Developing Compliance Solutions on Office 2007

I know that I mentioned that I'll start stepping you through customizing the ribbon today but I am just too excited! I released my whitepaper on Compliance Features for the 2007 Microsoft Office System today and I can't seem to talk about anything else. This is a great paper and I'm just so excited to get this out the door to you guys.

Why should you, as a developer, care about compliance?

Because there are a multitude of opportunities out there for you. Take a minute to read through a few of the compliance-related blogs out there and you'll see that there's a HUGE customer demand. Basically, you'll have companies banging down your door for your code. 🙂 Here are some good blogs to read to get acquainted with the compliance area: Office 2007 Records Management blog, Russ Stalters, and Marc Dencker.

In addition to those blogs, at the end of my whitepaper I've listed a lot of resources to get you jumpstarted on building your own solutions. Office 2007 sets you up to take advantage of that huge customer demand. As I mentioned in my previous posts, Office 2007 does all the plumbing and dirty work so that you don't have to. It's not that it takes you away from writing code, it just gives you more time to write more of the useful code.  

Let me give you a few examples of ways you can extend Office 2007 to build compliance solutions (this is right out of my paper folks ;-)).

Adding Instant Messaging History to the Records Center

A major issue on the technical side of compliance is handling unstructured data such as e-mail and instant messaging. E-mail records management is built into the 2007 Office system, but there is no out-of-the-box ability to store instant messaging conversations as records. Office Communicator has always been an enterprise-class, security-enhanced instant messaging application, but in the 2007 release, it also stores all session history on the Exchange Server 2007 system and makes it viewable to the user through a specially-created folder in the user’s Office Outlook 2007 inbox. This storage results in an audit log for each conversation and file transfer (for example, who participated, what was written, and at which date and time). With the Records Center feature in Office SharePoint Server 2007, you can now write custom code to quickly connect the two and send all instant messaging session history to the Records Center.


The custom code would first query the Exchange Server 2007 system to retrieve the session history files. It would then use SharePoint Products and Technologies to send the files to the Records Center site.

Server-Side Signing of Documents

In the 2007 Office release, you can digitally sign all Office Word 2007, Office Excel 2007, Office PowerPoint 2007, and Office InfoPath 2007 files to help ensure authenticity and then upload them to the server. The same is not true for all third-party files or all other non-core Microsoft Office file types. Authenticity is a major issue in compliance, and there are opportunities for you to extend the 2007 Office system platform to meet this need. With some custom code, no matter which file (such as a CAD file or a Windows media file) a user uploads to a SharePoint site, the user can digitally sign that file during the upload process to ensure that all necessary files are authenticated.


After the 2007 Office application initially verifies the signature, custom code can verify the third-party certificate and then modify the XML-DSIG. On the server side, you would parse the XML-DSIG to extract the public key, algorithm details, and the signed data. You could then verify the key and store it in an IRM-protected document library.


Attached is the technical architecture I've drawn of the 2007 Microsoft Office System client, server, and tools (also available in the whitepaper). In this diagram, you can see how common technologies such as XML and ASP.NET connect all the different components of the 2007 Microsoft Office System to make it interoperable so that you can easily make those enterprise solutions.

 Read it and let me know what you think.

Office Architecture.jpg

Comments (11)
  1. Hi everyone, I wanted to point you to an excellent whitepaper that discusses compliance across the entire

  2. mic.dan says:

    Hi Joanna!

    First I would like to say that this is the most proffessional and comprehensive article I’ve read about Office 2007 – you did a great job here!

    Second, I have some questions, if I may:

    1)IRM/RMS – Does the RMS supports encryption of files that were transferred to an external repository? (as mentioned in the article, MOSS allows that transfer)

    2) Record Routing – It simply doesn’t seem to work. All you can do is sending a document to a record center (=site), but not to a specific document library! I’ve posted about it in the RECMAN blog (

  3. mic.dan says:


    I wrote:

    " … All you can do is sending a document to a record center (=site), but not to a specific document library"

    But I ment of course to:

    2) …All you can do is sending a document to a specific document library but not to a record center (=site)!

    I’ll be glad to watch a screenshot of the menu that allows you to define a Records Center as a destination for sending.


  4. Joanna_Bichsel says:

    Hi mic.dan,

    Thanks very much, I’m glad you enjoyed the paper! I consider the Program Managers who post on the recman blog ( the experts in this area so I’m glad that you posted your questions there as well. I asked your qestions to Adam Harmetz, one of the Program Managers on the RM team there, and he responded to #1 in the following way:

    Question: 1)IRM/RMS – Does the RMS supports encryption of files that were transferred to an external repository? (as mentioned in the article, MOSS allows that transfer)

    Answer: "Generally, when an item is removed from a rights managed document library, it will be protected to so that only the person requesting the file can open it.  This includes transfers to other SharePoint libraries as well as regular user downloads.

    However, we do make several exceptions for special cases.  For instance, our import/export tool (PRIME) will export an unencrypted copy of the file.  It’s up to the administrator to make sure that the exported document is correctly ACLed.  Also, when something is sent to the Records Center, we won’t encrypt the file."

    He said that he believes that all of your other questions were answered on the recman blog.

    While I worked on this compliance paper, the real RM experts on Microsoft Office 2007 are those who are blogging over at the RecMan blog. I’m more focused on showing developers how to build a wide breadth of enterprise solutions.

    Hope this helps, Joanna

  5. mic.dan says:


    Adam indeed answered me at the RecMan blog, but IRM issue wasn’t mentioned there.

    I’ll call RecMan back…

    Thanks again.

  6. Erika Ehrli says:

    I have seen some great articles about the 2007 Microsoft Office System, but if you are an architect or solution developer, this is one you don’t want to miss: Compliance Features in the 2007 Microsoft Office System. This paper talks about business opportunities

  7. Попалась ссылка на отличную белую бумагу (whitepaper :-), обсуждающую поддержку требований регулирующих

  8. mic.dan says:

    Izvenieta gospodin Козлов, no mi nie govorit paruski (tolko niemnozka)…

  9. Nick says:

    Great article. I think where you refer to Microsoft Windows SharePoint Services 2007 on page 59, the product you’re talking about is known outside of Microsoft as Microsoft Windows SharePoint Services 3.0.

  10. Joanna_Bichsel says:

    Thanks for clarifying that Nick, my mistake.

    — Joanna

  11. markovich says:

    Попалась ссылка на отличную белую бумагу (whitepaper :-), обсуждающую поддержку требований регулирующих

Comments are closed.

Skip to main content