Understanding usage restrictions

All RMS enabled applications must enforce usage restrictions. A usage restriction is a condition that results when a user tries to take an action (ex. printing a document), but the RMS policy for that document does not grant them permission or right to perform that action (ex. the PRINT right).

A user's permissions for a document can be queried by using the IpcAccessCheck function.

Designing with usage restrictions

  • Familiarize yourself with standard RMS rights

    For the full set of RMS rights your application may enforce, see Usage restriction reference.

    Note that application defined rights specific to your situation and that go beyond the standard RMS rights may be created.

  • Identify usage restriction enforcement points

    A usage restriction enforcement point is a place in your application's control flow where you need to enforce a usage restriction. The Usage restriction reference topic gives several examples of common enforcement points.

    Evaluate your own application to determine which usage restriction enforcement points apply.

    Your application may not need all enforcement points described in Usage restriction reference. For example, if your application does not allow users to print content, it does not need to check for the IPC_GENERIC_PRINT right.

  • Update your code to perform an access check at each enforcement point

    For guidance about how to enforce specific rights, see Usage restriction reference.

Usage restriction reference

Usage restrictions are defined by the following constants.

Each user right, listed in the AD RMS right column, has a description, an enforcement point, and suggested methods for enforcement.

AD RMS right/description How to enforce
IPC_GENERIC_ALL

Grants all rights to the user.

Common Enforcement Points: None
This right is used by the system and generally should not be checked directly.

IpcAccessCheck uses this right to determine whether to grant the user other rights as in this example.

/* fAccessGranted is set to TRUE if either the IPC_GENERIC_WRITE or the IPC_GENERIC_ALL right is granted */

IpcAccessCheck(hKey, IPC_GENERIC_WRITE, &fAccessGranted);
IPC_GENERIC_READ

The right to read document contents.

Common Enforcement Points: Document load
Don't load or present document contents
IPC_GENERIC_WRITE

The right to edit document contents

Common Enforcement Points: Document modification
Make any UI controls that can be used to modify document contents non-editable.

Disable any menu items that trigger document changes. Edit > Cut, Edit > Paste, and Insert are typical examples.

Disable any shortcut menu items that trigger document changes.
No AD RMS right

No description

Common Enforcement Points: Save
Disable the File > Save menu.

Note This right does not control File > Save As because that right does not represent a change to the original document.

Disable any keyboard shortcut that can be used to trigger a save (for example, Ctrl+S).

Tip A best practice is to update your core File > Save code to fail if the user doesn't have this right. This acts as a safety net if you miss any UX mechanisms that can be used to trigger a save.
IPC_GENERIC_EXTRACT

The right to extract content from a protected format and place it in an unprotected format.

Common Enforcement Points: Copy-to-clipboard
Disable the Edit > Copy menu. Disable the Edit > Cut menu.

Disable Copy and Cut from any shortcut menus.

Disable any keyboard shortcut that can be used to trigger a copy (for example, Ctrl+C or Ctrl+X).

Update window message handlers for WM_CUT to reject copying of data if the user does not have this right. If the window is using the default Windows-provided message handler, subclass this window and provide your own handlers for WM_COPY and WM_CUT.
No AD RMS right

No description

Common Enforcement Points: Save As
In your Save As dialog box, disable any file formats that would result in the document being saved without RMS protection.
No AD RMS right

No description

Common Enforcement Points: Alt+PrtScn
Call IpcProtectWindow on any windows that render document contents.
IPC_GENERIC_EXPORT

The right to extract content from a protected format and place it in a different AD RMS-protected format.

Common Enforcement Points: Save As
In your Save As dialog box, disable the ability to save to any other file formats.

TipA best practice is to update your core File > Save As code to fail if the user attempts to save this file to a different format and doesn't have this right. This acts as a safety net if you miss any UX mechanisms that can be used to trigger a save as.
IPC_GENERIC_PRINT

The right to print document contents.

Common Enforcement Points: Print
Disable the File > Print menu.

Disable any keyboard shortcut that could be used to trigger a print (for example, Ctrl+P).

Disable shortcut menu items that could be used to trigger a print.

Tip A best practice is to update your core File > Print code to fail if the user doesn't have this right. This acts as a safety net if you miss any UX mechanisms that can be used to trigger a print.
IPC_GENERIC_COMMENT

Some applications support the ability to add comments and annotations to the document without updating core document contents.

This right grants the user access to this capability.

Common Enforcement Points:

Review > Insert comment

Review > Delete Comment
Disable any menu items that can be used to modify document comments or annotations. Review > Insert comment and Review > Delete Comment are examples.

Disable any keyboard shortcut that could trigger modification of document comments.

Note A default implementation requires both IPC_GENERIC_COMMENT and IPC_GENERIC_WRITE to persist new comments to a file. Applications may choose to add support for the case where the IPC_GENERIC_COMMENT right is granted and the IPC_GENERIC_WRITE right is not. In this case, it is permitted to allow Save, as long as document modifications are restricted to comments only.
IPC_VIEW_RIGHTS

No description

Common Enforcement Points: N/A
Enforced by the system. The system will not allow the developer to query the user rights list from a license unless this right is granted.
IPC_EDIT_RIGHTS

Some applications allow users to modify the set of users and rights for AD RMS-protected content.

This right grants the user access to this capability.

Common Enforcement Points: Application rights editing UI control
Disable user access to any UI that can be used to edit the RMS policy for a document.

Comments

Before commenting, we ask that you review our House rules.