IRM - EMC Community Network

More documents

Recommendations

Info

Connecting to the IRM Server without opening a protected documentUsing any application with an IRM plugin already installed, the user logs in by providing the IRM Server host nameand port number, as well as the credentials with which to authenticate. The client then establishes a TLS (FIPS) orSSL (non-FIPS) connection with the server. If this succeeds, the IRM Server validates the client then together theynegotiate the IRM protocol version that establishes which capabilities each supports. The IRM Server concludes byauthenticating the user.For certificate user authenticationThe user logs in by providing the IRM Server host name and port number, but also selects the certificate that is to beused. The client establishes a TLS (FIPS) or SSL (non-FIPS) connection with the server. If this succeeds, the IRMClient sends an authentication message to the IRM Server, which contains the entire certificate chain that the user isattempting to use to authenticate. If the certificate chain is trusted (meaning that there is a certificate authenticationdomain defined on the server that trusts the certificate chain), the server responds with a randomly generatedchallenge string that is encrypted with the user‘s certificate. The client decrypts the value from the challenge andsends it back to the server. The server verifies that the value was decrypted properly. If not, then an error isdisplayed.IRM Server PermissionsWhen determining to allow or deny access to the IRM Server itself and subsequently to the keys for protectedcontent, the IRM Server checks a hierarchy of authorization, which governs different levels of server access. Thefollowing sections describe each level and show how administrators can be very specific on granting access towhom, where, and when.An IRM Server administrator sets the login restrictions, group rights, and server restrictions. The administrator or aninformation owner with permission can also set the document policy. Users sending e-mail set the e-mail policy forthe messages they send.Login RestrictionsThe login restrictions govern when, and from where, users can connect to the IRM Server. The IRM Server enforcesany networks and times set in the login restrictions for every user who accesses the server. For example, if the loginrestrictions specify that only one network entity (company.com) can access the server on weekdays, only users whoconnect from computers on the company.com network on weekdays can access protected content. If a network has atime set to allow or deny access, the IRM Server enforces that time for every user accessing that server over thatnetwork. Even if another type of policy specifically states that users can access content from a specific network at aparticular time, if the login restrictions on the server do not allow it, users cannot connect to open protected content.Users and GroupsOnce you create authentication domains and individual shared secret accounts, you can add users or groups to anytype of policy. This allows you to control authorization. While an authentication domain or shared secret accountallows users to authenticate to the IRM Server, a group identifies one or more users and specifies what those usershave the authority to do.Every user who accesses the IRM Server must belong to at least one group. You can also query an LDAP directoryservice for users and groups or add an LDAP query to a group if you set up an LDAP authentication domain or anauthentication domain with LDAP capabilities. You can specify that users or groups can access the IRM Serverfrom a particular network entity or at a particular time, view, print, or copy from protected content, protect contentwith or without guest access, delete or expire protected content they own, or allow users to work offline.If a user is in more than one group, permissions to print and edit content are evaluated as a logical ‗OR’ of grouppermissions and the resultant permission is that with the least restrictive rights independent of document policyassignment. Let‘s look at a scenario. John Smith is a member of the Sales group, which has only the Viewpermission, and the Management group, which has the Print permission. Now an information owner protects adocument, called SALES REPORT, with a policy that includes only the Sales Group. The expectation might be thatOverview of Technical Architecture Page 16
John Smith can only view the document. However, John Smith can view and print the document since he inheritedthat permission from another user group.The IRM SDK contains a Group Policy Server Extension that provides extra granularity over the assignment of printand edit rights at the Group level. This extension can modify the behavior of how permissions are granted in usergroups.The IRM Server also provides various levels of administrator permissions.Server RestrictionsServer restrictions govern the entire IRM Server. The IRM Server enforces any authorizations set in the serverrestrictions for every user who accesses the server and all content protected by the server. For example, if the serverrestrictions do not allow printing, users cannot print any of the content protected by the server, regardless of thepolicy protecting that content.The server restrictions govern permissions such as how users can perform actions on protected content (print, copyfrom, edit, guest access, offline access, watermark, and custom permissions). Server restrictions also dictate whenthe IRM Server will be allowed to destroy keys for expired content.Server ExtensionsApplications that use the IRM Server Extension API can also grant and deny permissions in conjunction with thedocument policy. A server extension application may not override any restrictions already placed on the document(e.g., through server restrictions or the document policy), but additional users may be given access to the document.In the case of IRM Services for Documentum, the administrator creates a global document policy on the IRM Serverthat allows all the permissions that any particular user may ever need. Permission sets configured by Documentumusers can further restrict those permissions for specific documents (e.g., by only allowing certain users to print). TheDocumentum Server Extension can also grant access to Documentum users not listed in the document policy on theIRM Server.Version ExclusionYou can control which versions of IRM client applications can access the IRM Server. You may want to do this soyou can deny access to previous clients. If you do not specify client versions, the IRM Server allows access to allcurrent and future versions of clients that exist when you purchase your IRM Server.Client BrandingThis feature allows customers to change the EMC logo on many of the IRM client dialog boxes, to one of their ownchoosing. Branding affects only those IRM clients running on a Windows platform. The ability to change the logorequires creating a resource-only DLL branding file, then uploading this file to the IRM Server using the IRMServer Configure utility. The procedure is documented in the IRM Server Installation Guide.PoliciesInformation owners authorize access to their content through the use of policies. Policies determine how protectedcontent can be accessed, when it can be accessed, and by whom. It also defines the actions a user can perform on thecontent.An IRM Server administrator creates and maintains the policies; however, an administrator can grant informationowners the permission to make their own customized policies.Policy TypesAn e-mail policy restricts access to specific protected e-mail messages. A document policy determines access to theprotected document. A document policy is generated from either a named policy created by an administrator or froma custom policy created by an information owner.There are two types of named policies. One is a document policy template, which allows an administrator to createstandard policies that can be selected by users when protecting documents. Once applied, a copy of the template iscreated, which becomes the document policy. The document policy applies to a single document. Any changes tothe template after the document is protected do not affect the document. However, a document owner withOverview of Technical Architecture Page 17
Page 1 and 2: EMC CORPORATIONEMC Documentum Infor
Page 3 and 4: Abstract:EMC Documentum solutions f
Page 5 and 6: Users and Groups ..................
Page 7 and 8: Once the content is registered (enc
Page 9 and 10: Separation of Keys and ContentMany
Page 11 and 12: When protected content is opened in
Page 13 and 14: configured to leverage existing aut
Page 15: One of the goals of the IRM system
Page 19 and 20: writing a custom program to grab th
Page 21 and 22: IRM can be configured in an active-

IRM - EMC Community Network

Create successful ePaper yourself

Delete template?

Save as template?