Information Rights Management in SharePoint 2007

Previously, I posted on IRM in MOSS. I continue to get a number of questions, so I thought I would summarize a couple of things.

Why should you care?

Well, in SharePoint 2003 we didn't have item-level security, so IRM was necessary if you wanted to lock down individual documents. An IRM-protected document could then be uploaded into a document library, but unfortunately it could not be indexed since it was encrypted. In SharePoint 2007 we have item-level security. This is great news. But what happens when I download this document from the library? What if I want to secure the document outside of SharePoint as well? Excellent thought and I'm glad you asked. That's where IRM and SharePoint 2007's new policy capability come in.

What's new?

SharePoint 2007 has the concept of an IRM-protected document library (the same applies to list item attachments in general). Basically, IRM creates a set of access controls that live with the content and therefore control access even when the document is outside of the SharePoint library. What about custom file types? Good question. You can create IRM protectors: custom assemblies that plug into the IRM framework and manage the conversion between encrypted and rights-managed formats.


When an RMS policy is applied to a document library, the documents stored inside the library are IRM protected but they are not encrypted; they are stored in SQL Server unencrypted but tagged as IRM documents. When a user attempts to download a file from the IRM-protected library, WSS verifies the user's permissions and grants access according to the user's ACLs. Upon downloading, WSS calls an IRM protector to convert the stored file to an encrypted format and stores the document on the user's computer in a rights-managed format. WSS becomes the primary owner and the user a consumer of the document.

A second user would have to download the document themselves, since the first user cannot send the document to another person even if that person also has access to the file in the document library. If the downloaded document is opened, edited and saved back to the library, the IRM protection is removed by the IRM protector.

The unencrypted storage format ensures that the Search indexing service is able to "crawl" the content. Since search results are already scoped to user permissions, the results are permission filtered. Therefore, the document remains searchable and can still be archived, and other features like property promotion / demotion continue to work as expected.

One key point: the capability described here does not apply to documents that are IRM protected outside of SharePoint and then uploaded.