Active Directory Rights Management Services (AD RMS) rights provide the means for controlling how a user can access, use, and redistribute rights-protected content. Some rights are enforced exclusively by AD RMS-enabled applications or browsers, while others are enforced primarily by the AD RMS client (although applications can still apply their own interpretation of the right). The rights enforced by the AD RMS client control how license information is used, such as whether the license can be used to re-encrypt previously decrypted content. Rights that control how content is used are interpreted and enforced by AD RMS-enabled applications, such as Microsoft Office applications. For example, Microsoft Office applications enforce the View right by allowing a user to decrypt and view the contents of a protected document if the user has been granted the View right.
The following table lists the rights that are available by default when you create a rights policy template and gives a brief description of how the right is enforced by the AD RMS client and interpreted by common AD RMS-enabled applications.
Note | |
AD RMS-enabled applications can interpret these rights differently. This is intended as a general description for how these rights are typically used. Consult the documentation of the specific application for information on how these rights are enforced. |
Right | Description |
---|---|
Full control | If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user. |
View | If this right is granted, the AD RMS client allows protected content to be decrypted. Typically, when this right is granted, the application will allow the user to view protected content. |
Edit | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right. |
Save | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Edit right. |
Export (Save As) | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to use the “Save As” feature to save protected content to a new file. |
Typically, when this right is granted, the application will allow the user to print protected content. | |
Forward | Typically, when this right is granted, the application will allow an e-mail recipient to forward a protected message. |
Reply | Typically, when this right is granted, the application will allow an e-mail recipient to reply to a protected message and include a copy of the original message. |
Reply All | Typically, when this right is granted, the application will allow an e-mail recipient to reply to all recipients of a protected message and include a copy of the original message. |
Extract | Typically, when this right is granted, the application will allow the user to copy and paste information from protected content. |
Allow Macros | Typically, when this right is granted, the application will allow the user to run macros in the document or use an editor to modify macros in the document. |
View Rights | If this right is granted, the AD RMS client allows a user to view the user rights that are assigned by the license. |
Edit Rights | If this right is granted, the AD RMS client allows a user to edit the user rights that are assigned by the license. |