5 Oracle Information Rights Management

Oracle Information Rights Management (Oracle IRM) provides an information security solution that uses encryption to "seal" documents and emails. Access to the decryption keys is controlled so that only authorized end users can access and use sealed documents and emails, regardless of where they are stored or used.

5.1 IRM Overview

Oracle IRM uses encryption to seal selected documents and emails. Authorized users create and use sealed content transparently within existing desktop applications, such as Microsoft Office, Adobe Reader and Lotus Notes, without requiring any understanding or management of encryption keys or passwords.

To create and use sealed documents and emails within existing desktop applications, users must install the Oracle IRM Desktop client software. The Desktop software authenticates users, transparently requesting rights from the Oracle IRM server. It supports current and previous versions of all standard desktop document and email applications, and continues to protect and track sealed documents and emails while they are in use within those applications.

Documents or emails can be automatically or manually sealed at any stage in their lifecycle with tools that are integrated into the Windows desktop, authoring applications, email clients, and content management and collaborative repositories. Sealed documents are also protected and tracked when stored on desktops beyond the originating organization's firewall. A user who is sent a sealed document can open it, which initiates a connection to the license server. Login details may be required, after which the sealed document can be used to the extent that rights allow.

5.2 Rights and Synchronization

Rights control what can and cannot be done with sealed documents. The ability to work with a particular sealed document depends on the rights defined in the contexts to which the document is sealed. A context is a type or grouping of sealed content. For example, different contexts may be defined for confidential sales matters, for proprietary research matters, or for confidential partner communications. Different users have different rights in different contexts.

Rights are defined and assigned centrally by administrators, who group combinations of rights and end user identities into one or more contexts. Authors control access to their documents by selecting the most appropriate predefined context when they seal a document. The result is that authors do not make complex rights management decisions when they seal a new document.

Some rights effectively include others and some rights require others. Rights are stored on a server separately from sealed documents and emails, enabling them to be assigned, updated or unassigned at any time. Access to and use of a particular sealed document can change throughout its life. When the originator of a sealed document or email decides that the content is no longer valid, or when the originator decides to change who can use a sealed document or email, the rights can be revoked and the recipient may find that they can no longer read it.

User rights and audit records are automatically synchronized between Oracle IRM Desktop and the Oracle IRM Server. The local cache of rights is updated by synchronizing to connected license servers. This allows users to keep working with sealed documents even when disconnected from the network and unable to contact the license server. Cached rights typically allow users to keep using documents for several days before being required to contact the license server.
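The following simplified model is an added example, not Oracle IRM code or its API. It shows how server-side rights, a desktop cache with an offline window, and revocation interact: in this model a revocation reaches a disconnected desktop only at its next synchronization or when the cache expires. The class names, the 3-day window, and the context and user names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

OFFLINE_WINDOW = timedelta(days=3)  # assumption: the page says only "several days"

class RightsServer:
    """Hypothetical central store: context -> user -> rights, held apart from documents."""
    def __init__(self):
        self.grants = {}
    def assign(self, context, user, rights):
        self.grants.setdefault(context, {})[user] = set(rights)
    def revoke(self, context, user):
        self.grants.get(context, {}).pop(user, None)
    def rights_for(self, user):
        return {c: set(u[user]) for c, u in self.grants.items() if user in u}

@dataclass
class DesktopCache:
    """Hypothetical desktop-side cache of one user's rights plus pending audit records."""
    user: str
    rights: dict = field(default_factory=dict)
    synced_at: Optional[datetime] = None
    audit: list = field(default_factory=list)

    def sync(self, server, now):
        # Pull current rights and hand over the audit records collected offline.
        self.rights, self.synced_at = server.rights_for(self.user), now
        uploaded, self.audit = self.audit, []
        return uploaded

    def can(self, right, context, now):
        # Cached rights count only while the last sync is inside the offline window.
        fresh = self.synced_at is not None and now - self.synced_at <= OFFLINE_WINDOW
        allowed = fresh and right in self.rights.get(context, set())
        self.audit.append((now, context, right, allowed))
        return allowed

def revocation_demo():
    t0, ctx = datetime(2024, 1, 1, 9, 0), "confidential-sales"  # constructed values
    server, cache = RightsServer(), DesktopCache("alice")
    server.assign(ctx, "alice", {"open", "print"})
    seen = [cache.can("open", ctx, t0)]                          # never synced
    cache.sync(server, t0)
    seen.append(cache.can("open", ctx, t0))                      # freshly synced
    server.revoke(ctx, "alice")
    seen.append(cache.can("open", ctx, t0 + timedelta(days=1)))  # offline, stale grant
    seen.append(cache.can("open", ctx, t0 + timedelta(days=4)))  # cache expired
    uploaded = cache.sync(server, t0 + timedelta(days=4))
    seen.append(cache.can("open", ctx, t0 + timedelta(days=4)))  # revocation synced
    return seen, len(uploaded)
```

The third check is the one to plan around: the offline window is also the longest a revoked right can remain usable on a disconnected desktop in this model, and the audit records for that period arrive only at the next synchronization.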