Demystifying “Owner”

[Note: This post assumes the reader is already familiar with terms such as issuance license, use-license, rights account certificate (RAC) and client licensor certificate (CLC). In summary, an issuance license represents the usage policy for a piece of content and contains a list of authorized users and usage rights assigned to the user. A use-license enables end-users to encrypt or decrypt RMS-protected content. It is typically issued by the RMS Server, given the issuance license and RAC corresponding to the end-user. The use-license is issued to the user identified by the RAC, and contains the symmetric key used to encrypt or decrypt content, as well as all the usage rights granted to the user in the issuance license. A CLC is used for creating protected content offline, without requiring a connection to the RMS server.]

The term Owner is overloaded in the RMS Client API and is used in a lot of different contexts, such as to specify the OWNER right, an OWNER license, or an OWNER user. This post will attempt to clarify the various contexts in which the term Owner is used.

OWNER Right

This is the simplest and easiest to understand usage of the word Owner. The OWNER right is used to indicate that the user granted this right has full control (i.e. implies all possible rights even if they are not explicitly granted) on the content that the issuance license is associated with.

For example, if a user is explicitly granted only the OWNER right in the issuance license, the call to DRMCreateBoundLicense with wszRequestedRights in DRMBOUNDLICENSEPARAMS set to EDIT (or PRINT, or VIEW, and so on) will return success because the platform will detect that the user is granted the OWNER right. 

OWNER License

Offline publishing (enabled by passing in the DRM_SIGN_OFFLINE flag in DRMGetSignedIssuanceLicense) lets a user encrypt or decrypt content without requiring a connection to the RMS server. This is useful not just for publishing while offline, but also when online, as a performance optimization, to avoid the cost of going over the network. An OWNER license is a special use-license that is created by the RMS client to enable offline publishing. It gives the end-user performing the publishing operation (i.e. the user to which the CLC, passed in the wszClientLicensorCertificate parameter, belongs to) a use-license containing the OWNER right, with no expiration. This enables the end-user to use the OWNER license to encrypt the document, as well as access the encrypted document without requiring a connection to the RMS server.

An OWNER license is created even if the issuance license does not explicitly grant the user any rights, making this useful in scenarios where the user account applying RMS protection uses an RMS template that does not grant the user account any rights. For example, a data scanning and protection service that runs as Local System can use the OWNER license to apply protection to sensitive documents using RMS templates that grant access to only end-users.

Note that this capability should be used carefully. Since a highly privileged account can impersonate the built-in accounts, for security reasons, you may not want that user account to have any rights to the document once it is finished publishing. In such a scenario, the OWNER license should not be persisted to disk, should be used only in memory and discarded when encrypting the document is completed. This can be done by using the DRM_OWNER_LICENSE_NOPERSIST flag at the time of signing the issuance license, which ensures that the owner license is never written to disk. The in-memory copy of the OWNER license can always be retrieved using the DRMGetOwnerLicense API, irrespective of whether the DRM_OWNER_LICENSE_NOPERSIST flag is specified.

OWNER User

This is the least understood usage of OWNER. It is referenced in two places in the documentation: in the description of the “Internal” user id type in DRMCreateUser and as the hOwner parameter in DRMCreateIssuanceLicense. A user specified in the issuance license is typically identified by a user ID, such as an email address or SID, that specifies which user should get the assigned rights when a use-license is requested. An OWNER user is a special type of user whose user ID is not explicitly stated in the list of users and rights in the issuance license, but is obtained from the user set, as the hOwner parameter, when the issuance license is created.

This is useful for creating issuance licenses from templates in scenarios where an enterprise wants the same template applied to all sensitive documents, but wants a different owner for each document, depending on the author. Specifically, consider an example with two documents: one authored by user A, and another authored by user B. Both need to be protected by the same “Company Confidential Read Only” template, which grants all users listed in the template Read Only access. It is important that the document authors have full access to their content, but not to each other’s content, so they cannot both be listed with the OWNER right in the template. Also, it is not recommended to modify rights information in an issuance license created from a template, so the user corresponding to the document author should not be explicitly added to the issuance license with the OWNER right.

This problem in this scenario can be solved by enabling the following setting while creating the template on the server: “Grant owner (author) full control right with no expiration”, which translates to the following snippet in the resulting template (the OWNER right is granted to a user of type “Internal” and id “Owner”):

         <RIGHTSGROUP name="Main-Rights">
<RIGHTSLIST>
<RIGHT name="OWNER">
<CONDITIONLIST>
<ACCESS>
<PRINCIPAL>
<OBJECT>
<ID type="Internal">Owner</ID> </OBJECT>
</PRINCIPAL>
</ACCESS>
</CONDITIONLIST>
</RIGHT>
...
...
</RIGHTSLIST>
</RIGHTSGROUP>

Note that a client side template can be created similarly, using the DRMCreateUser API (by creating a user with wszUserId as “OWNER” and wszUserIdType as “Internal”) and then granting the user the OWNER right.

Using such a template for creating issuance licenses means that a different owner can be specified for every document author: one issuance license can be created from the template with user A set as hOwner in DRMCreateIssuanceLicense, and another issuance license can be created from the same template with user B set as owner. The user specified by hOwner is captured in the issuance license as the OWNER in the METADATA tag as follows:

<WORK>
<OBJECT type="Sensitive Document">
<ID type="MS-GUID">{0CC81A3A-7EA0-4A57-A90A-43C1C2AC868C}</ID>
<NAME>Sensitive Document</NAME>
</OBJECT>
<METADATA>
<OWNER>
<OBJECT>
<ID type="Windows" />
<NAME>userA@company.com</NAME>
</OBJECT>
</OWNER>
</METADATA></WORK>

When a use-license is requested from the RMS server for such an issuance license, the RMS server looks for the special OWNER user in the list of users and, if it exists, checks if an owner was specified in the METADATA of the issuance license. If the RAC corresponding to the end-user making the request for the use-license contains the same email address as the one listed in the METADATA of the issuance license, the end user is issued a use-license containing the OWNER right, with no expiration.

Note that for the hOwner user specified in DRMCreateIssuanceLicense to have any affect, a template containing the OWNER user must be specified, making this a little unintuitive. Instead, it might have been better if the hOwner specified always got OWNER rights. We’ll look into improving this in future releases of our product.

Pankaj Kamat, Senior Software Design Engineer