Policies and policy-protected documents

Policies contain information about the authorized users and the confidentiality settings to apply to documents. Users can be any one in your organization, as well as people who are external to your organization who have an account. If the administrator enables the user invitation feature, it is even possible to add new users to policies, therefore initiating a registration invitation email process.

The confidentiality settings in a policy determine how the recipients can use the document. For example, you can specify whether recipients can print or copy text, make changes, or add signatures and comments to protected documents. The same policy can also specify different confidentiality settings for specific users.

Users and administrators create policies through the Rights Management web pages. Only one policy at a time can be applied to a document. You can apply a policy by using one of these methods:

• Open the document in Acrobat or another client application and select a policy to secure the document.

• Send a document as an email attachment in Microsoft Outlook. In this case, you can select a policy from a list of policies or select an auto-generated policy that Acrobat creates with a default set of confidentiality settings to protect the document only for the email message recipients.

A policy can be removed from a document by using the client application.

View full size graphic

The steps in the diagram are as follows:

1. The document owner secures the document from a supported client application with a policy that allows online use.

2. Rights Management creates a document license and document keys, and encrypts the policy. The document license, encrypted policy, and document key are returned to the client application.

3. The document is encrypted with the document key, and the document key is discarded. The document now embeds the license and policy. These tasks are performed in the supported client application.

When you apply a policy to a document, the information that the document contains, including any contained files (text, audio, or video) in PDF documents, is protected by the confidentiality settings that are specified in the policy. Rights Management generates a license and encryption information that is then embedded in the document. When you distribute the document, Rights Management can authenticate the recipients who attempt to open the document and authorize access according to the privileges specified in the policy.

If offline usage is enabled, recipients can also use policy-protected documents offline (without an active Internet or network connection) for the time period specified in the policy.

To open and use policy-protected documents, the policy must include your name as a recipient, and you must have a valid Rights Management account. For PDF documents, you need Acrobat or Adobe Reader®. For other file types, you need the appropriate application for the file with the Rights Management Extension installed.

When you attempt to open a policy-protected document, Acrobat, Adobe Reader, or the Rights Management Extension connects to Rights Management to authenticate you. Then, you can proceed to log on. If the document usage is being audited, a notification message appears. After Rights Management determines which document permissions to grant, it manages the decryption of the document. You can then use the document according to the policy confidentiality settings.

View full size graphic

The steps in the diagram are as follows:

1. The document user opens the document in a supported client application and authenticates with the server. The document identifier is sent to the Rights Management server.

2. Rights Management authenticates the users, checks the policy for authorization, and creates a voucher. The voucher (which contains the document key and permissions) is returned to the client application.

3. The document is decrypted with the document key, and the document key is discarded. The document can then be used according to the confidentiality settings of the policy. These tasks are performed in the supported client application.

You can continue to use a document under these conditions:

• Indefinitely or for the validity period that is specified in the policy

• Until the administrator or the person who applied the policy revokes access to the document or changes the policy

You can also use policy-protected documents offline (without an Internet or network connection) if the policy permits offline access. You must first log in to Rights Management to synchronize the document. You can then use the document for the duration of the offline lease period that is specified in the policy.

When the offline lease period ends, you must synchronize the document with Rights Management again, either by going online and opening a policy-protected document or by using a command in the client application. (See Acrobat Help or the appropriate Rights Management Extension Help for details.)

If you save a copy of a policy-protected document by using the Save or Save As menu command, the policy is automatically applied and enforced for the new document. Events such as attempts to open the new document are also audited and recorded for the original document.