
SharePoint and Information Rights Management

Information Rights Management (IRM) is a set of features and procedures that protect sensitive information from unauthorized access. Because SharePoint is document-driven, everyone expects the platform to help protect data with out-of-the-box options.

Fortunately, SharePoint has it! You can add policies at the Document Library level that persist even after the document has been downloaded and is no longer in the SharePoint context, so I must say IRM in SharePoint is very powerful! It is also important to note that an IRM policy works only at the library level.


Because I’ve had to understand the feature more deeply, considering what could be done by users that only have Read access to libraries, I’ve decided to test how the IRM feature works and then wrote a document trying to identify which actions were available, depending on what you configure.

But first, let us talk a little about how it works and what we can do with IRM in SharePoint!

Possible settings for Information Rights Management

[Figure: SharePoint Information Rights Management settings. Print screen from a SharePoint 2016 page]

  • Create a permission policy title:

Defines the name of the Information Rights Management policy. It’s a mandatory field that lets you identify different policies applied to the same library.

  • Add a permission policy description:

Optional field that helps describe the policy. I usually fill in this field to explain why I’m using that policy.

Set additional Information Rights Management settings

  • Do not allow users to upload documents that do not support IRM:

You will probably need this if you want an IRM-only library. It makes SharePoint block uploads to the library of files whose extensions are not supported. The supported formats are: .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xla, .xlam, .ppt, .pptm, .pot, .potx, .potm, .pps, .ppsx, .ppsm and .thmx.

  • Stop restricting access to the library at:

Lets you set an expiration date for the policy. After that date, the policy no longer applies to the document. If you don’t check this, the policy will live forever (or until you delete it).

  • Prevent opening documents in the browser for this Document Library:

Prevents users from opening the document in the browser, ensuring more protection for the data. Unfortunately, there may be some browsers that won’t respect it.

Configure document access rights in SharePoint

  • Allow viewers to print:

Users can print the document on a printer or other machine. If you don’t check it, the Office client apps won’t allow the users to print the document.

  • Allow viewers to run script and screen reader to function on downloaded documents:

Checking this option permits users who already have permissions on the document, such as “View list item permissions” or higher, to execute scripts or macros in the documents. This can let them extract data with custom code, and it may be considered a security issue.

  • Allow viewers to write on a copy of the downloaded document:

If you choose this option, viewers will be able to edit a downloaded copy of the document. If you don’t check it, the user will have a read-only copy.

  • After download, document access rights will expire after these number of days (1-365):

Defines a period of time that starts when the user downloads the document. After that time passes, the policy no longer applies to the document. Hence, each downloaded file has its own expiration.

Set group protection and credentials interval

  • Users must verify their credentials using this interval (days):

Restricts access to content after a period of time, requiring users to enter their credentials again to verify that they are still able to read the content. Applies to downloaded files.

  • Allow group protection. Default group:

Grants permission for users of an Active Directory group to share the document between them.
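
An added example, not part of the original post: a PowerShell function that reviews a library's IRM settings against the cautions described in the options above. It assumes the settings have already been read into an object whose property names follow the SharePoint client object model; `Test-IrmPolicy`, the library names and the sample values are constructed for illustration.

```powershell
# Added example. Property names follow the SharePoint client object model
# (List.IrmEnabled, List.IrmReject, List.InformationRightsManagementSettings);
# Test-IrmPolicy and all sample values are constructed for illustration.
function Test-IrmPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Library,
        [Parameter(Mandatory)] [psobject] $Policy
    )
    $f = New-Object 'System.Collections.Generic.List[string]'
    if (-not $Policy.IrmEnabled) {
        $f.Add('IRM is disabled: no policy travels with downloaded files.')
    } else {
        if (-not $Policy.IrmReject)  { $f.Add('Uploads of file types that do not support IRM are accepted.') }
        if ($Policy.AllowScript)     { $f.Add('Scripts/macros may run on downloaded copies (data extraction risk).') }
        if ($Policy.AllowWriteCopy)  { $f.Add('Viewers can edit a downloaded copy.') }
        if ($Policy.AllowPrint)      { $f.Add('Viewers can print from the Office client apps.') }
        if (-not $Policy.DisableDocumentBrowserView) {
            $f.Add('Opening in the browser is allowed; print screen works there.')
        }
        if (-not $Policy.EnableDocumentAccessExpire) {
            $f.Add('Access rights on downloaded copies have no expiry.')
        } elseif ($Policy.DocumentAccessExpireDays -lt 1 -or $Policy.DocumentAccessExpireDays -gt 365) {
            $f.Add('DocumentAccessExpireDays is outside the 1-365 range.')
        }
        if (-not $Policy.EnableLicenseCacheExpire) { $f.Add('No credential re-verification interval is set.') }
    }
    [pscustomobject]@{ Library = $Library; Findings = $f }
}

# Constructed sample policies: one locked down, one permissive.
$samples = [ordered]@{
    'Contracts' = [pscustomobject]@{
        IrmEnabled = $true; IrmReject = $true; AllowPrint = $false; AllowScript = $false
        AllowWriteCopy = $false; DisableDocumentBrowserView = $true
        EnableDocumentAccessExpire = $true; DocumentAccessExpireDays = 30
        EnableLicenseCacheExpire = $true; LicenseCacheExpireDays = 7 }
    'Drafts' = [pscustomobject]@{
        IrmEnabled = $true; IrmReject = $false; AllowPrint = $true; AllowScript = $true
        AllowWriteCopy = $true; DisableDocumentBrowserView = $false
        EnableDocumentAccessExpire = $false; DocumentAccessExpireDays = 0
        EnableLicenseCacheExpire = $false; LicenseCacheExpireDays = 0 }
}
foreach ($name in $samples.Keys) {
    $r = Test-IrmPolicy -Library $name -Policy $samples[$name]
    if ($r.Findings.Count -eq 0) { "${name}: no findings" }
    else { $r.Findings | ForEach-Object { "${name}: $_" } }
}
```

On a live farm the same properties can be read from the library's list object through the client object model and passed to the function in place of the constructed samples.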

Behaviour for Users that can’t Edit

Below you can see how the IRM feature behaves depending on the settings you choose. The column headers specify which action the user may be able to perform, depending on which policy was applied.

Possible actions for users with Permission Level: VIEW ONLY

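| Policy | Download File | Edit file after downloaded | Open in Browser | Open in Office | Sync in OneDrive | Allow printscreen on browser | Allow prints on Office | Allow printing | Allow preview on browser |
|---|---|---|---|---|---|---|---|---|---|
| No policy | No | No | Yes | No | No | Yes | No | Yes | Yes |
| IRM enabled (empty settings) | No | No | Yes | No | No | Yes | No | No | No |
| Only “Prevent opening documents in the browser” | No | No | No | No | No | No | No | No | No |
| Only “Allow viewers to print” | No | No | Yes | No | No | Yes | No | No | Yes |
| Only “Allow viewers to write on a copy of the downloaded document” | No | No | Yes | No | No | Yes | No | No | No |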

Similarly, we have these possible actions for users with Permission Level: READ

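| Policy | Download File | Edit file after downloaded | Open in Browser | Open in Office | Sync in OneDrive | Allow printscreen on browser | Allow prints on Office | Allow printing | Allow preview on browser |
|---|---|---|---|---|---|---|---|---|---|
| No policy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IRM enabled (empty settings) | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Only “Prevent opening documents in the browser” | Yes | No | No | Yes | Yes | No | No | No | No |
| Only “Allow viewers to print” | Yes | No | Yes | Yes | Yes | Yes | No | Yes | No |
| Only “Allow viewers to write on a copy of the downloaded document” | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |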

Conclusion

In short, the IRM feature for SharePoint gives you many capabilities for planning the security of the data in your documents. It may have some security problems, depending on the browser the user uses, but after all it’s a great option to deliver value to your client! I hope this post helps you work with SharePoint and Information Rights Management.

References:

https://support.office.com/en-us/article/apply-information-rights-management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1

4 Comments

  1. Mark

    I cannot find the “Information Rights Management” page on my SP2016 on-premises. How do I enable this feature? Also, has anything changed after SP2013?

  2. JohnB

    Bravo on this post William! This is the only place I’ve found the detail I needed on the resulting set of protections for users with different rights!

    • Wiliam Rocha

      Glad to know that, John! Best of luck to you on working with IRM!


© 2024 wiliammbr's blog
