Configuring usage rights for Azure Information Protection

Applies to: Azure Information Protection, Office 365

When you configure sensitivity labels or protection templates for encryption, you select the usage rights that are then applied automatically when the label or template is selected by users, administrators, or configured services. For example, in the Azure portal you can select roles that configure a logical grouping of usage rights, or you can configure the individual rights. Alternatively, users might select and apply the usage rights themselves.

Use this article to help you configure the usage rights you want for the application you're using, and to understand how these rights are designed to be interpreted by applications. However, applications can vary in how they implement the rights, so always consult their documentation and do your own testing with the applications that your users use to check the behavior before you deploy in production.

Note

For completeness, this article includes values from the Azure classic portal, which was retired on January 08, 2018.

Usage rights and descriptions

The following table lists and describes the usage rights that Rights Management supports, and how they are used and interpreted. They are listed by their common name, which is typically how you see the usage right displayed or referenced: a friendlier version of the single-word value that is used in code (the "Encoding in policy" value).

In this table:

  • The API constant or value is the SDK name for an MSIPC API call, used when you write an application that checks for a usage right or adds a usage right to a policy.

  • The labeling admin center refers to where you configure sensitivity labels, and can be the Microsoft 365 compliance center, the Microsoft 365 security center, or the Office 365 Security & Compliance Center.

Each entry below gives the usage right (common name and encoding in policy), its description, and its implementation in the different admin experiences and in the SDK.

Common name: Edit Content, Edit
Encoding in policy: DOCEDIT
Description: Allows the user to modify, rearrange, format, or sort the content inside the application. It does not grant the right to save the edited copy.
In Word, unless you have Office 365 ProPlus with a minimum version of 1807, this right isn't sufficient to turn on or turn off Track Changes, or to use all the track changes features as a reviewer. Instead, using all the track changes options requires the Full Control right.
Implementation:
  Office custom rights: As part of the Change and Full Control options.
  Name in the Azure classic portal: Edit Content
  Name in the labeling admin center and Azure portal: Edit Content, Edit (DOCEDIT)
  Name in AD RMS templates: Edit
  API constant or value: Not applicable.

Common name: Save
Encoding in policy: EDIT
Description: Allows the user to save the document to the current location.
In Office applications, this right also allows the user to modify the document and save it to a new location and a new name if the selected file format natively supports Rights Management protection. The file format restriction ensures that the original protection cannot be removed from the file.
Implementation:
  Office custom rights: As part of the Change and Full Control options.
  Name in the Azure classic portal: Save File
  Name in the labeling admin center and Azure portal: Save (EDIT)
  Name in AD RMS templates: Save
  API constant or value: IPC_GENERIC_WRITE L"EDIT"

Common name: Comment
Encoding in policy: COMMENT
Description: Enables the option to add annotations or comments to the content.
This right is available in the SDK, is available as an ad-hoc policy in the AzureInformationProtection and RMS Protection modules for Windows PowerShell, and has been implemented in some software vendor applications. However, it is not widely used and is not supported by Office applications.
Implementation:
  Office custom rights: Not implemented.
  Name in the Azure classic portal: Not implemented.
  Name in the labeling admin center and Azure portal: Not implemented.
  Name in AD RMS templates: Not implemented.
  API constant or value: IPC_GENERIC_COMMENT L"COMMENT"

Common name: Save As, Export
Encoding in policy: EXPORT
Description: Enables the option to save the content to a different file name (Save As).
For the Azure Information Protection client, the file can be saved without protection, and can also be reprotected with new settings and permissions. These permitted actions mean that a user who has this right can change or remove an Azure Information Protection label from a protected document or email.
This right also allows the user to perform other export options in applications, such as Send to OneNote.
Implementation:
  Office custom rights: As part of the Full Control option.
  Name in the Azure classic portal: Export Content (Save As)
  Name in the labeling admin center and Azure portal: Save As, Export (EXPORT)
  Name in AD RMS templates: Export (Save As)
  API constant or value: IPC_GENERIC_EXPORT L"EXPORT"

Common name: Forward
Encoding in policy: FORWARD
Description: Enables the option to forward an email message and to add recipients to the To and Cc lines. This right does not apply to documents; only to email messages.
Does not allow the forwarder to grant rights to other users as part of the forward action.
When you grant this right, also grant the Edit Content, Edit right (common name), and additionally grant the Save right (common name), to ensure that the protected email message is not delivered as an attachment. Also specify these rights when you send an email to another organization that uses the Outlook client or Outlook on the web, or for users in your organization who are exempt from using Rights Management protection because you have implemented onboarding controls.
Implementation:
  Office custom rights: Denied when using the Do Not Forward standard policy.
  Name in the Azure classic portal: Forward
  Name in the labeling admin center and Azure portal: Forward (FORWARD)
  Name in AD RMS templates: Forward
  API constant or value: IPC_EMAIL_FORWARD L"FORWARD"

Common name: Full Control
Encoding in policy: OWNER
Description: Grants all rights to the document, so that all available actions can be performed.
Includes the ability to remove protection and reprotect a document.
Note that this usage right is not the same as the Rights Management owner (see "Rights Management issuer and Rights Management owner" later in this article).
Implementation:
  Office custom rights: As the Full Control custom option.
  Name in the Azure classic portal: Full Control
  Name in the labeling admin center and Azure portal: Full Control (OWNER)
  Name in AD RMS templates: Full Control
  API constant or value: IPC_GENERIC_ALL L"OWNER"

Common name: Print
Encoding in policy: PRINT
Description: Enables the option to print the content.
Implementation:
  Office custom rights: As the Print Content option in custom permissions. Not a per-recipient setting.
  Name in the Azure classic portal: Print
  Name in the labeling admin center and Azure portal: Print (PRINT)
  Name in AD RMS templates: Print
  API constant or value: IPC_GENERIC_PRINT L"PRINT"

Common name: Reply
Encoding in policy: REPLY
Description: Enables the Reply option in an email client, without allowing changes to the To or Cc lines.
When you grant this right, also grant the Edit Content, Edit right (common name), and additionally grant the Save right (common name), to ensure that the protected email message is not delivered as an attachment. Also specify these rights when you send an email to another organization that uses the Outlook client or Outlook on the web, or for users in your organization who are exempt from using Rights Management protection because you have implemented onboarding controls.
Implementation:
  Office custom rights: Not applicable.
  Name in the Azure classic portal: Reply
  Name in the labeling admin center and Azure portal: Reply (REPLY)
  Name in AD RMS templates: Reply
  API constant or value: IPC_EMAIL_REPLY L"REPLY"

Common name: Reply All
Encoding in policy: REPLYALL
Description: Enables the Reply All option in an email client, but doesn't allow the user to add recipients to the To or Cc lines.
When you grant this right, also grant the Edit Content, Edit right (common name), and additionally grant the Save right (common name), to ensure that the protected email message is not delivered as an attachment. Also specify these rights when you send an email to another organization that uses the Outlook client or Outlook on the web, or for users in your organization who are exempt from using Rights Management protection because you have implemented onboarding controls.
Implementation:
  Office custom rights: Not applicable.
  Name in the Azure classic portal: Reply All
  Name in the labeling admin center and Azure portal: Reply All (REPLYALL)
  Name in AD RMS templates: Reply All
  API constant or value: IPC_EMAIL_REPLYALL L"REPLYALL"

Common name: View, Open, Read
Encoding in policy: VIEW
Description: Allows the user to open the document and see the content.
In Excel, this right isn't sufficient to sort data, which requires the Edit Content, Edit right. To filter data in Excel, you need two rights: Edit Content, Edit and Copy.
Implementation:
  Office custom rights: As the Read custom policy, View option.
  Name in the Azure classic portal: View
  Name in the labeling admin center and Azure portal: View, Open, Read (VIEW)
  Name in AD RMS templates: Read
  API constant or value: IPC_GENERIC_READ L"VIEW"

Common name: Copy
Encoding in policy: EXTRACT
Description: Enables options to copy data (including screen captures) from the document into the same or another document.
In some applications, it also allows the whole document to be saved in unprotected form.
In Skype for Business and similar screen-sharing applications, the presenter must have this right to successfully present a protected document. If the presenter does not have this right, the attendees cannot view the document and it displays as blacked out to them.
Implementation:
  Office custom rights: As the "Allow users with Read access to copy content" custom policy option.
  Name in the Azure classic portal: Copy and Extract content
  Name in the labeling admin center and Azure portal: Copy (EXTRACT)
  Name in AD RMS templates: Extract
  API constant or value: IPC_GENERIC_EXTRACT L"EXTRACT"

Common name: View Rights
Encoding in policy: VIEWRIGHTSDATA
Description: Allows the user to see the policy that is applied to the document.
Not supported by Office apps or the Azure Information Protection clients.
Implementation:
  Office custom rights: Not implemented.
  Name in the Azure classic portal: View Assigned Rights
  Name in the labeling admin center and Azure portal: View Rights (VIEWRIGHTSDATA)
  Name in AD RMS templates: View Rights
  API constant or value: IPC_READ_RIGHTS L"VIEWRIGHTSDATA"

Common name: Change Rights
Encoding in policy: EDITRIGHTSDATA
Description: Allows the user to change the policy that is applied to the document. This includes removing protection.
Not supported by Office apps or the Azure Information Protection clients.
Implementation:
  Office custom rights: Not implemented.
  Name in the Azure classic portal: Change Rights
  Name in the labeling admin center and Azure portal: Edit Rights (EDITRIGHTSDATA)
  Name in AD RMS templates: Edit Rights
  API constant or value: IPC_WRITE_RIGHTS L"EDITRIGHTSDATA"

Common name: Allow Macros
Encoding in policy: OBJMODEL
Description: Enables the option to run macros or to perform other programmatic or remote access to the content in a document.
Implementation:
  Office custom rights: As the Allow Programmatic Access custom policy option. Not a per-recipient setting.
  Name in the Azure classic portal: Allow Macros
  Name in the labeling admin center and Azure portal: Allow Macros (OBJMODEL)
  Name in AD RMS templates: Allow Macros
  API constant or value: Not implemented.

Rights included in permissions levels

Some applications group usage rights together into permissions levels, to make it easier to select usage rights that are typically used together. These permissions levels abstract a level of complexity away from users, so they can choose role-based options such as Reviewer and Co-Author. Although these options often show users a summary of the rights, they might not include every right that is listed in the previous table.

Use the following table for a list of these permissions levels and a complete list of the usage rights that they contain. The usage rights are listed by their common name.

Permissions level: Viewer
Applications: Azure classic portal; Azure portal; Azure Information Protection client for Windows
Usage rights included: View, Open, Read; View Rights; Reply [1]; Reply All [1]; Allow Macros [2]
Note: For emails, use Reviewer rather than this permission level, to ensure that an email reply is received as an email message rather than as an attachment. Reviewer is also required when you send an email to another organization that uses the Outlook client or Outlook on the web, or for users in your organization who are exempt from using the Azure Rights Management service because you have implemented onboarding controls.

Permissions level: Reviewer
Applications: Azure classic portal; Azure portal; Azure Information Protection client for Windows
Usage rights included: View, Open, Read; Save; Edit Content, Edit; View Rights; Reply [3]; Reply All [3]; Forward [3]; Allow Macros [2]

Permissions level: Co-Author
Applications: Azure classic portal; Azure portal; Azure Information Protection client for Windows
Usage rights included: View, Open, Read; Save; Edit Content, Edit; Copy; View Rights; Allow Macros; Save As, Export [4]; Print; Reply [3]; Reply All [3]; Forward [3]

Permissions level: Co-Owner
Applications: Azure classic portal; Azure portal; Azure Information Protection client for Windows
Usage rights included: View, Open, Read; Save; Edit Content, Edit; Copy; View Rights; Change Rights; Allow Macros; Save As, Export; Print; Reply [3]; Reply All [3]; Forward [3]; Full Control

Footnote 1

Not included in the labeling admin center or the Azure portal.

Footnote 2

For the Azure Information Protection client for Windows, this right is required for the Information Protection bar in Office apps.

Footnote 3

Not applicable to the Azure Information Protection client for Windows.

Footnote 4

Not included in the labeling admin center, the Azure portal, or the Azure Information Protection client for Windows.
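The following is an added example, not code from the original article or from Microsoft: it turns the "Encoding in policy" values from the usage rights table and the groupings from the permissions levels table into an ad-hoc license with the AzureInformationProtection PowerShell module, and protects a file with it. It also carries out the check the Forward, Reply and Reply All entries ask for (grant Edit Content, Edit and Save alongside the email rights so replies are not delivered as attachments). The module, the Protect-RMSFile, Get-RMSFileStatus and New-RMSProtectionLicense cmdlets and the VIEW/EDIT/DOCEDIT-style permission names are from the real module; the file path, the email addresses, the Test-EmailRightSet and New-LevelLicense helper names, and the assumption that the caller is already signed in to the Azure Rights Management service are this example's own.

```powershell
# Added example (not from the original article). Assumes the AzureInformationProtection
# module is installed and the calling user is already signed in; paths and addresses
# are placeholders.
Import-Module AzureInformationProtection

# Rights by policy encoding, grouped as in the "Rights included in permissions levels" table.
# Email-only rights (REPLY, REPLYALL, FORWARD) do nothing for a document but are kept so
# the sets match the table exactly.
$Levels = @{
    Viewer   = @('VIEW', 'VIEWRIGHTSDATA', 'REPLY', 'REPLYALL', 'OBJMODEL')
    Reviewer = @('VIEW', 'EDIT', 'DOCEDIT', 'VIEWRIGHTSDATA', 'REPLY', 'REPLYALL', 'FORWARD', 'OBJMODEL')
    CoAuthor = @('VIEW', 'EDIT', 'DOCEDIT', 'EXTRACT', 'VIEWRIGHTSDATA', 'OBJMODEL', 'EXPORT', 'PRINT',
                 'REPLY', 'REPLYALL', 'FORWARD')
    CoOwner  = @('VIEW', 'EDIT', 'DOCEDIT', 'EXTRACT', 'VIEWRIGHTSDATA', 'EDITRIGHTSDATA', 'OBJMODEL',
                 'EXPORT', 'PRINT', 'REPLY', 'REPLYALL', 'FORWARD', 'OWNER')
}

# Check from the table: any email right should be accompanied by DOCEDIT and EDIT, otherwise
# a reply to the protected message can arrive as an attachment. Returns the missing rights.
function Test-EmailRightSet {
    param([Parameter(Mandatory)] [string[]] $Permission)
    $emailRights = @('REPLY', 'REPLYALL', 'FORWARD')
    $hasEmailRight = @($Permission | Where-Object { $emailRights -contains $_ }).Count -gt 0
    if (-not $hasEmailRight) { return @() }
    return @('DOCEDIT', 'EDIT') | Where-Object { $Permission -notcontains $_ }
}

# Build an explicit ad-hoc license for one permissions level (helper name is this example's).
function New-LevelLicense {
    param(
        [Parameter(Mandatory)] [ValidateSet('Viewer', 'Reviewer', 'CoAuthor', 'CoOwner')] [string] $Level,
        [Parameter(Mandatory)] [string[]] $UserEmail,
        [int] $ValidForDays = 30
    )
    $rights = $Levels[$Level]
    $missing = Test-EmailRightSet -Permission $rights
    if ($missing.Count -gt 0) {
        Write-Warning "$Level grants email rights without $($missing -join ', '); replies may arrive as attachments."
    }
    # The license is an explicit list of rights per recipient, not a role name.
    New-RMSProtectionLicense -UserEmail $UserEmail -Permission $rights -ValidForDays $ValidForDays
}

$file      = 'C:\Data\plan.docx'            # placeholder
$reviewers = @('bob@contoso.example')       # placeholder

# Viewer warns (REPLY/REPLYALL without DOCEDIT and EDIT), matching the note in the table;
# Reviewer does not.
$null    = New-LevelLicense -Level Viewer   -UserEmail $reviewers
$license = New-LevelLicense -Level Reviewer -UserEmail $reviewers

Protect-RMSFile -File $file -License $license -InPlace
Get-RMSFileStatus -File $file    # expect Status = Protected
```

Ad-hoc licenses like this one are the only way to grant the COMMENT right from PowerShell, but, as the table notes, Office applications do not honour it, so test with the applications your users actually run before relying on a custom right set.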

Rights included in the default templates

The following table lists the usage rights that are included when the default templates are created. The usage rights are listed by their common name.

These default templates are created when your subscription is purchased, and their names and usage rights can be changed in the Azure portal and with PowerShell.

Display name of template: <organization name> - Confidential View Only, or Highly Confidential \ All Employees
Usage rights, October 6, 2017 to current date: View, Open, Read; Copy; View Rights; Allow Macros; Print; Forward; Reply; Reply All; Save; Edit Content, Edit
Usage rights before October 6, 2017: View, Open, Read

Display name of template: <organization name> - Confidential, or Confidential \ All Employees
Usage rights, October 6, 2017 to current date: View, Open, Read; Save As, Export; Copy; View Rights; Change Rights; Allow Macros; Print; Forward; Reply; Reply All; Save; Edit Content, Edit; Full Control
Usage rights before October 6, 2017: View, Open, Read; Save As, Export; Edit Content, Edit; View Rights; Allow Macros; Forward; Reply; Reply All

Do Not Forward option for emails

Exchange clients and services (for example, the Outlook client, Outlook on the web, Exchange mail flow rules, and DLP actions for Exchange) have an additional information rights protection option for emails: Do Not Forward.

Although this option appears to users (and to Exchange administrators) as if it were a default Rights Management template that they can select, Do Not Forward is not a template. That is why you cannot see it in the Azure portal when you view and manage protection templates. Instead, the Do Not Forward option is a set of usage rights that is dynamically applied by users to their email recipients.

When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. The recipients then cannot forward it, print it, or copy from it. For example, in the Outlook client the Forward button is not available, the Save As and Print menu options are not available, and you cannot add or change recipients in the To, Cc, or Bcc boxes.

Unprotected Office documents that are attached to the email automatically inherit the same restrictions. The usage rights applied to these documents are Edit Content, Edit; Save; View, Open, Read; and Allow Macros. If you want different usage rights for an attachment, or your attachment is not an Office document that supports this inherited protection, protect the file before you attach it to the email. You can then assign the specific usage rights that you need for the file.

Difference between Do Not Forward and not granting the Forward usage right

There is an important distinction between applying the Do Not Forward option and applying a template that doesn't grant the Forward usage right to an email: the Do Not Forward option uses a dynamic list of authorized users that is based on the sender's chosen recipients of the original email, whereas the rights in a template use a static list of authorized users that the administrator specified in advance. What's the difference in practice? Take an example:

A user wants to email some information to specific people in the Marketing department that shouldn't be shared with anybody else. Should she protect the email with a template that restricts rights (viewing, replying, and saving) to the Marketing department? Or should she choose the Do Not Forward option? Both choices result in the recipients being unable to forward the email.

  • If she applies the template, the recipients can still share the information with others in the Marketing department. For example, a recipient could use Explorer to drag and drop the email to a shared location or a USB drive. Now anybody from the Marketing department (and the email owner) who has access to this location can view the information in the email.

  • If she applies the Do Not Forward option, the recipients cannot share the information with anybody else in the Marketing department by moving the email to another location. In this scenario, only the original recipients (and the email owner) can view the information in the email.

Note

Use Do Not Forward when it's important that only the recipients the sender chooses should see the information in the email. Use a template for emails when you want to restrict rights to a group of people that the administrator specifies in advance, independently of the sender's chosen recipients.

Encrypt-Only option for emails

When Exchange Online uses the new capabilities for Office 365 Message Encryption, a new email option becomes available: Encrypt-Only.

This option is available to tenants who use Exchange Online, and can be selected in Outlook on the web, as another rights protection option for a mail flow rule, as an Office 365 DLP action, and from Outlook (minimum version 1804 for Office 365 ProPlus, and minimum version 1805 when you have Office 365 apps that support Azure RMS). For more information about the Encrypt-Only option, see the blog post announcement from the Office team: Encrypt only rolling out in Office 365 Message Encryption.

When this option is selected, the email is encrypted and recipients must be authenticated. The recipients then have all usage rights except Save As, Export and Full Control. This combination of usage rights means that the recipients have no restrictions except that they cannot remove the protection. For example, a recipient can copy from the email, print it, and forward it.

Similarly, by default, unprotected Office documents that are attached to the email inherit the same permissions. These documents are automatically protected, and when they are downloaded they can be saved, edited, copied, and printed from Office applications by the recipients. When the document is saved by a recipient, it can be saved under a new name and even in a different format. However, only file formats that support protection are available, so the document cannot be saved without the original protection. If you want different usage rights for an attachment, or your attachment is not an Office document that supports this inherited protection, protect the file before you attach it to the email. You can then assign the specific usage rights that you need for the file.

Alternatively, you can change this protection inheritance for documents by specifying Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true with Exchange Online PowerShell. Use this configuration when you don't need to retain the original protection for the document after the user is authenticated. When recipients open the email message, the document is not protected.

If you do need an attached document to retain the original protection, see Secure document collaboration by using Azure Information Protection.

Note: If you see references to DecryptAttachmentFromPortal, this parameter is now deprecated for Set-IRMConfiguration. Unless you previously set this parameter, it is not available.

Automatically encrypt PDF documents with Exchange Online

When Exchange Online uses the new capabilities for Office 365 Message Encryption, you can automatically encrypt unprotected PDF documents when they are attached to an encrypted email. The document inherits the same permissions as the email message. To enable this configuration, set EnablePdfEncryption $True with Set-IRMConfiguration.

Recipients who don't already have a reader installed that supports the ISO standard for PDF encryption can install one of the readers listed in PDF readers that support Microsoft Information Protection. Alternatively, recipients can read the protected PDF document in the OME portal.
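The following is an added example, not code from the original article or from Microsoft, covering both the Encrypt-Only attachment setting and the PDF encryption setting described in the two sections above. Set-IRMConfiguration and its DecryptAttachmentForEncryptOnly and EnablePdfEncryption parameters are taken from those sections; Get-IRMConfiguration, Connect-ExchangeOnline and the ExchangeOnlineManagement module are the standard Exchange Online PowerShell tooling. The assumption that Get-IRMConfiguration exposes the two settings under the same property names, and the Get-EncryptOnlyAttachmentSettings helper name, are this example's own.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Helper (name is this example's) that reads just the two settings this page discusses.
# Assumes the IRM configuration object exposes them under the parameter names used by
# Set-IRMConfiguration.
function Get-EncryptOnlyAttachmentSettings {
    Get-IRMConfiguration | Select-Object DecryptAttachmentForEncryptOnly, EnablePdfEncryption
}

'Before:'
Get-EncryptOnlyAttachmentSettings

# Encrypt-Only attachments. Pick the behaviour you need:
#   $false (default): Office attachments inherit the Encrypt-Only rights and stay protected
#                     after download, so they cannot be saved without protection.
#   $true           : attachments are delivered unprotected once the recipient has authenticated.
# Keeping protection is the safer default; only relax it when the original protection is not
# required after authentication, as the section above describes.
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $false

# Unprotected PDF attachments to an encrypted message are protected with the message's rights.
Set-IRMConfiguration -EnablePdfEncryption $true

'After:'
Get-EncryptOnlyAttachmentSettings

Disconnect-ExchangeOnline -Confirm:$false
```

Run the "Before" read on its own first; the point of reading the configuration back is that these are tenant-wide settings, so a change made for one Encrypt-Only scenario applies to every message the tenant sends with that option.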

Rights Management 颁发者和 Rights Management 所有者Rights Management issuer and Rights Management owner

使用 Azure Rights Management 服务保护文档或电子邮件时,保护该内容的帐户自动成为该内容的 Rights Management 颁发者。When a document or email is protected by using the Azure Rights Management service, the account that protects that content automatically becomes the Rights Management issuer for that content. 使用情况日志中,此帐户记录为“颁发者”**** 字段。This account is logged as the issuer field in the usage logs.

始终向 Rights Management 颁发者授予文档或电子邮件的“完全控制”使用权,此外:The Rights Management issuer is always granted the Full Control usage right for the document or email, and in addition:

  • 如果保护设置中包括过期日期,该日期到期后,Rights Management 颁发者仍然可以打开和编辑文档或电子邮件。If the protection settings include an expiry date, the Rights Management issuer can still open and edit the document or email after that date.

  • Rights Management 颁发者可始终脱机访问文档或电子邮件。The Rights Management issuer can always access the document or email offline.

  • 撤消权限后,Rights Management 颁发者仍可打开文档。The Rights Management issuer can still open a document after it is revoked.

默认情况下,此帐户也是该内容的“Rights Management 所有者”****,当创建文档或电子邮件的用户启动保护时便是如此。By default, this account is also the Rights Management owner for that content, which is the case when a user who created the document or email initiates the protection. 但是,某些情况下,管理员或服务可以代表用户保护内容。But there are some scenarios where an administrator or service can protect content on behalf of users. 例如:For example:

  • 管理员批量保护文件共享上的文件:Azure AD 中的管理员帐户保护用户文档。An administrator bulk-protects files on a file share: The administrator account in Azure AD protects the documents for the users.

  • Rights Management 连接器保护 Windows Server 文件夹上的 Office 文档:Azure AD 中为 RMS 连接器创建的服务主体帐户保护用户文档。The Rights Management connector protects Office documents on a Windows Server folder: The service principal account in Azure AD that is created for the RMS connector protects the documents for the users.

在这些情况下,Rights Management 颁发者可使用 Azure 信息保护 SDK 或 PowerShell 将 Rights Management 所有者分配给另一个帐户。In these scenarios, the Rights Management issuer can assign the Rights Management owner to another account by using the Azure Information Protection SDKs or PowerShell. 例如,将 Protect-RMSFile PowerShell cmdlet 与 Azure 信息保护客户端配合使用时,可以指定 OwnerEmail 参数,将 Rights Management 所有者分配给另一个帐户。For example, when you use the Protect-RMSFile PowerShell cmdlet with the Azure Information Protection client, you can specify the OwnerEmail parameter to assign the Rights Management owner to another account.

When the Rights Management issuer protects on behalf of users, assigning the Rights Management owner ensures that the original document or email owner has the same level of control for their protected content as if they initiated the protection themselves.

For example, the user who created the document can print it, even though it's now protected with a template that doesn't include the Print usage right. The same user can always access their document, regardless of the offline access setting or expiry date that might have been configured in that template. In addition, because the Rights Management owner has the Full Control usage right, this user can also reprotect the document to grant additional users access (at which point the user then becomes the Rights Management issuer as well as the Rights Management owner), and this user can even remove the protection. However, only the Rights Management issuer can track and revoke a document.

The Rights Management owner for a document or email is logged as the owner-email field in the usage logs.

Note that the Rights Management owner is independent from the Windows file system Owner. They are often the same but can be different, even if you don't use the SDKs or PowerShell.

Rights Management use license

When a user opens a document or email that has been protected by Azure Rights Management, a Rights Management use license for that content is granted to the user. This use license is a certificate that contains the user's usage rights for the document or email message, and the encryption key that was used to encrypt the content. The use license also contains an expiry date if this has been set, and how long the use license is valid.

A user must have a valid use license to open the content in addition to their rights account certificate (RAC), which is a certificate that's granted when the user environment is initialized and then renewed every 31 days.

For the duration of the use license, the user is not reauthenticated or reauthorized for the content. This lets the user continue to open the protected document or email without an internet connection. When the use license validity period expires, the next time the user accesses the protected document or email, the user must be reauthenticated and reauthorized.

When documents and email messages are protected by using a label or a template that defines the protection settings, you can change these settings in your label or template without having to reprotect the content. If the user has already accessed the content, the changes take effect after their use license has expired. However, when users apply custom permissions (also known as an ad-hoc rights policy) and these permissions need to change after the document or email is protected, that content must be protected again with the new permissions. Custom permissions for an email message are implemented with the Do Not Forward option.

The default use license validity period for a tenant is 30 days, and you can configure this value by using the Set-AipServiceMaxUseLicenseValidityTime PowerShell cmdlet. You can configure a more restrictive setting for when protection is applied by using a label or template:

  • When you configure a label or template in the Azure portal, the use license validity period takes its value from the Allow offline access setting.

    For more information and guidance to configure this setting in the Azure portal, see the Information about the protection settings table in the instructions for how to configure a label for Rights Management protection.

  • When you configure a template by using PowerShell, the use license validity period takes its value from the LicenseValidityDuration parameter in the Set-AipServiceTemplateProperty and Add-AipServiceTemplate cmdlets.

    For more information and guidance to configure this setting by using PowerShell, see the help for each cmdlet.
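The PowerShell path described above, as an added example that is not part of the original page or of Microsoft's own samples. It reviews the tenant-wide ceiling, tightens it, and then sets a shorter LicenseValidityDuration on an existing template and on a newly created one. The template names, rights, email address and the durations (7 days tenant-wide, 1 day for the templates) are assumed values chosen to illustrate a more restrictive policy; the template GUID is a placeholder to be taken from the Get-AipServiceTemplate output.

```powershell
# Added example (not from the original page). Requires the AIPService module and
# an administrator session established with Connect-AipService.

# 1. Tenant-wide ceiling. The page states the default is 30 days; 7 is an assumed
#    stricter value, meaning users must reauthenticate and be reauthorized at
#    least weekly, and label or template changes take effect within a week.
Get-AipServiceMaxUseLicenseValidityTime
Set-AipServiceMaxUseLicenseValidityTime -MaxUseLicenseValidityTime 7

# 2. Per-template value for an existing template. List templates first so the
#    current LicenseValidityDuration of each one is visible.
Get-AipServiceTemplate | Select-Object TemplateId, Names, LicenseValidityDuration

$templateId = 'TEMPLATE-GUID-PLACEHOLDER'   # replace with a TemplateId from the list above
Set-AipServiceTemplateProperty -TemplateId $templateId -LicenseValidityDuration 1

# 3. A new template that grants view and edit only and issues one-day use
#    licenses. Names and descriptions are keyed by LCID (1033 = English).
$names        = @{ 1033 = 'Contoso - Finance daily reauth' }          # assumed name
$descriptions = @{ 1033 = 'Finance team; use license valid for 1 day' } # assumed text
$rights = New-AipServiceRightsDefinition -EmailAddress 'finance@contoso.com' `
                                         -Rights 'VIEW', 'EDIT'          # assumed group

Add-AipServiceTemplate -Names $names `
                       -Descriptions $descriptions `
                       -RightsDefinitions $rights `
                       -LicenseValidityDuration 1 `
                       -Status Published

# 4. Confirm both settings before telling users about the change.
Get-AipServiceMaxUseLicenseValidityTime
Get-AipServiceTemplate | Select-Object TemplateId, Names, LicenseValidityDuration
```

Keep in mind the trade-off the page describes: a shorter validity period means configuration changes reach users sooner and stale access ends sooner, but users lose offline access to the content more quickly and are prompted to authenticate more often.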

See Also

Configuring and managing templates for Azure Information Protection

Configuring super users for Azure Information Protection and discovery services or data recovery