Important: You need a separate IRM
policy server for each eRoom site in which you want to enable rights management.
This topic is organized into the following sections:
The optional integration of rights management with eRoom requires a Documentum Information Rights Management (IRM) server plus Documentum IRM client bundle licenses (that include Adobe Acrobat and Microsoft Word clients), which must be purchased independently from eRoom.
With this integration, eRoom rights-management policies are defined in eRoom, not in the IRM policy server. The IRM policy server enforces the eRoom policy settings, which determine the rights you have to a file.
Important: You need a separate IRM
policy server for each eRoom site in which you want to enable rights management.
Some of the terms used to describe rights management in eRoom are as follows:
Eligible file - a type of file (currently, Microsoft Office and Adobe Acrobat files only) that can be protected by an eRoom rights-management policy. Eligible files may be at the top level of an eRoom or folder, in nested folders, in attachment boxes for any eRoom items, or attached to messages in eRoom inboxes.
Ineligible content - a type of file that cannot be protected by an eRoom rights-management policy. This includes eRoom Content Server-linked files as well as files that are neither Microsoft Office nor Adobe Acrobat files. Similarly, you cannot enable rights management for folders with default storage locations in a Documentum repository, or for eRoom linked folder items. However, even if rights management is not enabled for a site or eRoom, protected files linked to a repository location are shown in those types of folders.
Protected
file - an eligible file that is protected by an eRoom rights-management
policy. A file can inherit its policy from its container or an ancestor
folder, or you can define one for the file directly. Protected files are
identified (in large icon view) with a "protected" symbol (
),
and by notation on their Access Control pages. Once a file is protected,
it cannot be unprotected.
Policy editor - A member who can edit rights-management policy settings for a folder or file. In eRoom, anyone on the item's Edit list can also edit its policy. Only policy editors can copy rights-management-protected files or rights-management-enabled folders.
Ancestor container - a container in a folder’s or file’s hierarchy (including an eRoom), from which a folder or file inherits its policy.
If rights management is enabled for a site, you can optionally enable it for communities in the site. When rights management is enabled for a community, you can optionally enable it for eRooms in the community.
When you enable rights management in an eRoom, rights management is enabled in all folders in the eRoom. You decide whether all eligible content in the eRoom or folders will be automatically protected when its added, or if protection is optional. This decision affects only how eligible content is protected, not the type of content an eRoom or folder may contain. Even when eligible content in an eRoom or folder will automatically be protected, the eRoom or folder may also contain ineligible content.
A folder can either inherit (that is, refer to) its parent’s policy, or it can have its own policy, separate from its ancestor’s policy.
When you protect a file, its policy is initially copied from its container (the eRoom or a folder). This is a copy, not a reference, so changing the container’s policy only changes the effective policy of the items it contains, not their actual policies.
The Edit list, not the Open list, of a rights management-enabled/protected item determines who can copy that item. It also determines who can edit its policy.
The rights-management policy set for a particular folder or file is its actual policy. An eRoom in which rights management is enabled has its own policy. Eligible files and folders at the top-level of such an eRoom initially inherit that policy.
A file or folder's effective
policy is a combination of the most restrictive policy settings from
the folder's or file's actual policy and the policies of its ancestor
containers. The effective policy determines what members can actually
do with a protected file. For example:
As shown in the preceding example:
You cannot print My file.doc and Her file.doc because although their own policies allow printing, Folder 1 has a more restrictive policy, which does not allow printing.
My file.doc expires on 12/25/09 instead of on 4/30/10, the file's expiration date, because the container's policy specifies an earlier, more restrictive expiration date (12/25/09).
You cannot copy content from Her file.doc because although Folder 1 allows copying, Her file.doc has the more restrictive setting, which does not allow copying.
Her file.doc expires on 8/31/08 instead of on 12/25/09 because its expiration date is more restrictive (earlier) than the container's expiration date.
When you move a file or folder with its own
policy to another location, its actual policy remains unchanged. However,
depending on the policy in effect in the new location, its effective policy
might change. For example:
As shown in the preceding example, after moving from Folder 1 to Folder 2:
My file.doc can now be printed.
My file.doc now expires on the date its own policy specifies, since that is the more restrictive setting.
