IRM Framework Architecture in Windows SharePoint Services
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Following are the four basic components that interact to enable Information Rights Management (IRM) in Windows SharePoint Services:
IRM Protectors
IRM protectors control the conversion of documents to their encrypted, rights-managed format and the decryption of documents from their rights-managed format back to their original format. An IRM protector includes the appropriate rights management metadata in the rights-managed file when it is downloaded from a document library, and it extracts this information when the document is uploaded to the document library.
For example, an integrated IRM protector includes the issuance license (IL), the server end-user license (EUL), and optionally, a document template in the rights-managed file when it is downloaded from a document library, and it extracts those components when the document is uploaded to the document library.
You can create two types of IRM protectors: integrated protectors and autonomous protectors. Integrated protectors rely on Windows SharePoint Services for access to the Windows Rights Management Services (RMS) platform in order to generate protected versions of files, and to remove protection from rights-managed files. Autonomous protectors, on the other hand, must configure and execute the entire rights-management process by themselves.
You can associate each IRM protector with one or more file types. However, each file type can be associated with only one protector.
For information about creating IRM protectors for custom file types, and about integrated and autonomous protectors, see Custom IRM Protectors.
Windows Rights Management Services (RMS)
For integrated protectors, IRM can use RMS to authenticate users, create licenses, and encrypt document content.
Every computer that creates or uses rights-managed content using RMS must have the RMS client, version 1, Service Pack 2 (SP2) installed.
In addition, to enable IRM in Windows SharePoint Services, you must have at least one RMS server that is running RMS version 1, SP2.
For information about RMS, see the Windows Rights Management Services technology center.
Autonomous protectors do not need to use RMS services because they configure and execute the entire rights-management process.
Windows SharePoint Services
Windows SharePoint Services manages the process of uploading and downloading protected documents from a SharePoint document library.
When a user requests a rights-managed document, Windows SharePoint Services generates the appropriate rights management metadata and makes it available to the appropriate IRM protector for inclusion in the protected document. For integrated protectors, this metadata includes the IL and server EUL. For autonomous protectors, this metadata includes the specific rights that the user has to the document. After the protector has constructed the rights-managed file, Windows SharePoint Services passes it to the user.
When a user uploads a rights-managed document, Windows SharePoint Services passes it to the appropriate IRM protector, which extracts the necessary rights management metadata from the document. For integrated protectors, this includes the IL and the document library GUID, and the server EUL if it is present in the document. For autonomous protectors, this information includes only the document library GUID. Windows SharePoint Services examines this metadata to determine whether the document belongs in the specified library, and, if it does, instructs the IRM protector to decrypt the document, which Windows SharePoint Services then uploads to the specified library.
For a more detailed discussion of how Windows SharePoint Services processes rights-managed content, see IRM File Processing.
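The upload decision described above, together with the one-protector-per-file-type rule, can be modeled as follows. This is an added example, not Windows SharePoint Services code: the class and function names, the protector names, and the sample GUIDs are hypothetical, and it assumes the "belongs in the specified library" check is a GUID comparison and that an integrated upload without an IL is refused.

```python
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class ExtractedMetadata:
    """Metadata a protector extracts from an uploaded file (model only)."""
    library_guid: uuid.UUID
    issuance_license: Optional[bytes] = None  # integrated protectors only
    server_eul: Optional[bytes] = None        # integrated, if present in the file


class ProtectorRegistry:
    """A protector may serve many file types; a file type has one protector."""

    def __init__(self):
        self._by_ext = {}

    def register(self, name, integrated, extensions):
        exts = [e.lower() for e in extensions]
        # Check every extension first so a conflict leaves the registry unchanged.
        for ext in exts:
            if ext in self._by_ext:
                owner = self._by_ext[ext][0]
                raise ValueError(f"{ext} is already handled by {owner}")
        for ext in exts:
            self._by_ext[ext] = (name, integrated)

    def lookup(self, ext):
        return self._by_ext[ext.lower()]


def process_upload(registry, ext, meta, target_library):
    """Return 'decrypt' only if the metadata binds the file to target_library."""
    _name, integrated = registry.lookup(ext)
    # Assumption: an integrated protector that yields no IL is treated as a failure.
    if integrated and meta.issuance_license is None:
        return "reject: no issuance license extracted"
    # Assumption: library membership is decided by comparing GUIDs.
    if meta.library_guid != target_library:
        return "reject: document belongs to a different library"
    return "decrypt"


if __name__ == "__main__":
    reg = ProtectorRegistry()
    reg.register("HypotheticalIntegrated", True, [".docx", ".xlsx"])
    lib = uuid.UUID(int=1)  # constructed sample GUID
    print(process_upload(reg, ".docx", ExtractedMetadata(lib, b"IL"), lib))
```

The point of the model is the ordering: decryption is requested only after the library binding has been checked, so a protected file taken from one library is not unprotected by uploading it to another.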
Client application
After the requested file is downloaded to the user's computer, the user requires an application that can remove protection from the rights-managed documents of that file type. In the case of Windows RMS, the client application decrypts the file by contacting the RMS server directly and requesting an EUL for the document.
The following figure shows the general steps that an integrated IRM protector takes when a user requests a rights-managed document from Windows SharePoint Services, and the functions that each component of the IRM framework performs.
The following figure shows the general steps that an integrated IRM protector takes when a user checks in a rights-managed document to a Windows SharePoint Services document library, and the functions that each component of the IRM framework performs.
The following figure shows the general steps that an autonomous IRM protector takes when a user requests a rights-managed document from Windows SharePoint Services, and the functions that each component of the IRM framework performs.
The following figure shows the general steps that an autonomous IRM protector takes when a user checks in a rights-managed document to a Windows SharePoint Services document library, and the functions that each component of the IRM framework performs.
See Also
Tasks
How to: Register an IRM Protector
Concepts
Information Rights Management in Windows SharePoint Services Overview