About document security

Last update: May 3, 2023

CREATED FOR:

  • User
CAUTION
AEM 6.4 has reached the end of extended support and this documentation is no longer updated. For further details, see our technical support periods. Find the supported versions here.

Document security ensures that only authorized users can use your documents. Using document security, you can safely distribute any information that you have saved in a supported format. Supported file formats include:

  • Adobe PDF files
  • Microsoft® Word, Excel, and PowerPoint files

For more information about how policies protect supported file types, see Additional document security information.

Using document security, you can easily create, store, and apply predefined confidentiality settings to your documents. To prevent information from spreading beyond your reach, you can also monitor and control how recipients use your documents after you distribute them.

You can protect documents by using policies. A policy is a collection of information that includes confidentiality settings and a list of authorized users. The confidentiality settings you specify in a policy determine how a recipient can use a document to which you apply the policy. For example, you can specify whether recipients can print or copy text, edit text, or add signatures and comments to protected documents.

Document security users create policies through the end-user web pages. Administrators use the document security web pages to create policy sets that contain shared policies that are available to all authorized users.

Although policies are stored in document security, you apply them to documents through your client application. How to apply policies to PDF documents is described in detail in Acrobat Help. Applying policies by using other applications, such as Microsoft Office, is documented in the Acrobat Reader DC extensions Help for the application.

When you apply a policy to a document, the confidentiality settings specified in the policy protect the information that the document contains. The confidentiality settings also protect any files (text, audio, or video) within a PDF document. You can distribute the policy-protected document to recipients who are authorized by the policy.

Document access control and auditing

Using a policy to protect a document gives you ongoing control over that document, even after you distribute it. You can monitor the document, make changes to the policy, prevent users from continuing to access the document, and switch the policy that is applied to the document.

Through document security, you can monitor policy-protected documents and track events, such as when an authorized or unauthorized user attempts to open the document.

Components

Document security consists of a server and user interface:

Server: The central component through which document security performs transactions such as user authentication, real-time management of policies, and application of confidentiality. The server also provides a central repository for policies, audit records, and other related information.

Web pages: The interface where you create policies, manage your policy-protected documents, and monitor events that are associated with policy-protected documents. Administrators can also configure global options such as user authentication, auditing, and messaging for invited users, and manage invited user accounts.

rm_psworkflow

The steps in the illustration are as follows:

  1. The document owner creates policies using the web pages. Document owners can create personal policies that are accessible only to them. Administrators and policy set coordinators can create shared policies within policy sets that are accessible to authorized users.
  2. The document owner applies the policy, and then saves and distributes the document. The document can be distributed by email, through a network folder, or on a website.
  3. The recipient opens the document in the appropriate client application. The recipient can use the document according to its policy.
  4. The document owner, policy set coordinator, or administrator can track documents and modify access to them using the web pages.

About document security users

Various types of users work with document security to accomplish different tasks:

  • The system administrator or other information systems (IS) person installs and configures document security. This person may also be responsible for configuring global settings for the server, web pages, and policies and documents.

    These settings may include, for example, a base document security URL, auditing and privacy notifications, invited user registration notices, and default offline lease periods.

  • Document security administrators create policies and policy sets, and manage policy-protected documents for users as required. They also create invited user accounts, and monitor system, document, user, policy, policy set, and custom events. They may also be responsible for configuring the global server, and web page and policy settings in conjunction with a system administrator.

    Administrators can assign users the following roles in the User Management area of administration console. Users who are assigned these roles perform their tasks in the document security user interface area of administration console.

    Document security super administrator

    Users with this role have access to all of the document security settings in administration console. These permissions are associated with the role:

    • Manage configuration
    • Manage policy
    • Manage policy sets
    • Manage documents
    • Manage document publishers
    • Manage invited and local users
    • View events
    • Delegate
    • Invite external users

    Document security administrator

    Users with this role can configure the document security server, using the Configuration page in document security section of administration console. This permission is associated with the role, Manage Configuration.

    NOTE
    Users with this role must also have the administration console User role to be able to log in to administration console and edit any configuration-related settings.

    Document security policy set administrator

    Users with this role can use the document security section of administration console to edit other users’ polices and to create, edit, and delete policy sets. When a policy set administrator creates a policy set, they can assign a policy set coordinator to that policy set. These permissions are associated with the role:

    • Manage policy
    • Manage policy sets
    • Manage documents
    • Manage document publishers
    • View events
    • Delegate
    NOTE
    Users with this role must also have the administration console User role to be able to log in to administration console and edit any configuration-related settings.

    Document security manage invited and local users

    Users with this role can perform tasks required to manage all invited and local users on the relevant document security web pages. These permissions are associated with the role:

    • Manage invited and local users
    • Invite external users
    • Access end-user web pages
    NOTE
    Users with this role must also have the administration console User role to be able to log in to administration console and edit any configuration-related settings.

    Document security invite user

    Users with this role can invite users. These permissions are associated with the role:

    • Invite external users
    • Access end-user web pages

    Document security end user

    Users with this role can access document security end-user web pages. This role can also be assigned to administrators to allow administrators to create policies using the end-user pages. This permission is associated with the role Access end-user web pages.

  • Users within the organization who have valid document security accounts create their own policies, use policies to protect documents, track and manage their policy-protected documents, and monitor events that are related to their documents.

  • Policy set coordinators manage documents, view events, and manage other policy set coordinators (based on their permissions). Administrators designate users as policy set coordinators for particular policy sets.

  • Users who are external to your organization (for example, a business partner) can use policy-protected documents if they are in the document security document security directory, if the administrator creates an account for them, or if they register with document security through an automated email invitation process. Depending on how the administrator enables the access settings, the invited users may also have permission to apply policies to documents, to create, modify and delete their policies, and to invite other external users to use their policy-protected documents.

