IRM Framework Architecture in SharePoint Foundation

Applies to: SharePoint Foundation 2010

Following are the four basic components that interact to enable Information Rights Management (IRM) in Microsoft SharePoint Foundation:

  • IRM Protectors

    IRM protectors control the conversion of documents to their encrypted, rights-managed format and the decryption of documents from their rights-managed format back to their original format. An IRM protector includes the appropriate rights management metadata in the rights-managed file when it is downloaded from a document library. It extracts this information when the document is uploaded to the document library.

    For example, an integrated IRM protector includes the issuance license (IL), the server end-user license (EUL), and optionally, a document template in the rights-managed file when it is downloaded from a document library. It extracts those components when the document is uploaded to the document library.

    You can create two types of IRM protectors: integrated protectors and autonomous protectors. Integrated protectors rely on SharePoint Foundation for access to the Windows Rights Management Services (RMS) platform to generate protected versions of files, and to remove protection from rights-managed files. Autonomous protectors must configure and execute the entire rights-management process independently.

    You can associate each IRM protector with one or more file types. However, each file type can be associated with only one protector.

    For information about creating IRM protectors for custom file types, and about integrated and autonomous protectors, see Custom IRM Protectors.

  • Windows Rights Management Services (RMS)

    For integrated protectors, IRM can use RMS to authenticate users, create licenses, and encrypt document content.

    Every computer that creates or uses rights-managed content by using RMS must have the RMS client, version 1, Service Pack 2 (SP2) installed.

    To enable IRM in SharePoint Foundation, you must also have at least one RMS server that is running RMS version 1, SP2.

    For information about RMS, see the Windows Rights Management Services technology center.

    Autonomous protectors do not need to use RMS services because they configure and execute the entire rights-management process.

  • SharePoint Foundation

    SharePoint Foundation manages the process of uploading and downloading protected documents from a SharePoint document library.

    When a user requests a rights-managed document, SharePoint Foundation generates the appropriate rights management metadata and makes it available to the appropriate IRM protector for inclusion in the protected document. For integrated protectors, this metadata includes the IL and server EUL. For autonomous protectors, this metadata includes the specific rights that the user has to the document. After the protector has constructed the rights-managed file, SharePoint Foundation passes it to the user.

    When a user uploads a rights-managed document, SharePoint Foundation passes it to the appropriate IRM protector, which extracts the necessary rights management metadata from the document. For integrated protectors, this includes the IL and the document library GUID, and the server EUL if it is present in the document. For autonomous protectors, this information includes only the document library GUID. SharePoint Foundation examines this metadata to determine whether the document belongs in the specified library. If it does, SharePoint Foundation instructs the IRM protector to decrypt the document, which SharePoint Foundation then uploads to the specified library.

    For a more detailed discussion about how SharePoint Foundation processes rights-managed content, see IRM File Processing.

  • Client Application

    After the requested file is downloaded to the user's computer, the user requires an application that can remove protection from the rights-managed documents of that file type. In the case of Windows RMS, the client application decrypts the file by contacting the RMS server directly and requesting an EUL for the document.
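The upload path described under SharePoint Foundation, together with the one-protector-per-file-type rule, can be modelled as follows. This is an added example, not SharePoint code or the protector interface: `Protector`, `Registry`, `extract_metadata`, `handle_upload`, the dictionary keys and the outcome labels are all hypothetical, and because the page does not say what happens to a document that fails the library check, the model only records that decryption is not requested.

```python
from dataclasses import dataclass, field

# Constructed sample GUIDs; not taken from any real farm.
LIB_A = "11111111-1111-1111-1111-111111111111"
LIB_B = "22222222-2222-2222-2222-222222222222"

@dataclass
class Protector:              # hypothetical model type
    name: str
    integrated: bool          # integrated protectors reach RMS through the server

@dataclass
class Registry:               # hypothetical file-type -> protector map
    by_ext: dict = field(default_factory=dict)

    def register(self, protector, extensions):
        exts = [e.lower() for e in extensions]
        # One protector may serve many file types; a file type has one protector.
        for ext in exts:
            owner = self.by_ext.get(ext)
            if owner is not None and owner is not protector:
                raise ValueError(f"{ext} is already handled by {owner.name}")
        for ext in exts:
            self.by_ext[ext] = protector

def extract_metadata(protector, doc):
    """Stand-in for the protector's extraction step during upload."""
    meta = {"library_guid": doc["library_guid"]}
    if protector.integrated:
        meta["il"] = doc["il"]
        if "server_eul" in doc:          # server EUL only if present in the file
            meta["server_eul"] = doc["server_eul"]
    return meta

def handle_upload(registry, target_library, filename, doc):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    protector = registry.by_ext.get(ext)
    if protector is None:
        return ("no-protector", [])
    meta = extract_metadata(protector, doc)
    # Membership is decided from the extracted metadata before decryption is requested.
    if meta["library_guid"].lower() != target_library.lower():
        return ("not-decrypted", sorted(meta))
    return ("decrypt-and-store", sorted(meta))
```

The second element of each result lists which metadata fields the server saw, which makes the difference between integrated and autonomous protectors visible in the output.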

Figure 1 shows the general steps that an integrated IRM protector performs when a user requests a rights-managed document from SharePoint Foundation, and the functions that each component of the IRM framework performs.

Figure 1. Steps integrated IRM protector performs when user requests rights-managed document

Figure 2 shows the general steps that an integrated IRM protector takes when a user checks in a rights-managed document to a SharePoint Foundation document library, and the functions that each component of the IRM framework performs.

Figure 2. Steps integrated IRM protector performs when user checks in rights-managed document

Figure 3 shows the general steps that an autonomous IRM protector takes when a user requests a rights-managed document from SharePoint Foundation, and the functions that each component of the IRM framework performs.

Figure 3. Steps autonomous IRM protector performs when user requests rights-managed document

Figure 4 shows the general steps that an autonomous IRM protector takes when a user checks in a rights-managed document to a SharePoint Foundation document library, and the functions that each component of the IRM framework performs.

Figure 4. Steps autonomous IRM protector performs when user checks in rights-managed document

See Also

Tasks

How to: Register an IRM Protector

Concepts

Information Rights Management in SharePoint Foundation

IRM File Processing

Custom IRM Protectors