The setting labeled New Microsoft Office files and Adobe Acrobat files in this [room or folder] determines whether rights-management is enabled or, for an eRoom, disabled, and, if enabled, whether rights-management is optional or mandatory in the eRoom or folder. For an eRoom, this setting is located in the Rights Management area of the Options page in eRoom Settings. For a folder, the setting is on the item's Access Control page. This setting has the following options:
cannot be protected by a rights management policy (eRooms only) - Rights management is not enabled in the eRoom, and no new eligible files in the eRoom can be protected. If rights management was previously enabled in the eRoom, it is disabled. Existing protected files remain protected by their actual policies, which you can still edit. Once rights management is disabled, however, eRoom and folder policies no longer affect the files they contain. Therefore, actual policies for protected files might differ from their effective policies while rights management was enabled.
can
optionally be protected by a rights management policy
- If selected for an eRoom, rights
management is enabled in the eRoom and all existing folders in the eRoom.
When selected for either an eRoom or a folder, all existing, eligible
files (including files in nested folders, attachment boxes for any eRoom
items, and attached to messages in eRoom inboxes) are not automatically protected, but can be protected
by the eRoom's or the folder's policy. Likewise, new, eligible content
is not automatically protected when added to the eRoom or folder, but
can be protected. For a folder, if the effective policy is "will
automatically be protected", a restricted symbol
(
) appears
next to the radio button and you cannot
select this option.
will automatically be protected by a rights management policy - If selected for an eRoom, rights management is enabled in the eRoom and all existing folders in the eRoom. When selected for either an eRoom or a folder, all existing, eligible files (including those in nested folders, in attachment boxes for any eRoom item, and attached to messages in eRoom inboxes) in the eRoom or folder are automatically and permanently protected by the eRoom's policy or the folder's effective policy. Likewise, all folders and eligible files (including attachments to eRoom items or to email messages arriving in an eRoom inbox) added to the eRoom or folder after this setting is applied are automatically protected (files), or are rights-management-enabled (folders), as soon as they are added.
A folder can either inherit from its ancestor's policy, or define its own policy for protecting files. If a folder's policy is inherited, you cannot specify any rights-management settings for the folder. If you have Edit rights to the folder, however, and as long as the folder's effective policy is that eligible files "can optionally be protected", you can specify rights-management settings for the folder.
For an eRoom, rights-management policy settings are located in the Rights Management area of the Options page in eRoom Settings. For a folder or eligible file, these settings are on the Rights Management policy settings page that opens when you click "Policy settings" on the item's Access Control page. Rights-management policy settings for protecting files are as follows:
Members with access to a file that uses this policy can
Print it - Select to allow members with appropriate access to print the file.
Copy content from it - Select to allow members with appropriate access to copy content from the file.
Refresh access to offline files after n days - Specify the maximum number of days (n) members can access the file when they are disconnected from the network before offline access to the file must be refreshed. A protected document, however, cannot be edited while offline. When this setting is zero, offline access is disabled. For more information about offline access to protected documents, see IRM client Help.
Expire files on date at time - Specify a date and (optionally) a time when the policy expires for the protected file. Once a protected file expires, it remains in the eRoom but cannot be opened. If the date field is empty, the content has no expiration date.
Watermark - Pick a named watermark, if any, that will appear on printed pages of the protected file. Pick "(none)" to specify no watermark. Watermarks are unaffected by the effective policy. That is, a container's policy watermark choice is specific to that container, and does not also use its parent's watermark.
Only coordinators can modify policy settings for an eRoom, and only members on the Edit list for an item can modify policy settings for that item.
With rights management enabled in your eRoom, actions you perform (such as moving, copying, creating, uploading, deleting, and dragging and dropping) can have different results than when you perform the same actions with rights management not enabled, or disabled.
Two principles remain constant in all of the following scenarios:
Once a file is protected with rights management, it remains protected. While its effective policy might change depending on its location, it can never become unprotected.
Ineligible files (files that are neither Microsoft Office nor Adobe Acrobat files) are unaffected by rights-management in eRoom.
Only members on a protected file's Edit list can copy it. Similarly, only members with Edit rights to a rights-management-enabled folder can copy it.
The results of moving or copying an item to a rights-enabled location (folder or eRoom) depend on the rights-management settings or protection status of the source item (folder or file), and the rights-protection method and policy in effect for the target location.
If the target location is set to "can optionally be protected", unprotected, eligible files (including attachments) moved or copied there are not automatically protected.
