IRM - EMC Community Network

More documents

Recommendations

Info

IRM Server Extension APIThe API provides an events-based interface allowing software engineers to extend or override the IRM Server'spolicy-handling logic or enable authentication for users in unsupported authentication systems. For example, theIRM Services are applications that use the IRM Server Extension API.A Group Policy Server Extension is provided as an example with the IRM SDK kit. It uses the IRM ServerExtension API to provide extra granularity over the assignment of print and edit rights for users who are members ofmultiple user groups.IRM Client Integration APIThis API allows software engineers to build applications that use the IRM Server to protect content in differentformats, such as CAD. It supports GUI applications on Windows using the same dialogs as the IRM clients and alsosupports batch applications on Windows. The IRM SDK includes a sample IRM-enabled imaging application thatallows developers to learn more about the extensibility framework.The features of this API include:•Enables protection of additional file formats.•Provides a consistent user experience and feature set with EMC IRM clients.•Provides high-level calls for encryption and decryption.IRM Client Decryption APIThe IRM Client Decryption API allows programmers to develop applications that can programmatically decryptIRM protected content. This is especially useful when protected content is stored in a repository, where full indexingis desired or required.The API enables decryption capabilities without interfering with compliance rules, enables eDiscovery (searchingencrypted content), allows full-text indexing of protected content, and supports integration with Content/InformationManagement applications.Additional InformationAn application developed using the Client Integration or Content Decryption API is considered to be an IRMenabledapplication. Each IRM-enabled application must be registered with an IRM Server. To do this, theapplication developer must generate an XML file that contains the application name, a certificate chain, types ofcontent, any custom permission, and any language support. Afterwards, the XML file must be registered with theIRM Server in order for IRM users to protect or decrypt content with the application.In addition, the IRM Server administrator can allow or prevent content protected by the IRM Server to be decryptedby a registered application. This setting resides in a document policy. If allowed, the information owner can alsoconfigure this setting.We recommend that you visit the EMC IRM community network at the following web site:https://community.emc.com/docs/DOC-3503This is a place where partners and customers can share information and helpful tips, collaborate on issues, downloadthe latest version of the IRM SDK, and more. It also has the newer IRM-enabled applications, developed bypartners, which protect content in formats such as Auto-CAD and Open Office.DatabaseThe IRM Server requires tablespace in a database. Depending on the OS platform where the IRM Server is installed,the database could be Oracle, MS SQL Server, or MS SQL Express. The database is used to store such informationas the various keys, some configuration settings, policies, and groups. A single tablespace can be used for multipleinstances of the IRM Server that are working together.AuthenticationCentral to any access control system is the ability to reliably determine the identity of the access requestor.Enterprises have invested heavily in establishing authentication infrastructures. In order for a new access controlproduct to be effective, it must integrate cleanly with and leverage the existing authentication infrastructure. TheIRM Server has been designed to do just that. In addition to using shared secret, the IRM Server can easily beOverview of Technical Architecture Page 12
configured to leverage existing authentication systems including Windows login, LDAP, certificate-basedauthentication, and RSA SecurID.The IRM Server Extensions API may be used to provide additional authentication mechanisms; like authenticatingusers against a custom in-house application.WindowsWhen a user authenticates to an IRM Server via (transparent), the client sends Standard SSPIauthentication information to the server. The information is the same that Internet Explorer and IIS would exchangefor "Integrated Windows Authentication," except the IRM product does not use HTTP as the transport medium.Instead IRM uses its own proprietary protocol. This transparent Windows authentication is subject to the samelimitations as the IE/IIS authentication scheme.An IRM Server administrator can allow users from a Windows domain to automatically log in to IRM clientapplications without entering an IRM Server user name and password. If they already logged in to the Windowsdomain through their operating system, the IRM Server uses their Windows domain user name and password to logthem in to the IRM Server.For Windows Single Sign-On (SSO) (aka Integrated Windows Authentication) to work, the client and server mustboth be in the same domain or they need to be in domains with a trust relationship that would permit theauthentication.LDAPThe IRM Server supports using an LDAP directory service to authenticate and authorize users connecting to theIRM Server. The users must be members of an authentication domain that you set up to use the directory service.There are three types of IRM Server authentication domains that you can set up to use an LDAP directory service:•Windows domain with LDAP capabilities•LDAP password domain•Certificate domain with LDAP capabilitiesAs part of adding a Windows domain or a certificate domain, you can add LDAP authentication and authorizationcapabilities to the domain. You may want to do this if your organization has users that log in to their computersusing a Windows domain and password or a certificate, but you also have an LDAP directory service set upcontaining users and groups in your organization. You can also add an LDAP password domain if you want to useLDAP authentication and authorization and your organization does not use Windows domains and passwords orcertificates.Using LDAP with authentication domains allows you to query the LDAP directory service for users and groupswhen you set up server restrictions, groups, e-mail policies, or named policies on the IRM Server. The IRM Serveruses queries to retrieve user information from the LDAP directory server. You can then add this information to thepolicy, or you can place a query in the policy.When a user accesses protected content, the IRM Server checks the Windows domain or certificate to authenticatethe user. If the domain is an LDAP password domain, the IRM Server checks the LDAP directory service to makesure the user name and password are valid. Since there are all types of LDAP domains, the IRM Server also checksthe validity of the user by locating the user in the LDAP directory service and retrieving the user‘s distinguishedname, and that the user is mapped to exactly one entry in the LDAP directory. The IRM Server then checks theappropriate levels of the policy hierarchy and executes any LDAP queries added to the policies in the hierarchy. TheIRM Server also checks that the policies allow the distinguished name of the user or group or the full IRM Serveruser name at each level of the policy hierarchy. The full IRM Server user name for a user is the authenticationdomain name followed by the user name.The LDAP protocol allows directory servers to specify referrals. These referrals allow a directory server to have anentry that references another entry on that server, or even an entry on another directory. When retrieving userinformation from a directory server, the IRM Server automatically follows referrals that reference local entries. Forexample, the IRM Server follows referrals to directory entries that reside in that directory service. The IRM Serverdoes not follow any referral that references entries on a different directory service.Overview of Technical Architecture Page 13
Page 1 and 2: EMC CORPORATIONEMC Documentum Infor
Page 3 and 4: Abstract:EMC Documentum solutions f
Page 5 and 6: Users and Groups ..................
Page 7 and 8: Once the content is registered (enc
Page 9 and 10: Separation of Keys and ContentMany
Page 11: When protected content is opened in
Page 15 and 16: One of the goals of the IRM system
Page 17 and 18: John Smith can only view the docume
Page 19 and 20: writing a custom program to grab th
Page 21 and 22: IRM can be configured in an active-

IRM - EMC Community Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?