
RMS: Protecting Your Assets.

The Protecting 'My' Asset Disclaimer: This is my 'un-official', 'in my spare time', 'use at your own risk', all things RMS (Rights Management Services), IRM (Information Rights Management), IPP (Information Protection Pla

Translation of Rights. Straight from the help files...somewhere....


I've often wondered if we ever had documentation that explains what the rights you assign to a template actually translate to. I've travelled to the deepest, darkest corners of Microsoft searching for answers. Armed with a map of the mother ship, and the 'Staff of Ra', and with no lack of dangerous booby traps and poisonous snakes, the tomb that held these ancient scripts for so long was revealed....and now I bring them to you. (Thanks Jim!!).


Active Directory Rights Management Services (AD RMS) rights provide the means for controlling how a user can access, use, and redistribute rights-protected content. Some rights are enforced exclusively by AD RMS-enabled applications or browsers, while others are enforced primarily by the AD RMS client (although applications can still apply their own interpretation of the right). The rights enforced by the AD RMS client control how license information is used, such as whether the license can be used to re-encrypt previously decrypted content. Rights that control how content is used are interpreted and enforced by AD RMS-enabled applications, such as Microsoft Office applications. For example, Microsoft Office applications enforce the View right by allowing a user to decrypt and view the contents of a protected document if the user has been granted the View right.

The following table lists the rights that are available by default when you create a rights policy template and gives a brief description of how the right is enforced by the AD RMS client and interpreted by common AD RMS-enabled applications.

Note: AD RMS-enabled applications can interpret these rights differently. This is intended as a general description for how these rights are typically used. Consult the documentation of the specific application for information on how these rights are enforced.

| Right | Description |
| --- | --- |
| Full control | If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user. |
| View | If this right is granted, the AD RMS client allows protected content to be decrypted. Typically, when this right is granted, the application will allow the user to view protected content. |
| Edit | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right. |
| Save | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Edit right. |
| Export (Save As) | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to use the “Save As” feature to save protected content to a new file. |
| Print | Typically, when this right is granted, the application will allow the user to print protected content. |
| Forward | Typically, when this right is granted, the application will allow an e-mail recipient to forward a protected message. |
| Reply | Typically, when this right is granted, the application will allow an e-mail recipient to reply to a protected message and include a copy of the original message. |
| Reply All | Typically, when this right is granted, the application will allow an e-mail recipient to reply to all recipients of a protected message and include a copy of the original message. |
| Extract | Typically, when this right is granted, the application will allow the user to copy and paste information from protected content. |
| Allow Macros | Typically, when this right is granted, the application will allow the user to run macros in the document or use an editor to modify macros in the document. |
| View Rights | If this right is granted, the AD RMS client allows a user to view the user rights that are assigned by the license. |
| Edit Rights | If this right is granted, the AD RMS client allows a user to edit the user rights that are assigned by the license. |
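The split between client-enforced and application-interpreted rights can be checked mechanically when reviewing a template. The following is an added example, not code from the original post or from Microsoft: it encodes the table's descriptions (the capability labels and the function name `audit_template` are invented here) and sorts each right a template withholds by whether the table describes any client-side behavior backing that denial.

```python
# Added example. Capability labels and audit_template() are invented for this
# sketch; the mapping restates the table above, not the AD RMS API.
DECRYPT, REENCRYPT = "decrypt", "re-encrypt with same content key"
SHOW, CHANGE = "view rights in license", "edit rights in license"

# Client-side behavior the table describes per right. An empty set means the
# table describes only what the application typically does.
CLIENT_CAPS = {
    "View": {DECRYPT},
    "Edit": {DECRYPT, REENCRYPT},
    "Save": {DECRYPT, REENCRYPT},
    "Export (Save As)": {DECRYPT, REENCRYPT},
    "View Rights": {SHOW},
    "Edit Rights": {CHANGE},
    **{r: set() for r in ("Print", "Forward", "Reply", "Reply All",
                          "Extract", "Allow Macros")},
}

def audit_template(granted):
    """Classify every right the template does NOT grant."""
    granted = set(granted)
    unknown = granted - set(CLIENT_CAPS) - {"Full control"}
    if unknown:
        raise ValueError(f"rights not in the table: {sorted(unknown)}")
    if "Full control" in granted:  # simplification: every right in the table
        granted = set(CLIENT_CAPS)
    client_caps = set().union(*(CLIENT_CAPS[r] for r in granted))
    report = {"client_backed": [], "shadowed": [], "app_only": []}
    for right in sorted(set(CLIENT_CAPS) - granted):
        caps = CLIENT_CAPS[right]
        if not caps:
            report["app_only"].append(right)       # application is the only gate
        elif caps <= client_caps:
            report["shadowed"].append(right)       # same client behavior already granted
        else:
            report["client_backed"].append(right)  # client withholds something
    return report

if __name__ == "__main__":
    # Constructed sample templates.
    for name, rights in [("reviewer", ["View", "Edit", "Save"]),
                         ("read-only", ["View"])]:
        print(name, audit_template(rights))
```

In the `reviewer` sample, Export (Save As) lands in `shadowed`: per the table, the client behavior for Export is the same as for Edit and Save, so withholding it depends on the application telling the two apart.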

Comments
  • I am confused about what the "View Rights" and "Edit Rights" permissions actually do. On TechNet (http://technet.microsoft.com/en-us/library/dd996658%28WS.10%29.aspx), they are defined as:

    #  View Rights - If this right is granted, the AD RMS client allows a user to create a new publishing license from the existing license, but the content key is not preserved.

    # Edit Rights - If this right is granted, the AD RMS client allows a user to edit the user rights that are assigned by the license while keeping the same content key.

    The "Edit Rights" definition, both as stated by you and listed on technet, seems to be saying that any user granted this right can go in and change the rights on the document. This makes a certain amount of sense, but I have not been able to verify that granting this right actually changes anything about a user's access to a document or allows the user to change the permissions on the document.

    I can't make any sense out of "View Rights" at all, by the technet description, and by your description it would seem that "View Rights" would allow me to look at the "View Permissions" option in, say, Word, but I can do that regardless of whether I have the "View Rights" permission.

    Thoughts? Help?

  • I have an AD RMS server running on Windows Server 2008 R2 with a custom template. Our clients run either Windows XP or Windows 7. The template permissions are: View - yes, Edit - yes, Copy - no, Print - no, Save - yes, Export - no, Access the document programmatically - yes (which we needed to use the add-in), and Full control - no. Our goal for these documents is to allow users to make changes to the document (with track changes turned on) and save it, but not print it or save it as another document or in another location. In Word 2007 I understand that the export permission (save as) was not supported but it is in Word 2010. When I create and protect a Word 2010 document using this template, however, the save as option is available when, based on the template security, it shouldn't be. What am I missing here? For Office 2007 we had a custom add-in that enforced the missing permissions, but we would rather not have to use it with Office 2010, since it restricts us to one particular network location for all protected documents. Any help would be appreciated.
