2.5.4.11 Decommission Server - ISV Application

Goal

Stop using RMS, while still allowing RMS-protected content to be used.

Context of use

If an organization decides to stop using RMS entirely and to remove its deployment, it needs to remove RMS protection from content. One method is to have users with owner rights to each piece of content remove the protection. Realistically, however, it might not be possible to find these users because they might no longer belong to the organization in question. Another approach is to use the Decommissioning interface to extract the content key from a publishing license (PL) and return it so that it can then be used to decrypt the content. Because each protected document has a PL, and each PL has its own content key, this process is repeated for each protected document that will have its protection removed.

Note When servicing the request, the RMS server does not verify that the requestor is supposed to be granted access to the content as specified in the PL. Rather, the RMS server returns the content key to any requestor. As a result, the Decommissioning interface is disabled for normal operation by default.

Actors

  • Direct actor: The direct actor of this use case is the RMS administrator.

  • Primary actor: The primary actor is the RMS server.

  • Supporting actors: Any other RMS servers in the system.

Stakeholders and interests

  • RMS administrator, as described in section 2.5.1.

  • ISV application, as described in section 2.5.1.

  • Client computer, as described in section 2.5.1.

  • RMS server, as described in section 2.5.1.

Preconditions

The RMS server has been bootstrapped into the system and has not yet been decommissioned.

Minimal guarantees

The content key is extracted from the PL. The protected content that is secured by the PL can be decrypted by using the content key.

Success guarantee

Content keys are extracted from all PLs. All protected content can be decrypted by using the corresponding content keys.

Main success scenario

  1. Trigger: RMS is being decommissioned at the enterprise level.

  2. The RMS administrator enables decommissioning on the RMS server, so that the AcquireContentKey operation can be accessed.

  3. The RMS administrator uses the AcquireContentKey method to request the content key for a PL in RMS and decrypts the content that is safeguarded by that PL.

  4. For the success guarantee, the RMS administrator repeats step 2 for each PL in RMS.

Extensions

None.