Liquid Machines Gateway for SharePoint Configuration Guide for Site Owners

Liquid Machines, Inc.

100 Fifth Avenue, 5th Floor

Waltham, MA 02451

1.877.88LIQUID (1.877.885.4784)

www.liquidmachines.com


Copyright/Disclaimer

Copyright © 2003 - 2008 Liquid Machines, Inc. All rights reserved. Confidential and proprietary information of Liquid Machines, Inc.

The material in this document may not in whole or in part be copied, photocopied, reproduced, translated, or converted to any electronic or machine-readable form without the prior written consent of Liquid Machines. The information in this document is for informational use only, is subject to change without notice, and should not be construed as a commitment by Liquid Machines. Liquid Machines assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.

This document and the software described in this document are furnished under a license accompanying the software and may be used only in accordance with the terms of such license. By using this document, you agree to the terms and conditions of that license.

>> For other copyright and trademark information, see the Liquid Machines Copyright, included in this document package.

How to Contact Liquid Machines, Inc.

Liquid Machines, Inc.

100 Fifth Avenue, 5th Floor

Waltham, MA 02451

Phone: 1.877.88LIQUID (1.877.885.4784)

www.liquidmachines.com


Table of Contents

Copyright/Disclaimer

Preface

Introducing the Gateway for SharePoint

Using the Gateway for SharePoint with LMDC Client or LMDC Viewer

Using the Gateway for SharePoint with LMDC Server

Book Conventions

Intended Audience

Related Documents

SharePoint Documents

Using this Manual

Chapter 1: Configuring IRM when using the Microsoft RMS as the Policy Server

Configuring Information Rights Management (IRM)

Notifying SharePoint Users of the Gateway for SharePoint

Chapter 2: Configuring IRM when using the LMDC as the Policy Server

Site Level Configuration

List (or Library) Level Configuration

Notifying SharePoint Users of the Gateway for SharePoint

Chapter 3: Site Level Auditing

Overview

Generating an Audit Report

Working with Audit Event Data

Chapter 4: Troubleshooting

Common Problems

Appendix A: Sample Email to Notify the SharePoint Users of the Gateway for SharePoint

Appendix B: Mapping SharePoint Permissions to IRM Rights on an RMS Policy Server

Index


Preface

Welcome to the Liquid Machines Gateway for SharePoint Configuration Guide for Site Owners. This document describes how the SharePoint Site Owner enables and configures Information Rights Management (IRM). It also provides troubleshooting procedures related to configuring and using the Gateway for SharePoint.

Introducing the Gateway for SharePoint

The Liquid Machines Gateway for SharePoint can be operated in a variety of different rights management configurations. Gateway set-up, management and functionality vary depending on whether or not the implementation includes the Liquid Machines Document Control Server, which provides policy management features and an extended Enterprise Rights Management permission set.

Using the Gateway for SharePoint with LMDC Client or LMDC Viewer

Liquid Machines Gateway for SharePoint, working together with the Liquid Machines Document Control Client (LMDC Client) or the Liquid Machines Viewer (LM Viewer), extends Microsoft’s Information Rights Management (IRM) by adding support for additional file formats and enhancing the ability to securely collaborate outside of SharePoint. Like the IRM protectors built into SharePoint 2007, the Gateway for SharePoint applies Rights Management Service (RMS) protection to files when they are checked out of a list or library and removes the protection when the file is uploaded to SharePoint.

Additionally, the Gateway for SharePoint (and the LMDC Client or LM Viewer) enables the following additional features:

The Gateway for SharePoint allows SharePoint to protect additional file types, including .PDF. Users with LMDC Client or LM Viewer can work with these additional file types.

The Liquid Machines protector creates an issuance license which includes all authorized users, allowing all authorized users to share protected information outside of SharePoint, without requiring that each user download the files directly from SharePoint.


Using the Gateway for SharePoint with LMDC Server

When the Liquid Machines Gateway for SharePoint is used together with the Liquid Machines Document Control Server, all policies generated by the Gateway for SharePoint will be stored and managed by the LMDC policy server, which provides for additional capabilities:

Documents downloaded from SharePoint can be protected with Liquid Machines Advanced Enforcement policies, which include an extended permission set, including auditing and the ability to change or remove policies.

Enhanced offline management capabilities which allow users to work with content for a centrally configured amount of time disconnected from the network.

All IRM permissions (including print) can be varied by user or group for each document list or library.

Changes to SharePoint permissions dynamically update IRM permissions – even for documents already downloaded from SharePoint.

Book Conventions

CAUTION: Cautions the user of actions that may result in operational issues or data loss.

NOTE: Identifies important points, helpful hints, special circumstances, or alternative methods.

This guide also uses the following typographical conventions:

>> Blue indicates a cross-reference. A cross reference provides the location of additional information related to the topic. For example: >> For more information, see Intended Audience on page vi.

Bold Indicates a selection from a menu or a button name. For example:

From the Settings menu, select Document Settings Library.

Bold is also used for file names, field names and values, and emphasis.

Intended Audience

This guide is intended for the SharePoint Site Owner (or Document Library Owner) who is responsible for configuring SharePoint and the Gateway for SharePoint.


Related Documents

This section lists documents related to the Gateway for SharePoint and SharePoint in general.

Liquid Machines Gateway for SharePoint Installation and Central Administration Guide

SharePoint Documents

The following documents provide information on SharePoint:

MSDN’s Information Rights Management in Windows SharePoint Services Overview: http://msdn.microsoft.com/en-us/library/ms458245.aspx

Microsoft Technet Office SharePoint Server 2007: http://technet.microsoft.com/en-us/library/cc303422.aspx

Microsoft Technet Plan Information Rights Management: http://technet.microsoft.com/en-us/library/cc261728.aspx

Microsoft Technet Configure Information Rights Management (Office SharePoint Server): http://technet.microsoft.com/en-us/library/cc262566.aspx

The following document provides information on Microsoft RMS:

Microsoft website: http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

Using this Manual

This user guide contains the following chapters and appendices:

Chapter 1: Configuring IRM when using Microsoft RMS as the Policy Server – Describes how to configure IRM at the List level. At the List level, you configure lists to use IRM and specify the policy name to be used.

Chapter 2: Configuring IRM when using LMDC as the Policy Server – Describes how to configure IRM at the Site Level and List level. At the Site Level, you map SharePoint Permission Levels to LMDC Policy Roles so that dynamic policies can be created in LMDC Server. At the List level, you configure lists to use IRM and specify the policy name to be used.

Chapter 3: Site Level Auditing – Describes how to generate an audit report of IRM-related configuration events.

Chapter 4: Troubleshooting – Describes common problems you may encounter when configuring and using the Gateway for SharePoint.

Appendix A: Sample Email to Notify the SharePoint Users of the Gateway for SharePoint – Provides a sample email that you can use to notify SharePoint users of the capabilities of the Gateway for SharePoint.

Appendix B: Mapping SharePoint Permissions to IRM Permissions on an RMS Policy Server – Describes how SharePoint permissions map to IRM permissions when using the RMS Policy Server.

Index – Provides an index to aid you in locating information.


Chapter 1: Configuring IRM when using the Microsoft RMS as the Policy Server

This chapter describes how the SharePoint Site Owner (or Document Library Owner) configures IRM for lists (or libraries) using the Liquid Machines Gateway for SharePoint. This section applies to installations which use Microsoft RMS as a policy server, rather than the LMDC Policy Server.

If you are using the LMDC Policy Server, skip this chapter and begin at Chapter 2: Configuring IRM when using the LMDC as the Policy Server. If you are not sure which Policy Server is used to manage policies, ask your SharePoint Central Administrator.

Topics included in this chapter are:

Configuring Information Rights Management (IRM)

Notifying SharePoint Users of the Gateway for SharePoint

NOTE: The information provided in this chapter assumes that the SharePoint Site Owner has full control as defined in SharePoint. The activities described in this chapter cannot be performed unless the Site Owner has full control.


Configuring Information Rights Management (IRM)

For each document list or library containing documents to be protected using the Gateway for SharePoint, you must configure Information Rights Management (IRM).

>> For information on creating SharePoint lists or libraries, or adding users to lists or libraries, refer to the Microsoft SharePoint documentation listed in the Related Documents on page vii.

To configure IRM for a SharePoint list or library:

1. Access the SharePoint list or document library on which you would like to enable IRM.

2. Select a list or library from the Documents Setting page (see Figure 1-1). In this example, select Documents.

Figure 1-1: Select a List or Library from the Document Center Screen

3. From the Settings menu, select Document Settings Library (see Figure 1-2).

Figure 1-2: Select Document Library Settings from the Settings Menu


The SharePoint Customize Selected List or Library Screen displays (see Figure 1-3).

Figure 1-3: SharePoint Customize Selected List or Library Screen


4. If IRM has been enabled, select Information Rights Management from the Permissions and Management menu (see Figure 1-3) to configure permissions for the selected list or library.

NOTE: If this selection is not displayed, IRM has not been enabled and you cannot proceed until it is enabled. Contact your Central Administrator (the person responsible for installing and configuring SharePoint) for assistance.

The Information Rights Management Settings screen displays (see Figure 1-4).

Figure 1-4: Information Rights Management Settings

NOTE: If your screen does not look like Figure 1-4, then your organization is using the LMDC Policy Server. Proceed to Chapter 2: Configuring IRM when using the LMDC as the Policy Server to configure your SharePoint site and your lists and libraries.

5. Complete this screen to specify the IRM settings for the selected list or library. IRM must be set up for each list or library and the settings selected on this screen apply to all documents in the selected list or library. These settings apply to all users except those who have Full Control. Users with Full Control will not be restricted. For a description of each of the settings, see Table 1-1.


Table 1-1: IRM Settings for the Selected SharePoint List or Library

| Setting | Description |
|---|---|
| Restrict Permission to documents in this library upon download check box | Select this check box to turn on IRM for this list or library with the permissions described in the remaining fields on this screen. When you check this box, you must enter a permission policy title and description (see below). |
| Permission policy title | A descriptive name for the policy being defined for the selected list or library. This is the name that will appear in the Liquid Machines Policy Droplet control when a document from this list or library is downloaded from the SharePoint list or library. An example of a policy title is Project Alpha. NOTE: The Permission policy title appears in the Policy Droplet control if the LMDC Client or LM Viewer is installed on your system. If you are using Microsoft Office without the LMDC Client or LM Viewer, the Permission policy appears in the location provided by the version of Office you are using. |
| Permission policy description | A description of the policy being defined for the selected list or library. An example of a description is Allow access to all Project Alpha team members. |
| Allow users to print documents check box | Select this check box to allow users with access to this list or library to print documents from this list or library. |
| Allow users to access content programmatically check box | Select this check box to allow users the ability to run programs or scripts on files in the list or library. For example, if this check box is selected and an Office document contains a text box where information can be entered, the programs that process that added information are allowed to run, so the user can enter text. However, if this check box is not selected, the user could not enter text in the text box because the programs to manage that action would not be allowed to run. |
| Users must verify the credentials every check box | Select this check box to specify how often a user must supply his or her Windows credentials (user name and password). If you select this box, you must also enter a number of days in the days text box, after which the user must connect to the network to supply their credentials. It is this permission that allows users to work with protected documents when they are offline, and not connected to the server. |
| Do not allow users to upload documents that do not support IRM check box | Select this check box to specify that users cannot upload documents that cannot be protected and unprotected by the IRM policy associated with this list or library. This means that documents that are protected using some other method outside of SharePoint, documents that are of a file type that is not supported by IRM or the Gateway for SharePoint, and documents protected by another SharePoint list or library cannot be uploaded if this box is checked. If this box is not checked, externally protected documents may be stored in the document library, but they will be encrypted within SharePoint and they will retain their original encryption (not the document library policy) when they are accessed (or downloaded) from SharePoint. |
| Stop restricting permission to documents in this library on check box | Select this check box to set an expiration date after which the list or library will no longer protect documents with these permissions. If you select this box, you must enter a date in MM/DD/YYYY format. NOTE: Documents protected with these permissions that have previously been downloaded from this list or library will remain protected until they are uploaded back to this list or library. |


When IRM is enabled, in addition to the IRM permissions shown above, protected documents will also be controlled by additional IRM permissions automatically generated based on existing SharePoint permissions, as shown in Figure 1-5.

Figure 1-5: Additional IRM Permissions Mapped from Existing SharePoint Permissions

Details of the default SharePoint Permission mapping are described in Table 1-2.


Table 1-2: IRM Permissions Derived from SharePoint Permissions

| SharePoint Groups | SharePoint Permission Level for this SharePoint Group | IRM Permissions Derived from SharePoint Permissions |
|---|---|---|
| <Site> Owners: Users who create and manage sites. | Full Control | Full Control |
| <Site Members>: Collaborative users who add and modify content. | Contribute | Read, Edit, Copy, Save |
| <Site Visitors>: Users who can access content, but cannot modify content. | Read | Read |
| <Approvers>: Used in workflows. | Approve | Read, Edit, Copy, Save |
| Hierarchy Managers: Users who create and manage sites. May be delegated down from a higher level person. | Manage Hierarchy | Full Control |
| Restricted Readers: Users who are more restricted than Visitors. Restricted Readers cannot see version history of minor versions, if major and minor versions exist. | Restricted Read | Read |
| Quick Deploy Users, Style Resource Readers: Designed to give access to a specific list, library, item, or document, without giving access to the entire site. | Limited Access | None |
| There is no default SharePoint Group with the Design Permission Level. | Design | Read, Edit, Copy, Save |

>> For organizations which have changed the default permissions, refer to Appendix B: Mapping SharePoint Permissions to IRM Rights on page B-1 for detailed permissions mapping.

7. When you are done entering the IRM settings for the selected list or library, select OK.

8. The IRM rights for the selected list or library are saved and you are returned to the Documents page.
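How the list-level settings of Table 1-1 combine with the rights derived in Table 1-2 can be checked before the settings are rolled out. The following is an added example, not code from Liquid Machines or from this guide: the settings key names, the sample values, and the rule that print and programmatic access are only added on top of an existing Read right are assumptions.

```python
from datetime import date

# Table 1-2 of this guide: default SharePoint permission level -> derived IRM rights.
DERIVED = {
    "Full Control":     {"Full Control"},
    "Manage Hierarchy": {"Full Control"},
    "Design":           {"Read", "Edit", "Copy", "Save"},
    "Contribute":       {"Read", "Edit", "Copy", "Save"},
    "Approve":          {"Read", "Edit", "Copy", "Save"},
    "Read":             {"Read"},
    "Restricted Read":  {"Read"},
    "Limited Access":   set(),
}

# Constructed sample of one library's Table 1-1 settings; key names are hypothetical.
SAMPLE_SETTINGS = {
    "restrict_on_download": True,
    "policy_title": "Project Alpha",
    "allow_print": True,
    "allow_programmatic": False,
    "verify_credentials_days": 30,
    "reject_non_irm_uploads": False,
    "stop_restricting_on": "12/31/2030",  # MM/DD/YYYY, as the settings screen requires
}

# Constructed sample: default groups and their permission levels (Table 1-2).
SAMPLE_GROUPS = {
    "Owners": "Full Control",
    "Members": "Contribute",
    "Visitors": "Read",
    "Style Resource Readers": "Limited Access",
}


def parse_stop_date(text):
    """Parse the MM/DD/YYYY expiration date entered on the settings screen."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def protection_active(settings, today):
    """True while the library still applies IRM to downloads."""
    if not settings["restrict_on_download"]:
        return False
    stop = settings.get("stop_restricting_on")
    return stop is None or today <= parse_stop_date(stop)


def effective_rights(level, settings, today):
    """Rights carried by a document downloaded at this permission level.

    Returns None when the library is not protecting downloads at all.
    """
    if level not in DERIVED:
        # Customized permission levels are covered by Appendix B, not Table 1-2.
        raise ValueError(f"{level} is not a default permission level")
    if not protection_active(settings, today):
        return None
    rights = set(DERIVED[level])
    # Full Control is not restricted by the list settings; a level with no
    # derived rights gains nothing from them (assumption: no print without Read).
    if "Full Control" in rights or not rights:
        return rights
    if settings["allow_print"]:
        rights.add("Print")
    if settings["allow_programmatic"]:
        rights.add("Programmatic access")
    return rights


def review(settings):
    """List the settings a reviewer should confirm are intentional."""
    findings = []
    if not settings["restrict_on_download"]:
        findings.append(("restrict_on_download", "IRM is not turned on for this library"))
    if settings["allow_print"]:
        findings.append(("allow_print", "users with access can print documents"))
    if settings["allow_programmatic"]:
        findings.append(("allow_programmatic", "programs or scripts may run on files"))
    if not settings["reject_non_irm_uploads"]:
        findings.append(("reject_non_irm_uploads",
                         "externally protected documents keep their original "
                         "encryption, not the library policy"))
    if settings.get("stop_restricting_on"):
        findings.append(("stop_restricting_on",
                         "protection of new downloads ends after "
                         + settings["stop_restricting_on"]))
    return findings


def report(groups, settings, today):
    """Effective rights per group for one library."""
    return {g: effective_rights(lvl, settings, today) for g, lvl in groups.items()}


if __name__ == "__main__":
    for group, rights in report(SAMPLE_GROUPS, SAMPLE_SETTINGS, date(2029, 6, 1)).items():
        print(f"{group:24} {sorted(rights) if rights else 'no access'}")
    for key, message in review(SAMPLE_SETTINGS):
        print(f"review {key}: {message}")
```
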


Notifying SharePoint Users of the Gateway for SharePoint

When you have configured the IRM settings for the particular list or library, you may want to contact the SharePoint Users to advise them of the new capabilities provided by the Gateway for SharePoint.

A sample email that you can use as a model for your communication with the SharePoint Users is provided in Appendix A: Sample Email to Notify the SharePoint Users of the Gateway for SharePoint on page A-1.

If you prefer, this information could also be posted on your SharePoint site.

As SharePoint Site Owner, you may also choose to provide users with additional information on using the Gateway for SharePoint.


Chapter 2: Configuring IRM when using the LMDC as the Policy Server

This chapter describes how the SharePoint Site Owner enables and configures IRM. For each site, the Site Owner maps SharePoint Permission Levels to LMDC Policy Roles. Once this Site level configuration is complete, Site Owners (or Document Library Owners) can enable IRM for one or more lists or libraries.

This section applies to installations which use the LMDC Policy Server (with or without Microsoft RMS). Users who are using only Microsoft RMS as a Policy Server should refer to Chapter 1: Configuring IRM when using the Microsoft RMS as the Policy Server. If you are not sure which Policy Server is being used to manage policies, ask your SharePoint Central Administrator.

Topics included in this chapter are:

Site Level Configuration

Mapping Predefined LMDC Policy Roles to SharePoint Permission Levels

List Level Configuration

Enabling IRM at the List or Library Level

Notifying SharePoint Users of the Gateway for SharePoint

NOTE: The information provided in this chapter assumes that the SharePoint Site Owner has full control as defined in SharePoint. The activities described in this chapter cannot be performed unless the Site Owner has full control.


Site Level Configuration

At the Site level, you map SharePoint Permission Levels to LMDC Policy Roles. Organizations which use the Microsoft RMS Security Service together with the LMDC Policy Server may also need to select the security profile for the site.

To perform Site level configuration:

1. Navigate to the SharePoint site using the URL provided by your SharePoint Site Owner or Administrator.

2. Select the Site Actions button in the upper right corner. From that button, select Site Settings and then select Modify All Site Settings (see Figure 2-1).

Figure 2-1: Select Modify All Site Settings


The Site Settings page displays (see Figure 2-2).

Figure 2-2: Site Setting Page


3. Select Information Rights Management from the Users and Permissions menu. The Map SharePoint Permission Levels to LMDC Policy Roles page displays (see Figure 2-3).

Figure 2-3: Map SharePoint Permission Levels to LMDC Policy Roles Page

On this page, you map SharePoint Permission Levels to the Policy Group Level Roles and select the Security Profile (only if you are using the RMS Security Service along with the LMDC Policy Server).


IMPORTANT NOTE ABOUT MAPPING PERMISSIONS ON SUBSITES:

If you notice that the mapping fields are disabled (grayed out) as shown in Figure 2-4, you may have accessed a SharePoint subsite on which the mappings are inherited from the parent site. It is possible to “break” this inheritance if you want to define these permission mappings at the subsite level, rather than inheriting the permission mappings from the parent.

Figure 2-4: Map SharePoint Permission Levels to LMDC Policy Roles Page Selected From a Sub-site

A SharePoint subsite is a complete web site stored in a named subdirectory of the top-level (or parent) SharePoint site. Each subsite can have administration, authoring, and browsing permissions that are independent from the parent site and other subsites.

Steps 2 and 3 of this procedure describe how to access the Map SharePoint Permission Levels to LMDC Policy Roles page from the parent site (Home). If your SharePoint site includes subsites, you may want to map permissions at the subsite level, in addition to mapping at the parent site level.

By default, the permission mappings at a subsite are automatically inherited from the parent site. If you access the Map SharePoint Permission Levels to LMDC Policy Roles page from a subsite, rather than from the parent site, you will notice that the mapping fields are disabled and the following message displays near the top of the page (see Figure 2-4):

Information Rights Management: Permissions mapping is inherited from parent web. Modify permissions mapping on parent web.


To define the permissions mapping at the subsite level:

a. Break the inheritance of the permission membership.

b. Break the inheritance of the permission levels.

When you navigate to the Map SharePoint Permission Levels to LMDC Policy Roles page from a subsite after you break the inheritance, the mapping settings will be enabled and can be changed for the subsite.

c. Change the SharePoint Permission Level mappings at the subsite level as described in Step 4 below. These changes will affect the subsite itself and any children of the subsite.

>> For details on how to break inheritance, so you can map permissions at the subsite level, refer to the Microsoft SharePoint documentation listed in Related Documents on page vii.

4. The SharePoint Permission Levels and a description of each permission level for the Site appear under the headings Permission Level and Permission Level Description on the Map SharePoint Permission Levels to LMDC Policy Roles screen. The LMDC Policy Roles appear under the heading LMDC Policy Role. These roles define a set of rights management permissions, like Read, Edit, offline time, expiration, and auditing defined on the LMDC Server. (It is a common practice for SharePoint Site Owners to have delegated administration privileges on the LMDC Server in order to manage the LMDC Policy Roles used in SharePoint; however, if you are not an LMDC Administrator, you should contact the LMDC Administrator for information on the permissions available in each role.) Map the SharePoint Permission Levels to LMDC Policy Roles by selecting the appropriate role for each SharePoint Permission Level from the drop-down boxes in the rightmost column. Typically, you will want to map a SharePoint Permission Level to a role with similar permissions; however, the Gateway for SharePoint allows you to map SharePoint Permission Levels to whichever role you want.

5. Select the security profile from the Security Profile field to protect sensitive information. (This field only appears if your site has been configured to use the Microsoft RMS Security Service and the Allow IRM Compatible Policies check box was selected during installation). The choices available for the Security Profile are described in Table 2-1.

Table 2-1: Security Profile Options (only required if you use RMS with the LMDC Policy Server)

Name: RMS: Advanced Security

Description: This selection allows the organization to take advantage of the Liquid Machines extended permission set, including user auditing, and allows for dynamic updates of policy changes. To use these features, all users of this site must have the LMDC Client or LMDC Viewer to open documents protected by this document library.

Name: RMS: IRM Compatible

Description: This option is for organizations in which some site users do not have the LMDC Client or the LMDC Viewer. Users without the LMDC Client or LMDC Viewer will use Microsoft Office 2003 or 2007 only to work with RMS-protected Office files.

6. Select Update Now in the Synchronize Roles field to immediately force an update of the LMDC Policy Roles based on the SharePoint Permission Level mapping. If you do not choose Update Now, the roles will be updated at the interval set by your Central Administrator (default = 5 minutes).

7. When you have completed this screen, select Ok.

The Site level configuration is complete and you are returned to the Site Settings page.

List (or Library) Level Configuration

At the list or library level, you enable IRM for individual lists or libraries. This activity may be performed by a Site Owner or a Document Library Owner.

To perform list or library level configuration:

1. Navigate to the SharePoint site using the URL provided by your SharePoint Site Owner or Administrator.

2. From the main SharePoint screen, select the Document Center tab (see Figure 2-5). All lists or libraries on the SharePoint site display.

Figure 2-5: Lists (or Libraries) on the SharePoint Site

3. Select one of the lists or libraries in the Site Hierarchy menu on the left side of the page for which you want to enable IRM (Documents in this example). A page displays listing all the files in the selected list or library (see Figure 2-6).

Figure 2-6: List of Files in the Documents List or Library

4. From the Settings menu, select Document Library Settings (see Figure 2-7).

Figure 2-7: Select Document Library Settings from the Settings Menu

The Customize Selected List or Library page displays (see Figure 2-8).

Figure 2-8: Customize Selected List or Library Page

5. Select Information Rights Management from the Permissions and Management menu (see Figure 2-8) to enable and configure IRM for the selected list or library.

The Liquid Machines Gateway for SharePoint Options screen displays (see Figure 2-9).

NOTE: If this selection is not displayed, IRM has not been enabled and you cannot proceed until it is enabled. Contact your Central Administrator (the person responsible for installing and configuring SharePoint) for assistance.

Figure 2-9: Liquid Machines Gateway for SharePoint Options

6. If you want to enable IRM for the selected list or library, check the Restrict permissions to documents in this library on download check box in the Enable IRM on the Current Library field.

7. When you make that selection, several additional fields display on this page (see Figure 2-10).

Figure 2-10: Additional Fields on the Liquid Machines Gateway for SharePoint Options Page

8. Complete these fields as described in Table 2-2 to configure the selected list or library for IRM.

Table 2-2: IRM Settings for the Selected SharePoint List or Library

Setting Description

Policy Information: Enter user defined policy information for the following fields:

User defined policy name

Enter a descriptive name for the policy being defined for the selected list or library. This defines the name of the policy which will be created automatically on the LMDC Server. The policies will define the permissions for all users of this document list or library. This is the name that will appear in the Liquid Machines Policy Droplet control when a document from this list or library is downloaded from the SharePoint list or library. An example of a policy title is Project Alpha. The actual policy name that is created in the LMDC Server will have the letters GUID or another unique identification number appended to it.

NOTE: The Permission policy title appears in the Policy Droplet control if the LMDC Client or LM Viewer is installed on your system. If you selected the IRM Compatible option for the Security Profile, and are using Microsoft Office without the LMDC Client or LM Viewer, the Permission policy appears in the location provided by the version of Office you are using.

User defined policy description

Enter a description of the policy being defined for the selected list or library. An example of a description is Allow access to all Alpha team members.

Contact information

Enter the contact information for the person responsible for this list or library.

Additional Options: Specify additional security options:

Do not allow user to upload document that do not support IRM

Select this check box to specify that users cannot upload documents that cannot be protected and unprotected by the IRM policy associated with this list or library. This means that documents that are protected using some other method outside of SharePoint, documents that are of a file type that is not supported by IRM or the Gateway for SharePoint, and documents protected by another SharePoint list or library cannot be uploaded if this box is checked.

If this box is not checked, externally protected documents may be stored in the document list or library, but they will be encrypted within SharePoint and they will retain their original encryption (not the document list or library policy), when they are accessed (or downloaded) from SharePoint.

Stop restricting permission to documents on:

Select this check box to set an expiration date after which the list or library will no longer protect documents with these permissions. If you select this box, you must enter a date in MM/DD/YYYY format.

NOTE: Documents protected with these permissions that have previously been accessed (or downloaded) from this list or library will remain protected until they are uploaded back to this list or library.

9. When you are done entering the IRM settings for the selected list or library, select Ok.

10. The IRM rights for the selected list or library are saved.

The configuration of the site and list or library is now complete. Any content downloaded from this site will be protected as configured using these procedures.

NOTE: Repeat this IRM setup for each list or library that will use IRM.

Figure 2-11 shows the relationship between the information configured at the Site Level (the Security Profile) and the List Level (Policy Name), and the information on the LMDC Server. Notice that there are two SharePoint sites represented (R&D and M&A) in this illustration and each has a different security profile.

There is one Policy Group on the LMDC Server for each Security Profile. Each Policy Group contains roles to be used to map SharePoint Permission Levels for the site. The LMDC also contains policies that are automatically created for each List that has IRM enabled. Notice that these policies are named based on the Permission Policy Name entered at the List Level (Specs in the R&D Site and DealA and DealB in the M&A Site).

Figure 2-11: Relationship between Information Configured at the Site and List Level, and Information on the LMDC Server (Policy Groups, Policy Level Roles, and Policies)

Notifying SharePoint Users of the Gateway for SharePoint

When you have configured the IRM settings for the particular list or library, you may want to contact the SharePoint Users to advise them of the new capabilities provided by the Gateway for SharePoint.

A sample email that you can use as a model for your communication with the SharePoint Users is provided in Appendix A: Sample Email to Notify the SharePoint Users of the Gateway for SharePoint on page A-1.

If you prefer, this information could also be posted on your SharePoint site.

As SharePoint Site Owner, you may also choose to provide users with additional information on using the Gateway for SharePoint.

Chapter 3: Site Level Auditing

This chapter describes the site level auditing function available on the Gateway for SharePoint.

Topics included in this chapter are:

Overview

Generating an Audit Report

Working with Audit Event Data

Overview

Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 include built-in audit logging that you can enable and configure within the scope of a site collection. When you enable auditing, audit event entries are written into an internal audit log table that is stored in the content database. The audit event entries for a site collection are stored with all other content such as list items, documents, and Web Part customizations.

The Liquid Machines Gateway for SharePoint implements auditing of key IRM-related configuration events using this core SharePoint auditing functionality. Specifically, the following SharePoint Site level events are audited:

Enabling IRM on a list

Disabling IRM on a list

Changing IRM-related settings on a list

Modifying the SharePoint Permission Level to LMDC Policy Role mappings (site level)

Generating an Audit Report

Reporting on these audit events is accomplished using the native SharePoint audit reports.

NOTE: You must be a Site Collection Administrator to have access to the audit reporting features.

To generate an audit report:

1. On the site collection home page, select the Site Actions button, then select Site settings, and then select Modify All Site Settings.

2. On the Site Settings page, in the Site Collection Administration section, select Audit Log Reports.

3. Select Run a custom report.

4. On the screen that displays, select the events that you want included in your audit log. IRM-related events are considered Custom events, so be sure to select the Custom check box in the filter criteria to capture the IRM-related events in your audit report (log).

5. Click Ok.

The audit log is generated and the results are displayed in an Excel spreadsheet.

Working with Audit Event Data

This standard SharePoint report includes the following useful data:

Site Id

User Id

Timestamp

Event Source

Name

Event Data

All Liquid Machines rights management-related events are logged with the Source Name: Enterprise Rights Management.

The contents of the Event Data field are XML formatted and include the IRM configuration settings that are relevant to the event type. These events relate to one of three possible event types:

EnableProtection

DisableProtection

ChangeProtection

The following examples demonstrate typical entries in this field for each of these events.

Example 1 – “EnableProtection” Audit Entry

<CustomData>
  <ActivityType>EnableProtection</ActivityType>
  <EnableERM>True</EnableERM>
  <ExpirePolicy>False</ExpirePolicy>
  <RejectPolicy>True</RejectPolicy>
  <IrmTitle>Policy Title</IrmTitle>
  <IrmDescription>Policy Description</IrmDescription>
  <IrmPrint>0</IrmPrint>
  <IrmVBA>0</IrmVBA>
  <IrmOffline>0</IrmOffline>
  <IrmOfflineDays>0</IrmOfflineDays>
  <IrmExpireDate></IrmExpireDate>
  <irm_lasttimemodified></irm_lasttimemodified>
  <irm_policyContact>[email protected]</irm_policyContact>
  <irm_PolicyId>Documents</irm_PolicyId>
</CustomData>

Example 2 – “DisableProtection” Audit Entry

<CustomData>
  <ActivityType>DisableProtection</ActivityType>
  <EnableERM>False</EnableERM>
  <ExpirePolicy>True</ExpirePolicy>
  <RejectPolicy>True</RejectPolicy>
  <IrmTitle>71e8db46-e58d-47d6-84d9-0c70f51dd690</IrmTitle>
  <IrmDescription>Policy Description</IrmDescription>
  <IrmPrint>0</IrmPrint>
  <IrmVBA>0</IrmVBA>
  <IrmOffline>0</IrmOffline>
  <IrmOfflineDays>0</IrmOfflineDays>
  <IrmExpireDate>Wed, 01 Jul 2009 00:00:00 GMT</IrmExpireDate>
  <irm_lasttimemodified></irm_lasttimemodified>
  <irm_policyContact>[email protected]</irm_policyContact>
  <irm_PolicyId>Documents</irm_PolicyId>
</CustomData>

Example 3 – “ChangeProtection” Audit Entry

<CustomData>
  <ActivityType>ChangeProtection</ActivityType>
  <erm_PolicySecurityProfile>RMS</erm_PolicySecurityProfile>
  <erm_RolesMappings>
    <mappings lasttimemodified='6/2/2009 4:47:49 PM'>
      <mapping key='Full Control' value='25b5a987-c1ff-44f1-85fc-77dc82264804' />
      <mapping key='Design' value='25b5a987-c1ff-44f1-85fc-77dc82264804' />
      <mapping key='Manage Hierarchy' value='25b5a987-c1ff-44f1-85fc-77dc82264804' />
      <mapping key='Approve' value='25b5a987-c1ff-44f1-85fc-77dc82264804' />
      <mapping key='Contribute' value='b4f215b4-7515-4e5c-8eb0-3e3f20032311' />
      <mapping key='Read' value='3d5cf061-1d18-49d9-ad1e-2d812828bf9c' />
      <mapping key='Restricted Read' value='3d5cf061-1d18-49d9-ad1e-2d812828bf9c' />
      <mapping key='Limited Access' value='3d5cf061-1d18-49d9-ad1e-2d812828bf9c' />
    </mappings>
  </erm_RolesMappings>
</CustomData>

NOTE: The value attribute of the mapping field in Example 3 represents the GUID of the LMDC Role to which the specified SharePoint Permission Level is mapped (see Figure 2-3 for more information on this mapping).
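The following added example (not part of the Liquid Machines guide or product) parses Event Data values shaped like Examples 1 to 3 and flags the changes a reviewer would want to see first: IRM being disabled, a protection end date, and a read-only Permission Level mapped to the same role as Full Control. The sample entries and role GUIDs are constructed, and the reading of ExpirePolicy and RejectPolicy as the "Stop restricting permission to documents on" and "Do not allow user to upload..." settings is an assumption, since the guide does not define those elements.

```python
import xml.etree.ElementTree as ET

KNOWN_TYPES = {"EnableProtection", "DisableProtection", "ChangeProtection"}
# Assumption: levels that should never share an LMDC role with Full Control.
READ_ONLY_LEVELS = ("Read", "Restricted Read", "Limited Access")


def parse_event_data(xml_text):
    """Parse one Event Data value into type, flat settings and role mappings."""
    # The documented entries carry no DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in Event Data")
    root = ET.fromstring(xml_text)
    if root.tag != "CustomData":
        raise ValueError("root element is %r, expected CustomData" % root.tag)
    event = {"type": (root.findtext("ActivityType") or "").strip(),
             "settings": {}, "mappings": {}, "modified": None}
    for child in root:
        if child.tag == "erm_RolesMappings":
            block = child.find("mappings")
            if block is not None:
                event["modified"] = block.get("lasttimemodified")
                for m in block.findall("mapping"):
                    event["mappings"][m.get("key")] = m.get("value")
        elif child.tag != "ActivityType":
            event["settings"][child.tag] = (child.text or "").strip()
    return event


def review(event, previous_mappings=None):
    """Return (severity, message) findings for one parsed event."""
    findings = []
    kind, s, maps = event["type"], event["settings"], event["mappings"]
    if kind not in KNOWN_TYPES:
        findings.append(("high", "unexpected ActivityType %r" % kind))
    if kind == "DisableProtection" or s.get("EnableERM") == "False":
        findings.append(("high", "IRM disabled for policy id %s"
                         % s.get("irm_PolicyId", "?")))
    elif s.get("ExpirePolicy") == "True":  # assumed meaning, see lead-in
        findings.append(("medium", "protection ends on %s"
                         % (s.get("IrmExpireDate") or "an unspecified date")))
    if kind != "DisableProtection" and s.get("RejectPolicy") == "False":
        findings.append(("medium", "documents that do not support IRM may be uploaded"))
    full = maps.get("Full Control")
    for level in READ_ONLY_LEVELS:
        if full is not None and maps.get(level) == full:
            findings.append(("high", "%s shares the Full Control role %s" % (level, full)))
    if previous_mappings is not None:
        for level in sorted(set(previous_mappings) | set(maps)):
            old, new = previous_mappings.get(level), maps.get(level)
            if old != new:
                findings.append(("info", "%s role changed: %s -> %s" % (level, old, new)))
    return findings


def triage(entries):
    """Review entries in time order, diffing each mapping change against the last."""
    results, last = [], None
    for xml_text in entries:
        event = parse_event_data(xml_text)
        has_maps = bool(event["mappings"])
        results.append((event["type"], review(event, last if has_maps else None)))
        if has_maps:
            last = event["mappings"]
    return results


# Constructed samples; the GUIDs are placeholders, not real LMDC role ids.
ROLE_OWNER = "00000000-0000-0000-0000-0000000000a1"
ROLE_EDITOR = "00000000-0000-0000-0000-0000000000a2"
ROLE_READER = "00000000-0000-0000-0000-0000000000a3"

SAMPLE_ENABLE = (
    "<CustomData><ActivityType>EnableProtection</ActivityType>"
    "<EnableERM>True</EnableERM><ExpirePolicy>True</ExpirePolicy>"
    "<RejectPolicy>False</RejectPolicy><IrmTitle>Project Alpha</IrmTitle>"
    "<IrmExpireDate>Wed, 01 Jul 2009 00:00:00 GMT</IrmExpireDate>"
    "<irm_PolicyId>Documents</irm_PolicyId></CustomData>")

SAMPLE_DISABLE = (
    "<CustomData><ActivityType>DisableProtection</ActivityType>"
    "<EnableERM>False</EnableERM><ExpirePolicy>True</ExpirePolicy>"
    "<RejectPolicy>True</RejectPolicy>"
    "<irm_PolicyId>Documents</irm_PolicyId></CustomData>")


def sample_change(read_role):
    """Build a ChangeProtection entry with the Read level mapped to read_role."""
    return ("<CustomData><ActivityType>ChangeProtection</ActivityType>"
            "<erm_PolicySecurityProfile>RMS</erm_PolicySecurityProfile>"
            "<erm_RolesMappings><mappings lasttimemodified='6/2/2009 4:47:49 PM'>"
            "<mapping key='Full Control' value='%s' />"
            "<mapping key='Contribute' value='%s' />"
            "<mapping key='Read' value='%s' />"
            "</mappings></erm_RolesMappings></CustomData>"
            % (ROLE_OWNER, ROLE_EDITOR, read_role))


if __name__ == "__main__":
    log = [SAMPLE_ENABLE, sample_change(ROLE_READER),
           sample_change(ROLE_OWNER), SAMPLE_DISABLE]
    for kind, findings in triage(log):
        print(kind, findings)
```

In practice the input would be the Event Data cells of the exported audit report, filtered to rows whose Source Name is Enterprise Rights Management.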

Chapter 4: Troubleshooting

This chapter describes common problems and suggested actions for the SharePoint Site Owner. These problems may be reported by a SharePoint User to a SharePoint Site Owner.

Topics included in this chapter are:

Common Problems

Common Problems

Table 4-1 lists some common problems, their possible causes, and suggested actions.

Table 4-1: Common Problems for the Gateway for SharePoint

Symptom (Problem): One or more file types that you expect to be protected are not being protected.

Possible Causes:

IRM is not enabled.

OR

Files are being opened from the cache.

OR

The file extension for the selected file type was not selected during the installation of the Gateway for SharePoint.

Suggested Actions:

Try the following actions:

Verify that IRM is enabled for the server.

To verify that IRM is enabled for the server, the SharePoint Site Owner (or any other user with Full Control access) can perform the following steps:

Open SharePoint.

Select the list or library of interest.

Open the Settings menu and select Document Library Settings. The Customize Selected Library or List screen displays.

If the Information Rights Management selection appears in the Permissions and Management menu, then IRM has been enabled. If the Information Rights Management selection does not appear, refer to the Microsoft SharePoint documentation listed in Related Documents on page vii for information on how to enable IRM.

If IRM is enabled for the server, verify that IRM is enabled for the SharePoint list or library containing the file in question.

To verify that IRM is enabled for the selected list or library, the SharePoint Site Owner (or any other user with Full Control access) can perform the following steps:

Open SharePoint and select the list or library of interest.

Open the Settings menu and select Document Library Settings. The Customize Selected Library or List screen displays.

Select Information Rights Management from the Permissions and Management menu and select the permissions you wish to grant users of the list or library.

If IRM is enabled, but the file is still unprotected, verify that the file is still unprotected when it is downloaded from its original source by performing the following steps:

Clear your Internet cache.

Close and then restart your Browser.

Open the file again.

If you try these actions and the file is still unprotected, contact your System Administrator, who may be able to further troubleshoot the problem or add the missing file extension to this instance of Gateway for SharePoint.

Symptom (Problem): The Edit in <application> selection (for example, Edit in Adobe Acrobat) does not open the file. An error message displays.

Possible Cause(s): The Edit in <application> option in SharePoint is not configured correctly.

Suggested Actions: Contact your System Administrator, who will need to configure this option properly.

Symptom (Problem): Clicking a link fails to open a file. An error message displays indicating the file is corrupt or invalid.

Possible Cause(s): The file is protected, but the application trying to open it is not enabled in IRM.

Suggested Actions:

For Office 2003 or 2007, verify that RMS is installed on your computer, and has been properly enabled.

For other applications, verify that the Liquid Machines Document Control Client (LMDC Client) is installed and enabled,

OR

Download a local copy of the file and open it using the LM Viewer.

Symptom (Problem): When you are trying to open a file, a message displays indicating you need the LMDC Client or LM Viewer.

Possible Cause(s): The file is protected and you do not have the LMDC Client or LM Viewer installed.

Suggested Actions: Install the LMDC Client or LM Viewer.

Symptom (Problem): When you are trying to open a file, a message displays indicating that you have the LMDC Client installed, but it is not enabled.

Possible Cause(s): The LMDC Client is installed, but disabled or in Standby mode.

Suggested Actions: Enable the LMDC Client.

NOTE: If the LMDC Client is disabled and not just in Standby mode, this action will require a reboot of the Client machine.

Symptom (Problem): A file fails to open or download and a message displays indicating that the file name or path name is invalid.

Possible Cause(s): The RMS Certificate has expired and must be renewed.

Suggested Actions:

Log onto the RMS machine and start the RMS Administration Console.

If a warning displays indicating that the RMS certificate has expired, then you must renew the RMS certificate.

Renew the RMS Certificate.

Appendix A: Sample Email to Notify the SharePoint Users of the Gateway for SharePoint

This appendix provides a sample email that can be used to notify SharePoint users of the new capabilities provided by the Gateway for SharePoint.

To: SharePoint Users

From: SharePoint Site Owner

Subject: New Capabilities Provided by Liquid Machines Gateway for SharePoint

A new product called Liquid Machines Gateway for SharePoint has been installed on the SharePoint server. This product allows for some additional capabilities that you should be aware of when using IRM-protected SharePoint lists or libraries.

In general, IRM protection in SharePoint will work exactly as before, except that you now can upload and download the following file types in addition to Microsoft Office files:

.pdf

In addition, this new product allows all users who have access to the same SharePoint list or library to collaborate on SharePoint IRM-protected documents outside of SharePoint.

For example, you can download a file from SharePoint and review and edit it as needed. Instead of having to upload it back to SharePoint so another user can access it, you can now email that SharePoint IRM-protected document to another user (assuming he or she also has access to the SharePoint list or library). The second user can review and edit the document as needed, and then send the document back to you or upload it directly back to SharePoint.

This maintains the protections provided by IRM, but allows you to work on documents with other users without requiring each user to download and upload the document back to SharePoint after each use.

[For SharePoint users on Document Libraries configured with the LMDC Policy Service and the LMDC Security Service or the RMS Security Service with Advanced Security selected: The configuration that has been set up for your SharePoint Document Library requires that you view and/or open non-Microsoft Office protected documents using the LMDC Client or LMDC Viewer. If you do not have access to these products, contact the IT Help Desk for assistance.]

If you have any questions regarding this information, please contact me at X1234.

Thank you,

John Doe

SharePoint Site Owner

Appendix B: Mapping SharePoint Permissions to IRM Rights on an RMS Policy Server

This appendix describes how SharePoint rights are mapped to IRM rights.

NOTE: This appendix only applies to the Gateway for SharePoint when it is configured to use the RMS Policy Server.

Previous examples in this document have assumed that your organization is using the default SharePoint Groups and SharePoint Permission Levels. If that is not the case, then the following section will help you to understand how permissions are mapped and how use licenses are constructed. For additional details on customizing SharePoint Groups and SharePoint Permission Levels, see your System Administrator or documentation from Microsoft.

When documents are accessed from an IRM-enabled list or library, an IRM license is generated that includes all authorized users, with each user’s specific permissions including a combination of the IRM rights specified on the list’s or library’s Information Rights Management settings page, and some additional IRM rights derived from the user’s SharePoint Permissions.

There are 33 SharePoint Permissions, six of which grant user permissions which are mapped to IRM Permissions. Table B-1 describes how these six SharePoint user permissions map to IRM Permissions.

Table B-1: SharePoint User Permissions that Map to IRM Permission

Office SharePoint Server 2007 Permissions: 1. Manage Permissions; 2. Manage Web

IRM Permissions: Full control, as defined by the client. This generally allows a user to read, edit, copy, save, and modify the permissions of rights-managed content.

Office SharePoint Server 2007 Permissions: 3. Edit List Items; 4. Manage List; 5. Add and Customize Pages

IRM Permissions: Read, edit, copy, and save permissions. You can optionally enable users with these permissions to print documents from the list or library.

Office SharePoint Server 2007 Permissions: 6. View List Item

IRM Permissions: Read permissions. A user can read the document, but cannot copy or update its content. You can optionally enable users with View List Item permissions to print documents from the list or library.

Office SharePoint Server 2007 Permissions: Other

IRM Permissions: No other permissions map to IRM permissions.

Users may be assigned SharePoint Permissions as a result of being assigned to a default or customized Permission Level or by being assigned to a SharePoint Group that is assigned to a Permission Level.

For example, the default setting for the Contribute SharePoint Permission level includes the Edit List Items and View List Item SharePoint permissions, but none of the others listed above. When mapped to IRM permissions, the user license will include the most permissive set of IRM permissions of all of the SharePoint Permissions that the user has.

In this example, Edit List Items gives the user read, edit, copy and save permissions, but View List Item only gives the user Read permission. Since the user has both Edit List Items and View List Item SharePoint permissions, the user will receive the most permissive IRM permissions of the two (read, edit, copy, and save permissions).

If the SharePoint Permission level has been customized, you can derive the user’s IRM permissions by understanding the mapping between SharePoint Permissions and IRM permissions in Table B-1.

SharePoint Groups provide an easy way to associate a set of users with a SharePoint permission level. Like Permission Levels, SharePoint Groups may be customized by your organization. Table B-2 describes the default mappings and can be used together with Table B-1 to help you define the mapping at your organization, if you do not use SharePoint’s default settings.

Table B-2: Default Mappings

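Column groups:

SharePoint Default Definitions: SharePoint Groups; SharePoint Permission Level for this SharePoint Group.

SharePoint Permission Levels Map to Many Individual SharePoint Permissions Including Those Below, Which are Mapped to IRM Permissions: List Permissions (Manage Lists, Edit Items, View Items); Site Permissions (Manage Permissions, Manage Web Site, Add & Customize Pages).

IRM Permissions derived from SharePoint Permissions.

SharePoint Group: <Site> Owner (Users who create and manage sites.)
SharePoint Permission Level: Full Control
List Permissions: Manage Lists: Read, Edit, Copy, Save. Edit Items: Read, Edit, Copy, Save. View Items: Read.
Site Permissions: Manage Permissions: Full Control. Manage Web Site: Full Control. Add & Customize Pages: Read, Edit, Copy, Save.
IRM Permissions derived from SharePoint Permissions: Full Control

SharePoint Group: <Site> Members (Collaborative users who add and modify content.)
SharePoint Permission Level: Contribute
List Permissions: Manage Lists: none. Edit Items: Read, Edit, Copy, Save. View Items: Read.
Site Permissions: Manage Permissions: none. Manage Web Site: none. Add & Customize Pages: none.
IRM Permissions derived from SharePoint Permissions: Read, Edit, Copy, Save

SharePoint Group: <Site> Visitors (Users who can access, but cannot modify content.)
SharePoint Permission Level: Read
List Permissions: Manage Lists: none. Edit Items: none. View Items: Read.
Site Permissions: Manage Permissions: none. Manage Web Site: none. Add & Customize Pages: none.
IRM Permissions derived from SharePoint Permissions: Read

SharePoint Group: Approvers (Used in workflows.)
SharePoint Permission Level: Approve
List Permissions: Manage Lists: none. Edit Items: Read, Edit, Copy, Save. View Items: Read.
Site Permissions: Manage Permissions: none. Manage Web Site: none. Add & Customize Pages: none.
IRM Permissions derived from SharePoint Permissions: Read, Edit, Copy, Save

SharePoint Group: Hierarchy Managers (Users who create and manage sites. May be delegated down from higher level person)
SharePoint Permission Level: Manage Hierarchy
List Permissions: Manage Lists: Read, Edit, Copy, Save. Edit Items: Read, Edit, Copy, Save. View Items: Read.
Site Permissions: Manage Permissions: Full Control. Manage Web Site: Full Control. Add & Customize Pages: Read, Edit, Copy, Save.
IRM Permissions derived from SharePoint Permissions: Full Control

SharePoint Group: Restricted Readers (Users who are more restricted than Visitors. They cannot see version history of minor versions, if major and minor versions exist.)
SharePoint Permission Level: Restricted Read
List Permissions: Manage Lists: none. Edit Items: none. View Items: Read.
Site Permissions: Manage Permissions: none. Manage Web Site: none. Add & Customize Pages: none.
IRM Permissions derived from SharePoint Permissions: Read

SharePoint Group: Quick Deploy Users; Style Resource Readers (Designed to give access to a specific list, library, item, or document, without giving access to the entire site.)
SharePoint Permission Level: Limited Access
List Permissions and Site Permissions: No permissions that map to IRM
IRM Permissions derived from SharePoint Permissions: none

SharePoint Group: There is no default SharePoint Group with the Design Permission Level
SharePoint Permission Level: Design
List Permissions: Manage Lists: Read, Edit, Copy, Save. Edit Items: Read, Edit, Copy, Save. View Items: Read.
Site Permissions: Manage Permissions: none. Manage Web Site: none. Add & Customize Pages: Read, Edit, Copy, Save.
IRM Permissions derived from SharePoint Permissions: Read, Edit, Copy, Save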
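The derivation described in this appendix, as an added example that is not code from Liquid Machines or Microsoft: it resolves each user's SharePoint permissions through direct Permission Level assignments and SharePoint Group membership, then applies the most-permissive rule using the Table B-1 mapping. The default Permission Level contents are taken from Table B-2 (using the Table B-1 permission names); the site, users, groups and the customized "Reviewer" level are constructed for illustration.

```python
TIERS = ("none", "read", "edit", "full control")  # least to most permissive

# Table B-1: the six SharePoint permissions that map to IRM permissions.
PERMISSION_TIER = {
    "Manage Permissions": "full control",
    "Manage Web": "full control",
    "Edit List Items": "edit",
    "Manage List": "edit",
    "Add and Customize Pages": "edit",
    "View List Item": "read",
}

TIER_RIGHTS = {
    "none": (),
    "read": ("read",),
    "edit": ("read", "edit", "copy", "save"),
    "full control": ("full control",),  # "as defined by the client"
}

# Table B-2 defaults, reduced to the permissions that map to IRM.
ALL_SIX = frozenset(PERMISSION_TIER)
DEFAULT_LEVELS = {
    "Full Control": ALL_SIX,
    "Manage Hierarchy": ALL_SIX,
    "Design": frozenset({"Manage List", "Edit List Items", "View List Item",
                         "Add and Customize Pages"}),
    "Approve": frozenset({"Edit List Items", "View List Item"}),
    "Contribute": frozenset({"Edit List Items", "View List Item"}),
    "Read": frozenset({"View List Item"}),
    "Restricted Read": frozenset({"View List Item"}),
    "Limited Access": frozenset(),
}


def irm_tier(permissions):
    """Most permissive IRM tier granted by a set of SharePoint permissions."""
    best = 0
    for perm in permissions:
        # Permissions outside Table B-1 map to no IRM permission.
        best = max(best, TIERS.index(PERMISSION_TIER.get(perm, "none")))
    return TIERS[best]


def effective_permissions(user, site):
    """Union of permissions from direct levels and from group membership."""
    levels = set(site["user_levels"].get(user, ()))
    for group, members in site["group_members"].items():
        if user in members:
            levels.update(site["group_levels"].get(group, ()))
    perms = set()
    for level in levels:
        if level not in site["levels"]:
            raise KeyError("undefined permission level: %s" % level)
        perms.update(site["levels"][level])
    return perms


def irm_rights(user, site, allow_print=False):
    """Return (tier, rights) for one user; print is the optional list setting."""
    tier = irm_tier(effective_permissions(user, site))
    rights = list(TIER_RIGHTS[tier])
    if allow_print and tier in ("read", "edit"):  # option named in Table B-1
        rights.append("print")
    return tier, tuple(rights)


def license_for_library(site, allow_print=False):
    """Rights for every user known to the site, keyed by user name."""
    users = set(site["user_levels"])
    for members in site["group_members"].values():
        users.update(members)
    return {u: irm_rights(u, site, allow_print) for u in sorted(users)}


# Constructed site. "Reviewer" is a customized level: it sounds read-only,
# but Add and Customize Pages places its members in the edit tier.
SITE = {
    "levels": {**DEFAULT_LEVELS,
               "Reviewer": frozenset({"View List Item", "Add and Customize Pages",
                                      "Delete Items"})},
    "group_levels": {"Deal Members": ["Contribute"], "Deal Visitors": ["Read"],
                     "Reviewers": ["Reviewer"],
                     "Style Resource Readers": ["Limited Access"]},
    "group_members": {"Deal Members": {"alice"}, "Deal Visitors": {"alice", "bob"},
                      "Reviewers": {"carol"}, "Style Resource Readers": {"dave"}},
    "user_levels": {"erin": ["Full Control"]},
}

if __name__ == "__main__":
    for user, (tier, rights) in license_for_library(SITE, allow_print=True).items():
        print(user, tier, rights)
```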


Index

A

Audience, vi
Audit Report
    generating, 3-2
Auditing
    site level, 3-1

B

Book Conventions, vi

C

Configuration
    library level, 2-8
    list level, 2-8
    site level, 2-2
Configuring IRM, 1-2, 2-10
    using LMDC as Policy Server, 2-1
    using RMS as Policy Server, 1-1
Contacting Liquid Machines, ii
Conventions, vi
Copyright, ii

D

Documents
    related, vii
    SharePoint, vii

G

Gateway for SharePoint
    introducing, v
    notifying SharePoint users of, 1-8, 2-14
    notifying users of new capabilities, A-1
Generating an Audit Report, 3-2

I

Inheritance
    breaking before mapping permission levels, 2-5
Introducing Gateway for SharePoint, v
IRM
    configuring, 1-2
    configuring at list level, 2-10
    permissions, 1-6

L

Library Level Configuration, 2-8
Liquid Machines
    contacting, ii
List Level Configuration, 2-8
list or library
    setting up IRM, 1-4
LMDC Client
    Using Gateway for SharePoint with, v
LMDC Policy Server
    configuring IRM with, 2-1
LMDC Server
    Using Gateway for SharePoint with, vi
LMDC Viewer
    Using Gateway for SharePoint with, v

M

Mapping permission levels, 2-6
Mapping permissions, 1-6
    on subsites, 2-5
    with an RMS Policy Server, B-1

N

Notifying SharePoint users of Gateway for SharePoint, 1-8, 2-14
Notifying users of Gateway for SharePoint, A-1

P

Permissions
    default mapping, B-3
    IRM, 1-6
    mapping, 1-6
    SharePoint, 1-6


R

Related documents, vii
RMS Policy Server
    configuring IRM with, 1-1
    mapping permissions when using an, B-1
Roles
    synchronizing, 2-7

S

Security Profile
    setting, 2-6
Setting Security Profile, 2-6
Setting up IRM for a list or library, 1-4
SharePoint
    documents, vii
    IRM settings for list or library, 1-4
    permissions, 1-6
Site Level Auditing, 3-1
Site Level Configuration, 2-2
    mapping permission levels, 2-6
    selecting security profile, 2-6
Subsites
    inheriting permission levels from parent, 2-5
    mapping permissions, 2-5
Synchronizing roles, 2-7

T

Troubleshooting, 4-1

U

Update interval, 2-7
Using Gateway for SharePoint
    with LMDC Client or Viewer, v
    with LMDC Server, vi