Wednesday May 05, 2010

Extensible Metadata in Oracle IRM 11g

Another significant change in Oracle IRM 11g is that we now use XML to create the tamperproof header for each sealed document. This article explains what this means, and what benefit it offers.

So, every sealed file has a metadata header that contains information about the document - its classification, its format, the user who sealed it, the name and URL of the IRM Server, and much more.

The IRM Desktop and other IRM applications use this information to formulate the request for rights, as well as to enhance the user experience by exposing some of the metadata in the user interface. For example, in Windows Explorer you can see some metadata exposed as properties of a sealed file and in the mouse-over tooltip.


The following image shows 10g and 11g metadata side by side.


As you can see, the 11g metadata is written as XML as opposed to the simple delimited text format used in 10g.

So why does this matter?

The key benefit of using XML is that it creates the opportunity for sealing applications to use custom metadata. This in turn creates the opportunity for custom classification models to be defined and enforced.

Out of the box, the solution uses the context classification model, in which two particular pieces of metadata form the basis of rights evaluation - the context name and the document's item code. But a custom sealing application could use some other model entirely, enabling rights decisions to be evaluated on some other basis.

The integration with Oracle Beehive is a great example of this. When a user adds a document to a Beehive workspace, that document can be automatically sealed with metadata that represents the Beehive security model rather than the context model. As a consequence, IRM can enforce the Beehive security model precisely and all rights configuration can actually be managed through the Beehive UI rather than the IRM UI. In this scenario, IRM simply supports the Beehive application, seamlessly extending Beehive security to all copies of workspace documents without any additional administration.

Finally, I mentioned that the metadata header is tamperproof. This is obviously to stop a rogue user modifying the metadata with a view to gaining unauthorised access - reclassifying a board document to a less sensitive classification, for example. To prevent this, the header is digitally signed and can only be manipulated by a suitably authorised sealing application.
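The following sketch is an added example, not Oracle code: it shows why a signed XML header resists the reclassification described above. The element names, the Ed25519 algorithm, the server URL and the throwaway key pair are all assumptions; the article does not describe the real 11g schema or signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/xml"
	"fmt"
)

// Header is a hypothetical sealed-file header; element names are assumptions.
type Header struct {
	XMLName  xml.Name `xml:"header"`
	Server   string   `xml:"server"`
	Model    string   `xml:"classification>model"`
	Context  string   `xml:"classification>context"`
	ItemCode string   `xml:"classification>itemCode"`
}

// Seal serialises the header and signs the exact bytes that will be stored.
func Seal(priv ed25519.PrivateKey, h Header) (raw, sig []byte, err error) {
	if raw, err = xml.Marshal(h); err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// Open verifies the stored bytes before parsing, so edited metadata never reaches rights evaluation.
func Open(pub ed25519.PublicKey, raw, sig []byte) (Header, error) {
	var h Header
	if !ed25519.Verify(pub, raw, sig) {
		return h, fmt.Errorf("header signature invalid: metadata rejected")
	}
	err := xml.Unmarshal(raw, &h)
	return h, err
}

// Demo seals a constructed header, then edits the context in the stored bytes.
func Demo() (context string, tamperErr error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key pair for the demo
	raw, sig, _ := Seal(priv, Header{Server: "https://irm.example.test", Model: "context", Context: "Board", ItemCode: "minutes-q1"})
	h, _ := Open(pub, raw, sig)
	edited := bytes.Replace(raw, []byte("Board"), []byte("Public"), 1)
	_, tamperErr = Open(pub, edited, sig)
	return h.Context, tamperErr
}

func main() {
	fmt.Println(Demo())
}
```

Because the signature covers the serialised header as a whole, any custom metadata a sealing application adds for its own classification model is protected in the same way as the context name and item code.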

Thursday Sep 25, 2008

Secure files in the Beehive with Oracle IRM's sealing wax

Once again Beehive has been demonstrated to be an excellent example of how Oracle IRM can be integrated to extend security well beyond the confines of the application. We love Beehive, and it seems that Beehive loves us. We are the sealing wax of Beehive! Ok, I promise not to make any cheap references in the following with regards to the name of the Beehive product...


On Wednesday, Jamie Rancourt and Indira Vidyaprakash, principal product managers for Beehive, hosted a session in the Marriott Hotel called "Collaboration Beyond Standalone Clients". Many existing collaboration environments are spread across many systems. Your email may reside in both an Exchange server and in PST files on your local machine. You have documents stored in both content repositories and on external USB drives, instant messaging clients store message histories both on the server and on your local systems... information, as we know, is all over the place and out of control.

Oracle Beehive

With Beehive you are able to unify all this information using Workspaces. Continuing Oracle's Open Standards and Enterprise 2.0 messages, all of the Beehive components can be resurfaced in other environments, such as portals, websites and you can use any clients to access mail, messaging and other Beehive services.


Oracle Beehive, a complete collaboration solution


In this session, they went a bit deeper when showing Oracle IRM inside Beehive than the high level overview given by Chuck and Charles during the Monday keynote. The Beehive team showed the integration with IRM in a live demonstration and started by moving a document into a Beehive Workspace. It was given the category "Seal" and behind the scenes this assigned a flag to the file which kicked off a BPEL process to seal the document with IRM. In real time the file was then sealed and this was evident when the icon changed within the Beehive UI.

The file was then emailed to another user, however that user did not have any rights to open the file and the Oracle IRM Desktop client denied access. Because the error message functionality in IRM uses a web page, it allowed the access denied message to also contain information about the owner of the document which was dynamically obtained from the IRM server. So the user then contacted this owner and requested access. The document owner agreed and then moved the document within Beehive from his personal Workspace into a group Workspace, checking that the new user had read-only rights in that Workspace. The remote user then attempted to reopen the file and this time, hey presto, it opened!

The document owner then updated the user's rights in Beehive to allow editing and when the user reopened the file he found he had edit rights. Finally they then took this to the next step by revoking the user's rights completely and again this was locally propagated, once again disallowing the user to open the content.

This live demonstration showed the fantastic opportunities for the integration of IRM using the coming release of the Oracle IRM 11g Server, where rights do not need to be managed directly on the IRM Server but can be fully delegated to an external system, such as Beehive. We hope to see these prototyped demonstrations become reality over the coming months as the Beehive colony swarms to create the propolis which will ensure users of sensitive information inside the hive do not get stung when content leaves the nest!

I'm sorry, I just could not resist...

Thomas Kurian discusses Oracle IRM

Well, it has been very, very busy here at Open World and I've not been able to get my blogs written as fast as I would like, and I resisted the urge to write rubbish into the pages in a desperate attempt to get content up. The DEMOgrounds have also been very busy; quite a lot of people have been making the association between the True Delete demonstration inside Beehive and the Oracle IRM technology that drives the functionality. I'm just getting the chance now to spare an hour and put up some of what we've captured during the past few days.

On Tuesday I sat through Thomas Kurian's keynote speech. Thomas is the senior vice president of Oracle Fusion Middleware, the technology organization Oracle IRM is aligned with. His presentation covered information integration using Oracle Data Integrator, business intelligence, performance management and then onto content management (ECM and related technologies) and collaboration (Portals and technologies from the BEA acquisition). This space is now under the new category of Enterprise 2.0, and we will be seeing a lot more activity in this space from Oracle over the coming year. Oracle IRM is the E2.0 technology which will provide security for your content, no matter where it came from (database, application, portal) when stored in documents and emails, no matter where they reside.

Thomas Kurian presents at Oracle OpenWorld 2008
"Oracle IRM enforces security permissions on documents, even when they've been sent out of the repository."
Thomas Kurian, SVP Oracle Fusion Middleware

With regards to content management, Thomas's main message was of the ability to "Capture, Store, Manage, and Secure all forms of Content". Security is my key focus here and Thomas led into content security with Oracle's Secure Enterprise Search. This technology, combining your access rights from the identity management system, allows for the ability to search across the enterprise returning only information to which the user legitimately has access. SES is now integrated into the content management system and is being integrated with many of the middleware technologies.

Thomas Kurian's slide on Secure Enterprise Search at OOW 2008


A natural progression from this is, if you can only search for content to which you have rights, security should also apply when you actually attempt to open that information. I'll let Thomas, in his words, describe how IRM fits in...

"Documents live within the repository for very short periods of time, most people take a document that's checked into the repository where it is secure, download it, attach it to email and send it to other people. Oracle IRM enforces security permissions on documents, even when they've been sent out of the repository. So only authorized people can see documents no matter where they access the information from..."
This highlights a very important point: if you use an encryption technology, such as IRM, to protect your most valuable content, you MUST also allow for authorized users to be able to use full text search methods to find the information whilst it is still encrypted. Oracle IRM is the only technology which exposes this ability and has been integrated not only with the content management repositories but also with the Windows Explorer on your desktop.



Thomas Kurian talking about Oracle IRM at OOW 2008


And following all of this was, once again, the message that these technologies are all integrated into Oracle Beehive as well as other Oracle applications such as Siebel. Even more great exposure for Oracle IRM during OpenWorld. I'll be getting the chance to speak with the VP of IRM Development, Ryan Carroll, later on this week... watch this space (umm blog).

Monday Sep 22, 2008

True Delete in Oracle Beehive

Charles Phillips and Chuck Rozwat during their Open World keynote speech today demonstrated how an IRM integration has been prototyped to protect documents that are stored in a Workspace within Beehive. They described security as one of the main features of the Beehive platform; IRM extends this security when documents and emails are used outside the Beehive environment. As Chuck said, "I am a hoarder of documents"; he often saves documents to his local machine where it is easier to work on them. However, in doing so any security that applied to the document whilst it resided in the repository is lost when removed.

Not so with IRM: rights to the content, as defined inside Beehive, are persistently applied even when the document is moved beyond the storage area of the Workspace. So Chuck saved a document down to the local machine, then Charles deleted the original document inside the Beehive Workspace with "True Delete". When Chuck next went to open the locally saved copy, he was denied access because of the true delete. This shows an important element of the new 11g release of Oracle IRM. We are able to delegate the request for rights from the IRM server to anything; in this instance it is the Beehive server, but it could well be a content management system, records management application, anything which stores rights about access to information. In this demo, when Charles true-deleted the document, it automatically revoked all access to all copies of the document via IRM. So when Chuck tried to access the locally saved document it talked to the IRM server, which denied access to the document. In fact it would deny access to any copy that exists anywhere, both inside and outside of Beehive and inside or outside the traditional enterprise security perimeters such as the firewall.
Charles Phillips demonstrating Oracle IRM in Beehive
I had the chance to speak with James Leask, the IRM Developer flown over from the UK to work with the Beehive team and help them with the prototyping of the integration. James said "The new 11g server due for release next year, has a highly extensible architecture allowing me to quickly write a plugin to delegate rights to the Beehive server. It was written in Java and uses web services."

James was available behind the scenes during the demonstration in case last minute changes were required. However, everything went very smoothly, so much so that it was hard to believe that it was live software being shown and not just slideware.
James Leask, Oracle IRM developer. Looking forward to fun in San Francisco
"Implementing the integration was simple, it only took about a day. Leaving me the rest of the week to enjoy San Francisco!"
James Leask, IRM Developer

Sunday Sep 21, 2008

IRM at Oracle Open World 2008


Oracle Open World 2008 starts today in downtown San Francisco. No expense spared as they close off Howard Street for the entire duration of the event. Wednesday evening Treasure Island, in the middle of the bay, will host concerts headlined by Elvis Costello, Seal and UB40 (Will Red Red Wine become the new Oracle anthem?). The phrase "paint the town red" really does apply this week!

I will be attending all week and will be joined by key members of the Oracle IRM team. Andy Peet, sat with me now and helping me with this article, is the product manager for IRM. Ensuring we listen to customers, Andy has been visiting some high profile strategic companies in the week leading up to OOW as well as enduring my poor humour. Ryan Carroll, VP of IRM Engineering, is also flying in tonight and will be joining us in the DEMOgrounds at stand A9. Ryan heads up the awesome development team based in Reading, England. Last, but not least, Dr Martin Lambert will be with us. Martin is the creator and founder of the Oracle IRM technology who has recently moved from the UK to the bay area, bringing his expertise to Oracle HQ.

Simon at Oracle Open World 2008

Andy Peet at Oracle Open World 2008
"The OpenWorld opening keynote is going to show some really exciting integration work between Oracle IRM and Beehive."
Andy Peet
Oracle IRM will get its first main exposure during OpenWorld in the Charles Phillips and Chuck Rozwat keynote speech at 9am PST in Moscone North, Hall D. You can also view it streamed live or on demand via I asked Andy for an insight into what the keynote will offer;

"They will be demonstrating a ground breaking integration of Oracle Information Rights Management with Oracle Beehive; showing the use of IRM in work spaces and document versioning. It's so cool, make sure you don't miss it.

Work space users' rights are delegated directly from their rights in Beehive, so if a user's rights are changed in Beehive they are automatically changed in all of their documents. Document versioning enables a new version of a document to be issued and stops users from accessing older versions ensuring they always have up-to-date information. This integration, whilst fully operational, is based on the next generation IRM Server, our 11g release. It is not currently available, but has been prototyped for this presentation by great collaborative work between the Beehive and IRM development teams. Great work guys!"

So come and meet the team during Open World, we are in the DEMOgrounds area at booth A9 and have a pretty slick demonstration setup. We are able to show the new UCM and IRM integration, sealed email and many other aspects of this exciting technology.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.
