About document security users
Various types of users work with document security to accomplish different tasks:
- The system administrator or other information systems (IS) person installs and configures document security. This person may also be responsible for configuring global settings for the server, web pages, and policies and documents. These settings may include, for example, a base document security URL, auditing and privacy notifications, invited user registration notices, and default offline lease periods.
- Document security administrators create policies and policy sets, and manage policy-protected documents for users as required. They also create invited user accounts, and monitor system, document, user, policy, policy set, and custom events. They may also be responsible for configuring the global server, web page, and policy settings in conjunction with a system administrator.
Administrators can assign users the following roles in the User Management area of administration console. Users who are assigned these roles perform their tasks in the document security user interface area of administration console.
Document security super administrator
Users with this role have access to all of the document security settings in administration console. These permissions are associated with the role:
- Manage configuration
- Manage policy
- Manage policy sets
- Manage documents
- Manage document publishers
- Manage invited and local users
- View events
- Delegate
- Invite external users
Document security administrator
Users with this role can configure the document security server, using the Configuration page in document security section of administration console. This permission is associated with the role, Manage Configuration.
NOTE
Users with this role must also have the administration console User role to be able to log in to administration console and edit any configuration-related settings.
Document security policy set administrator
Users with this role can use the document security section of administration console to edit other users’ policies and to create, edit, and delete policy sets. When a policy set administrator creates a policy set, they can assign a policy set coordinator to that policy set. These permissions are associated with the role:
- Manage policy
- Manage policy sets
- Manage documents
- Manage document publishers
- View events
- Delegate
NOTE
Users with this role must also have the administration console User role to be able to log in to administration console and edit any configuration-related settings.
Document security manage invited and local users
Users with this role can perform tasks required to manage all invited and local users on the relevant document security web pages. These permissions are associated with the role:
- Manage invited and local users
- Invite external users
- Access end-user web pages
NOTE
Users with this role must also have the administration console User role to be able to log in to administration console and edit any configuration-related settings.
Document security invite user
Users with this role can invite users. These permissions are associated with the role:
- Invite external users
- Access end-user web pages
Document security end user
Users with this role can access document security end-user web pages. This role can also be assigned to administrators to allow administrators to create policies using the end-user pages. This permission is associated with the role Access end-user web pages.
- Users within the organization who have valid document security accounts create their own policies, use policies to protect documents, track and manage their policy-protected documents, and monitor events that are related to their documents.
- Policy set coordinators manage documents, view events, and manage other policy set coordinators (based on their permissions). Administrators designate users as policy set coordinators for particular policy sets.
- Users who are external to your organization (for example, a business partner) can use policy-protected documents if they are in the document security directory, if the administrator creates an account for them, or if they register with document security through an automated email invitation process. Depending on how the administrator enables the access settings, the invited users may also have permission to apply policies to documents, to create, modify, and delete their policies, and to invite other external users to use their policy-protected documents.
- Developers use the AEM forms SDK to integrate custom applications with document security.
Document security administrators can create custom roles by using the following permissions in User Management:
- Document security Manage Configuration
- Document security Manage Invited and Local Users
- Document security Manage Policy Sets
- Document security View Server Events
- Document security Change Policy Owner
Policies and policy-protected documents
A policy defines a set of confidentiality settings and users who can access a document to which the policy is applied. A policy also enables the permissions on a document to be changed dynamically. It gives the person who secures the document permission to change the confidentiality settings to revoke access to the document or to switch the policy.
Policy protection can be applied to a PDF document by using Adobe Acrobat® Pro and Acrobat Standard. Policy protection can be applied to other file types, such as Microsoft Word, Excel, and PowerPoint files, by using the client application with the appropriate Acrobat Reader DC extensions installed.
How policies work
Policies contain information about the authorized users and the confidentiality settings to apply to documents. Users can be any one in your organization, as well as people who are external to your organization who have an account. If the administrator enables the user invitation feature, it is even possible to add new users to policies, therefore initiating a registration invitation email process.
The confidentiality settings in a policy determine how the recipients can use the document. For example, you can specify whether recipients can print or copy text, make changes, or add signatures and comments to protected documents. The same policy can also specify different confidentiality settings for specific users.
Users and administrators create policies through the document security web pages. Only one policy at a time can be applied to a document. You can apply a policy by using one of these methods:
- Open the document in Acrobat or another client application and select a policy to secure the document.
- Send a document as an email attachment in Microsoft Outlook. In this case, you can select a policy from a list of policies or select an auto-generated policy that Acrobat creates with a default set of confidentiality settings to protect the document only for the email message recipients.
A policy can be removed from a document by using the client application.
The steps in the diagram are as follows:
- The document owner secures the document from a supported client application with a policy that allows online use.
- Document security creates a document license and document keys, and encrypts the policy. The document license, encrypted policy, and document key are returned to the client application.
- The document is encrypted with the document key, and the document key is discarded. The document now embeds the license and policy. These tasks are performed in the supported client application.
When you apply a policy to a document, the information that the document contains, including any contained files (text, audio, or video) in PDF documents, is protected by the confidentiality settings that are specified in the policy. Document security generates a license and encryption information that is then embedded in the document. When you distribute the document, document security can authenticate the recipients who attempt to open the document and authorize access according to the privileges specified in the policy.
If offline usage is enabled, recipients can also use policy-protected documents offline (without an active Internet or network connection) for the time period specified in the policy.
How policy-protected documents work
To open and use policy-protected documents, the policy must include your name as a recipient, and you must have a valid document security account. For PDF documents, you need Acrobat or Adobe Reader®. For other file types, you need the appropriate application for the file with the Acrobat Reader DC extensions installed.
When you attempt to open a policy-protected document, Acrobat, Adobe Reader, or the Acrobat Reader DC extensions connects to document security to authenticate you. Then, you can proceed to log on. If the document usage is being audited, a notification message appears. After document security determines which document permissions to grant, it manages the decryption of the document. You can then use the document according to the policy confidentiality settings.
The steps in the diagram are as follows:
- The document user opens the document in a supported client application and authenticates with the server. The document identifier is sent to the document security server.
- Document security authenticates the user, checks the policy for authorization, and creates a voucher. The voucher (which contains the document key and permissions) is returned to the client application.
- The document is decrypted with the document key, and the document key is discarded. The document can then be used according to the confidentiality settings of the policy. These tasks are performed in the supported client application.
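The protect and open exchanges described in "How policies work" and "How policy-protected documents work", modelled as an added Python example. This is not Adobe's code or the AEM forms SDK: the server class, the client functions, and the policy structure are assumed names, and a SHA-256 counter keystream stands in for the client application's real cipher. What it shows is the key-handling split the text describes: the server issues the document key and decides per policy, while the client encrypts, discards the key, and only gets it back inside a voucher.

```python
import hashlib
import secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Placeholder cipher (SHA-256 counter keystream); stands in for the real one."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Policy:
    recipients: dict  # user -> set of permissions, e.g. {"open", "print"} (assumed shape)
    revoked: bool = False


class DocumentSecurityServer:
    """Model of the server: holds document keys and policies and issues vouchers."""

    def __init__(self):
        self._docs = {}  # license (document identifier) -> (document key, Policy)

    def protect(self, policy: Policy):
        # "How policies work", step 2: create the license and the document key.
        license_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._docs[license_id] = (key, policy)
        return license_id, key

    def voucher(self, license_id: str, user: str):
        # "How policy-protected documents work", step 2: authorize, then hand back key + permissions.
        key, policy = self._docs[license_id]
        if policy.revoked or user not in policy.recipients:
            return None
        return {"key": key, "permissions": set(policy.recipients[user])}

    def revoke(self, license_id: str) -> None:
        self._docs[license_id][1].revoked = True


def client_protect(server: DocumentSecurityServer, plaintext: bytes, policy: Policy) -> dict:
    license_id, key = server.protect(policy)
    body = _keystream_xor(key, plaintext)  # step 3: encrypt with the document key ...
    del key  # ... and discard it; the document carries only the license and the ciphertext
    return {"license": license_id, "body": body}


def client_open(server: DocumentSecurityServer, document: dict, user: str):
    v = server.voucher(document["license"], user)  # step 1: send the identifier, authenticate
    if v is None:
        return None  # not a recipient, or access revoked: no key ever reaches the client
    return _keystream_xor(v["key"], document["body"]), v["permissions"]  # step 3
```

Revoking on the server is enough to lock every existing copy, because the key is never stored in the document itself.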
You can continue to use a document under these conditions:
- Indefinitely or for the validity period that is specified in the policy
- Until the administrator or the person who applied the policy revokes access to the document or changes the policy
You can also use policy-protected documents offline (without an Internet or network connection) if the policy permits offline access. You must first log in to document security to synchronize the document. You can then use the document for the duration of the offline lease period that is specified in the policy.
When the offline lease period ends, you must synchronize the document with document security again, either by going online and opening a policy-protected document or by using a command in the client application. (See Acrobat Help or the appropriate Acrobat Reader DC extensions Help for details.)
If you save a copy of a policy-protected document by using the Save or Save As menu command, the policy is automatically applied and enforced for the new document. Events such as attempts to open the new document are also audited and recorded for the original document.
Policy sets
Policy sets are used to group a set of policies that have a common business purpose. These policy sets are then made available to a subset of users in the system.
Each policy set can have one or more associated policy set coordinators. The policy set coordinator is an administrator or a user who has additional permissions. The policy set coordinator is typically a specialist in the organization who can best author the policies in a particular policy set.
Policy set coordinators can perform these tasks:
- Create new policies
- Edit and delete any policy in the policy set
- Edit policy set settings
- Add and remove policy set coordinators
- View policy and document events for any policy or document within the policy set
- Revoke access to documents
- Switch policies for the document
Policy sets are created and deleted in the document security administration web pages by administrators and policy set coordinators who have permission to do so.
Policy sets are generally made available to a limited number of users by specifying which users or groups within a domain can use the policies from the policy set to protect documents.
When document security is installed, a default policy set is created called Global Policy Set. The administrator who installed the software manages this policy set.