Interpreting XrML Rights

The Active Directory Rights Management Services (AD RMS) system has only three built-in rights: EDIT, OWNER, and VIEWRIGHTSDATA. A publishing application is free to create additional rights. A content publisher can create a PLAY right, a PRINT right, or a FORWARD right, but how these rights are defined is up to the consuming application. The purpose of the AD RMS system is to determine whether a particular right in a license applies to the current user; that is, whether the right is assigned to the current user, whether the validity time has not been exceeded, whether all the environment requirements are satisfied, and so on. The AD RMS system treats rights in four ways.

| Right | Description |
| --- | --- |
| EDIT | The AD RMS client allows a user granted the EDIT right to create a decrypting object and an encrypting object. This allows a user to decrypt content, then re-encrypt it with the same key. The application itself must know which additional rights will be granted along with it, and must enable or disable UI buttons appropriately. |
| OWNER | The AD RMS client allows a user granted the OWNER right to exercise all rights in the license, whether or not they are specifically granted to that user. It also allows the creation of both a decrypting object and an encrypting object. Zero, one, or more users may be granted this right in a license. |
| VIEWRIGHTSDATA | The AD RMS client allows a user granted the VIEWRIGHTSDATA right to reuse the issuance license information. It grants the right to make a decrypting object, but it should ideally be used only for reusing the rights information from an issuance license (for more information, see Reusing Issuance License Data). |
| All other rights | If granted, allow a user to create only a decrypting object associated with that right. This means that the user has access to the content; what the user is permitted to do with this content (print, forward, and so on) is strictly controlled by the application. The user cannot re-encrypt the content by using the same content key unless granted the EDIT or OWNER right, so the content that is tied to the license is essentially static. |

The task of deciding how the user interface should change depending on the rights granted to the user is strictly the job of the consuming application. So a user granted the EDIT right should have the Save button enabled, a user granted the VIEWRIGHTSDATA right should have buttons or menu options that allow the user to reuse license data, and a license granting the current user the custom PRINT right should enable the Print menu option or button. Once again, the AD RMS system allows only the rights to decrypt or encrypt data (or to reuse a license).
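The split described above, between what the rights system decides and what the consuming application decides, can be modeled as follows. This is an added example, not code from the AD RMS SDK or from Microsoft: `Grant`, `effective_rights`, `capabilities`, `ui_state` and the sample license are hypothetical names and constructed data, and no XrML parsing or environment check is performed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Grant:
    """One grant in a license (hypothetical model, not an XrML parser)."""
    user: str
    right: str
    valid_until: datetime

def effective_rights(grants, user, now):
    """Rights that apply to `user` at `now`: assigned to the user and unexpired."""
    mine = {g.right for g in grants if g.user == user and now <= g.valid_until}
    if "OWNER" in mine:
        # OWNER may exercise every right in the license, granted to them or not.
        mine |= {g.right for g in grants}
    return mine

def capabilities(rights):
    """The only things the rights system itself decides."""
    return {
        "decrypt": bool(rights),                      # any applicable right
        "encrypt": bool(rights & {"EDIT", "OWNER"}),  # re-encrypt with the same key
        "reuse_license": "VIEWRIGHTSDATA" in rights,
    }

def ui_state(rights):
    """Application-side mapping from rights to controls (the application's job)."""
    caps = capabilities(rights)
    return {
        "save": caps["encrypt"],
        "reuse_license_menu": caps["reuse_license"],
        "print": caps["decrypt"] and "PRINT" in rights,  # custom, app-defined right
    }

# Constructed sample license and evaluation time.
NOW = datetime(2008, 3, 13)
LATER, PAST = datetime(2009, 1, 1), datetime(2008, 1, 1)
SAMPLE = [
    Grant("alice", "OWNER", LATER),
    Grant("bob", "PRINT", LATER),
    Grant("carol", "EDIT", PAST),  # validity time exceeded
    Grant("dave", "VIEWRIGHTSDATA", LATER),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, ui_state(effective_rights(SAMPLE, user, NOW)))
```
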

To learn more about what it means to bind to a right, see Exercising Rights.

See Also

About Active Directory Rights Management Services
Creating an Issuance License
Exercising Rights
Reusing Issuance License Data

Build date: 3/13/2008