Updated: 2007-03-26

The 2007 Office system includes predefined groups of Information Rights Management (IRM) permissions, such as Do Not Forward, that users can apply to documents or e-mail messages. As an Office administrator, you can also define custom IRM rights policy templates to provide different packages of IRM rights for information workers to use in Office applications.

Before users can apply IRM permissions in Office applications, rights management services and software must be installed. For specific requirements, see Planning for Information Rights Management in the 2007 Office system.

NoteNote:

The ability to create content or e-mail messages with restricted permission using IRM is available in the following suites: Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007, and Microsoft Office Ultimate 2007. IRM is also available in the stand-alone versions of Office applications.

For corporations, administrators can create a custom permission policy that configures various people and groups with customized IRM permissions. In some cases, this can greatly simplify the process of setting permissions: a single custom permission policy can replace the user's need to select multiple permission settings.

Creating rights policy templates

You create and manage rights policy templates by using the administration site on your Windows RMS server.

The steps are as follows:

  1. On the RMS administration site, under Administration Links, select Create a policy rights template.

  2. Specify the settings for the template, including its name, which users or groups (via distribution lists) receive which permissions, expiration policies, and so on.

  3. Submit the template information to create the template.

For specific instructions on how to create, edit, and post custom permissions policy templates that include groups of Office permissions rights, see "Rights Policy Templates" in Enabling Information Protection in Microsoft Office 2003. The instructions are for Office 2003, but the process works the same in the 2007 Office system. In addition, more detailed information is available in RMS Help.

The rights that you can include in permissions policy templates for the 2007 Office system are listed in the next section.

Permissions rights

Each IRM permissions right listed in the following table can be enforced by Office applications configured on a network that includes a server running RMS.

IRM right Description

Full Control

Gives the user every right listed below, and the right to make changes to permissions associated with content. Expiration does not apply to users with Full Control.

View

Allows the user to open IRM content. This corresponds to Read Access in the Office user interface.

Edit

Allows the user to edit the IRM content.

Save

Allows the user to save a file.

Extract

Allows the user to make a copy of any portion of a file and paste that portion of the file into the work area of another application.

Export

Allows the user to save content in another location or format that may or may not support IRM.

Print

Allows the user to print the contents of a file.

Allow Macros

Allows the user to run macros against the contents of a file.

Forward

Allows e-mail recipients to forward an IRM e-mail message.

Reply

Allows e-mail recipients to reply to an IRM e-mail message.

Reply All

Allows e-mail recipients to reply to all users on the To: and Cc: lines of an IRM e-mail message.

View Rights

Gives the user permission to view the rights associated with a file. Office ignores this right.

Predefined groups of permissions

The 2007 Office system provides the following predefined groups of rights that users can choose from when they create IRM content. The options are available on the Permission dialog box for Word, Excel, and PowerPoint. In the Office application, click the Microsoft Office Button, point to Prepare, point to Restrict Permission, and select Restriction permission to this document to enable the permission options listed below.

IRM predefined group Description

Read

Users with Read permission only have the View right.

Do Not Forward

In Outlook, the author of an IRM e-mail message can apply Do Not Forward permission to users in the To:, Cc:, and Bcc: lines. This permission includes the View, Reply, and Reply all rights.

Change

Users with Change permission have View, Edit, Extract, Export, and Save rights.

Advanced permissions

Other IRM permissions can be specified in the advanced Permission dialog box in Word, Excel, and PowerPoint. In the initial Permission dialog box, click More Options. For example, users can specify an expiration date, allow other users to print or copy content, and so on.

In addition, Outlook by default enables messages to be viewed by a browser that supports Rights Management.

Deploying rights policy templates

When the rights policy templates are complete, post them to a server share where all users can access the templates or copy them to a local folder on the user's computer. The IRM policy settings available in the 2007 Microsoft Office system ADM (Office12.adm) file can be configured to point to the location where the rights policy templates are stored (either locally or on an available server share).

NoteNote:

The 2007 Microsoft Office system template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center. For more information about how to use Group Policy with Office applications, see Enforce settings by using Group Policy in the 2007 Office system.

When the rights policy templates are available, complete the IRM policy Specify Permission Policy Path. IRM locates the rights policy templates stored in the location specified.

To configure the IRM rights policy templates location in Group Policy

  1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office 12 system\Manage Restricted Permissions.

  2. Double-click Specify Permission Policy Path.

  3. Click Enabled.

  4. In the Enter path to policy templates for content permission text box, type the complete path to the IRM permission policy templates.

  5. Click OK.

See Also