Q: How can I set up RMS-based protection to the documents users store in SharePoint?
Windows Rights Management Services (RMS) can provide access control for common document types in SharePoint, but there are some restrictions and complexities to be aware of.
September 20, 2012
A: You can use Windows Rights Management Services (RMS) to protect SharePoint documents in the two most recent releases of SharePoint; SharePoint Server 2010 and SharePoint Server 2007 both include RMS support. However, there are some restrictions and complexities you should be aware of if you plan to set up RMS with your SharePoint installations.
An important thing to know is that RMS can only encrypt SharePoint documents and subject them to RMS access control restrictions when they are downloaded from a SharePoint 2010 or SharePoint 2007 document library. RMS doesn't leave SharePoint documents encrypted while they're stored on the SharePoint server. This restriction exists so that SharePoint can index and scan the documents on a SharePoint storage provider. RMS applies its restrictions to a document only right before it's downloaded to a client computer. Similarly, when an RMS-protected document is uploaded to a SharePoint site, RMS removes all protection from the document until a new download request is received.
SharePoint-RMS integration ensures that security restrictions are enforced even after a document has left a SharePoint server, which is something that can't be achieved using the standard SharePoint permissions. SharePoint-RMS integration also automatically enforces an organization's RMS document security policies. A SharePoint administrator can centrally define different RMS policies for the document libraries hosted on a SharePoint server. Therefore, individual users don't have to decide what protection they need to apply to documents they post in SharePoint libraries. RMS permissions are defined at the SharePoint document library level: Documents in a library automatically inherit the library's RMS permissions. This protection applies to both existing and new documents in the SharePoint library.
The RMS protection of SharePoint data is, just like the RMS protection that's bundled with Windows and Microsoft Office, only possible for certain file formats. Out of the box, it supports Word, Excel, PowerPoint, InfoPath, and XPS files. Extensions to apply RMS protection to other file formats (e.g., .pdf, .cad) can be added through special software from Microsoft partners such as Liquid Machines (now part of Check Point Software Technologies) and GigaTrust.
RMS support for SharePoint can be set up using either RMS SP2 or RMS V2, which is bundled with Windows Server 2008. Provided you already have a functioning RMS infrastructure, enabling RMS protection in SharePoint is relatively straightforward. The main configuration actions are
enabling RMS support on the SharePoint server
setting the actual RMS restrictions in the configuration of a given document library
You can enable RMS support in SharePoint by selecting either the Use the default RMS server specified in Active Directory or Use this RMS server option in the Information Rights Management section of the SharePoint Central AdministrationOperations configuration section.
To set RMS restrictions on a SharePoint document library you must use the Information Rights Management section in the Permissions and Management configuration section of the document library. When you select the Restrict permission to documents in this library on download check box, you can further refine the RMS protection as follows:
Allow users to print documents.
Enforce users to verify their credentials every x number of days. This setting can be useful when someone who has access to RMS-protected confidential data leaves your organization; the individual will retain access to the data only for x days after his or her last successful authentication to an RMS server.
Reject files that don't support Microsoft Information Rights Management (IRM). Selecting this option results in SharePoint rejecting the upload of document formats that don't support RMS.
Remove RMS protection on a particular date. This setting is useful for publishing company financial results, for instance. After the quarterly results are published, the RMS protection policy on the quarterly results SharePoint library automatically changes -- meaning that the RMS restrictions are removed.
Microsoft provides more detailed guidance on how to set up SharePoint-RMS integration in the article "Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide," which is available from Microsoft's website.
About the Author
You May Also Like