Changing AIP Labels for Document Life Cycle
Updated: Apr 7
When protecting a document, AIP is relatively a static process where once a document is protected, the permissions are not often changed. But what if you wanted to protect a document through a life cycle such as a new product development? In this case you may be changing AIP protection several times on a document.
This would seem to be a relatively simple process, just have multiple labels for the multiple levels of protection, and simply change the label for classification to change the effective permissions. This seems straight forward enough, but there are a couple considerations that you must make, namely around how RMS works from an "ownership" perspective as well as how access licenses are issued.
For a simple example, let's assume we have a product development life cycle which documents evolve based on the stage in the process.
Engineering creates initial document for new product development and is the only group who has any access to it.
Engineering hands off ownership of the document to Marketing after the initial development is complete, but maintains the ability to view the document.
Once Marketing has finished their phase, they pass the document ownership over to Sales for finalization, but Engineering and Marketing maintain the ability to view the document.
This sounds like a simple process, but the challenge comes into the transition of ownership. For example, when Engineering hands over the document to Marketing, Engineering must provide Marketing the ownership while relinquishing ownership access. To change permissions you must have ownership, but can you remove your own level of ownership? Yes and no.
The logic makes sense that I cannot remove my own Full Control access to a document as changing the permissions require Full Control... that and especially in the Engineering case, it would be typically unlikely that someone who is the initial creator or author of a document should lose access to the content they originally created. The challenge here comes from the Rights Management Issuer and Rights Management Owner roles used by AIP.
From a very high view, these can almost be viewed as being synonymous with each other, but there are some differences in the fine details.
Rights Management Document Roles
First, let's take a look at the Rights Management Issuer. By default, when a document is protected with AIP, the account which applies that protection becomes the Rights Management Issuer for the document. But what does this mean? Essentially, this means the account does not have to play by all the rules when it comes to AIP, specifically:
The Rights Management Issuer can access a document past an expiration date applied by AIP.
The Rights Management Issuer can access a document offline regardless of whether AIP requires online access to the RMS service.
The Rights Management Issuer can still access a document when AIP has revoked access.
Note that the Rights Management Issuer is the account that protected the document, not necessarily the account that created or authored the document. This is where the Rights Management Owner role comes into play.
By default, the Rights Management Issuer also becomes the Rights Management Owner, but there are cases where these may not always be the same account. Specifically, when protections are being applied systematically or administratively in bulk. In these cases, the Rights Management Owner role can be assigned on behalf of another account. This ensures that the original document owner maintains the same level of control of the protected document as if they applied the protection themselves.
The Rights Management Owner has essentially the same privileges to the document as the Rights Management Issuer. The purpose of this role is to ensure the original document owner maintains access to their created content even if the AIP policy would restrict access as well as allow the original document owner to remove protections from their content.
Because of how AIP is assigned, this means that there is the potential that even though a label change may reduce the level of access to the Engineering team, the specific engineer that originally created the document or applied the AIP label will maintain full-access to the document regardless of what phase in the life cycle the document exists.
So how do we address this in our life cycle requirements? The good news is that it is actually easy to do, the bad news is it does add a degree of complexity to the end-user.
Based on our life cycle stages, we need to have the following AIP labels defined:
Engineering Development: Engineering = Co-Owner
Engineering to Marketing: Engineering = Co-Owner, Marketing = Co-Owner
Marketing Development: Engineering = Viewer, Marketing = Co-Owner
Marketing to Sales: Engineering = Viewer, Marketing = Co-Owner, Sales = Co-Owner
Sales Development: Engineering = Viewer, Marketing = Viewer, Sales = Co-Owner
The two important labels are Engineering to Marketing and Marketing to Sales. These need to exist for the transition of ownership of the document between departments.
The phase transition would occur as follows:
Engineering Development = Assigned by Engineering
Engineering to Marketing = Assigned by Engineering
Marketing Development = Assigned by Marketing
Marketing to Sales = Assigned by Marketing
Sales Development = Assigned by Sales
Because Engineering is the only group with permission to the document in Engineering Development, they are the only ones that can change the permissions on the document to include Marketing.
The Engineering to Marketing assigns Co-Owner to both Engineering and Marketing because we need Marketing to have the ability to change the AIP label assigned. Yes, someone in Engineering could directly assign the Marketing Development label, but because this person is assigning the protection, they are the Rights Management Issuer, which will maintain their Full Control access even though the Marketing Development label should provide only View permissions.
Because Marketing can change the label out of the Engineering to Marketing phase to Marketing Development phase, no one in Engineering is the Rights Management Issuer or the Rights Management Owner. When Marketing changes the label, the person making the change becomes both the Rights Management Issuer and Rights Management Owner.
The alternative to this approach is to designate an administrative user or group that is responsible for applying AIP labels that will maintain access to the document at all times. This would align with the use of a AIP Super User, but takes control out of the departments directly involved with the document life cycle stages. This administrative user or group can reclassify a documents with new labels programmatically to assign someone else as the Rights Management Owner (even though the Super User will be the Rights Management Issuer).
AIP Use License Life Time
The other consideration to take is the use license that is assigned when a document protected with AIP is accessed. By default, this is 30 days, meaning that if the protection allows offline access, a change in the label that reduces access may not go into affect for all users for up to 30 days. This can be modified by setting the Offline Access value for the protection label, but remember that Rights Management Issuers and Rights Management Owners can always access a document regardless of this setting.