IRM File Processing
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
You can understand how the various components of the Information Rights Management (IRM) system in Windows SharePoint Services work together to enable rights-managed content in document libraries by examining the two basic processes for rights-managed content:
Downloading a protected document
Uploading that document back to the document library
The following scenarios are designed to give you a general understanding of how Windows SharePoint Services processes rights-managed documents. They do not provide end-to-end procedures, and the actual process may vary for you, depending on the IRM settings you specify for the document library.
Downloading IRM-Protected Documents from Windows SharePoint Services
When a user requests a file from a document library that has IRM enabled, Windows SharePoint Services first performs its standard processing, such as synching document metadata. If the document is rights-managed, Windows SharePoint Services determines if an IRM protector associated with the document's file type is registered. If not, Windows SharePoint Services downloads the document to the user without rights management protection.
If an appropriate IRM protector is registered, and that protector is an integrated protector, Windows SharePoint Services generates an issuance license (IL) for the document. The IL includes:
A document key specific to the document. This private key is used to encrypt data in the rights-managed document.
A list of users who can access the document, and their corresponding permissions. Windows SharePoint Services adds itself and the user who downloaded the document to this list.
The GUID of the document library from which this document is being downloaded.
Windows SharePoint Services then calls the IRM protector to determine if the document is already rights-managed. For example, the document might have had rights management applied to it in a client application before it was uploaded to the document library. If the file is already rights-managed, Windows SharePoint Services downloads the document to the user without additional rights management protection.
Note
If you set your document library to accept only documents that Windows SharePoint Services can rights-managed, the user will not be able to upload documents that have had rights-management protection applied by an application other than Windows SharePoint Services.
If the document requires protection, Windows SharePoint Services calls the IRM protector to create a file stream that represents an IRM-protected version of the document:
If the protector is an integrated protector, Windows SharePoint Services provides the IRM protector with access to the RMS encryption process. Windows SharePoint Services also provides the IRM protector access to the IL of the document, as well as the server end-user license (EUL). The IRM protector includes both in the protected file.
If the protector is an autonomous protector, Windows SharePoint Services provides the IRM protector rights data and other metadata about the document. The autonomous protector must then configure and execute its own rights-management process to produce a rights-managed version of the requested file. The autonomous protector may use RMS directly, or some other rights-management process to create the protected document.
In either case, if the IRM protector succeeds, Windows SharePoint Services downloads the protected document to the user. If the protector cannot rights-manage the document, Windows SharePoint Services downloads the document to the user without rights-management protection. If the IRM protector encounters a major error, Windows SharePoint Services cancels the download of the document.
Specifically, Windows SharePoint Services downloads the document to the user without rights-management protection if the IRM protector returns one of the following error codes:
MSOIPI_STATUS_ALREADY_PROTECTED The file is already IRM protected.
MSOIPI_STATUS_CANT_PROTECT A general failure of the protector.
MSOIPI_STATUS_NOT_MY_FILE The specified file is not of a file type associated with this IRM protector.
Errors of these types should be rare; for example, Windows SharePoint Services selects the appropriate protector based on file type, and calls the protector to determine if the file is already rights managed, before processing reaches the points where Windows SharePoint Services would call the protector to encrypt the file.
It is the responsibility of the developer who creates the custom protector to determine when to return the above error codes, or if the protector should ever return those codes. If you never want to provide an unencrypted file, then do not program your protector to return these codes to Windows SharePoint Services.
For more information on these error codes, see I_IrmProtector.HrProtectRMS Method and I_IrmProtector.HrProtect Method.
After the requested file is downloaded to the user's computer, the client application decrypts the file by directly contacting the rights management service used by the protector, whether it is an RMS server or other rights-management server. In the case of RMS, the client application requests a EUL for the document. In the case of other rights-management services, the client application would need to request analogous permissions to the file.
The following figure shows the general process flow that occurs when a user requests a rights-managed document from a document library.
Uploading IRM-Protected Documents to Windows SharePoint Services
When a user checks a protected file into a document library, Windows SharePoint Services again determines if there is a registered IRM protector that handles the document's file type. If there is not, Windows SharePoint Services uploads the document as is, without performing any further decryption or processing. However, if the document library is configured to reject items that cannot be rights-managed, Windows SharePoint Services cancels the file upload instead.
If Windows SharePoint Services finds an appropriate IRM protector, Windows SharePoint Services calls it to generate a file stream that represents an unprotected version of the document:
The IRM protector returns the IL to Windows SharePoint Services. Windows SharePoint Services compares the document library GUID stored in the document IL with that of the library to which the document is being uploaded.
If the protector is an integrated protector, the IRM protector may request that Windows SharePoint Services provide it with access to the RMS decryption process.
If the protector is an autonomous protector, the IRM protector configures and executes the decryption process itself. It returns the document library GUID for the document directly to Windows SharePoint Services. Windows SharePoint Services then compares the document library GUID returned by the autonomous protector with that of the library to which the document is being uploaded.
In each case, Windows SharePoint Services does the following:
If the document library GUIDs match, the IRM protector successfully generates the file stream, and Windows SharePoint Services consumes the file stream to generate an unprotected version of the document.
Windows SharePoint Services then performs its standard processing, such as synching document metadata, and stores the document.
If the document library GUIDs do not match, Windows SharePoint Services cancels the document upload.
The following figure shows the general process flow that occurs when a user checks in a rights-managed document.
See Also
Tasks
How to: Register an IRM Protector
Concepts
Information Rights Management in Windows SharePoint Services Overview