have to give the RMS_Service account admin rights on the machine to do this.
  • DON'T forget to set an extranet URL if you plan on people using RMS outside of your environment. If you don't set this, all of the CLC (offline publishing certificates) issued will not have this link, and all of the users with those CLCs will be creating content with no extranet URL embedded into them. Once that happens, you can't open that content from outside the domain (i.e. from the internet). This would be bad if you have people that need to work from home.
  • DO set the IIS permissions on the License.asmx, and the ServiceLocator.asmx in the licensing pipeline to 'anonymous access' only, on your Internet facing RMS machine, if you have a TUD (Trusted User Domain) with another company, or are trusting Passport RACs.
  • DO remember that you can read RMS protected content with any version of Office 2003 or higher (there are exceptions to this if you use the HTTP option), but you can only create content with Office 2003 Professional, and Office 2007 Professional *Plus* and above.
  • DON'T forget that in order for your users on the internet (or intranet users if you aren't registering an SCP in the AD) to use RMS you need to have them put these registry settings on their machine (changed of course to reflect your environment). Just copy and paste this into a text file, and change the extension to .reg, give it to them and tell them to double-click on it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\Activation]
@="https://rms.yourdomain.com/_wmcs/certification"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing]
@="https://rms.yourdomain.com/_wmcs/licensing"

  • DO check the time on the RMS server and the clients to ensure that everything is right. Otherwise you will get time expiration related errors (Well, you'll get a generic error, but if you use DebugView, the actual error code will be a time synch error).

------------------------------

Use these Do’s and Don’ts to have a trouble-free RMS deployment.

Posted by amolrb | 0 Comments

Troubleshooting in RMS

After a long time, I am getting some time to post on how to troubleshoot RMS. You can use these as pointers when troubleshooting RMS.

If you have deployed the RMS server, the RMS client is deployed on workstations, desktops and laptops, and you are encountering the following issues:

  • When opening or creating a rights-protected document, RMS displays “Verifying your credentials…” for a long time and then opens a dialog box asking you to register with RMS using a Windows Live account.

Cause: the RMS client is unable to obtain the RMS server details (the service connection point) when querying AD, or is unable to resolve the DNS name of the RMS server after querying AD.

Resolution: use nslookup to verify that DNS resolution for the RMS server works from the client machine. If not, you know what to fix :)

If resolution works, try pinging the RMS server to check connectivity.

  • Always use IE and key in the RMS server URLs to check that the RMS web services are available:

https://<intranet or extranet pipeline>/_wmcs/licensing/license.asmx

https://<intranet or extranet pipeline>/_wmcs/certification/certification.asmx

If you cannot browse to the pipelines, the RMS client will not be able to connect either.

  • Error: Cannot use this feature without credentials

Usually this issue occurs when the user’s account in Active Directory does not have the e-mail attribute populated, or when the user abruptly cancels the request during the silent certification process.

Check AD for the e-mail address attribute, or check the Application event log on the RMS server in case of any server-related issues.

  • For easy troubleshooting on the client side, always run the IRMCheck utility. It gives indications as to where the error might be occurring. The latest version of IRMCheck is available at the following link:

www.joectzn.com\irmcheck.zip

 

  • Outlook is unable to create a message with any permission settings.

Using IE, verify that you can access license.asmx and certification.asmx on the intranet and extranet pipelines. Run the IRMCheck utility to get more details.

  • Error: Problem occurred while contacting the restricted permission service. Please try again later or contact your administrator for more details.

This occurs when 1) the RMS server is being accessed via a proxy server, or 2) an expired RAC is submitted by the client to the RMS server.

Run IRMCheck and check for any expired or invalid certificates; also try bypassing the proxy for the RMS server by editing the connection options in IE.

These are some tips that can be used to troubleshoot RMS.
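The checks above (DNS, pipeline URLs, the user's e-mail attribute, client activation state) are exactly the ones IRMCheck walks through by hand. The script below is an added example, not part of the post or of IRMCheck; it automates them from the client in PowerShell 2.0-compatible code (ADSI and HttpWebRequest, so it runs on the XP/Windows 7 era clients the post targets). The cluster name and the account to check are parameters you supply; the DRM folder layout (CERT-Machine.drm, GIC-*, CLC-*) is the one described later on this page.

```powershell
# Added example: client-side RMS triage for the symptoms listed above.
# Assumptions (not from the post): $RmsCluster is the cluster FQDN used in the
# pipeline URLs, the client can reach AD via ADSI, and the user's per-profile
# DRM folder is %LOCALAPPDATA%\Microsoft\DRM.
param(
    [Parameter(Mandatory=$true)][string]$RmsCluster,   # e.g. rms.contoso.com (assumed name)
    [string]$SamAccountName = $env:USERNAME
)

function Test-RmsDns {
    # Symptom 1: client cannot resolve the RMS server after the AD query
    param([string]$HostName)
    try { [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString } }
    catch { Write-Warning "DNS resolution failed for $HostName : $($_.Exception.Message)"; @() }
}

function Test-RmsPipeline {
    # Issues an HTTP GET to a pipeline .asmx and returns the status code (-1 = no response).
    # The proxy is bypassed deliberately: the post lists proxies as a cause of
    # "Problem occurred while contacting the restricted permission service".
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.UseDefaultCredentials = $true
    $req.Proxy = $null
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return $status
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        Write-Warning "$Url : $($_.Exception.Message)"
        return -1
    }
}

function Get-UserMailAttribute {
    # "Cannot use this feature without credentials": the mail attribute must be populated
    param([string]$Sam)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$Sam))"
    $searcher.PropertiesToLoad.Add('mail') | Out-Null
    $result = $searcher.FindOne()
    if ($result -and $result.Properties['mail'].Count -gt 0) { return [string]$result.Properties['mail'][0] }
    return $null
}

function Get-RmsClientCertificates {
    # Machine certificate, RAC (GIC-*) and CLC appear in the DRM folder once the client is activated
    $drm = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'
    if (-not (Test-Path $drm)) { return @() }
    Get-ChildItem -Path $drm -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^(CERT-Machine|GIC-|CLC-)' } |
        Select-Object Name, LastWriteTime
}

Write-Host ("1. DNS: {0} -> {1}" -f $RmsCluster, ((Test-RmsDns $RmsCluster) -join ', '))

Write-Host "2. Pipelines (expect HTTP 200):"
foreach ($path in '_wmcs/certification/certification.asmx', '_wmcs/licensing/license.asmx') {
    $url = "https://$RmsCluster/$path"
    Write-Host ("   {0,-62} HTTP {1}" -f $url, (Test-RmsPipeline $url))
}

$mail = Get-UserMailAttribute $SamAccountName
if ($mail) { Write-Host "3. AD mail attribute for $SamAccountName : $mail" }
else       { Write-Warning "3. No mail attribute on $SamAccountName; silent certification will fail" }

Write-Host "4. Client certificates in %LOCALAPPDATA%\Microsoft\DRM:"
$certs = @(Get-RmsClientCertificates)
if ($certs.Count -eq 0) { Write-Warning "   none found; client is not activated yet" }
else { $certs | ForEach-Object { Write-Host ("   {0}  {1}" -f $_.Name, $_.LastWriteTime) } }
```

A 401 on the certification pipeline is normal when the GET is anonymous and the machine is not yet trusted; what you are looking for is a name that resolves, a TCP connection that completes and a status code rather than a timeout. If step 2 succeeds only with the proxy re-enabled, the proxy is in the path and IE's connection settings need an exception for the RMS cluster.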

Posted by amolrb | 0 Comments

Creating and Using Templates

In this post we will see how to create RMS templates, distribute them across the organization and use them.

Configure GPO RMS Settings – Configure Office RMS Settings

a. Log on to the AD server as <Domain>\Administrator

b. Click Start, Run, and type GPMC.MSC

c. Click Group Policy Objects, and then right-click the GPO called ISD – Configuration Settings v1.0 and then select Edit.

d. Expand User Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 System, and then click Manage Restricted Permissions.

e. In the details pane, double-click Specify Permission Policy Path, click Enabled, and then type \\FQDN of AD Server\ADRMSTemplates as the path. Click OK.

f. Close all Windows

g. Log off.

 

Prepare the AD RMS Server to Share the Rights Policy Templates (for XP)

a. Log on to the AD server as Domain\Administrator

b. Click the Start menu, and then click Computer.

c. Create a folder called ADRMSTemplates in the Root Directory (C:\).

d. Right-click the ADRMSTemplates folder and select Share...

e. In the ADRMSTemplates Properties window, assign the following permissions, and then click the Share button:

· Add Everyone as reader,

· Add ADRMSSvc as Co-owner

f. Click Done when finished.

g. Close the Windows Explorer.

 

 

Create a standard rights policy template.

a. Open the MMC Console called AD RMS located in the Administrator Desktop.

b. Expand Active Directory Rights Management Services, expand xxxxx, and select Rights Policies Templates.

c. Click Change distributed rights policy templates file location, select Enable Export, specify \\<FQDN of AD Server>\ADRMSTemplates\ and click OK.

d. Click Create distributed rights policy template.

e. In the Create Distributed Rights Policy Template window click Add, and in the Template name field type XXXX Confidential – Read Only.

f. Type the following in the Template description field:

This is a template used to assign read-only rights to the content it is protecting.

g. Click Add and then Click Next.

h. On the Users and Rights click Add

i. In the Add users or groups field, type AllUsers@xxxxx.com, and then click Add.

j. Select AllUsers@xxxxx.com and select the View and View Rights check boxes.

k. In the Rights request URL field, type mailto:administrator@xxxx.com.

l. Click Finish.

 

 

Create a custom rights policy template.

a. Click the Create distributed rights policy template link.

The Rights policy template settings page appears.

b. In the Create Distributed Rights Policy Template window click Add, and in the Template name box type xxxxxx – Financial Department.

c. In the Template description box, type “This Document is for xxxxx Financial Department Employees use only”.

d. Click Add and then click Next.

e. Click the Add... button.

f. In the Add users or groups field, type administrator@xxxxx.com and click OK.

g. In Add users or groups, click Add, type FinancialUsers@xxxxx.com and click OK.

h. Select FinancialUsers@xxxxx.com and then enable the following rights:

· View Rights

· Export (Save as)

· Reply

· Reply All

i. Select administrator@xxxxxx.com and then enable the following rights:

· View Rights

· Export (Save as)

· Print

· Reply

· Reply All

j. Click Finish

k. Repeat steps a to j for the Sales Department with the e-mail address SalesUsers@xxxxx.com.

l. Log off.

 

Note – SalesUsers and FinancialUsers are security groups in AD. You can specify your own groups, but ensure that the e-mail address attribute of the group or user in AD is populated.

 

Configure Offline Folders for Rights Policy Templates Path for XP

 

a. Log on to the AD server as Administrator

b. Click the Start menu, click Run, type gpmc.msc and press Enter

c. Expand Root node

d. Expand the Domains node.

e. Expand the xxxx node and then click Group Policy Objects.

f. Right-click XP – AD RMS Clients GPO and then click Edit

g. In the Group Policy Object Editor, expand User Configuration, Policies, Administrative Templates, Network, Offline Files, and then configure the following settings (Setting: State):

  • Synchronize all offline files when logging on: Enabled
  • Action on server disconnect: Enabled, with Work offline selected as the action
  • Non-default server disconnect actions: Enabled; click Show and use the Add… button to add Name \\<FQDN of AD Server>\ADRMSTemplates with Value 0
  • Administratively assigned offline files: Enabled; click Show and use the Add… button to add Name \\<FQDN of AD Server>\ADRMSTemplates (DON’T assign any data to the Value option)

The objective of the above step is to cache the templates so that they are available even when the user is disconnected or outside the organization’s LAN.

Follow the steps below if you use Windows Server 2008 AD:

h. Click User Configuration => Preferences => Windows Settings => Registry

i. In the right-hand pane, right-click and select New => Registry Item

j. On the General tab of New Registry Properties, select Action: Create.

k. In Hive, select HKEY_CURRENT_USER; in Key Path, browse to Software\Microsoft\Office\12.0\Common\DRM

Please note – 12.0 is for Office 2007; use 11.0 for Office 2003.

l. In Value name, type AdminTemplatePath (Default should not be selected)

m. In Value type, select REG_EXPAND_SZ

n. In Value data, key in \\<FQDN of AD Server>\ADRMSTemplates

o. Close the Group Policy Object Editor and then the Group Policy Management console.

p. Log off.

Follow the steps below if you use Windows Server 2003 AD:

h. Open the registry editor on a system where the RMS client is installed

i. Browse to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common

j. Create a key called DRM

k. Select DRM and right-click in the right-hand pane to create New => Expandable String Value

l. Provide the name AdminTemplatePath

m. Provide the data \\<FQDN of AD Server>\ADRMSTemplates

n. Now right click the DRM key and select option export.

o. Save the file as TemplatePath.reg in the ADRMSTemplates share itself.

p. Go to AD, open the Group Policy editor, and create a logon script:

Go to User Configuration => Windows Settings => Scripts (Logon/Logoff) => Logon

q. Define a logon script that calls the registry editor to import the TemplatePath.reg file, using the command below:

regedit.exe /s \\ADserver\shared_folder\file.reg

where:

ADserver – your AD server name

shared_folder – the shared folder name

file.reg – the exported .reg file

Now when users log on to AD, the logon script imports the .reg file to create or update AdminTemplatePath so that it points to the ADRMSTemplates folder shared from the AD RMS server. The Offline Files steps above ensure that the template files are also available offline.
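A silent regedit import does the job but cannot tell you whether the share was reachable or which Office version the user actually has. The script below is an added example, not part of the post; it is a PowerShell logon script that sets the same AdminTemplatePath value (REG_EXPAND_SZ, as in the steps above) for whichever Office versions exist in the user's profile, and warns when the share is not reachable so you can see whether the Offline Files cache is being relied on. The server name in the default share path is an assumption; replace it with your <FQDN of AD Server>. PowerShell must be present on the client, which rules out an unmodified XP machine, so for those keep the regedit approach.

```powershell
# Added example: logon script that sets AdminTemplatePath (REG_EXPAND_SZ) for
# Office 2003 (11.0) and Office 2007 (12.0) under HKCU, and verifies the share.
# Assumption (not from the post): the share is \\adserver.contoso.com\ADRMSTemplates;
# the script runs in the user's context via the GPO logon script.
param(
    [string]$TemplateShare = '\\adserver.contoso.com\ADRMSTemplates'
)

$OfficeVersions = @('11.0', '12.0')   # 11.0 = Office 2003, 12.0 = Office 2007

function Set-AdminTemplatePath {
    param([string]$Version, [string]$Path)
    $officeKey = "HKCU:\Software\Microsoft\Office\$Version"
    $drmKey    = "$officeKey\Common\DRM"
    # Only touch Office versions that are actually present in this profile
    if (-not (Test-Path $officeKey)) { return $false }
    if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }
    # ExpandString = REG_EXPAND_SZ, the "Expandable String Value" created by hand above
    New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -Value $Path `
        -PropertyType ExpandString -Force | Out-Null
    return $true
}

function Get-AdminTemplatePath {
    param([string]$Version)
    $drmKey = "HKCU:\Software\Microsoft\Office\$Version\Common\DRM"
    if (-not (Test-Path $drmKey)) { return $null }
    (Get-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -ErrorAction SilentlyContinue).AdminTemplatePath
}

# Still set the value when the share is down: the Offline Files cache configured
# earlier is what keeps the templates usable off the LAN.
if (-not (Test-Path -LiteralPath $TemplateShare)) {
    Write-Warning "$TemplateShare is not reachable now; relying on the Offline Files cache"
} else {
    $count = @(Get-ChildItem -Path $TemplateShare -Filter '*.xml').Count
    Write-Host "$count template file(s) visible on $TemplateShare"
}

foreach ($v in $OfficeVersions) {
    if (Set-AdminTemplatePath -Version $v -Path $TemplateShare) {
        Write-Host ("Office {0}: AdminTemplatePath = {1}" -f $v, (Get-AdminTemplatePath -Version $v))
    }
}
```

Because the value is written per user under HKCU, the script must run as a user logon script (User Configuration => Windows Settings => Scripts), not as a startup script.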

 

Configure the rights policy templates path for Windows Vista

a. On the Group Policy Management console, expand the xxxxx node and then click Group Policy Objects.

b. Right-click the right panel and select New.

c. On New GPO, type VISTA – AD RMS Clients, and click OK.

Right-click VISTA – AD RMS Clients GPO and then click Edit.

d. In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then right-click Administrative Templates.

e. Click Add/Remove Templates, and then click Add.

f. In the File name box, type \\<AD Servername>\adrms\adm\, select office12.adm, and then click Open.

g. Click Close to close the Add/Remove Templates dialog box.

h. Expand User Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 System, and then click Manage Restricted Permissions.

i. In the details pane, double-click URL for location of document templates displayed when applications do not recognize rights-managed documents, click Enabled, and then type %localappdata%\Microsoft\DRM\templates\ and click OK.

j. Close the Group Policy Management Editor window.

k. On the left panel, right-click WMI Filters, and select New...

l. In New WMI Filter, in the Name box type “OS Vista”, and in the Description box type “Only target computers running Windows Vista”.

m. Click Add.

n. In the WMI Query window, in the Namespace box verify the value root\CIMv2, and under Query type the following line:

select * from Win32_OperatingSystem where Version like "6.0%"

o. Click OK and then click Save.

p. Expand Group Policy Objects, and select VISTA – AD RMS Clients GPO. On the right panel, under WMI Filtering, click the drop-down box and select OS Vista.

q. In the Group Policy Management window, click Yes.

r. On the left panel, right-click on xxxxxx and select Link an Existing GPO…

s. On the Select GPO window, select Vista – AD RMS Clients, and click OK.

t. On the right panel, right-click Vista – AD RMS Clients link, select Enforced, and click OK.

u. Close all windows.

v. Log off the AD server

w. Log on to the client machine as <Domain_name>\Administrator

x. On the Start menu, type Task Scheduler, and then press Enter.

y. In the Task Scheduler window, in the console tree, expand Task Scheduler Library, then expand Microsoft, expand Windows, and click Active Directory Rights Management Services Client.

z. In the details pane, click AD RMS Rights Policy Template Management (Automated), and then review the schedule task properties.

The AD RMS client requests rights policy templates from the AD RMS cluster by using a scheduled task, which is configured to query the template distribution pipeline on the AD RMS cluster. Two scheduled tasks are available on computers running Windows Vista SP1: one automated and one manual. The automated scheduled task is configured to run up to one hour after a user logs on to the computer and every morning at 3:00 A.M., but this scheduled task is disabled by default. You can enable and change the default configuration by using the Task Scheduler control panel.

aa. In the Actions pane, click Enable.

bb. In the Actions pane, click Properties.

cc. In the AD RMS Rights Policy Template Management (Automated) Properties dialog box, click the Triggers tab.

dd. Click At logon, and then click Edit.

ee. In the Delay task for list, click 30 Seconds. Click OK twice.

 

Note:

In the lab environment you want this task to execute shortly after logon, but after group policies have been applied to the computer. In a production environment the one-hour delay should work for most implementations, and the settings can be deployed using Group Policy.

ff. Close all open windows.

Protect the MS Word document using the template

 

a. Log on to the client machine as an end user

b. Start Microsoft Office Word 2007 Professional Plus or Word 2003 Professional.

c. Type the following text in the new document: This is a document that should not be altered by anyone besides the author.

d. On the Office menu, select Prepare and then Restrict Permission.

e. Confirm that you can see the templates listed, and select xxxx Confidential – Read Only.

f. Save the file as xxxxx Confidential.docx.

g. Log off the client machine.

Posted by amolrb | 0 Comments

Deploying RMS Client

This post talks about deploying the RMS client, activating the client and rights-protecting a document :)

 

The RMS client can be deployed manually, via GPO, or with any software installation solution.

Manual installation of the client is pretty simple and need not be documented. The following section describes automatic deployment of the RMS client (for XP machines) using GPO.

Download the RMS client from the following link

http://www.microsoft.com/downloads/details.aspx?FamilyId=02DA5107-2919-414B-A5A3-3102C7447838&displaylang=en

 

Installing the RMS Client via GPO

This section describes the steps involved in deploying the RMS client via GPO. The initial step is to create a GPO and check in the installer.

Creating GPO

a. On AD server, log on as <Domain Name>\Administrator.

b. Click the Start menu, click Run, then type c:\adrms\install\rms client v1.0 sp2\windowsrightmanagementservicessp2-KB917275-client-enu-x86.exe /extract and click OK.

c. Under Choose Directory for Extracted Files, verify the path is c:\adrms\install\rms client v1.0 sp2\ and click OK.

d. In the Extraction Complete window, click OK.

e. Click the Start menu, click Run, then type gpmc.msc and press Enter.

f. Expand forest: xxxxx node.

g. Expand the Domains node.

h. Expand the xxxxx node and then click Group Policy Objects.

i. Right-click and select New.

j. Under New GPO, type XP – AD RMS Clients and click OK.

k. Select the Group Policy object called XP – AD RMS Clients, right-click the GPO, and then click Edit.

l. In the Group Policy Management Editor, click Computer Configuration node, expand Policies, and expand Software Settings.

m. Right-click Software Installation, select New, and then select Package.

n. In the File name box, type \\<FQDN of AD Server>\ADRMS\install\RMS Client V1.0 SP2, and then click Open.

o. Select the file msdrmclient.msi and then click Open. Perform the same steps for RMClientBackCompat.msi.

p. In the Deploy Software dialog box, select the option Assigned and click OK.

q. Wait for several seconds, and then refresh the page.

r. Verify that the installation package appears in the right-hand panel.

s. Close the Group Policy Management Editor.

t. On the Group Policy Management left panel, right-click WMI Filters, and select New.

u. In New WMI Filter, in the Name box type “OS XP”. In the Description box, type “Only target computers running Windows XP Professional”.

v. Click Add.

w. In the WMI Query window, in the Namespace box verify the value root\CIMv2, and under Query type the following line:

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

x. Click OK, and then click Save.

y. Expand Group Policy Objects and select XP – AD RMS Clients. In the right panel under WMI Filter, click the drop-down box and select OS XP.

z. In the Group Policy Management window, click Yes.

aa. On the left panel, expand xxxxx, the xxx OU and the Workstation OU, then right-click the XP OU and select Link an Existing GPO.

bb. In the Select GPO window, select XP – AD RMS Clients, and click OK.

cc. Under the XP OU, right-click the XP – AD RMS Clients link, and select Enforced.

dd. Close all windows.

ee. Log off.
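The WMI filters attached to the XP GPO here and to the Vista GPO in the templates post are what keep the wrong client package off the wrong OS, and a filter that matches nothing fails silently: the GPO simply never applies. The following PowerShell snippet is an added example, not part of the post; it evaluates both filter queries exactly as written in the two posts on the local machine so you can confirm which GPO would apply before linking it. Nothing in it is specific to your environment.

```powershell
# Added example: evaluate the WMI filter queries from the XP and Vista GPOs on
# the local machine before linking them. A GPO WMI filter applies when the query
# returns at least one instance, which is what Test-WmiFilter checks.
$Filters = @{
    'OS XP'    = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'
    'OS Vista' = 'select * from Win32_OperatingSystem where Version like "6.0%"'
}

function Test-WmiFilter {
    param([string]$Query, [string]$Namespace = 'root\CIMv2')
    $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

$os = Get-WmiObject -Namespace 'root\CIMv2' -Class Win32_OperatingSystem
Write-Host ("This machine: Caption='{0}'  Version='{1}'" -f $os.Caption, $os.Version)

foreach ($name in $Filters.Keys) {
    $matches = Test-WmiFilter -Query $Filters[$name]
    Write-Host ("WMI filter '{0}' -> {1}" -f $name, $(if ($matches) { 'matches' } else { 'no match' }))
}
```

The Caption comparison in the XP filter is an exact string match, so a localized Windows or an x64 edition with a different caption will not match it; the Version-based form used for Vista is more robust, and you can test a candidate query for any OS by adding it to the $Filters table.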

 

Installing the client

The AD RMS client software is deployed using the GPO.

a. Log on as a user.

The installation begins when the GPO is applied to the computer during start-up.

b. Click Start, then Control Panel, double-click Add or Remove Programs, and verify that Windows Rights Management Client with Service Pack 2 appears in the Currently installed programs list.

c. If the AD RMS client doesn’t appear in the list, click Start, click Run, type “gpupdate /force”, press Y at the prompt, and then restart the client machine.

d. Close all open windows.

 

This ensures the clients are deployed across your organization automatically. If you need to test manually, you can simply run the RMS client installer and it will be installed.

Now, the next logical step after client deployment is to activate the RMS client.

 

Activating the RMS Client.

a. After opening Word, open the Office menu, select Prepare, and then Restrict Permission.

b. Check Restrict permission to this document and click OK. This triggers the AD RMS client activation. After that, close Word without saving the document.

c. Log on to the client machine as an end user.

d. Click the Start menu, click Run, type WinWord and press Enter.

Microsoft Word opens with a blank default page.

e. Click the Office button, select Prepare, Restrict Permission, and then click Restricted Access.

Notice the message configuring your computer for Information Rights Management.

Notice the message verifying your logon information for opening content with restricted permission.

This process installs a machine certificate, a rights account certificate, and a client licensor certificate for the user profile.

f. After the activation messages are complete, select the Restrict permission to this document check box, and then click the All users button (the button with the icon depicting two people) to the right of the Read box

 

Note: This restricts access to all AD RMS-enabled users in your RMS domain.

g. Click Cancel and close Word.

 

If you click OK instead, the document gets rights-protected :)

If you want to mass-activate the clients, the best way is to send a rights-protected mail to all users; the moment the users open the mail, the RMS client contacts the RMS server and activates. Activation is nothing but generating the machine certificate and the RAC.

 

Verifying that the Certificates (Machine and RACs) are generated

The client licensor certificate named CLC-<username>@xxxxx, the machine certificate named CERT-Machine.drm, and the RAC named GIC-<user_name>@xxxxx are all visible in the user’s profile.

a. Click Start, and point to Computer to start Windows Explorer.

b. Press the ALT key and click Tools menu, then click Folder Options.

c. On the View tab, enable Show hidden files and folders.

d. Click OK.

e. Browse to C:\Users\<user name>\AppData\Local\Microsoft\DRM.

f. Verify that the following files exist:

· CLC – <user_name>@xxxx.com

· CERT –Machine.drm

· GIC – <User_name>@xxxxx.com

g. Close Windows Explorer.

 

Now your organization’s users can start sending rights-protected mail, documents, Excel spreadsheets, presentations and much more that you intend to protect.

 

But if you want to classify information (confidential, read only, etc.) and assign rights uniformly at the enterprise level, then you need to look at RMS templates and configure them.

I will describe the steps to create templates and distribute them automatically in my next post.

Posted by amolrb | 0 Comments

Step by Step Guide to deploy RMS Server

So, today we shall see how to deploy RMS rapidly :)

 

Prerequisites

 

AD RMS would require the following –

· RMS Service account

· Ensure that every user who will author or open rights-protected content has the e-mail address attribute (mail) populated. RMS identifies users by e-mail address, so a RAC cannot be issued to an account without one.

· Ensure that the RMS server is a member server in the Domain.

· RMS server is reachable using DNS name.

· Ensure that RMS Server is included in the Trusted Sites of IE.

· Office 2003 Professional or Office 2007 Professional Plus for authors. End users who only consume protected content can be on Office 2003 Standard / Office 2007 Standard.

 

  • Creating AD RMS Service Account

a. If necessary, log onto the AD server as Administrator.

b. In the Server Manager window, expand Roles, then expand Active Directory Domain Services, and click Active Directory Users and Computers.

c. Create New User with the following parameters:

     i. First name: ADRMSSvc

     ii. User logon name: ADRMSSvc

     iii. Password: Str0ngPassw0rd (placeholder only; use a long, randomly generated password)

     iv. User must change password at next logon: Not Selected

     v. Password never expires: Selected

d. Select Next, and then Finish.

Close Active Directory Users and Computers

     

  • Creating a GPO to add the RMS server to IE's Trusted Sites

    a. In the Group Policy Management Editor, expand User Configuration, expand Policies, and then select Windows Settings.

    b. Expand the Internet Explorer Maintenance node and then click Security.

    c. In the details pane, double-click Security Zones and Content Ratings and click Continue in the pop-up window.

    d. In the Security Zones and Content Ratings dialog box, in the Security Zones and Privacy section, click Import the current security zones and privacy settings.

    e. Click Modify Settings.

    f. Click Trusted Sites, and then click Sites.

    g. Verify that the following entry is present (add it if it is not):

    · *.xxxxx.com (This would be your domain name)

    h. Click Close.

    i. Click Local Intranet, and then click Sites.

    j. Click the Advanced button.

    k. Verify that the following entry is present (add it if it is not):

    · *.xxxxx.com

    l. Click Close, and then click OK in the local Intranet window.

    m. Click OK twice to return to the Group Policy Object Editor and close the Group Policy Object Editor.

    n. Close the Group Policy Management Console.

    o. Close all windows and log off
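An added check, not from the original post: on a client where the GPO has applied, this PowerShell script reads the IE ZoneMap from the registry and reports which zone the RMS domain is mapped to, covering both policy-delivered mappings (under the Policies keys) and user-imported ones (under Internet Settings). The domain name xxxxx.com is the post's placeholder and must be replaced.

```powershell
# Added example (not from the original post): report which IE security zone the
# RMS server's domain is mapped to on this client. Zone ids: 0 Local Machine,
# 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# Assumption: xxxxx.com is a placeholder taken from the post; replace it.
$domain   = 'xxxxx.com'
$zoneName = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Mappings pushed by Group Policy land under the Policies keys; mappings imported
# or entered by the user land under the normal Internet Settings key.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

$found = $false
foreach ($root in $roots) {
    $domainKey = Join-Path $root $domain
    if (-not (Test-Path $domainKey)) { continue }

    # The domain key itself carries the "*.domain" mapping; each subkey is one host
    # (e.g. "adrms"). Values are named after the scheme: http, https or * (any).
    $entries = @{ "*.$domain" = (Get-Item $domainKey) }
    Get-ChildItem $domainKey | ForEach-Object { $entries["$($_.PSChildName).$domain"] = $_ }

    foreach ($name in $entries.Keys) {
        $props = Get-ItemProperty -Path $entries[$name].PSPath
        foreach ($scheme in 'http', 'https', '*') {
            $prop = $props.PSObject.Properties[$scheme]
            if ($prop -eq $null) { continue }
            $zone  = [int]$prop.Value
            $found = $true
            '{0,-28} {1,-5} zone {2} ({3})  source: {4}' -f $name, $scheme, $zone, $zoneName[$zone], $root
        }
    }
}

if ($found) {
    'Trusted sites (2) or Local intranet (1) is what the RMS client needs for silent Windows authentication.'
} else {
    Write-Warning "No zone mapping found for $domain; the RMS client may prompt for credentials instead of authenticating silently."
}
```

If the domain shows up only under the user's own Internet Settings key, the mapping came from the IE Maintenance import and will be overwritten the next time the policy is refreshed; if it is absent everywhere, check with gpresult that the GPO actually applied to the user.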

The other prerequisites do not require my help :)

I am sure you can check that the RMS server is reachable by pinging it from the client machines.

**** But don’t forget to ensure that the AD user accounts have email address field populated with valid email IDs.
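The account creation and the e-mail attribute check above can be scripted; the following is an added example, not from the original post. It assumes the Active Directory PowerShell module (Windows Server 2008 R2 or RSAT) running as a domain admin, the account name ADRMSSvc from the post, and an OU path and RMS FQDN that are placeholders to be replaced.

```powershell
# Added example (not from the original post): the service-account and e-mail
# prerequisites as a script. Assumes the ActiveDirectory module (2008 R2 / RSAT).
# The OU path and RMS FQDN below are assumed placeholders; change them.
Import-Module ActiveDirectory

$svcName = 'ADRMSSvc'
$ou      = 'OU=Service Accounts,DC=xxxxx,DC=com'   # assumed container

# 1. Service account: a plain domain user, nothing more. Prompt for the password
#    rather than embedding it in the script.
if (-not (Get-ADUser -Filter { SamAccountName -eq $svcName })) {
    $pwd = Read-Host -AsSecureString "Password for $svcName"
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $ou `
        -AccountPassword $pwd -Enabled $true `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
        -Description 'AD RMS service account - domain user only'
}
# The account should belong to Domain Users and nothing else (least privilege).
$extra = Get-ADPrincipalGroupMembership $svcName | Where-Object { $_.Name -ne 'Domain Users' }
if ($extra) { Write-Warning "$svcName is in extra groups: $($extra.Name -join ', ')" }

# 2. Every user who will author or consume RMS content needs the mail attribute;
#    without it the RMS server cannot issue a RAC for the account.
$noMail = Get-ADUser -Filter { Enabled -eq $true -and mail -notlike '*' } -Properties mail |
          Select-Object SamAccountName, DistinguishedName
if ($noMail) {
    Write-Warning ('{0} enabled user(s) have no e-mail address:' -f @($noMail).Count)
    $noMail | Format-Table -AutoSize
} else {
    'All enabled users have an e-mail address.'
}

# 3. The cluster name must resolve by FQDN (the clients use it, not a NetBIOS name).
$rmsFqdn = 'adrms.xxxxx.com'   # assumed placeholder from the post
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($rmsFqdn) | ForEach-Object { $_.IPAddressToString }
    "$rmsFqdn resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "$rmsFqdn does not resolve; fix DNS before provisioning the cluster."
}
```

The group-membership check is the one people skip: the service account needs no rights beyond Domain Users, so anything extra (Domain Admins in particular) widens the blast radius of the RMS web application without buying anything.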

 


Installing RMS Server (Provisioning RMS Server)

 

Let's see how the RMS server is provisioned on Windows Server 2008.

 

a. If necessary, log on as Administrator to the server that will become the RMS server.

b. Click the Start button, and then click Server Manager.

c. Click Roles, and then click Add Roles on the right panel. The Add Roles Wizard opens. Click Next.

d. On the Select Server Roles page, select Active Directory Rights Management Services.

e. The Add Role Wizard page appears, informing you that the required role-services dependencies on Message Queuing will be installed. Click Add Required Features to install the role and role services. This may take several minutes.

f. The Add Role Wizard page will show you the following role selected:

· Active Directory Rights Management Services

g. Click Next.

h. The Add Role Wizard page shows you an Introduction to Active Directory Rights Management Services. Click Next to continue.

i. The Add Role Wizard page shows you the component list. Only Active Directory Rights Management Services is selected. Click Next.

j. The Add Role Wizard – Create or Join an AD RMS Cluster page appears. Verify that the only option available is Create a New AD RMS Cluster and then click Next.

k. The Add Role Wizard – Select Configuration Database page appears. Select Use a different database server, and click Select.

l. In the Select Computer window, type the name of your SQL Server computer, click Check Names, and then click OK.

m. In the Database Instance dropdown, select Default, then click Validate and click Next.

 

Note: For Production environment, It is highly recommended that the databases are installed on a separate machine or SQL cluster.

n. The Add Role Wizard – Specify Service Account page appears; click the Specify... button and assign the following attributes to the account:

i. Username: ADRMSSvc (the service account created earlier)

ii. Password: ********* (some strong password you can provide)

o. Click Next.

 

Note: This account doesn’t require any additional privileges (domain user only).

 

p. The Add Role Wizard – Configure AD RMS Cluster Key Storage page appears; click Use AD RMS centrally managed key storage, and then click Next.

q. The Add Role Wizard – Specify AD RMS Cluster Key Password page appears; specify the following strong password: Sup3r$Str0ngP@$$w0rd& and then click Next.

 

Note: The cluster key password protects the AD RMS cluster key (the server licensor certificate's private key), which centrally managed key storage keeps encrypted in the configuration database. You will need the same password again to join another server to this cluster or to restore it, so record it in a secure location. The sample password above is only an example.

r. The Add Role Wizard – Select AD RMS Cluster Web Site page appears; verify that Default Web Site is selected and then click Next.

s. The Add Role Wizard – Specify Cluster Address page appears; select the option Use an SSL-encrypted connection (https://), and then specify the following FQDN: adrms.xxxxxx.com. Verify that the port specified is 443, click Validate and then click Next.

t. The Add Role Wizard – Name the Server Licensor Certificate page appears; assign a friendly name that represents your AD RMS organization, such as “xxxxx – AD RMS”, and then click Next.

(where xxxx is your company name)

u. The Add Role Wizard – Register AD RMS Service Connection Point page appears; select the option Register the AD RMS service connection point now, and then click Next.

v. The Add Role Wizard – Confirm Installation Selections page appears; verify that all the parameters are as you specified them to be configured, and then click Install. The installation process begins.

w. The Add Role Wizard – Installation Results page appears; verify that all components have been installed successfully, and then click Close.

x. Open the IIS Console.

y. Close all the windows and then restart the server

 

Create AD RMS Console

a. Log on to RMS Server as the Administrator.

b. Click Start, click Run, type mmc, and press Enter.

c. The MMC Console appears.

d. Click the File menu and then select Add or Remove Snap-ins.

e. In the Add or Remove Snap-ins window, select Active Directory Rights Management Services. Click the Add button and then click OK.

f. Select the Active Directory Rights Management Services snap-in and select the option Add Cluster in the right pane.

g. In the Add Cluster window, select the option called Connect To, and then select local machine and then click Finish.

h. In the File menu, select the option called Save. Put the MMC file on the computer desktop and assign the following name to the console: AD RMS

i. Do not close the AD RMS Console.

 

Configuring Extranet Pipelines

If you want your rights-protected document to be accessible from outside your organization, you must configure the external URLs immediately. The URL should not change after it is configured. The rights-protected documents contain this information within the non-encrypted header of the document. If you change the URL or configure the URL at a later time, none of the previously protected documents will be accessible from the extranet. These changes will not propagate to previously protected documents.

 

a. In the AD RMS MMC, expand Active Directory Rights Management Services, right-click adrms.xxxxxx.com, and then click Properties. Click the Cluster URLs tab, and then select the Extranet URLs check box.

b. For Licensing, click https://, and then type adrms.xxxxx.com

c. For Certification, click https://, and then type adrms.xxxxx.com

d. Click OK.

e. Close all the windows .

f. On the Microsoft Management Console, click No so that changes to the console will not be saved.

 

On the AD Domain Controller - Verify that the AD RMS service connection point is registered in Active Directory:

a. Log on to AD Domain Controller as the <Domain_name>\Administrator.

b. Click Start, click Run, and then type dssite.msc in the Open box. Click OK.

c. Expand Services and select RightsManagementServices. In the right panel, select SCP, then right-click and select Properties. In the SCP Properties dialog box, select the Attribute Editor tab, then select distinguishedName and click View.

On String Attribute Editor view, verify the following value: CN=SCP, CN=RightsManagementServices,CN=Services, CN=Configuration, DC=xxxxx,DC=com

Notice the various attributes registered in the service connection point. The keywords attribute is used by the clients to help query this object.

d. Click OK twice.

e. Close Active Directory Sites and Services. Don’t log off

 

Note - To let external users, or employees working from the extranet, access rights-protected information, the following must be in place:

    • Allow TCP 443 (and TCP 80, if any pipeline is served over HTTP) inbound to the RMS server through the firewall. With the SSL cluster address configured above, 443 is what the clients will actually use.
    • Publish the extranet URL of RMS in external DNS, i.e. external users must be able to resolve the extranet URL of the RMS server.
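As an added example (not from the original post), the following PowerShell script reads the SCP from the Configuration partition and then probes the certification and licensing pipelines over HTTPS. It assumes the cluster URL https://adrms.xxxxx.com from the post and the standard AD RMS pipeline paths under /_wmcs/ (certification/certification.asmx and licensing/license.asmx); run it from a domain-joined client so the integrated authentication succeeds.

```powershell
# Added example (not from the original post): confirm the AD RMS service connection
# point and that the cluster's pipelines answer over HTTPS. Assumes the post's cluster
# URL (placeholder) and the standard /_wmcs/ pipeline paths.

# 1. SCP: RMS clients discover their cluster through this object, so its
#    serviceBindingInformation must be the URL you want clients to use.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext.Value
$scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
try {
    $scp = [ADSI]"LDAP://$scpDn"
    $dn  = [string]$scp.distinguishedName.Value   # forces the bind; throws if the object is missing
} catch {
    Write-Warning "SCP not found at $scpDn ($($_.Exception.Message)); re-register it from the AD RMS console."
    return
}
"SCP: $dn"
'  serviceBindingInformation: ' + (@($scp.serviceBindingInformation) -join ', ')
'  keywords: ' + (@($scp.keywords) -join ', ')

# 2. Pipelines: both must answer on 443, the SSL choice made during provisioning.
$clusterUrl = 'https://adrms.xxxxx.com'   # assumed placeholder from the post
$pipelines  = @(
    "$clusterUrl/_wmcs/certification/certification.asmx",
    "$clusterUrl/_wmcs/licensing/license.asmx"
)
foreach ($url in $pipelines) {
    try {
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.UseDefaultCredentials = $true   # the pipelines use Windows integrated auth
        $req.Method  = 'GET'
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        '{0,-62} HTTP {1} ({2})' -f $url, [int]$resp.StatusCode, $resp.Server
        $resp.Close()
    } catch [System.Net.WebException] {
        # An HTTP status still proves the pipeline is there; a name-resolution, TCP or
        # certificate error means the DNS, firewall or SSL prerequisite is not met.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Status }
        Write-Warning ('{0} -> {1}' -f $url, $status)
    }
}
```

Run it once from the intranet and once from a machine that can only reach the extranet URL: the SCP output tells you what the clients will try first, and the two probes show whether each path works from where you are.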

Back up the AD RMS Private Key

Back up the AD RMS private key using following steps:

a. On the Desktop, click AD RMS.msc.

b. Expand Active Directory Rights Management Services.

c. Expand adrms.xxxx.com.

d. Expand Trust Policy and then select Trusted Publishing Domains.

e. Select xxxxx AD RMS and click Export Trusted Publishing Domain.

f. Click Save as, navigate to the desktop, and type xxxxx-Private-Key in the file name field.

g. Click Save, type a strong password to protect the export (pass@word1 is only a placeholder; do not use it), and confirm the password.

h. Click Finish and do not save the changes.

i. Close the AD RMS Management Console.

 

Note: Store this file in a very secure place, and keep the password separately from it. The exported trusted publishing domain contains the cluster's server licensor certificate together with its private key; anyone holding the file and its password can issue licenses for every document this cluster has ever protected. In disaster recovery this file, together with a backup of the configuration database, is used to restore the service.


How RMS Works??

This post is going to talk about components of RMS technology and How it works.

 

Components of RMS:

RMS has following components -

 

  • RMS Server
  • RMS Client
  • RMS Aware applications

RMS Server -

  • Is the heart of RMS Solution. RMS Server has set of web services that run on top of IIS (internet information services) and perform three major functions
    • Certification: RMS Server validates the user and provides RMS user credential called “RAC”.  User is able to access the rights protected information using this RAC. More about RAC later.
    • Publishing: RMS server uses RAC and protects information using the “publishing” service i.e. encrypts the information and attaches a “publishing license” containing the information protection policy (i.e. who can view, edit, copy, etc)
    • Licensing: RMS server provides “Use License” to the recipient to access the protected information (document, email, etc) using Licensing service. The “use license” permits access to rights protected information based on the policy that was applied during the Publishing stage.
  • The RMS server provides administrative console based on MMC-snap in, which allows administrators to configure the RMS Server for policies, templates, Certificate validity, Trusts etc.
  • The Backend Database, which can be SQL Server or Windows Internal Database (in case of windows 2008 or MSDE in case of Windows 2003) is used for storing all the policies, certificates, keys etc. MSDE or Windows Internal Database is not recommended for Production environment. They are meant for test environment only.

RMS client -

  • The RMS client software on the client machine falls into 2 major categories: the RMS client APIs and the "lockbox"
    • The RMS client API’s are invoked by the applications to protect information: for example to create publishing licenses or request use licenses
    • The lockbox performs the low-level cryptographic operations on behalf of the user and application, so that content keys and the user's private key are never handed to the calling application
  • Additionally, a set of credentials are stored on the client machine. These credentials establish the trust model
    • The machine certificate ensures that the RMS client running on the client machine is the true and legitimate RMS software from Microsoft, and not some rogue application
    • The user certificate, also called a "RAC" or rights account certificate, binds the user's identity (e-mail address) to a key pair, so the RMS server and client can establish who the user is
    • The client licensor certificate (CLC) allows an RMS user to protect information without a live connection to an RMS server (i.e. “offline”)
    • Each of these credentials has an associated public/private key pair, the private keys are protected in the system using DPAPI or data protection API, a standard set of Microsoft interfaces

RMS Aware applications

The RMS aware applications calls RMS client APIs to enable information protection features such as the “do not forward” email or the “company confidential” document etc.

The RMS client requires a credential called an "application manifest" from any application that calls it, to ensure that the calling application is a trusted RMS-enabled application and not a rogue one. The application manifest attests that the calling application is the same one (based on a hash of its executables) for which Microsoft signed a rights management license agreement, which in turn requires the developer to meet certain security and tamper-resistance requirements. Its purpose is to stop rogue applications from surfacing and degrading the value of RMS protection.

 

A very good component diagram of RMS, which I generally refer to in my presentations for easy understanding is as follows -

(image: RMS component diagram, not reproduced here)

 

How RMS Works?

 

Again a very easy to understand pictorial representation of how RMS works -

 

 

(image: RMS information flow diagram, not reproduced here)

 

To rights-protect a document, or to open one, the user's RMS client must obtain certificates and licenses from the RMS server (with a CLC an author can publish offline, but a consumer still needs a use license for each piece of content). The diagram above shows the flow of information in an RMS environment.

 

  1. An author wants to rights-protect a document. The first time the author protects information, the RMS client obtains a RAC ("rights account certificate") for the user and a client licensor certificate (CLC) from the server; the machine certificate was already created when the client was activated.
  2. The author applies an RMS policy (a template or ad hoc rights) to the file. The application works with the RMS client to create a "publishing license", encrypt the file, and append the publishing license to it.
  3. The author shares or distributes the document with other users.
  4. A recipient tries to open the rights-protected document. The application sends the recipient's RAC and the publishing license to the RMS server, which validates the user against the policy in the publishing license and, if the user is granted access, issues a "use license" carrying the content key for that user.
  5. The recipient's application decrypts the file with the use license and enforces the rights defined in the publishing license (view, edit, print, and so on).

Authorized Users can access the rights protected information within the organization & outside the organization.

RMS lets you define 2 URLs: an internal URL for intranet access, and an extranet URL for Internet-based clients (users accessing remotely, external users, etc).

The internal name is the url or NetBIOS name that intranet clients will use to connect to the RMS server. The external name is an internet-resolvable name that external recipients or home/traveling users will use to connect to the RMS server. At publishing time, the RMS client places both names into the publishing license of content it protects. The recipient’s RMS client reads the internal and external names out of the publishing license of content it tries to consume. It attempts to connect to an RMS server via the internal name first, and if this does not work it tries the external name second.

Tip –

  • Always specify FQDN for both Internal and Extranet URL.
  • Even if you don't intend to publish the extranet URL, it is advisable to populate it, because the RMS client falls back to the extranet URL whenever it cannot connect on the internal URL.

In my next post, I am going to provide some step-by-step guide in deploying RMS on Windows 2008. This would enable you to deploy and start using RMS.


Various Links to ILM 2

Tech.ed 2009 ILM 2 session was good and thanks to all the attendees for making it a nice interactive one.

As I had mentioned, please find the various links for ILM 2 a.k.a Forefront identity manager 2010 as below -

 

· www.microsoft.com/ilm

· http://technet.microsoft.com/en-us/library/cc561136.aspx => ILM 2 TechNet Library

· http://technet.microsoft.com/en-us/library/cc561134.aspx => Getting Started

· http://technet.microsoft.com/en-us/ilm/default.aspx => Tech Center Home for ILM

· Tech Center has MS Blogs for ILM

· http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/threads/ => ILM Forum

 

I would be posting some RMS stuff in subsequent posts…


Rights Management Services

One of the key components in Microsoft’s IDA stack is Rights Management Services a.k.a RMS.

RMS offers protection to information / data in terms of who can access it and what they may do with it. RMS should not be confused with Access Management solutions.

Access Management solutions, which I described in my earlier posts, perform access control / authorization decisions at the enterprise level for the various enterprise applications. That means you are shown a portal listing the applications that you as an individual are "entitled" to access based on your "job function a.k.a. role", and the Access Management solution controls access to those applications.

 

However, RMS move few steps forward. After all, what is that you are using application for? Accessing or viewing data? Updating / Modifying data?

RMS protects this data in a way and sets permission for users to access.

 

What is Rights Management??

RMS is information protection technology that helps safeguard digital information from unauthorized use–in an online and offline environment, inside and outside of the firewall i.e. within your organization and outside your organization's network boundary.

RMS can define how a recipient may use the information: who can open, modify, print, forward or take other actions with it. A recipient who has not been granted permission cannot open the document, mail or file at all. RMS can be applied to documents, mails and HTML and, with the solution framework, to other file formats and applications; the application needs to be RMS-aware, and for home-grown applications RMS provides an SDK to make them RMS-aware.

 

Using RMS, organizations can create custom usage rights templates such as “Confidential - Read Only” that can be applied directly to information such as financial reports, product specifications, customer data, and e-mail messages. For example, RMS can help protect information in a wide range of situations, including the following:

· Intranet content. A manager within a large multinational pharmaceuticals company has been granted access to the online sales system. She navigates to the year-over-year sales information on the enterprise information portal, and the information is displayed on-screen within her RMS-enabled browser. Because the information is sensitive, specific usage restrictions have been applied to the report she sees. The manager gets the information she needs, conveniently, but because she does not have rights to print, copy, or paste the information on screen, the company’s sensitive sales data is better protected from inadvertent or deliberate sharing with an unauthorized individual.

· E-mail communications. A CEO needs to send an e-mail message that contains confidential information about an upcoming reorganization to his executive staff. In his RMS-enabled e-mail application, he selects a template to specify that recipients can only read the e-mail message, and that they cannot copy, paste, edit, or forward the information. The recipients receive the e-mail message and view it in an RMS-enabled e-mail application or browser, which transparently enforces the permissions. The CEO has a new level of confidence that this sensitive information will not be shared beyond his executive staff.

· Documents. Using a simple on-screen toolbar button or menu prompt built into her RMS-enabled word processor, a research manager at a manufacturing company rights-protects a new product research report to allow selected members of the product development team to preview and comment on the information for exactly one week. She sends the rights-protected document to multiple people via e-mail. When each person opens the document, their RMS-enabled word processor or browser enforces the rights assigned to the document, including the time-based conditions; after a week, the rights expire and these individuals can no longer open the document. The research manager then rights-protects and distributes the final version as company confidential read-only to the entire product development team. The research manager feels confident that the product development team only has access to the final information and that it is protected from unauthorized individuals, such as a competitor, viewing this information.

These are just some of the examples.

 

The protection offered by RMS is persistent, i.e. it travels with the information: even if a file is archived or leaks via some medium, it stays encrypted and can only be used by someone who can obtain a use license under its policy. This helps organizations keep sensitive information from falling into the wrong hands, whether intentionally or accidentally.

Why RMS?

Loss of information has always been a problem for organizations; hence we have Information Security to guard against it.

With the economic downturn, the problem has been aggravated. Disgruntled employees pass on sensitive information: customer data (finance and banking), engineering drawings and designs (manufacturing), source code or customer data (IT / ITES), medical formulae or patient information (pharma and healthcare), etc. This loss of data hurts organizations not only financially but also in competitive edge, reputation and other intangible ways.

Furthermore, regulatory bodies and auditors have started questioning the basis of information security and demand protection of information.

Obviously, a solution like RMS is required to protect information from unauthorized access and to protect the interests of organizations and industries.

 

In my next post, I am going to talk more on the technology and how it works.

Demo on ILM 2

As I had mentioned in my earlier post, I am attaching the Video of the demo I conducted at Virtual Tech Day.

ILM 2 Demo

 

Watch out for more in this space…. :)


ILM 2 : A powerful Identity Management solution

Microsoft has been in Identity Management with MIIS and ILM 2007.

MIIS, Microsoft Identity Integration Server 2003, has given customers the capability to -

    • synchronize the identities across various data sources
    • Synchronize the password
    • user provisioning, de-provisioning, managing users etc.

However, MIIS lacked the workflows, reporting and powerful self-service capabilities that make an Identity Management solution complete.

ILM 2007 provides MIIS capabilities as well as Certificate Lifecycle Management capabilities. Certificate Lifecycle Management allows organizations to -

    • Manage the life cycle of digital certificates and smart cards
    • Centralized administration of certificates and smart cards
    • Workflow and policies for activities -
      • Configurable policy-based workflows for common tasks
      • Enroll/renew/update
      • Recover/card replacement
      • Revoke
      • Retire/disable smart card
      • Issue temporary/duplicate smart card
      • Personalize smart card
    • Self-service capabilities to end-users to reset the PINs, request for above activities
    • auditing and reporting; and
    • Integration with Active Directory Certificate Services.

ILM 2 provides more capabilities than its predecessor. The capabilities of ILM 2 includes -

    • Extensible Windows Workflow Foundation based workflows -
      • allow IT professionals to quickly create, update and modify workflows based on business processes
      • Does not require any programming or scripting.
      • The workflows are based on WF (Windows Workflow Foundation), which enables organizations to import and reuse workflows
      • Provides WS-* APIs to enable customization at product and solution level.

(image: ILM 2 workflow screenshot, not reproduced here)

    • Enforces policies from a centralized Server. The interface is Windows SharePoint Services (WSS).
    • Management of 3rd Party CAs and OTPs.
    • Credential Management using workflows for e.g. automatically provision a user account, set their initial password, and kick off the process to issue smart cards and digital certificates to the user.
    • Powerful Self-Service Password Reset – Allows users to reset the password at Desktop logon. Additionally portal based password reset is also available.
    • Self-service Profile management – allows users to manage their profiles, raise request for additional accounts, access etc.
    • Codeless User Provisioning – Unlike MIIS, ILM 2 does not require writing any codes to perform Identity Management.
    • Group Management – Capability to manage the Security groups, DLs in the target systems
    • Tighter integration with Office -
      • Group Management via Office - Users can use Outlook to raise request for group memberships, DL subscription etc.
      • Offline approvals - The Managers can approve the request on mails instead of logging on to portal and approving the request.

 

(image: ILM 2 capabilities overview, not reproduced here)

These are few of the capabilities that makes ILM 2 a more powerful solution.

High Level Architecture of ILM 2 is as below -

(image: ILM 2 high-level architecture diagram, not reproduced here)

In order to understand how ILM 2 works and have a quick peek look at various scenarios, I would attach the Video of my session in recent Virtual Tech Day, in my next post.


IDA for Dummies – Part III

Access Management

 

Access Management, aka Authorization Management, enforces the access control policies specified at the enterprise level. Does this mean that you would not require authorization within the applications?

Well, there has been lot of debates and views on this topic. Lots of people feel that the native authorization (embedded within application) can be eliminated when Access Management Solution is deployed.

 

It's easier said than done.

 

Firstly, let me clarify what I mean.

When any organization deploys Access Management Solution, they can -

  • Perform the enterprise wide access control to the application from central system
  • eliminate the broader authorization decisions from the application logic and let it be governed centrally
  • provide an enhanced user experience by facilitating SSO (Single Sign On) for the users, of course only for web-based applications

 

How would access management work?

 

(image: access management flow diagram, not reproduced here)

Deploying access management would typically mean that you would -

  • Use Access Management as a security layer to perform access control / authorization at Enterprise Level. Which implies that -
    • the user would first hit the Access Management layer when they browse for applications….
    • Access Management would intercept the request and validate the user credentials
    • If the user credentials are valid, then based on the role of user, the entitled applications are displayed in the portal
    • User clicks on the application in portal and gets SSO to the application.
    • The control is passed to the application and then the application would perform the granular access control.
    • If the user is not entitled to access the application, the application is not displayed in the Access Management portal interface.

 

Challenges

With existing applications that have been deployed in an organization for years, it is difficult to strip out the authorization layer and hand it to something external. The application logic needs to be recoded and recompiled to support this, which is not well received by the application teams/owners.

 

Also, no Access Management solution can provide you granular authorization control from central system which the built-in application authorization module would provide.

So, How do we use Access Management at Enterprise level?

The Access Management solution and the applications need to coexist for now, as you cannot strip the authorization module out of existing apps. Future apps can rely completely on the Access Management framework; to what level of granularity is the organization's decision :)

 

What are benefits of Access Management?

As I mentioned earlier -

  • Centralized control of access rather than native
  • Faster time to deploy as new applications may have limited authorization module and rely on Access Management framework.
  • SSO to users…hence less credentials to remember
  • Centralized audit trails of activities performed by users
  • Hide the applications from users which they are not entitled to access…

IDA for Dummies – part II

This is not my favorite header though…but I chose this for only reason that “XXXX for Dummies” was pretty successful series :)

 

What Does Identity Management Help in-

  • Set house in order: Frankly, I have been to one of the very big financial organizations in India. And guess what? They have loads of user accounts of employees who no longer work for them. They have no information about which IDs to keep and which to delete.

Identity Management is very useful in deleting the orphan or ghost accounts :)

  • Provision new users rapidly:
    • Imagine joining an organization and being handed your IDs, along with the password, by your manager on your first day. What's your impression? Who cares about the employee's impression... well, firstly, the employee gets on the job on day one, which saves money for the company, and don't forget the "feel good factor" of the employee about the organization.
  • Management of users – Changes in roles, promotions, demotions, acquisitions, mergers / demergers etc are handled in automated manner. Again saves money for organizations…
  • User IDs are created based on the roles and hence no extra authorizations provided. Makes environment safe.
  • Faster time to rollout for new applications – When new applications are out, the organization can just integrate with the Identity Management framework and Identities are populated into new application. This decreases the time to market for organizations…giving them competitive edge.
  • If your organizations are subjected to Audits, this would definitely help you get compliance…
  • Users would reset their own password using self-service mechanism….again IT Teams involvement reduced..they can work on something more useful…saving money for organizations again.
  • Users can request for additional access/authorization which can be tracked based on audit  trails.
  • All approvals / rejections are tracked, creating sense of accountability in organization.

 

These are some of the benefits of Identity Management. There are more and they depend on organization to organization too.

Access Management is the step above Identity Management: once your user data is cleansed, it governs how access policies are enforced. I would talk more on Access Management later.
