Active Directory Rights Management Services (AD RMS) rights provide the means for controlling how a user can access, use, and redistribute rights-protected content. Some rights are enforced exclusively by AD RMS-enabled applications or browsers, while others are enforced primarily by the AD RMS client (although applications can still apply their own interpretation of the right). The rights enforced by the AD RMS client control how license information is used, such as whether the license can be used to re-encrypt previously decrypted content. Rights that control how content is used are interpreted and enforced by AD RMS-enabled applications, such as Microsoft Office applications. For example, Microsoft Office applications enforce the View right by allowing a user to decrypt and view the contents of a protected document if the user has been granted the View right.

The following table lists the rights that are available by default when you create a rights policy template and gives a brief description of how the right is enforced by the AD RMS client and interpreted by common AD RMS-enabled applications.

Note

AD RMS-enabled applications can interpret these rights differently. This is intended as a general description for how these rights are typically used. Consult the documentation of the specific application for information on how these rights are enforced.

Right Description

Full control

If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user.

View

If this right is granted, the AD RMS client allows protected content to be decrypted. Typically, when this right is granted, the application will allow the user to view protected content.

Edit

If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right.

Save

If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Edit right.

Export (Save As)

If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to use the “Save As” feature to save protected content to a new file.

Print

Typically, when this right is granted, the application will allow the user to print protected content.

Forward

Typically, when this right is granted, the application will allow an e-mail recipient to forward a protected message.

Reply

Typically, when this right is granted, the application will allow an e-mail recipient to reply to a protected message and include a copy of the original message.

Reply All

Typically, when this right is granted, the application will allow an e-mail recipient to reply to all recipients of a protected message and include a copy of the original message.

Extract

Typically, when this right is granted, the application will allow the user to copy and paste information from protected content.

Allow Macros

Typically, when this right is granted, the application will allow the user to run macros in the document or use an editor to modify macros in the document.

View Rights

If this right is granted, the AD RMS client allows a user to view the user rights that are assigned by the license.

Edit Rights

If this right is granted, the AD RMS client allows a user to edit the user rights that are assigned by the license.

Additional references

Table Of Contents