Securing SharePoint documents that you take offline

SharePoint 2010 lets you configure security settings for individual documents or an entire library of documents so that you can protect confidential or personal content by limiting access to a specific group of users. You can further protect documents by applying Information Rights Management (IRM) policies that encrypt the content of specific documents so that they can only be read with a key granted to specific users or groups.

When you use SharePoint Workspace 2010 to take SharePoint content offline, you’ll find that it honors these settings and policies, but with some provisos. Here’s some information about how to best set permissions and policies to protect SharePoint documents and lists that may be taken offline in SharePoint workspaces.

Creating a SharePoint workspace lets SharePoint users download selected libraries and lists from a SharePoint site to a local computer so that they can access and work with this content any time, wherever they are, whether online or offline. However, a user’s ability to access or update the SharePoint content to begin with depends on the permissions and other security settings that are defined on the hosting SharePoint site. Site or content owners protect content by defining permissions and rights management settings on the SharePoint site, and these are applied in the associated SharePoint workspace.

Defining group access permissions for SharePoint libraries, lists, and documents is a mainstay of document protection. These settings determine the extent to which specific users or groups can access and work with content on the site.

For example, suppose that field researcher John needs to draft an article of his findings and get it reviewed before publishing on the web. John knows that he'll have no network access at his field location.  Fortunately, he has full permissions for a library on a SharePoint 2010 team site (granted by the site owner), so before going out into the field he synchronizes the library with a local SharePoint workspace on his laptop.  While offsite, he finishes the piece, strikes camp, and returns to town where he regains network access The document synchronizes automatically with the SharePoint site and John uses the Document Settings option on the SharePoint Ribbon to restrict document access to himself and his home-based colleague. An hour later, John receives his colleague’s updated document in his synchronized workspace, and he completes a final pass for his colleague’s signoff. Document permissions remain restricted until he resets them in SharePoint to allow broader viewing. John can do the same thing for any library of documents that he owns and wants to protect.

Setting Information Rights Management policies for libraries or documents on a SharePoint site provides another level of content protection. SharePoint Workspace respects IRM document settings that have been defined in a SharePoint site, but be aware that IRM-protected libraries are prohibited from download into a local workspace. In the case of Document-level policies (set from the associated Office application), SharePoint Workspace accepts IRM encrypted documents and handles them as expected. In the case of SharePoint Library-level policies (set from the Library Tools tab, in Library/Library Settings), SharePoint Workspace does not synchronize library content that is protected with IRM, limiting propagation of protected content.

The following table summarizes SharePoint Workspace behavior in the context of IRM protection for individual documents and libraries:

IRM setting

Result in SharePoint Workspace

IRM is enabled for individual SharePoint documents.

Upon synchronization, SharePoint Workspace updates affected documents in the local workspace so that they are IRM-protected (encrypted on disk). Only users with the necessary IRM permissions on the SharePoint site can access the documents locally or from the site. Document synchronization occurs as usual.

IRM is enabled for a SharePoint library.

None of the library content will be downloaded or synchronized with a SharePoint workspace. If local versions of the affected content already exist in the SharePoint workspace, that content remains as is, with no changes, but it cannot synchronize with SharePoint library.

For information about setting access permissions for SharePoint content, see https://technet.microsoft.com/en-us/library/cc262690.aspx and https://technet.microsoft.com/en-us/library/cc263239.aspx.

For information about setting IRM policies for SharePoint content, see https://office.microsoft.com/en-us/sharepoint-server-help/apply-information-rights-management-to-a-list-or-library-HA010154148.aspx.

 

Mena Paton