Azure RMS - High Level
A high level illustration of how Azure RMS works.
At first the document owner authenticates with the Azure RMS server.
The owner can then protect a file with IRM.
When a user consumes the protected document, the client authenticates with the Azure RMS server and receives the IRM rights which the author has set. The content can then be consumed with the applied IRM rights.
Continue to read the low level section to get a better, more detailed understanding of how the Azure RMS technology works from beginning to end.

Azure RMS - Low Level
Below is a low level illustration of how Azure RMS works. It illustrates the Azure Rights Management workflow from start to end: you can follow it from the beginning, where the content becomes protected, to the end, when the content is consumed.
Each step is explained in detail below:

A. RMS CLIENT AUTHENTICATES
The RMS client first establishes a connection to Azure RMS, which authenticates the user account with Active Directory.
There is no need for users to enter any credentials, as the process is seamless and integrated in the background.
2. RMS Client Certificate
A successful authentication allows the connection to proceed to the Azure RMS server, whereupon a "user certificate" is generated and issued to the RMS client. A copy of the user certificate is stored in Azure RMS so that the same keys can be used if the user moves to another device. The issued user certificate gives the user the ability to authenticate with Azure RMS when consuming IRM protected content.
It also provides support for protecting content with IRM offline.

B. PROTECT DOCUMENT
3. Encrypt body
A random key (the content key) is generated by the RMS client. This key is used to encrypt the body of the file with the AES symmetric encryption algorithm.
4. Create signed and encrypted policy
A use policy certificate is created by the RMS client; it contains the defined IRM permissions. The "use policy" defines who can access the document and what can be done with it, and can be set either manually or through a policy template.
The use policy and the content key are then encrypted together using the organisation's public key. The result is then signed with the earlier obtained "user certificate". As a result, an IRM policy is generated.
5. Protect content with IRM policy
The RMS client then inserts the IRM policy into a file together with the encrypted body from step 3 to create the IRM protected document. In other words, the IRM protected file contains two pieces: the encrypted body and the IRM policy.

C. THE AZURE RMS PROCESS
When an authenticated user attempts to open an IRM protected document, the RMS client sends the IRM policy together with the user's public key to AD RMS.
In a hybrid solution the authentication is redirected through an RMS connector, which forwards the request to Azure RMS.
7. Extract User Rights
Azure RMS uses the organisation's private key to decrypt the IRM policy. First the use policy is extracted and evaluated. From the evaluation, a list of that user's rights is created.
8. Create Use License
Second, the content key is extracted. This, together with the use policy and the user rights produced in the previous step, is encrypted with the user's public key to create what is called a "use license".
This use license is then sent back to the RMS client.

D. CONSUME PROTECTED DOCUMENT
9. Extract User Rights and Key
The RMS client decrypts the use license and extracts the user rights and the content key.
10. Decrypt Content with IRM Rights
The content key is used to decrypt the body so that the content can be consumed.
The application uses the list of user rights to enforce the IRM policy.
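As an added example that is not part of the original page, the following Go program models steps 7 to 9 of the low level flow: the sealed IRM policy is opened with the organisation's private key, the use policy is evaluated for the requesting user, and the resulting use license is sealed to that user's public key, so a user who is not granted any right never receives the content key. RSA-OAEP over JSON stands in for the RMS certificate and key-wrapping formats, all type, field and function names are this example's assumptions, and the client-side step 9 is simply the openJSON call with the user's private key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// IRMPolicy is the plaintext sealed inside the IRM policy: the content key and
// the use policy (user -> rights). Type and field names are this example's own.
type IRMPolicy struct {
	ContentKey []byte              `json:"content_key"`
	UsePolicy  map[string][]string `json:"use_policy"`
}
// UseLicense is what Azure RMS returns, sealed to the requesting user's key.
type UseLicense struct {
	ContentKey []byte   `json:"content_key"`
	Rights     []string `json:"rights"`
}
// sealJSON JSON-encodes v and encrypts it with RSA-OAEP to pub (stand-in for RMS key wrapping).
func sealJSON(pub *rsa.PublicKey, v interface{}) ([]byte, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, b, nil)
}
// openJSON reverses sealJSON with the matching private key.
func openJSON(priv *rsa.PrivateKey, ct []byte, v interface{}) error {
	b, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}
// IssueUseLicense is steps 7 and 8: open the policy with the organisation's private key,
// evaluate the use policy for the requesting user, and seal a use license to that user's key.
func IssueUseLicense(orgPriv *rsa.PrivateKey, encPolicy []byte, user string, userPub *rsa.PublicKey) ([]byte, error) {
	var pol IRMPolicy
	if err := openJSON(orgPriv, encPolicy, &pol); err != nil {
		return nil, err
	}
	rights := pol.UsePolicy[user]
	if len(rights) == 0 { // no rights: deny, and the content key is never released
		return nil, errors.New("access denied: " + user + " has no rights in the use policy")
	}
	return sealJSON(userPub, UseLicense{ContentKey: pol.ContentKey, Rights: rights})
}
```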