Restricting access with Information Rights Management

Information Rights Management (IRM) allows individuals and administrators to set access permissions for documents, workbooks, presentations, and e-mail messages. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file is restricted by using IRM, the access and usage restrictions are enforced even if the file reaches unintended recipients. This is because the access permissions are stored in the document, workbook, presentation, or e-mail message itself. And these must be authenticated against the server.

IRM helps people to enforce their personal preferences for the transmission of personal or private information. IRM also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information.

More specifically, IRM helps do the following:

  • Prevent an authorized recipient of restricted content from forwarding, copying, changing, printing, faxing, or pasting the content for unauthorized use

  • Restrict content wherever it is sent

  • Provide file expiration so that content in documents can no longer be viewed after a specified time

  • Enforce corporate policies that govern the use and dissemination of content within the company

IRM can't prevent restricted content from being:

  • Erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain kinds of spyware

  • Lost or corrupted because of the actions of computer viruses

  • Hand-copied or retyped from a display on a recipient's screen

  • Digitally photographed (when displayed on a screen) by a recipient

  • Copied by using third-party screen-capture programs

Note: For information about how you can restrict permission to content in e-mail messages, see Create a message with restricted permission.

Using IRM in Microsoft Office

Select the platform you're using from the tabs below.

To apply IRM to your document, workbook or presentation in iOS go to the ribbon of your app and tap the Protect button. When the callout appears tap Restrict permissions. If Office prompts you to select a server, select the server that is appropriate for your file, otherwise you'll be presented with the Restrict Permissions dialog box.

  • No restrictions - This is the default for files that don't already have any restrictions applied. If the document does already have restrictions you can select this to remove all restrictions from the file.

  • Custom permissions - Use this to set a custom set of permissions on the file. Here you can specify if others should be allowed to edit, print or copy and you can enable or disable time restrictions for the file. Time restrictions let you expire the file so that a recipient may be able to access the file only until a specified date and time, for example.

  • The third section contains any IRM templates that your organization may have created. These are preconfigured sets of restrictions that you can swiftly apply with a tap.

Once you've selected your restrictions you'll be presented with a name picker that lets you enter the names or email addresses of the people or groups you wish these restrictions to apply to. Once you're satisfied you've added all the people you want the restrictions to apply to tap Protect at the top right corner.

Though you can't currently assign IRM permissions in the Android versions of Microsoft Office, any IRM-protected files that you receive will open if you are signed in with an account that has permissions to the file. When you open an IRM-protected file you will see an information bar at the top that offers to let you view the permissions that have been assigned to this file.

When you open an IRM-protected file in Office for Android you can view the permissions you've been assigned.

Important: To restrict permission to content in a file, you have to have Microsoft Office for Mac Standard 2011.

IRM in Office for Mac 2011 provides three permission levels.

Permission Level

Allows

Read

Read

Change

Read, edit, copy, save changes

Full Control

Read, edit, copy, save changes, print, set expiration dates for content, grant permissions to users, access content programmatically

Do any of the following:

Set permission levels manually

  1. On the Review tab, under Protection, click Permissions, and then click Restricted Access.

    Word Review tab, Protection group

  2. If this is the first time that you are accessing the licensing server, enter your user name and password for the licensing server, and then select the Save password in Mac OS keychain check box.

    Tip: If you do not select the Save password in Mac OS keychain check box, you might have to enter your user name and password multiple times.

  3. In the Read, Change, or Full Control boxes, enter the e-mail address or name of the person or group of people that you want to assign an access level to.

  4. If you want to search the address book for the e-mail address or name, click Contacts button .

  5. If you want to assign an access level to all people in your address book, click Add Everyone   Add everyone .

  6. After you assign permission levels, click OK.

    The Message Bar appears and displays a message that the document is rights-managed.

Use a template to restrict permission

An administrator can configure company-specific IRM policies that define who can access information permissions levels for people. These aspects of rights management are defined by using Active Directory Rights Management Services (AD RMS) server templates. For example, a company administrator might define a rights template called "Company Confidential," which specifies that documents that use that policy can be opened only by users inside the company domain.

  • On the Review tab, under Protection, click Permissions, and then click the rights template that you want.

    Word Review tab, Protection group

Change or remove permission levels that you have set

If you applied a template to restrict permission, you can't change or remove permission levels; these steps only work if you have set permission levels manually.

  1. On the Message Bar, click Change Permissions.

  2. In the Read, Change, and Full Control box, enter a new e-mail address or name of the person or group of people that you want to assign an access level to.

  3. To remove a person or group of people from an access level, click the e-mail address, and then press DELETE .

  4. To remove Everyone from a permission level, click Add Everyone  Add everyone .

Set an expiration date for a restricted file

Authors can use the Set Permissions dialog box to set expiration dates for content. For example, Ranjit might also decide to limit both Helena's and Bobby's access to this document to May 25th, and then the permission to the document expires.

  1. On the Review tab, under Protection, click Permissions, and then click Restricted Access.

    Word Review tab, Protection group

  2. Click More Options, and then select the This document expires on check box, and then enter the date.

    After permission for a document has expired for authorized people, the document can be opened only by the author or by people with Full Control permission.

Allow people with Change or Read permission to print content

By default, people with Change and Read permission cannot print.

  1. On the Review tab, under Protection, click Permissions, and then click Restricted Access.

    Word Review tab, Protection group

  2. Click More Options, and then select the Allow people with Change or Read permission to print content check box.

Allow people with Read permission to copy content

By default, people with Read permission cannot copy content.

  1. On the Review tab, under Protection, click Permissions, and then click Restricted Access.

    Word Review tab, Protection group

  2. Click More Options, and then select the Allow people with Read permission to copy content check box.

Allow scripts to run in a restricted file

Authors can change settings to allow Visual Basic macros to run when a document is opened and to allow AppleScript scripts to access information in the restricted document.

  1. On the Review tab, under Protection, click Permissions, and then click Restricted Access.

    Word Review tab, Protection group

  2. Click More Options, and then select the Access content programmatically check box.

Require a connection to verify permissions

By default, people have to authenticate by connecting to the AD RMS server the first time that they open a restricted document. However, you can change this to require them to authenticate every time that they open a restricted document.

  1. On the Review tab, under Protection, click Permissions, and then click Restricted Access.

    Word Review tab, Protection group

  2. Click More Options, and then select the Require a connection to verify permissions check box.

Remove restrictions

  1. On the Review tab, under Protection, click Permissions, and then click No Restrictions.

    Word Review tab, Protection group

  2. In the dialog box, click Remove Restrictions.

Related Topics

Restrict permission to content in a file
Open a file that has restricted permissions
Add credentials to open a rights-managed file or message
File formats that work with IRM

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×