SOLVED

single sign-on through documentum:


Former Community Member

Hello everyone.

Here is my scenario: We have a Documentum repository, and the users see the respective files using their user ID and password through Documentum TaskSpace. We want to sync the LDAP with LiveCycle and apply RM policies to all the documents in the repository using the LC process. So, if a user logs in and clicks on a document to open it, it should automatically check his credentials and the document should open if the user is defined in the policy. This avoids entering their user ID and password again for each document.

How do we make this single sign-on happen? I'm sure that RM provides it, but I'm not getting the steps or a proper document on how to implement it. Also, I'm a beginner in implementing RM.

One more question: I checked applying the policies to a document and opening it from another PC. I observed that we need to install the SSO certificate so that it will connect to the LC server to validate his credentials. Do we need to ask every user to install the certificate for them to open the policy-applied documents, even if all the users are in the internal network of the organisation?

Please help.

Thanks,

Krishna

1 Accepted Solution


Correct answer by
Former Community Member

Krishna

I'm not sure if I understand your last entry completely, but let me clarify... Rights Management does not use digital certificates (asymmetric encryption) to encrypt documents. Encryption is done using symmetric or "secret" key encryption with Advanced Encryption Standard (AES) keys at 128 or 256 bit key strength. No certificates need to be installed on any individual systems.

The AES keys are stored and managed on the RM server. When opening a protected document in "online" mode, the key is delivered to the client machine so the document can be decrypted; the key does not reside on the client machine.

Regards

Steve


10 Replies


Former Community Member

Any help on this please?

Also, I just got one more question from my client. If the document is taken offline (if the policy is given offline permissions for 10 days, let's say, and it has print permissions), the user can take the document on his thumb drive. What if the user prints it? I'm sure that this event will not be logged in LiveCycle.

Is it possible to disable printing when the document is taken offline, and enable the print option when the document is online? At least this way, we can keep track of who printed the document.

Thanks in advance,

krishna


Former Community Member

If the policy has "auditing" turned on, events that occur when the document is offline will still be logged and stored locally, and then uploaded to the RM server when a connection is re-established.

It is not possible to enable/disable permissions based on whether the document is opened online or offline.

Regards

Steve


Former Community Member

Hi Steve,

Thanks for your reply. I understand about logging all the events once we synchronize the document from offline to online.

But we are concerned about the documents that were not brought back online. As we cannot get the info on whether he printed the document or not, at least we want to make the document non-printable so that the user cannot print it.

Is that possible? Also, all users are eligible for viewing the documents, so there is no point in making each user enter his credentials to view the document. If a user clicks on the print button, we want the document to check with Rights Management to verify the user's credentials and apply a policy to prevent him from printing the document, or just message him saying that he is not eligible to print it. This way, we can avoid unnecessary entry of credentials for all users, and we can also reduce the traffic of contacting the Rights Management server. We can contact the RM server only for a few users, as only a few users will try to print the document.

Can we make this possible?

krishna


Former Community Member

Permissions specified in a policy for each user and or group are enforced whether the document is viewed online or offline.

You can create an "Anonymous User" policy and apply it to the document. When using "Anonymous" policies, users are NOT authenticated when the document is opened; one of the trade-offs, however, is that the permissions specified in the policy are "global", meaning you cannot set different permissions for different users. Either all users can print, or no users can print.

If you create a policy where specific users and groups are identified, then each user must authenticate to open/view the document, but you can set the permissions for each user and/or group individually. Some can be allowed to print, and some can be prevented from printing.

When a user has been granted the "offline" permission, the policy permissions are still enforced. When viewing the document offline, the user will not be prompted to authenticate to view the document, although authentication still takes place, as they will have authenticated (logged on) to their computer. The "principal" key used to decrypt a document offline is stored under the user's system (i.e. Windows) profile. For example, if Joe User has been granted offline permission, and Joe User logs onto his computer, he will be able to view the protected document. If another user, Chester Field, logs onto Joe User's computer, he will NOT be able to view the document offline as he does not have access to Joe User's profile information.

You cannot authenticate based on a user's action (i.e. clicking the print button); the user must authenticate prior to viewing the document (except in the case of an Anonymous policy).

Hope this helps.

Steve


Former Community Member

Hello Steve,

Thank you for the response. Your answer helped us a lot. This raised one more question for us.

1. If we create a policy on a document to take it offline, till now we have been presuming that the document can be taken on a thumb drive or CD and can be opened on any system without connecting to the server. This is not true for policy-applied documents. Am I right? Can we make this possible? You may ask why. We want the document to be invalidated 3 days after it is taken offline, and we don't mind whoever opens it on whatever system it is, but we want it to be gone after 3 days.

2. We have 5000 users who connect to our Documentum with their credentials, where we have our policy-applied documents. Do we need to install the certificate on all the systems? Or do we generally install the certificate on the Documentum server so that whoever logs in to Documentum will automatically be eligible to view the document? I mean single sign-on access to documents. Can you give some inputs on developing a PoC for this?

Thanks again,

Krishna


Former Community Member

Krishna

When a user has the permission to view a document offline, they can only view the document on computers where the corresponding "Principal" key has been downloaded. The "Principal" key(s) are downloaded in a few ways:

1) The first time a user opens a document where they have offline permissions, they are prompted to download the principal key.

2) When the user authenticates to open policy-protected documents, a check is performed and principal keys may be updated.

3) The user can force a "synchronization" from Reader or Acrobat from the menu: Document > Security > Adobe LiveCycle Rights Management > Synchronize for Offline.

For a document to be opened offline, a Principal key MUST reside on the computer used to view the document. There is no way around this.

As for SSO with Documentum, this is not possible. Rights Management supports SSO to the document via Microsoft Kerberos with Active Directory. That being said, there are some features that exist to limit the amount of time a user has to authenticate. When a user authenticates to a protected document, a session is established (the session timeout can be configured on the server); if the user does not close Acrobat or Reader, they will not be prompted for their credentials when opening subsequent policy-protected documents where they are a member of the policy.

You can also enable "credential caching" on the server so that a user's credentials will be cached on the client. Once stored on the client, the user will not be required to enter their user ID and password to open policy-protected documents where they are a member of the policy.

Regards

Steve
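As a constructed model (added here, not LiveCycle's own API or code) of the rules Steve lays out in his two replies above: anonymous versus named policies, permissions enforced identically online and offline, the offline principal key tied to the logged-on user's own profile, and an offline lease that lapses after a configured number of days. The class and field names, the `offline_days` lease and the sample users are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:
    name: str
    anonymous: bool = False        # anonymous policy: no login, one global permission set
    global_perms: frozenset = frozenset()
    user_perms: dict = field(default_factory=dict)  # principal -> permissions (named policy)
    offline_days: int = 0          # 0 = offline viewing not granted (assumed lease model)

@dataclass
class Client:
    logged_on_user: str            # OS (e.g. Windows) profile the viewer runs under
    online: bool
    authenticated_as: str = ""     # credentials presented to the RM server, if prompted
    principal_keys: dict = field(default_factory=dict)  # profile -> datetime key was synchronized

def can_open(policy, client, now):
    """Decide whether the document opens and which permissions apply."""
    if policy.anonymous:
        return True, policy.global_perms, "anonymous: not authenticated, global permissions"
    if client.online:
        user = client.authenticated_as
        if user not in policy.user_perms:
            return False, frozenset(), "online: user is not a member of the policy"
        return True, policy.user_perms[user], "online: authenticated against the RM server"
    # Offline: the principal key must sit under the logged-on user's own profile.
    user = client.logged_on_user
    synced = client.principal_keys.get(user)
    if synced is None or user not in policy.user_perms or policy.offline_days == 0:
        return False, frozenset(), "offline: no usable principal key in this profile"
    if now > synced + timedelta(days=policy.offline_days):
        return False, frozenset(), "offline: lease expired, reconnect to re-synchronize"
    return True, policy.user_perms[user], "offline: policy permissions still enforced"

def demo():
    # Constructed sample data: a named policy granting Joe view-only with a 3-day offline lease.
    policy = Policy("Confidential", user_perms={"joe.user": frozenset({"view"})}, offline_days=3)
    public = Policy("Public", anonymous=True, global_perms=frozenset({"view", "print"}))
    synced = datetime(2024, 1, 1)
    keys = {"joe.user": synced}                      # keys present on Joe's PC, per profile
    joe = Client("joe.user", online=False, principal_keys=keys)
    chester = Client("chester.field", online=False, principal_keys=keys)  # Chester on Joe's PC
    return {
        "joe_day2": can_open(policy, joe, synced + timedelta(days=2)),
        "chester": can_open(policy, chester, synced + timedelta(days=2)),
        "joe_day4": can_open(policy, joe, synced + timedelta(days=4)),
        "anon": can_open(public, chester, synced),
    }
```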


Former Community Member

Thanks a lot Steve.

I understood what you were saying about entering credentials part.

I was not clear on one last question: does it mean that the RM certificate needs to be installed on all the individual systems for viewing policy-enabled documents, no matter whether it is 5,000 or 10,000 users?

Our Documentum works in sync with LDAP.

--Krishna


Former Community Member

Thanks for your prompt answers Steve. It helped a lot.

Krishna