  • Developers use the AEM forms SDK to integrate custom applications with document security.

Document security administrators can create custom roles by using the following permissions in User Management:

  • Document security Manage Configuration
  • Document security Manage Invited and Local Users
  • Document security Manage Policy Sets
  • Document security Manage Policy Sets
  • Document security View Server Events
  • Document security Change Policy Owner

Policies and policy-protected documents

A policy defines a set of confidentiality settings and users who can access a document to which the policy is applied. A policy also enables the permissions on a document to be changed dynamically. It gives the person who secures the document permission to change the confidentiality settings to revoke access to the document or to switch the policy.

Policy protection can be applied to a PDF document by using Adobe Acrobat® Pro and Acrobat Standard. Policy protection can be applied to other file types, such as Microsoft Word, Excel, and PowerPoint files, by using the client application with the appropriate Acrobat Reader DC extensions installed.

How policies work

Policies contain information about the authorized users and the confidentiality settings to apply to documents. Users can be any one in your organization, as well as people who are external to your organization who have an account. If the administrator enables the user invitation feature, it is even possible to add new users to policies, therefore initiating a registration invitation email process.

The confidentiality settings in a policy determine how the recipients can use the document. For example, you can specify whether recipients can print or copy text, make changes, or add signatures and comments to protected documents. The same policy can also specify different confidentiality settings for specific users.

NOTE
Confidentiality settings that are applied through a policy override any settings that may have been applied to a PDF document in Acrobat by using the password or certificate security options. (See Acrobat Help for more information.)

Users and administrators create policies through the document security web pages. Only one policy at a time can be applied to a document. You can apply a policy by using one of these methods:

  • Open the document in Acrobat or another client application and select a policy to secure the document.
  • Send a document as an email attachment in Microsoft Outlook. In this case, you can select a policy from a list of policies or select an auto-generated policy that Acrobat creates with a default set of confidentiality settings to protect the document only for the email message recipients.

A policy can be removed from a document by using the client application.

rm_psonline_policy

The steps in the diagram are as follows:

  1. The document owner secures the document from a supported client application with a policy that allows online use.
  2. Document security creates a document license and document keys, and encrypts the policy. The document license, encrypted policy, and document key are returned to the client application.
  3. The document is encrypted with the document key, and the document key is discarded. The document now embeds the license and policy. These tasks are performed in the supported client application.

When you apply a policy to a document, the information that the document contains, including any contained files (text, audio, or video) in PDF documents, is protected by the confidentiality settings that are specified in the policy. Document security generates a license and encryption information that is then embedded in the document. When you distribute the document, document security can authenticate the recipients who attempt to open the document and authorize access according to the privileges specified in the policy.

If offline usage is enabled, recipients can also use policy-protected documents offline (without an active Internet or network connection) for the time period specified in the policy.

How policy-protected documents work

To open and use policy-protected documents, the policy must include your name as a recipient, and you must have a valid document security account. For PDF documents, you need Acrobat or Adobe Reader®. For other file types, you need the appropriate application for the file with the Acrobat Reader DC extensions installed.

When you attempt to open a policy-protected document, Acrobat, Adobe Reader, or the Acrobat Reader DC extensions connects to document security to authenticate you. Then, you can proceed to log on. If the document usage is being audited, a notification message appears. After document security determines which document permissions to grant, it manages the decryption of the document. You can then use the document according to the policy confidentiality settings.

rm_psopen_online

The steps in the diagram are as follows:

  1. The document user opens the document in a supported client application and authenticates with the server. The document identifier is sent to the document security server.
  2. Document security authenticates the users, checks the policy for authorization, and creates a voucher. The voucher (which contains the document key and permissions) is returned to the client application.
  3. The document is decrypted with the document key, and the document key is discarded. The document can then be used according to the confidentiality settings of the policy. These tasks are performed in the supported client application.

You can continue to use a document under these conditions:

  • Indefinitely or for the validity period that is specified in the policy
  • Until the administrator or the person who applied the policy revokes access to the document or changes the policy

You can also use policy-protected documents offline (without an Internet or network connection) if the policy permits offline access. You must first log in to document security to synchronize the document. You can then use the document for the duration of the offline lease period that is specified in the policy.

When the offline lease period ends, you must synchronize the document with document security again, either by going online and opening a policy-protected document or by using a command in the client application. (See Acrobat Help or the appropriate Acrobat Reader DC extensions Help for details.)

If you save a copy of a policy-protected document by using the Save or Save As menu command, the policy is automatically applied and enforced for the new document. Events such as attempts to open the new document are also audited and recorded for the original document.

Policy sets

Policy sets are used to group a set of policies that have a common business purpose. These policy sets are then made available to a subset of users in the system.

Each policy set can have one or more associated policy set coordinators. The policy set coordinator is an administrator or a user who has additional permissions. The policy set coordinator is typically a specialist in the organization who can best author the policies in a particular policy set.

Policy set coordinators can perform these tasks:

  • Create new policies
  • Edit and delete any policy in the policy set
  • Edit policy set settings
  • Add and remove policy set coordinators
  • View policy and document events for any policy or document within the policy set
  • Revoke access to documents
  • Switch policies for the document.

Policy sets are created and deleted in the document security administration web pages by administrators and policy set coordinators who have permission to do so.

Policy sets are generally made available to a limited number of users by specifying which users or groups within a domain can use the policies from the policy set to protect documents.

When document security is installed, a default policy set is created called Global Policy Set. The administrator who installed the software manages this policy set.

recommendation-more-help