2.1 Overview

RMS has three major roles: the creator, the consumer, and the server. The creator builds content and chooses an access policy for that content. When the RMS creator protects the content, it is encrypted by using a randomly generated content key. Both this key and the access policy are bound to the content in the form of a publishing license (PL).

The consumer, upon receiving the document from the creator and opening it, supplies the server with the PL and the consumer's identity. If the consumer is granted access, according to the access policy in the license, the server issues the consumer a use license (UL) that specifies the access policy for the consumer and binds the content decryption key to the consumer's identity.

A client (or an ISV extension application) can play the role of a creator, a consumer, or both, depending on the type of implementation. The client is responsible for requesting certificates, licenses, and policies from the server. The client is also responsible for enforcing authorization policies as they apply to protected information and for encrypting or decrypting content as appropriate.

The server role in RMS is responsible for issuing certificates, keys, and authorization policies, and for signing these issued certificates and policies with keys that it holds in escrow. It is also responsible for evaluating and issuing authorization policies that are based on identity credentials that the client provides in protocol requests.
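The three roles and the PL/UL flow above can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not RMS code and not the protocol's wire format: HMAC-SHA256 keystreams stand in for the RSA key wrapping and symmetric content encryption RMS actually uses, licenses are plain dicts rather than XrML, consumer enrollment is a stand-in for certification, and the creator hands the content key to the server over an assumed-secure channel rather than encrypting it to the server's public key. The identities and the document text are constructed sample values. What the toy does preserve is the division of duties described above: the creator generates a random content key and an access policy, the server binds them into a signed publishing license, evaluates that policy when a consumer presents the PL with an identity, and rebinds the content key to that consumer in a use license, while the client enforces the granted rights locally.

```python
"""Toy model of the RMS creator / consumer / server roles.

Constructed illustration, not RMS code: HMAC-SHA256 keystreams replace
the RSA wrapping and symmetric content cipher RMS uses, licenses are dicts
instead of XrML, and the creator passes the content key to the server over
an assumed-secure channel instead of encrypting it to the server's public key.
"""
import hashlib
import hmac
import json
import secrets


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, label || counter).
    Applying it twice with the same key and label restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, label + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class RmsServer:
    """Server role: holds escrowed keys, signs licenses, evaluates access policy."""

    def __init__(self):
        self.escrow_key = secrets.token_bytes(32)   # wraps content keys inside PLs
        self.signing_key = secrets.token_bytes(32)  # signs every issued license
        self.consumer_keys = {}                     # identity -> key issued at enrollment

    def enroll_consumer(self, identity: str) -> bytes:
        """Stand-in for certifying a consumer: issue a key the server remembers."""
        key = secrets.token_bytes(32)
        self.consumer_keys[identity] = key
        return key

    def sign(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.signing_key, canonical, hashlib.sha256).hexdigest()

    def issue_publishing_license(self, content_key: bytes, policy: dict) -> dict:
        """Bind the wrapped content key and the access policy into a signed PL."""
        body = {"wrapped_key": keystream_xor(self.escrow_key, b"PL", content_key).hex(),
                "policy": policy}
        return {"body": body, "signature": self.sign(body)}

    def acquire_use_license(self, pl: dict, identity: str) -> dict:
        """Evaluate the PL policy for this identity; if granted, issue a UL that
        rebinds the content key to the consumer's own key."""
        if not hmac.compare_digest(self.sign(pl["body"]), pl["signature"]):
            raise PermissionError("publishing license has been tampered with")
        if identity not in self.consumer_keys:
            raise PermissionError(f"{identity} is not an enrolled consumer")
        rights = pl["body"]["policy"].get(identity)
        if not rights:
            raise PermissionError(f"{identity} is not granted access by the policy")
        content_key = keystream_xor(self.escrow_key, b"PL",
                                    bytes.fromhex(pl["body"]["wrapped_key"]))
        body = {"identity": identity, "rights": sorted(rights),
                "wrapped_key": keystream_xor(self.consumer_keys[identity], b"UL",
                                             content_key).hex()}
        return {"body": body, "signature": self.sign(body)}


def protect(server: RmsServer, plaintext: bytes, policy: dict):
    """Creator role: encrypt under a fresh random content key and obtain a PL."""
    content_key = secrets.token_bytes(32)
    ciphertext = keystream_xor(content_key, b"content", plaintext)
    return ciphertext, server.issue_publishing_license(content_key, policy)


def consume(server, ciphertext, pl, identity, consumer_key, right):
    """Consumer role: present PL + identity, receive a UL, enforce its rights
    locally (the client's job), then unwrap the content key and decrypt."""
    ul = server.acquire_use_license(pl, identity)
    if right not in ul["body"]["rights"]:
        raise PermissionError(f"use license does not grant {right}")
    content_key = keystream_xor(consumer_key, b"UL", bytes.fromhex(ul["body"]["wrapped_key"]))
    return keystream_xor(content_key, b"content", ciphertext)


if __name__ == "__main__":
    srv = RmsServer()
    alice_key = srv.enroll_consumer("alice@example.com")      # constructed identities
    bob_key = srv.enroll_consumer("bob@example.com")
    ct, pl = protect(srv, b"board minutes (constructed sample)", {"alice@example.com": ["VIEW"]})
    print(consume(srv, ct, pl, "alice@example.com", alice_key, "VIEW"))
    for ident, key, right in [("bob@example.com", bob_key, "VIEW"),
                              ("alice@example.com", alice_key, "EDIT")]:
        try:
            consume(srv, ct, pl, ident, key, right)
        except PermissionError as err:
            print("denied:", err)
```

Two details carry the security point of the overview: the server checks the PL signature before it evaluates the policy, so a consumer cannot widen the policy by editing the license it was handed, and the content key never leaves the server unwrapped except under the requesting consumer's own key, so a UL issued to one identity is useless to another.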