4.1 Accessing Protected Information as a Member of an Authorized Group
An end user requires an authorization token (use license (UL)) issued by an RMS server to access protected content. One of the conditions evaluated by the server when generating such an authorization token is the user's current membership in any groups that are authorized to consume the information, as specified by the policy of the protected content.
The following example applies to the IsPrincipalMemberOf operation for either the Binary Group Expansion interface or the Group Expansion over SOAP port type.
1. Usage policy is extracted from protected content by the application.
The application extracts (or retrieves) the usage policy (publishing license (PL)) from wherever the application has stored it. Storage of the usage policy associated with protected information (or content) is the responsibility of the application.
2. AcquireLicense method is called.

Figure 7: AcquireLicense method is called

- The PL acquired in step 1 represents the complete usage policy issued by the author of the protected content. For the protected content to be consumable by an individual user, an authorization token (UL) must be issued by the server. This authorization token expresses what an individual user can do with the protected content.
- The client calls the AcquireLicense web method, providing the requesting user's RMS account certificate (RAC) and the protected content PL, and passing any application-specific data provided by the application.
- The server verifies that the RAC and PL were issued by an entity or entities it trusts. It then evaluates the full usage policy as it applies to the specific user named in the RAC, including verifying whether the user is a member of any groups specified by the author as having authorization to access the protected information (or content).
- To verify group membership, the server either invokes a local IsPrincipalMemberOf procedure call to consult the directory in the local domain, or contacts an RMS server located in an external domain to consult that domain's directory by way of the IsPrincipalMemberOf remote procedure call (RPC). The result of either is a Boolean response indicating whether the named user is a member of a named group (or groups).
- The server then issues a UL containing the set of usage policies that apply to the user, signs the UL, and returns it to the client.
3. Decryption of protected information (or content) using client APIs and authorization policy keys occurs.
The client receiving the UL from the server then uses the UL to decrypt and consume the protected content.
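As an added illustration of steps 2 and 3 above (a constructed Python model, not the RMS protocol's own code, wire format or API): the server checks issuer trust on the RAC and PL, evaluates the PL's grants for the user through an IsPrincipalMemberOf-style Boolean membership lookup routed by the group's domain, and returns a signed UL that the client verifies before use. The issuer names, directories, signing key and Cert fields are all assumed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed data: trusted issuers, a signing key, and two domain directories
# (local corp.example, external partner.example) mapping group -> members.
TRUSTED_ISSUERS = {"rms.corp.example"}
SERVER_KEY = b"constructed-server-signing-key"
DIRECTORIES = {
    "corp.example": {"finance@corp.example": {"alice@corp.example"}},
    "partner.example": {"auditors@partner.example": {"alice@corp.example"}},
}

def is_principal_member_of(principal: str, group: str) -> bool:
    """Boolean check modelled on IsPrincipalMemberOf: a corp.example group is
    resolved locally; any other domain stands in for the RPC to that
    domain's RMS server, which consults its own directory."""
    domain = group.split("@", 1)[1]
    return principal in DIRECTORIES.get(domain, {}).get(group, set())

@dataclass
class Cert:
    """Stand-in for the RAC (issuer, subject) and the PL (issuer, grants)."""
    issuer: str
    subject: str = ""
    grants: dict = field(default_factory=dict)  # principal -> rights

def acquire_license(rac: Cert, pl: Cert) -> Optional[dict]:
    """Server side of AcquireLicense: trust check, policy evaluation, signed UL."""
    # Both the RAC and the PL must come from an issuer the server trusts.
    if rac.issuer not in TRUSTED_ISSUERS or pl.issuer not in TRUSTED_ISSUERS:
        return None
    # Rights granted to the user directly, plus rights granted to any group
    # the directory says the user belongs to.
    rights = set(pl.grants.get(rac.subject, ()))
    for principal, granted in pl.grants.items():
        if principal != rac.subject and is_principal_member_of(rac.subject, principal):
            rights |= set(granted)
    if not rights:
        return None  # no grant applies, so no UL is issued
    body = {"user": rac.subject, "rights": sorted(rights)}
    payload = json.dumps(body, sort_keys=True).encode()  # HMAC stands in for the signature
    return {"ul": body, "sig": hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()}

def verify_ul(ul: dict) -> bool:
    """Client-side check of the UL signature before the UL is used."""
    payload = json.dumps(ul["ul"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest(), ul["sig"])
```

A real deployment signs the UL with the server's private key and the client verifies with its certificate; the shared HMAC key here only keeps the model self-contained.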