Home > Work > #O365 #SharePoint Online–Information Rights Management #IRM–what works, what doesn’t in a business context-Part 4

#O365 #SharePoint Online–Information Rights Management #IRM–what works, what doesn’t in a business context-Part 4

September 24, 2015 Leave a comment Go to comments

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Part 1: https://spandps.com/2015/09/21/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-1/

In the second article we covered file type support.

Part 2: https://spandps.com/2015/09/22/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-2/

In the third article we covered file type support in detail as well as the document library experience.

Part 3: https://spandps.com/2015/09/23/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-3/

So we have talked about what IRM in SharePoint is, file type support and limitations, document library experiences etc. lets get down to permissions.  What can you restrict…

A good place to start is here: https://support.office.com/en-us/article/Apply-Information-Rights-Management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1

To quote specifically from the site:

How IRM can help protect content

IRM helps to protect restricted content in the following ways:

  • Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
  • Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
  • Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server
  • Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
  • Helps to enforce corporate policies that govern the use and dissemination of content within your organization

How IRM cannot help protect content

IRM cannot protect restricted content from the following:

  • Erasure, theft, capture, or transmission by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware
  • Loss or corruption because of the actions of computer viruses
  • Manual copying or retyping of content from the display on a screen
  • Digital or film photography of content that is displayed on a screen
  • Copying through the use of third-party screen-capture programs
  • Copying of content metadata (column values) through the use of third-party screen-capture programs or copy-and-paste action

So seems pretty straight forward and of course this applies to the file types mentioned in the previous posts on this subject.

  • Word
  • Excel
  • PowerPoint
  • XPS

Interestingly, this Microsoft article mentions InfoPath but at the time of writing for this article, that did not appear to be the case in SharePoint Online (2015-09-23)

At the bottom of the article is starts talking about how list / library permissions compare to IRM permissions.  Again to quote from the site (just for completeness):

image

So I hear what you are saying… come on Giles… now you are just copying content from a web site and re-purposing it.  To a degree that is true… but lets put the above into something that makes more sense to the standard Business User that doesn’t really know what permission levels mean etc.

So we can essentially translate the above to the following:

image

Now it makes a bit more sense.

So lets get some users together in these groups and see what effect that has on the IRM permissions when you open a document…

Owner:

So we can see as an owner of the site, I own the document and have full permissions to Copy, Print, Save, Export etc.

If you notice, I also have no expiry on this document either.  Which means downloading the document offline means that the permissions will stay with me as long as I am on a domain controlled PC logged in as the user mentioned in the pop up.

image

Member:

As a member, we can View, Edit, Copy, Print and Save.  This makes sense since as a member you are likely to be creating documentation in the first place.

image

Remember you can also control who can see versions of documents within SharePoint as well as the ability to control if you can only see your only content.

You can find these configurations in the Library Settings under Versioning Settings:

image

So what we are seeing here is IRM permissions layered on top of SharePoint’s standard permissions working hand in hand!

Also notice that the expiry for these permissions come into effect on Thursday, September 24, 2015.  At this point, the document (if it is offline from SharePoint), will be entirely locked down, even if you are authorized and you would have to go back to the source library to get a new copy.

When something has expired, this is what you see in the application:

image

Visitor:

Lastly, as a Visitor to my site, you can only view the document.  Now as mentioned earlier, it does not control any other application.  So you could still print screen potentially or use a tool like Snag It to capture the information.  The rules below only pertain to the application implementing the IRM rights.

image

Conclusions

On a high level, it would appear IRM really comes into its own when you want to prevent your content from leaving the organization.  It stops the content being shown to unauthorized users and since this is implemented at a file level, USB drives and Email Attachments cannot circumvent the protection in place.

However, at the end of the day, if you have an authorized user that wants to be malicious then they can open the documentation, copy the content from the screen and re-produce it in an un-protected form.  So just to confirm, this isn’t a magic bullet to solve all your IP protection woes and lets not forget, content is created in an unprotected form first and is only protected once it is uploaded into SharePoint.

Next Post(s):

  • The Client Experience. Windows, OSX (if I can find a mac), Mobile, Web – you name it, I will endeavor to try it
  • Unsupported Files – A look at the desktop RMS client and how that works with SharePoint

Useful Links:

Apply IRM to a list or library: https://support.office.com/en-us/article/Apply-Information-Rights-Management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1

Advertisement
Categories: Work Tags: , , , , , ,
  1. Simón
    October 24, 2016 at 05:49
    Reply

    Hi, Giles.
    I hope you can help me.

    I have configured a library for “only users who can edit items” should view minor versions.
    Too, I have configured IRM on this library.

    The documents need to be approved using a custom workflow.

    My problem is:
    Reader users are involved on this process and should view drafts for it.

    Is it possible?

    Thanks,
    Regards,

  1. No trackbacks yet.

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: