5 Oracle Information Rights Management

Oracle Information Rights Management (Oracle IRM) provides an information security solution that uses encryption to "seal" documents and emails. Access to the decryption keys are controlled so only authorized end users can access and use sealed documents and emails, regardless of where they are stored or used.

This chapter discusses the following topics:

Oracle IRM is documented in the following manuals:

Also see the Oracle Fusion Middleware Installation Guide for Oracle Enterprise Content Management Suite for additional information.

5.1 Oracle IRM Overview

Oracle IRM uses encryption to seal selected documents and emails. Authorized users create and use sealed content transparently within existing desktop applications, such as Microsoft Office, Adobe Reader and Lotus Notes, without requiring any understanding or management of encryption keys or passwords.

To create and use sealed documents and emails within existing desktop applications, users must install the Oracle IRM Desktop client software. Oracle IRM Desktop authenticates users, transparently requesting rights from the server (Oracle IRM Server). Oracle IRM Desktop supports current and previous versions of all standard desktop document and email applications, and continues to protect and track sealed documents and emails while they are in use within those applications.

Oracle IRM enables documents or emails to be automatically or manually sealed at any stage in their lifecycle, using tools that are integrated into the Windows desktop, authoring applications, email clients, and content management and collaborative repositories. Sealing wraps documents and emails within a layer of strong encryption and digital signatures, together with indelible links back to network-hosted servers (operated by the organization to which the information belongs) that store the decryption keys and associated access rights.

Oracle IRM continues to protect and track sealed documents and emails when they are stored and used on desktops beyond the firewall of the originating organization. Recipients of sealed documents and emails can be authorized by the originating organization to use them in specific ways, including reading them, replying to them, editing them, searching them, and copying them. Sealed documents and emails can be distributed by any existing means, such as email, web, file share, etc.

Users sent a sealed document can open the document, initiating a connection to the license server. Login details may be required, after which the sealed document can be used to the extent that rights allow.

5.2 Rights and Access to Documents

Rights control what you can and cannot do with sealed documents. Your rights to a particular sealed document can range from none (so you cannot even open the document), to Open (so you can read it on your computer screen, but do nothing else with it), through a range of rights to, for example, edit, print, and search the document. Your rights also control your ability to create new sealed documents.

Your ability to work with a particular sealed document depends on the rights defined for you in the contexts to which the document is sealed. For example, your rights to work with documents in a Top Secret context and a Confidential context might be very different.

When you are viewing a particular sealed document, you can see your rights for that document on the Rights tab of the Oracle IRM Desktop Control Panel. The Rights tab lists only rights that are relevant to the type of sealed document you are viewing.

Rights are defined and assigned centrally by administrators, who group combinations of rights and end user identities into one or more contexts. Authors control access to their documents by selecting the most appropriate predefined context at the time they seal it. The result is that authors do not make complex rights management decisions when they seal a new document.

Some rights effectively include others (for example, if you have the Edit right, you effectively get the Annotate and Interact rights). Some rights require others (for example, if you have the Edit right, you need the Open right to access the document, and you need the Reseal right so that you can save your edits).

Rights are stored on a server separately from sealed documents and emails, enabling them to be assigned, updated or unassigned at any time. Access to and use of a particular sealed document can change throughout its life.

Your rights can be changed over time, can differ from the rights of other users, and can differ from one sealed document to another. Your rights to a particular document depend on what context that document is sealed to. For example, your rights to documents in a Top Secret context might be much more restricted than for documents in a Confidential context.

When the originator of a sealed document or email decides that the content is no longer valid, or when the originator decides to change who can use a sealed document or email, the rights can be revoked and the recipient may find that they can no longer read it.

5.3 Document Contexts

A context is a type or grouping of sealed content. For example, you might have contexts for confidential sales matters, proprietary research matters, confidential partner communications, and so on.

If you are the owner or creator of sensitive documents, you can work with the licensing administrator (the domain manager) to create one or more contexts to protect that information.

For example, if you are developing a new product, you might create contexts to protect the requirements, specifications, designs, market projections, competitive information, legal information, patents, and so on. Your domain manager can help you decide whether you need new contexts, or whether existing contexts are suitable for your information.

The rights defined for each context can be very different so, for example, you might have rights to open, edit, and print confidential sales documents, but only the right to open confidential partner communications, and no rights at all for research documents. Different users have different rights in different contexts.

5.4 Synchronization

User rights and audit records are automatically synchronized between Oracle IRM Desktop and Oracle IRM Server, ensuring completely transparent offline working without sacrificing revocability or requiring end users to remember to synchronize.

The local cache of rights is updated by synchronizing to connected license servers (Oracle IRM Server). This allows users to keep working with sealed documents even when disconnected from the network and unable to contact the license server. Cached rights typically allow users to keep using documents for several days before being required to contact the license server.

Oracle IRM Desktop and Oracle IRM Server together audit all attempted and actual end user access to sealed documents or emails, and all administrative operations such as assigning or revoking rights. The Oracle IRM Server management console provides audit reporting. Audit records are stored in the Oracle IRM Server database.

Synchronization is almost completely automatic. Typically, it runs daily during standard office hours, but the schedule is controlled by the administrator of the license server. If synchronization fails for any reason, the application displays a failure message and automatically retries at intervals.

If you log in manually to access sealed documents (because, for example, you did not opt to save your credentials at the initial login dialog), then you must initiate synchronization manually. You can also initiate synchronization manually at other times: for example, if someone notifies you that your rights have changed, and you want to synchronize immediately rather than wait for the automatic process.