If you’re protecting files on your Windows Server with Microsoft Rights Management Services (RMS), then you need to know how the rights assigned by RMS relate to the NTFS permissions already in place on the file. To explore that relationship we will use the example of one Word document that is both protected by RMS and also stored on an NTFS volume. The table below lists the NTFS permissions and RMS rights for three different users, who are each trying to open that document.
Note that the NTFS permission to Read the file only gives these users access to open the file. Because the file has RMS protection embedded, it can only be opened by an RMS-aware application such as Word 2016. When Word opens the file, it checks with the RMS server to see what rights the user has to the protected document. The application then enforces those rights and restrictions.
In the above table, Rachel has permissions to read the file so she will be able to access it. As Word opens the document the RMS rights are evaluated. Although Rachel has the RMS rights to view and edit the document, in fact she will only be able to view it. Rachel cannot edit the document because that is not supported by the NTFS permissions.
Mike is also able to access the file as he has the Full Control permission level in NTFS. However, because the file is protected by RMS, Mike’s rights to use the file are evaluated as it is opened in Word. Mike is not able to even view the document since he has not been granted any RMS rights to do so. Although he has the NTFS permission level of Full Control for the file, this does not allow him to change the rights granted to him by RMS.
John, on the other hand, is unable to open the Word document because he has no NTFS permissions to access it. He is thus unable to view the file, even though RMS has granted him the rights to do so.
It should be noted that RMS protection is embedded with the file and travels with it, whereas NTFS permissions will not stay with the file if it is emailed or moved to a non-NTFS file system. This illustrates the benefit of using RMS to protect files that need to be shared with others, as RMS-protected files remain protected both at rest and in transit. It is only when that file is on an NTFS volume that we need to also take into account the NTFS permissions.
To summarize: Both the NTFS permissions and the rights assigned by RMS need to be taken into account. If the actions permitted by permissions and rights overlap (e.g. “read” and “view”), then both need to be assigned to the user for them to be able to carry out the action.
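The evaluation described above can be modelled in a few lines and used to spot users whose NTFS permissions and RMS rights disagree. This is an added example, not Microsoft's implementation: the function names, the mapping from NTFS permission levels to actions, and the sample data (built from the three users in this article) are all assumptions made for illustration.

```python
# Added illustration: a simplified model of the evaluation described in the
# article, not Microsoft's implementation. All names here are assumptions.

# Actions each NTFS permission level supports (only the levels the article uses).
NTFS_ACTIONS = {
    None: set(),
    "Read": {"view"},
    "Full Control": {"view", "edit"},
}

# Constructed sample data: the three users from the article.
USERS = {
    "Rachel": {"ntfs": "Read", "rms": {"view", "edit"}},
    "Mike": {"ntfs": "Full Control", "rms": set()},
    "John": {"ntfs": None, "rms": {"view"}},
}


def effective_actions(ntfs, rms, on_ntfs=True):
    """Return the actions a user can actually perform on the document."""
    if not on_ntfs:
        # Emailed or moved off NTFS: only the embedded RMS rights apply.
        return set(rms)
    # On an NTFS volume an action must be allowed by both layers.
    return NTFS_ACTIONS[ntfs] & set(rms)


def audit(users):
    """List the places where the two layers disagree for each user."""
    findings = {}
    for name, u in users.items():
        ntfs_ok = NTFS_ACTIONS[u["ntfs"]]
        notes = []
        for action in sorted(u["rms"] - ntfs_ok):
            notes.append(f"RMS grants '{action}' but NTFS blocks it")
        if ntfs_ok and not u["rms"]:
            notes.append("NTFS access but no RMS rights: document cannot be viewed")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, u in USERS.items():
        on_vol = sorted(effective_actions(u["ntfs"], u["rms"]))
        off_vol = sorted(effective_actions(u["ntfs"], u["rms"], on_ntfs=False))
        print(f"{name}: on NTFS={on_vol}, off NTFS={off_vol}")
    for name, notes in audit(USERS).items():
        print(name, notes)
```

The `on_ntfs=False` case shows why RMS matters for shared files: once the document leaves the NTFS volume, only the embedded RMS rights decide what each user can do.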