Tuesday, December 13, 2016

Azure AIP/RMS: SharePoint Permission vs IRM Permission Mapping

Mr.Customer asked me about how SharePoint Permission map to IRM Permission? Will the IRM Permission takeover or replace the SharePoint Permission granted to user?

https://support.office.com/en-us/article/Apply-Information-Rights-Management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1 This article actually explained the questions above. However, there is a little doubt here. Do we need all the Permission configured on the left in order to map the IRM Permissions?

For example: To map the Full Control IRM Permission. Do we need both Manage Permissions, and Manage Web Site in SharePoint Permission? Or we just need only one of the SharePoint Permission?

image

To answer the little doubt above, I ran few rounds of test in my environment. The answer is any one of the SharePoint Permission. You need either Manage Permissions OR Manage Web Site in SharePoint Permission to map the Full Control IRM Permission.

Another example, if Edit Items SharePoint Permission assigned to the user, he/she will have the Edit, Copy, and Save IRM Permissions. It Doesn’t Requires All 3 SharePoint Permissions (Edit Items, Manage Lists, Add and Customize Pages) To Be Assigned In Order To Map The Edit, Copy, and Save IRM Permissions !! Anyone will do….

I did some further testing by enabling “Allow viewers to write on a copy of the downloaded document” This setting will allow the user to download and edit the downloaded/offline copy. This setting OVERWRITE those with View Items SharePoint Permission OR Read IRM Permission to edit the downloaded /offline copy.

image

My two cents is View Items SharePoint Permission OR Read IRM Permission is meant to control the documents so that user can View only (cannot edit, modify, copy, save, etc). By enabling the “Allow viewers to write on a copy of the downloaded document” simply defeat the purpose of trying to control the documents. Enabling this setting wisely.

So long, and Thanks for reading!

No comments:

Post a Comment