2 About Oracle IRM and Sealed Content
This section covers the following topics:
2.1 About Oracle IRM
Oracle Information Rights Management (Oracle IRM) is an information security solution that uses encryption to 'seal' content (documents and emails). Access to the decryption keys is carefully controlled, so that only authorized end users can open and use the sealed content, regardless of where it is stored and used.
Oracle IRM enables authorized users to create and use sealed content transparently within existing desktop applications, such as Microsoft Office, Adobe Reader and Lotus Notes, without requiring detailed knowledge of keys or passwords. A one-time installation of the Oracle IRM client software, Oracle IRM Desktop, supports current and previous versions of these standard desktop applications, and continues to protect and track sealed documents and emails while they are in use within them. See Section 9.4, "Formats".
Oracle IRM also continues to protect and track sealed content when it is stored and used on desktops beyond the firewall of the originating organization. Recipients of sealed documents and emails may be authorized by the originating organization to use them in one or more different ways, including reading them, replying to them, editing them, searching them, copying them, and printing them.
When the originator of a sealed document or email decides that the content is no longer valid, or when the originator decides to change who can use a sealed document or email, the rights can be revoked and the recipient may find that they can no longer read it.
2.2 About Sealed Documents
Sealed documents are encrypted files that are accessible only to authorized users. They have distinctive icons and file extensions. See Section 9.4, "Formats" for a full list.
The Oracle IRM solution supports a wide range of document formats, including Microsoft Word, Excel, and PowerPoint, PDF, HTML, RTF and text, and various image and movie formats.
Supporting popular document formats enables the Oracle IRM solution to fit seamlessly into existing working practices, ensuring the security and confidentiality of critical business information.
Your ability to work with a specific sealed document depends on the rights defined for you in the contexts to which the document is sealed. For example, your rights to work with documents in a Top Secret context and a Confidential context might be very different.
2.3 About Rights
Rights control what you can and cannot do with sealed documents. Your rights to a specific sealed document can range from none (so you cannot even open the document), to Open (so you can read it on your computer screen, but do nothing else with it), through a range of rights to, for example, edit, print, and search the document. Your rights also control your ability to create new sealed documents.
Your rights can be changed over time, can differ from the rights of other users, and can differ from one sealed document to another. Your rights to a specific document depend on what context that document is sealed to. For example, your rights to documents in a Top Secret context might be much more restricted than for documents in a Confidential context.
Some rights effectively include others (for example, if you have the Edit right, you also get the Annotate and Interact rights), and some rights require others (for example, if you have the Edit right, you need the Open right to access the document, and you need the Reseal right so that you can save your edits).
When you are viewing a specific sealed document, you can see your rights for that document on the Rights tab of the Oracle IRM Desktop Control Panel. The Rights tab lists only rights that are relevant to the type of sealed document you are viewing.
This guide tells you the rights you need to perform common Oracle IRM tasks. If you need to perform tasks for which you do not have rights, you should ask an Oracle IRM Server administrator whether you can be given the necessary rights.
Note to Oracle IRM Server administrators:
The "rights" available in Oracle IRM Desktop are created by assigning "features", and setting constraints, within Oracle IRM Server. See the Administrator's Guide for Oracle IRM Server for full details.The complete set of rights is described in Table 2-1.
| Right | Description | Usage notes |
|---|---|---|
|
Accessibility |
Relaxes protection of sealed files so the use of accessibility tools and features is not blocked for sealed files. It does this by turning off program protection, screen capture protection, and keyboard protection in the file. |
Some accessibility tools might work even without this right. |
|
Annotate |
Allows you to add comments in Microsoft Excel and Microsoft Word documents (DOC and RTF formats). |
The ability to add comments may be the only editing you can do on sealed documents. In Microsoft Word, the Annotate right negates the Interact right. |
|
Copy |
Allows you to copy content from a sealed document and paste it into any other document. Allows you to change the context of a sealed document to any other context that you have access to. |
Applicable only to Microsoft Office, email, and PDF. If you have the Copy right, you do not have, or need, the Copy To right. This is because Copy To is more restrictive that Copy. Use of copy and paste within a specific sealed document does not require any rights other than the Edit right. |
|
Copy To |
Allows you to copy content between documents that are sealed to the same context. Allows you to copy content from a sealed document and paste it into a document that is sealed to another context, but only if this is a trusted context. Allows you to change the context of a sealed document to another context that is a trusted context. Allows you to make a copy of a sealed document and then change the context of the copy to another context that is a trusted context. Important: Copy To is not directly selectable as a right. Instead, it is assigned by setting Exporting Content to "Allow with restrictions" on the Constraints tab of a role. |
Trusted contexts are set up in Oracle IRM Server. You can check which contexts have been set up as trusted contexts for the current sealed document (there will be at least one), by looking under "Trusted Destinations" on the Rights tab of the Oracle IRM Desktop Control Panel. If you have rights to copy content to other contexts, you also need the relevant rights in those contexts. For example, to copy content to a document in another context, you need the right to open and edit documents in that context. To change the context of a sealed document, right-click it in a file browser and select Reseal To. You need the Copy To right for the current context and the Seal right for the destination context. Use of copy and paste within a specific sealed document does not require any rights other than the Edit right. Even with the Copy To right, you may sometimes not be able to copy content between documents (for example, in some multi-process environments). |
