Thursday May 26, 2011

IRM Item Codes: How to Find Them

barcode

In a recent post, I discussed the value of item codes for enabling document-specific policies. As a rule, we recommend avoiding document-specific policies because of the governance and usability issues that they tend to raise, but there are numerous scenarios where it is the right approach for some types of communication.

A colleague who is responsible for such a scenario within Oracle asked me for some tips on how to find the item code, so this post provides a few simple suggestions.

Firstly, you can usually see a document's item code simply by selecting it in Windows Explorer and hovering the mouse pointer over the document. On most operating systems, the tooltip provided by Explorer is modified to include a few pieces of IRM metadata, including the item code.

IRM tooltip

If you prefer, you can select a file and access its Properties dialog. The IRM Desktop adds an Oracle IRM tab to the dialog on most OSs and exposes further metadata including the item code. This approach has the additional advantage that you can copy the metadata to the clipboard, so you can cut and paste the item code if you need to specify it when setting up item-specific policy.

IRM properties tab in Explorer

Another method is to access the control panel from the IRM toolbar or menu when you are actually using a document. This gives you access to the metadata as well as a tab that tells you what rights you have, when the rights are due for refresh or expiry, a link to reset your password (presuming you are not using single sign on), and IRM Desktop version information.

IRM Desktop control panel

There are other ways to get at the item code and other metadata - including programmatic methods that you might use during automated workflows that need to make decisions based on the item code or other factors - but these are the three most obvious ways for users to get at the item code if the scenario requires it. Of course, most users never need to know or care about such things.

Friday Mar 11, 2011

IRM Item Codes – what are they for?


barcode

A number of colleagues have been asking about IRM item codes recently - what are they for, when are they useful, how can you control them to meet some customer requirements? This is quite a big topic, but this article provides a few answers.

An item code is part of the metadata of every sealed document - unless you define a custom metadata model. The item code is defined when a file is sealed, and usually defaults to a timestamp/filename combination.

This time/name combo tends to make item codes unique for each new document, but actually item codes are not necessarily unique, as will become clear shortly.

In most scenarios, item codes are not relevant to the evaluation of a user's rights - the context name is the critical piece of metadata, as a user typically has a role that grants access to an entire classification of information regardless of item code. This is key to the simplicity and manageability of the Oracle IRM solution.

Item codes are occasionally exposed to users in the UI, but most users probably never notice and never care. Nevertheless, here is one example of where you can see an item code - when you hover the mouse pointer over a sealed file.

tooltip

As you see, the item code for this freshly created file combines a timestamp with the file name.

But what are item codes for?

The first benefit of item codes is that they enable you to manage exceptions to the policy defined for a context. Thus, I might have access to all oracle - internal files - except for 2011_03_11 13:33:29 Board Minutes.sdocx.

This simple mechanism enables Oracle IRM to provide file-by-file control where appropriate, whilst offering the scalability and manageability of classification-based control for the majority of users and content. You really don't want to be managing each file individually, but never say never.

Item codes can also be used for the opposite effect - to include a file in a user's rights when their role would ordinarily deny access. So, you can assign a role that allows access only to specified item codes. For example, my role might say that I have access to precisely one file - the one shown above.

So how are item codes set?

In the vast majority of scenarios, item codes are set automatically as part of the sealing process. The sealing API uses the timestamp and filename as shown, and the user need not even realise that this has happened. This automatically creates item codes that are for all practical purposes unique - and that are also intelligible to users who might want to refer to them when viewing or assigning rights in the management UI.

It is also possible for suitably authorised users and applications to set the item code manually or programmatically if required.

Setting the item code manually using the IRM Desktop

The manual process is a simple extension of the sealing task. An authorised user can select the Advanced... sealing option, and will see a dialog that offers the option to specify the item code.

setitemcode


To see this option, the user's role needs the Set Item Code right - you don't want most users to give any thought at all to item codes, so by default the option is hidden.

Setting the item code programmatically

A more common scenario is that an application controls the item code programmatically. For example, a document management system that seals documents as part of a workflow might set the item code to match the document's unique identifier in its repository. This offers the option to tie IRM rights evaluation directly to the security model defined in the document management system. Again, the sealing application needs to be authorised to Set Item Code.

The Payslip Scenario

To give a concrete example of how item codes might be used in a real world scenario, consider a Human Resources workflow such as payslips. The goal might be to allow the HR team to have access to all payslips, but each employee to have access only to their own payslips.

To enable this, you might have an IRM classification called Payslips. The HR team have a role in the normal way that allows access to all payslips. However, each employee would have an Item Reader role that only allows them to access files that have a particular item code - and that item code might match the employee's payroll number. So, employee number 123123123 would have access to items with that code. This shows why item codes are not necessarily unique - you can deliberately set the same code on many files for ease of administration.

The employees might have the right to unseal or print their payslip, so the solution acts as a secure delivery mechanism that allows payslips to be distributed via corporate email without any fear that they might be accessed by IT administrators, or forwarded accidentally to anyone other than the intended recipient.

All that remains is to ensure that as each user's payslip is sealed, it is assigned the correct item code - something that is easily managed by a simple IRM sealing application. Each month, an employee's payslip is sealed with the same item code, so you do not need to keep amending the list of items that the user has access to - they have access to all documents that carry their employee code.
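As an added example (not Oracle IRM's own API or code), here is a small model of the rights evaluation these posts describe: a role grants a whole context, item codes carve out exceptions, and an Item Reader role keyed to the payroll number grants only files carrying that code. The item-code format is inferred from the tooltip example above, and every class and function name is this example's assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of the rights evaluation described in the posts; it is not
# Oracle IRM's own API, and the names below are this example's assumptions.

def default_item_code(filename: str, sealed_at: datetime) -> str:
    """Default item code: the timestamp/filename combination the sealing process produces."""
    return f"{sealed_at.strftime('%Y_%m_%d %H:%M:%S')} {filename}"

@dataclass(frozen=True)
class SealedDoc:
    context: str    # classification the file was sealed to, e.g. "Payslips"
    item_code: str  # set at sealing time; deliberately reusable across files

@dataclass(frozen=True)
class Role:
    context: str
    only_items: frozenset = frozenset()    # non-empty: an Item Reader role limited to these codes
    except_items: frozenset = frozenset()  # codes carved out of an otherwise whole-context role

def can_access(roles, doc: SealedDoc) -> bool:
    """The context name decides; item codes only add exceptions or inclusions."""
    for role in roles:
        if role.context != doc.context:
            continue                       # a role grants nothing outside its classification
        if role.only_items:
            if doc.item_code in role.only_items:
                return True
            continue                       # Item Reader: no rights to any other code
        if doc.item_code not in role.except_items:
            return True
    return False

def exception_scenario():
    """Whole-context access to 'oracle - internal' minus one file, by item code."""
    minutes = default_item_code("Board Minutes.sdocx", datetime(2011, 3, 11, 13, 33, 29))
    me = [Role("oracle - internal", except_items=frozenset({minutes}))]
    memo = SealedDoc("oracle - internal", default_item_code("Memo.sdocx", datetime(2011, 3, 11, 14, 0, 0)))
    return minutes, can_access(me, memo), can_access(me, SealedDoc("oracle - internal", minutes))

def payslip_scenario():
    """HR sees every payslip; employee 123123123 sees only files carrying that code."""
    hr = [Role("Payslips")]
    employee = [Role("Payslips", only_items=frozenset({"123123123"}))]
    mine = SealedDoc("Payslips", "123123123")          # same code every month, no policy edits
    someone_elses = SealedDoc("Payslips", "987654321")
    return (can_access(hr, mine), can_access(hr, someone_elses),
            can_access(employee, mine), can_access(employee, someone_elses))
```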

