Announcing the Rights Management Services File API

  • Article

As you know, we have made developing RMS-enabled applications much easier with the release of the AD RMS SDK 2.0. What used to take months and thousands of lines of code, now takes days and just a few dozen API calls.

That means that if you develop an application that creates documents that need to be protected, you can now do so with minimal investment and in a very consistent and robust way.

 But what if your application has to deal with files in a format that is not its own? What if your application has to protect or consume files that can be in ANY of a myriad of file formats, many of which you don’t even understand? For example, your application is a document management system to which documents in different formats can be uploaded, or it might be a Data Leakage Prevention solution that has to scan and protect files in different formats as they are found on disk. In those cases, handling protected files involved a significant effort as you had to make decisions on the fly based on the format the files were in, and perform lots of low-level functions to get files protected and unprotected as needed.

 We are pleased to announce the new File API for Rights Management Services. The File API is a new API that allows applications to easily protect and unprotect files in a single operation. With the file API, you pass the file to an API like EncryptFile along with the policy you want applied and the API does the rest. It will identify the file’s format, and then protect the file appropriately. If it can’t find a suitable protector it will use the brand new Protected File format to encrypt the file and embed access controls so the file is protected in a generic format. All in a single operation.

 For example:

 

            if (IpcfIsFileProtected(wszFilePath))

            {

                // Unprotected file so protect it with full rights to the provided email name

                hr = IpcfEncryptFile(wszFilePath, UsageRights, Owner);    

            } 

And if your application has to consume protected files, it is equally simple. You call the API, pass a pointer to the file and, assuming your software runs under an account with the required rights, you get an unprotected file as a result.

This can be extremely useful in integrating solutions with AD RMS, for example:

  • A document management system can use the File API to encrypt and decrypt files as they are uploaded and downloaded from the document libraries.
  • A Data Leakage Prevention solution can pass encrypted files to the File API in order to scan their content for sensitive data, as well as using the API to apply different policies to documents found to contain data that needs to be protected.
  • A document scanning solution such as an antivirus software can use it to decrypt files before passing them to the antimalware engine.
  • A search indexer can use the file API to decrypt files in order to index them.
  • A mobile device management system can use the File API to decrypt protected files in order to protect them with a device-specific solution.

 And there are many, many other scenarios where the File API can be used to integrate your software with AD RMS.

 So how does the File API relate to the AD RMS SDK 2.0 (a.k.a. MSIPC)? The File API is built on top of the SDK, so in essence there’s no overlap in functionality. If your application creates files in its own file format and you are responsible for controlling that file format, then the SDK 2.0 will enable you to create files in the right file format. If, on the other hand, you have to deal with files created by other applications in format you don’t control and you want to be able to protect or decrypt such files from your own software in order to provide protection while you are able to do things with the files content, then the File API is for you.

So I can imagine you are anxious to begin working with the File API. File API Beta is now available at Microsoft Connect (https://connect.microsoft.com/site1170/program6586). You need to sign-up to Microsoft Connect with your Microsoft Account (a.k.a. Live ID), join the Rights Management Services TAP (you can use the Search function to find this in the Directory) and then download the API package by going to https://connect.microsoft.com/site1170/downloads. Once you begin testing it, you can post your feedback at https://connect.microsoft.com/site1170/feedback.

We will be looking forward to see the new solutions you build by using the File API!