|
Edit |
Allows you to edit Microsoft Office documents. |
The Edit right includes the Edit Tracked, Annotate, Interact, and Formulae rights. |
|
Edit Tracked |
Allows you to edit Microsoft Office documents, but enforces the use of the track changes feature of Microsoft Word. |
The Edit Tracked right is included in the Edit right. |
|
Formulae |
Allows you to select and view formulae (formulas) in Microsoft Excel workbooks. |
The Formulae right is included in the Edit and Edit Tracked rights. |
|
Interact |
Allows you to enter data into Form fields in Microsoft Word documents. Allows you to enter data into unprotected cells of Microsoft Excel documents. |
The Interact right is included in the Edit and Edit Tracked rights. In Microsoft Word, the Interact right is ineffective if the Annotate right has also been granted. |
|
Open |
Allows you to open a sealed document and view it on screen. |
The Open right might be the only right you have to a document. The Open right is a prerequisite for all other rights except Seal and Search. |
|
|
Allows you to print documents to create paper copies. |
The Print right is included in the Print to File right. |
|
Print To File |
Allows you save a document as a print file, or send documents to a virtual printer (for example, Adobe PDF). |
Print To File includes the Print right. |
|
Program |
Allows you to use macros within a sealed document to manipulate the document's content. |
|
|
Reply |
Allows you to edit a sealed email to create a reply. |
You also need Reseal to save your email edits. You do not need Edit when replying to sealed email. Reply does not allow you to create new sealed emails. That requires the Seal right. |
|
Reply Tracked |
Allows you to edit a sealed email to create a reply, but enforces the track changes feature. |
You also need the Reseal right to save your email edits. Reply Tracked does not allow you to create new sealed emails. That involves creating a new sealed document, and therefore requires the Seal right. |
|
Reseal |
Allows you to save edits to a sealed document or to a sealed email reply. |
When you save a sealed document, you can use a different filename, but the new file is subject to exactly the same rights as its source document. The Reseal right is not associated with the Reseal To option available when right-clicking a sealed file in a file browser (such as Windows Explorer). For an explanation of the Reseal To option, see the Copy To right. |
|
Save Unsealed |
Allows you to create an unsealed copy of a sealed document. |
This right enables you to create an unprotected copy of a sealed document. An unsealed document can be created using the Save As option in applications. An unsealed document can also be created using the Unseal option when you right-click a sealed file in a file browser (such as Windows Explorer). |
|
Screen Capture |
Allows you to take screen captures of sealed documents. (See Section 4.9, "Screen Capturing Sealed Documents".) |
Apart from its obvious use, you might be given this right if you have a legitimate reason to use an application that sends images from your computer to another computer, such as a web presentation product. |
|
Seal |
Allows you to create a new sealed document or email. |
Typically, if you have the Seal right, you also have the Edit right, so that you can edit the documents you create. However, if you have been given the Seal right so that you can use sealed email, it is possible that you will not have the Edit right. Sealed email usage requires the Seal right for email creation, and the Reseal and Reply (or Reply Tracked) rights for replying. |
|
Search |
Allows you to use Microsoft Windows search facilities to search the content of sealed documents. |
Unless you have this right, searches will not include the content of sealed documents. Searching sealed PDF requires a search filter from Adobe as well as the Search right. |
|
Set Item Code |
Allows you to manually set the item code of a sealed document. |
Item codes are mostly allocated and updated automatically, and reflect the name of a sealed document and the time that it was sealed. Not all sealed documents have item codes. You might be given the right to allocate item codes manually. If so, you will see some extra options and messages when working with sealed documents, and you should be trained to understand what you need to do. |
2.4 About Contexts
A context is a type or grouping of sealed content. For example, you might have contexts for secret sales matters, confidential sales matters, proprietary research matters, confidential partner communications, and so on.
The rights defined for each context can be very different so, for example, you might have rights to open, edit, and print confidential sales documents, but only the right to open secret sales documents, and no rights at all for research documents. Different users have different rights in different contexts.
If you are the owner or creator of sensitive documents, you can work with the rights administrator (or, in Oracle IRM terms, the "domain manager") to create one or more contexts to protect that information. For example, if you are developing a new product, you might create contexts to protect the requirements, specifications, designs, market projections, competitive information, legal information, patents, and so on. Your domain manager can help you decide whether you need new contexts, or whether existing contexts are suitable for your information.
2.5 About Connecting to Oracle IRM Server
Before you can create or read sealed documents, your installation of Oracle IRM Desktop must be connected to the server (Oracle IRM Server) that holds the user and context information for the documents to be created or read.
If you have been sent a sealed document and want to read it, simply opening the document will initiate connection to the server. You may be asked to provide login details, after which you will be able to use the sealed document to the extent that your rights allow. You will find that the server to which you have been connected is listed on the Servers tab of the Oracle IRM Desktop Options dialog.