If the target location is set to "will automatically be protected", unprotected, eligible files (including attachments) moved or copied there are automatically protected by the effective policy of the target location.
In either of the two preceding cases, folders keep their rights-protection method. That is, if a source folder inherits its policy, it inherits its new parent's policy; if a source folder has its own policy, its actual policy is unchanged, but its effective policy might change, depending on the effective policy of the new location.
Create new folder - If you create a new folder in a target location that is set to either "can optionally be protected" or "will automatically be protected", the newly created folder initially inherits its parent's policy.
Create new item - If you create a new item in a target location that is set to "can optionally be protected", any eligible files attached to it are not automatically protected. If you create a new item in a target location that is set to "will automatically be protected", any eligible files attached to it are automatically protected. In either case, any folders attached to the newly created item become rights-enabled by inheriting the parent's policy.
Create or upload new eligible file - An eligible file created in or uploaded to a target location set to "can optionally be protected" is not automatically protected. An eligible file created in or uploaded to a target location set to "will automatically be protected" is automatically protected.
Delete a folder - You delete a rights-enabled folder the same way you delete a non-rights-enabled folder. If the eRoom uses a recycle bin, the folder is placed in the recycle bin. Only coordinators can restore a rights-enabled folder. When you restore a folder, if it inherits its policy, it inherits the policy of the location you restore it to. If it defines its own policy, it keeps its original policy. In either case, its effective policy might change, depending on the effective policy of the location you restore it to. When the folder is deleted from the recycle bin, it, and the protected content in it, is removed from the policy server as well as from the eRoom.
Delete a file - You delete a rights-protected file the same way you delete an unprotected file. If the eRoom uses a recycle bin, the file is placed in the recycle bin. Restoring the file follows the same rules as copying it, and only coordinators can do it. When the file is deleted from the recycle bin, it’s removed from the policy server as well as from the eRoom.
Add folder with drag and drop - A folder added with drag-and-drop from the desktop to a target location that is set to either "can optionally be protected" or "will automatically be protected" is automatically rights-enabled by inheriting the parent's policy. Any unprotected, eligible files it contains are either automatically protected or not, depending on the rights-protection method in effect for the target location.
Replace file with drag and drop
A protected file (source) dropped onto another protected file (target) replaces the target file and changes its policy to match that of the target file.
A protected file dropped onto an unprotected file replaces the target file and remains protected with its existing policy.
An unprotected, eligible file dropped onto a protected file replaces the target file and is protected using the target file’s policy.
An unprotected, eligible file dropped onto another unprotected file replaces the target file and is not protected.
An ineligible file dropped onto an unprotected file replaces the file.
You cannot drop an ineligible file onto a protected file to replace it.
You can move or copy a protected file outside of the eRoom, and you can download it for viewing or editing. While the file is outside of the eRoom, it remains protected by the policy that protects it inside the eRoom, and only eRoom members can open the file (as long as they have the appropriate rights to do so).
When you move a rights-enabled eRoom (via a facility you are moving) from one community to another community that allows rights management, rights management works in the newly located eRoom the same as it did in the source community. If rights management is not enabled in the target community, protected content in the eRoom remains protected, but follows the rules for disabling rights management for an eRoom, a community, or a site.
If the eRoom you are moving is not rights-enabled, it remains that way if rights management is enabled in the target community.
When you import an eRoom or facility with protected files into the same site it was exported from, it is treated as a copy, and protection works as usual.
When you import an eRoom or facility with protected files into a different
site than it was exported from, the eRoom-related policy settings are
removed from the files and they are marked "not protected".
The files remain encrypted, but eRoom does not identify them as such.
For example, the files do not show the "protected" icon ()
and the Access Control page for such a file has no rights-management controls
or information. When you try to access such a file, the policy server
refers to the original file for its policy and ACL. If the file cannot
be found, you cannot open the file in the imported eRoom.
When you add a file that was originally protected in eRoom, the same rules described in the preceding section apply.
If the file was not originally protected in eRoom, it remains protected,
but eRoom does not identify it as such. For example, the file does not
show the "protected" icon () and the Access Control page for such a file
has no rights-management controls or information.
When you create an instance of a template database that has protected content or rights-enabled folders, it is treated as a copy, and protection works as it does for a copy.
Creating an eRoom from an template eRoom that has protected content or rights-enabled folders only works when the instance of the template is created in the same site in which the template was created.