AD RMS - High Level
This is a High Level illustration of how AD RMS works.
At first, the document owner authenticates with the AD RMS server.
The owner can then protect a file with IRM.
When a user consumes the protected document, the user authenticates with the AD RMS server and receives the IRM rights which the author has set. As a result, the user can open the document with the applied rights.
Continue to read the Low Level section to get a more detailed understanding of how the AD RMS technology works from beginning to end.

AD RMS - Low Level
Below is a Low Level illustration of how AD RMS works. It illustrates the Rights Management workflow from start to end. You can follow the process from the beginning, where the content becomes protected, to the end, when the content is consumed.
Each step is explained in detail below:

A. RMS CLIENT AUTHENTICATES
The RMS client first establishes a connection to Azure RMS, which authenticates the user account with Active Directory.
There is no need for users to enter any credentials, as the process is seamless and integrated in the background.
2. RMS Client Certificate
A successful authentication allows the connection to proceed to the AD RMS server, whereupon a "user certificate" is generated and issued to the RMS client. A copy of the user certificate is stored in AD RMS to allow the same keys to be used if the user moves to another device. The issued "use license" gives the user the ability to authenticate with AD RMS when consuming IRM protected content.
It also provides support for protecting content with IRM offline.

B. PROTECT DOCUMENT
3. Encrypt body
A random key (Content Key) is generated by the RMS client. This key is used to encrypt the body of the file using the AES symmetric encryption algorithm.
4. Create signed and encrypted policy
A use policy certificate is created by the RMS client which contains the defined IRM permissions. The "use policy" defines who can access the document and what can be done with it, and can be set either manually or through a policy template.
The use policy and the Content Key are then encrypted together using the organisation's public key. The result is signed with the "user certificate" obtained earlier. The outcome is the IRM policy.
5. Protect content with IRM policy
The RMS client then inserts the IRM policy into a file together with the encrypted body from step 3 to create the IRM protected document.
In other words, the IRM protected file contains two pieces: the encrypted body and the IRM policy.

C. THE AD RMS PROCESS
When an authenticated user attempts to open an IRM protected document, the RMS client sends the IRM policy together with the user's public key to AD RMS.
7. Extract User Rights
AD RMS uses the organisation's private key to decrypt the IRM policy.
First, the use policy is extracted and evaluated. From the evaluation, a list of that user's rights is created.
8. Create Use License
Second, the Content Key is extracted. This, together with the use policy and the user rights produced in the previous step, is encrypted with the user's public key to create something called a "use license".
This use license is then sent back to the RMS client.

D. CONSUME PROTECTED DOCUMENT
9. Extract User Rights and Key
The RMS client decrypts the use license and extracts the user rights and the Content Key.
10. Decrypt Content with IRM Rights
The Content Key is used to decrypt the body so that the content can be consumed.
The application uses the list of user rights to enforce the IRM policy.