If you wish to seal a document to a context hosted by a server that is not yet listed on the Servers tab, you will need to connect to that server manually. See Section 7.3, "Connecting to Oracle IRM Server Manually".
2.6 About Synchronizing with Oracle IRM Server
If you are permitted to work offline, your local cache of rights is updated by synchronizing to connected servers. This will allow you to keep working with sealed documents even when you are disconnected from the network and cannot contact the server. Typically, your cached rights allow you to keep using documents for several days before being required to contact the server.
Synchronization is almost completely automatic. Typically, it runs daily during standard office hours, but the schedule is controlled by the administrator of the server.
If synchronization fails for any reason, the application displays a failure message and automatically retries at intervals.
You can initiate synchronization manually at other times: for example, if someone notifies you that your rights have changed, and you want to synchronize immediately rather than wait for the automatic process. See Section 7.4, "Synchronizing Your Rights Manually".
2.7 About Sealed Document Item Codes
By default, all documents in a given context are subject to the same rights. However, the need may arise for exceptions to be made for specific documents. For example, it might be necessary to allow an auditor access to a specific secret merger document, but not to all secret merger documents.
To support such exceptions, every sealed document has an item code.
In most cases, item codes are allocated and managed automatically. In rare cases, users may be authorized to allocate and change item codes manually. This enables a user to, for example, create several different documents all with the same item code, enabling the documents to be handled as a unit for the allocation of rights.
Item codes are changed or retained depending on your rights. If you have the Seal right, then when you change the file name of a document, a new item code will be created for that document. If you do not have the Seal right, then every time you save the document, the same item code will be used.
Using custom item codes with sealed templates offers additional flexibility. If a template is given a custom item code when sealing (requires the Set Item Code right), the item code will not automatically update when a user with the Seal right edits and saves any documents created from it. Hence you may use sealed templates to not only enforce a consistent look and feel, but also group documents together within a context. For example, a Sales context may have different sealed templates based on customer, with each template having an item code that reflects the customer it is for. Item inclusions or exclusions could then be used within the Sales context to limit what customer documents may be opened by individual Sales persons, without having to keep track of specific documents.
2.8 About Sealed Email
In any business environment, confidential and sensitive information is entrusted to email communications. The Oracle IRM solution provides the tools you need to enable you to seal email just as you seal other types of content.
To work effectively with sealed email, you need to:
-
Create and send sealed email.
-
Open sealed email that you receive.
-
Open sealed files that are sent as attachments to emails.
-
Create and send sealed replies.
-
Forward sealed emails.
Oracle IRM Desktop enables all of the above so that you can participate in sealed email threads. See Section 5, "Using Sealed Email".
Your rights to create and reply to sealed email are managed separately from your rights to create and edit other types of sealed document.
2.9 About Microsoft Office Templates
The Oracle IRM solution supports two ways of using templates to enable organizations to create sealed documents consistently:
-
You can use sealed Microsoft Office templates to create Microsoft Word, Excel, and PowerPoint documents consistently.
-
You can create sealed documents from regular Microsoft Office templates using the Oracle IRM menu within Microsoft Office.
See Section 4.11.1, "About Using Sealed Microsoft Office Templates".
In each case, your templates can contain Oracle IRM fields that help to remind users of the sensitive nature of the documents created from them. For example, a template might have headers and footers that contain fields that identify the context of the documents, and the name of the user who opens a specific copy.
2.10 About Sealed Multimedia Files
Oracle IRM supports a range of video file formats. You will generally need the Open right to view sealed video files. See Section 2.3, "About Rights".
You can seal video files in the same way as you seal other types of file. For example, users of the Oracle IRM Desktop can select video files in Windows Explorer and select Seal To from the File menu. You are prompted to select a context for the files.
When you open sealed video files, the Oracle IRM Desktop toolbar provides buttons for playing, pausing, and stopping the file.
You will need to have QuickTime Player installed on your PC to be able to play back sealed video files.
2.11 About Oracle IRM Fields and Watermarks in Sealed Documents
If you are an author of sealed documents, you can add Oracle IRM fields to your document sources before sealing. When someone opens a sealed document that contains Oracle IRM fields, the fields help to remind the reader that the document is sensitive. Oracle IRM fields used as watermarks can help to make a printed copy of the document traceable in the event that it falls into the wrong hands.
You can use Oracle IRM fields in Microsoft Word and Microsoft Excel. See Section 6, "Working With Oracle IRM Fields and Watermarks".
For these applications, you can also create templates that contain a set of Oracle IRM fields, and apply them consistently to new documents. For example, in Microsoft Word, you can create a sealed Word template that contains the fields in headers and footers, and use that template to create a new sealed document.
When viewing the unsealed source, the fields appear as field names or placeholder strings. However, when sealed and viewed with Oracle IRM Desktop available, the fields are transformed to contain the relevant data. For example, irm-account-name might be transformed to John.Smith, the name of the user who opens a specific copy of a sealed document.