You can use Information Rights Management (IRM) to help control and protect files that are downloaded from lists or libraries.
Apply IRM to a list or library
Microsoft Active Directory Rights Management Services (AD RMS) supports Information Rights Management for sites. No separate or additional installations are required.
Before you apply IRM to a list or library it must first be enabled in Central Administration for your site.
Additionally, a server administrator must install protectors on all front-end Web servers for every file type that the people in your organization want to protect by using IRM.
To apply IRM to a list or library, you must have at least the Design permission level for that list or library.
- Go to the list or library for which you want to configure IRM.
- On the ribbon, click the Library tab, and then click Library Settings (If you are working in a list, click the List tab, and then click List Settings).
- Under Permissions and Management, click Information Rights Management.
If the Information Rights Management link does not appear, IRM might not be enabled for your site. Contact your server administrator to see if it is possible to enable IRM for your site. The Information Rights Management link does not appear for picture libraries.
- On the Information Rights Management Settings page, select the Restrict permission to documents in this library on download check box to apply restricted permission to documents that are downloaded from this list or library.
- In the Create a permission policy title box, type a descriptive name for the policy that you can use later to differentiate this policy from other policies. For example, you can type Company Confidential if you are applying restricted permission to a list or library that will contain company documents that are confidential.
- In the Add a permission policy description box, type a description that will appear to people who use this list or library that explains how they should handle the documents in this list or library. For example, you can type Discuss the contents of this document only with other employees if you want to restrict access to the information in these documents to internal employees.
- To apply additional restrictions to the documents in this list or library, click Show Options, and do any of the following:
10. After you finish selecting the options you want, click OK.
What is Information Rights Management?
Information Rights Management (IRM) enables you to limit the actions that users can take on files that have been downloaded from lists or libraries. IRM encrypts the downloaded files and limits the set of users and programs that are allowed to decrypt these files. IRM can also limit the rights of the users who are allowed to read files, so that they cannot take actions such as print copies of the files or copy text from them.
You can use IRM on lists or libraries to limit the dissemination of sensitive content. For example, if you are creating a document library to share information about upcoming products with selected marketing representatives, you can use IRM to prevent these individuals from sharing this content with other employees in the company.
On a site, you apply IRM to an entire list or library, rather than to individual files. This makes it easier to ensure a consistent level of protection for an entire set of documents or files. IRM can thus help your organization to enforce corporate policies that govern the use and dissemination of confidential or proprietary information.
IRM helps to protect restricted content in the following ways:
- Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
- Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
- Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server
- Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
- Helps to enforce corporate policies that govern the use and dissemination of content within your organization
IRM cannot protect restricted content from the following:
- Erasure, theft, capture, or transmission by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware
- Loss or corruption because of the actions of computer viruses
- Manual copying or retyping of content from the display on a screen
- Digital or film photography of content that is displayed on a screen
- Copying through the use of third-party screen-capture programs
- Copying of content metadata (column values) through the use of third-party screen-capture programs or copy-and-paste action
How IRM works for lists and libraries
IRM protection is applied to files at the list or library level. When you enable IRM for a list or library, you can protect any file type in that list or library for which a protector is installed on all front-end Web servers. A protector is a program that controls the encryption and decryption of rights-managed files of a specific file format.
SharePoint includes protectors for the following file types:
- Microsoft Office InfoPath forms
- The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
- The Office Open XML Formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
- The XML Paper Specification (XPS) format
If your organization plans to use IRM to protect any other file types in addition to those listed above, your server administrator must install protectors for these additional file formats.
When IRM is enabled for a library, rights management applies to all of the files in that library. When IRM is enabled for a list, rights management applies only to files that are attached to list items, not the actual list items.
When people download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them. Each rights-managed file also contains an issuance license that imposes restrictions on the people who view the file. Typical restrictions include making a file read-only, disabling the copying of text, preventing people from saving a local copy, and preventing people from printing the file. Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. This is how a rights-managed file retains its protection even after it is downloaded from the server.
The types of restrictions that are applied to a file when it is downloaded from a list or library are based on the individual user's permissions on the site that contains the file. The following table explains how the permissions on sites correspond to IRM permissions.