Oracle IRM contexts, a smart way to implement your corporate classification policies
By Simon Thorpe on Oct 06, 2009
A central concept of the Oracle IRM solution is the security context. So what are contexts and how do they help you protect sensitive information in a secure, usable, and manageable way? In the Oracle IRM solution, a context represents a set of related information and the rights of users to work with that information. For example, a typical enterprise might use the following contexts to manage the rights to access and work with some of its most sensitive information:
To protect a sensitive document from unauthorized access and modification, all you need to do is seal it to the relevant context. Once sealed, the document is protected by the rights defined for the context.
For example, sealing the board minutes to the sensitive board communication context, as shown above, might ensure that the minutes are accessible only to the board members and their personal assistants. To simplify the assignment of different rights to different users, each context contains roles such as Contributor, Reviewer, and Reader. A particular user might be a Contributor in sensitive board communication and a Reader in confidential engineering research.
Contexts and Security
Rather than allowing individual users to configure rights for individual documents, the Oracle IRM solution simply requires users to select the appropriate context for those documents, as shown for the board minutes above. Once sealed, all documents in a context are automatically subject to any future amendment to the rights - no matter who created the documents or how many copies have been distributed within and beyond the enterprise. Contexts ensure that rights management is not arbitrary. Users cannot simply invent new policy for particular documents or emails, so the enterprise retains overall control of information security and has a powerful mechanism for implementing any corporate classification policies.
Contexts and Usability
Any solution that is not easy to use is unlikely to provide the security that an enterprise is seeking. Rather than requiring users to consider in detail what rights are appropriate for particular documents, Oracle IRM simply requires users to seal documents to the appropriate context. Further, Oracle IRM controls the right to seal documents such that, for example, only board members and their personal assistants can create new documents in sensitive board communication. Thus, the enterprise can be confident that only authorized users contribute to each context. By creating contexts that relate very clearly to enterprise business processes and exposing users only to contexts that are relevant to their role, an enterprise can be confident that information will be protected appropriately because users can easily understand what is required of them and are not exposed to detailed choices that they might use inconsistently.
Contexts and Manageability
The simplicity of contexts and roles means that day-to-day rights management tasks are handled by the most appropriate business users. In many live deployments, the rights to board documents are managed by the PA of the CEO or Company Secretary, and the task is as simple as assigning roles to users and groups.
By avoiding the need to manage and propagate the rights to thousands of individual documents, the solution can scale to meet the needs of even the largest enterprise. Finally, contexts enable policy changes to be applied at any time to thousands of documents - regardless of where those documents are. Rights can be assigned and unassigned as required without having to locate and modify each of the documents.
Standard Roles for Enterprise Rights Management
Finally, to help organizations to quickly deploy and create contexts the Oracle IRM solution provides a standardized set of roles that are ready to be assigned out-of-the-box - roles such as Contributor, Reviewer, and Reader.
Each role defines a set of rights that are appropriate to that role. For example, a Contributor has the right to create and edit sensitive documents, whereas a Reviewer can only edit existing documents, and change tracking is enforced. These roles are then assigned to users for particular workflows and information classifications. Commonly these assignments are made by group membership in your corporate user directory. So simply adding a user to one or more groups in, say, Active Directory immediately gives them access to the thousands of documents secured against those classifications. The reverse also holds: when they leave the organization and their account is deleted from Active Directory, all the documents they had copied to a USB device become useless to them.
Where necessary, the standard roles can be tailored or extended, but Oracle has used the experience gained from numerous enterprise deployments to provide a set of roles that meet the needs of most clients. So what are the standard roles and what do they allow users to do?
Standard Roles Overview
Out-of-the-box, Oracle IRM provides five standard roles for controlling access to sensitive documents and email:
Contributors are the people who are authorized to create and edit documents in a particular context. They can also open, search, and print documents that are sealed to the context.
Reviewers are authorized to edit sealed documents and email, but change tracking is enforced. They can also open, search, and print sealed documents and email, but they are not authorized to create new sealed documents or email - they can only review or reply to documents and email created by Contributors.
The Reader role allows opening, searching, and printing of sealed documents, but Readers cannot create or edit them.
Reader (no print) is the same as Reader except that it does not include the right to print.
Finally, Item Readers are authorized to open and search particular sealed documents. This allows people to be added to contexts that contain large amounts of protected information while being able to open only a few identified documents. This role is designed as the exception to the rules defined by all the contexts on the system; otherwise, managing lists of user rights to specific documents quickly becomes unmanageable.
Oracle also recognizes the need to control access to these roles so that they are assigned appropriately. Oracle IRM therefore defines standardized administrative roles, the most significant being:
Context Owners are authorized to assign roles, and are typically the owners of confidential information and workflows. System Owners are authorized to create new contexts and to make the initial assignment of the Context Owner role. Their involvement in a particular context might end soon after that initial assignment.
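To make the context-and-role model above concrete, here is a small added illustration (not Oracle IRM's own API or code) of how a sealed document's rights resolve from group-based role assignments: the five standard roles, the per-document Item Reader exception, and the effect of removing a group membership on every copy of a document. Names such as Context, SealedDoc, can(), the group names and the document ids are constructed for this example.

```python
from dataclasses import dataclass, field

# Rights granted by each standard role in the post. A Reviewer's edit is
# change-tracked; an Item Reader's rights apply only to granted documents.
ROLE_RIGHTS = {
    "Contributor": {"create", "edit", "open", "search", "print"},
    "Reviewer": {"edit", "reply", "open", "search", "print"},
    "Reader": {"open", "search", "print"},
    "Reader (no print)": {"open", "search"},
    "Item Reader": {"open", "search"},
}

@dataclass
class Context:
    name: str
    assignments: dict = field(default_factory=dict)  # role -> {directory groups}
    item_grants: dict = field(default_factory=dict)  # group -> {doc ids} for Item Readers

@dataclass
class SealedDoc:
    doc_id: str
    context: str  # a sealed copy carries only its context name, never its own ACL

def can(user_groups, contexts, doc, action):
    """Resolve rights from the roles the user's groups hold in the document's
    context; policy lives there, so every sealed copy sees the same answer."""
    ctx = contexts[doc.context]
    rights = set()
    for role, groups in ctx.assignments.items():
        if user_groups.isdisjoint(groups):
            continue
        if role == "Item Reader":
            granted = set().union(*(ctx.item_grants.get(g, set()) for g in user_groups))
            if doc.doc_id not in granted:
                continue
        rights |= ROLE_RIGHTS[role]
    return action in rights

# Constructed sample policy mirroring the post's board-minutes scenario.
BOARD = Context("Sensitive board communication",
                assignments={"Contributor": {"board-members", "board-pas"},
                             "Reader (no print)": {"auditors"},
                             "Item Reader": {"external-counsel"}},
                item_grants={"external-counsel": {"minutes-2009-10"}})
CONTEXTS = {BOARD.name: BOARD}
MINUTES = SealedDoc("minutes-2009-10", BOARD.name)
BUDGET = SealedDoc("budget-2010", BOARD.name)
```

A leaver whose directory account has been deleted belongs to no groups, so `can(set(), CONTEXTS, MINUTES, "open")` is False even for a copy on a USB device; changing a group in BOARD.assignments likewise changes the answer for every sealed document in the context at once.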