How the IRM Desktop Handles Multiple Servers
By Martin Abrahams on Sep 01, 2010
Another question from a colleague - suppose a user receives documents from two or more IRM services - how does the user switch between documents? Does the user need to manually log out of one service and log in to another so that the correct rights and restrictions apply? Do you need to clear your rights cache out to make way for the second service's rights, and repeat this process each time you want to switch back and forth between services?
Not at all.
Oracle IRM seamlessly supports multiple IRM services - even to the extent of allowing documents from different services to be opened and edited simultaneously, allowing the clipboard to be used to move information around, yet ensuring that information cannot be copied from one service's documents to another.
Every sealed document has a metadata header that identifies which IRM server manages its policy. The IRM Desktop automatically manages the communication and authentication with each server as required, and partitions its local database so that information relating to each server - rights, keys, credentials, and audit data - is managed separately.
To illustrate this, take a look at the Servers tab of my own IRM Desktop...
You can see that my IRM Desktop is enabling me to work with three IRM servers at the moment. My credentials for all three are cached, so I am never prompted to login in manually - the IRM Desktop simply authenticates me transparently to each server as required.
Also, all three servers have a tick in the "Update Rights" field, meaning that the IRM Desktop automatically synchronises rights with the servers according to a schedule defined by each server. This requires no manual intervention, and ensures that I always have a complete and fresh set of rights for all three servers.
More than that, the IRM Desktop automatically manages my audit logs so that the correct audits are uploaded to the three servers with no potential for the wrong information going to the wrong server.
When I want to seal a document, the IRM Desktop provides me with a complete list of all classifications that I am authorised to seal to for all three servers. I simply pick the right classification, and the IRM Desktop does the correct authentication and applies the correct metadata and keys etc to the new document.
For example, a portion of my list is shown below, with classifications from all three servers:
So, the IRM Desktop automatically manages my interactions with as many servers as I need to work with.
From a security perspective, the IRM Desktop ensures that the three sets of keys and rights and audit data are partitioned so that the three servers do not compromise each other's security.
Finally, our advanced clipboard control means that a user will be prevented from pasting information between documents sealed to different servers. So, if you receive documents from companies A and B, the IRM Desktop will can ensure that company A information stays in company A documents, and company B information stays in company B documents - even if both companies allow the use of the clipboard. Most IRM solutions could only provide such a safeguard by disabling the clipboard completely - which is a real blow to usability. Besides, company A and company B would typically be completely unaware that the user is receiving documents from two different services.