Azure RMS best practices for auditing

%3CLINGO-SUB%20id%3D%22lingo-sub-105856%22%20slang%3D%22en-US%22%3EAzure%20RMS%20best%20practices%20for%20auditing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-105856%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI'm%20having%20difficulty%20trying%20to%20implement%20this%20where%20the%20o365%20global%20admins%20(and%20who%20do%20not%20have%20read%20access%20to%20the%20file)%2C%20would%20be%20the%20ones%20using%20the%20auditing%20tool.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20assuming%20I%20would%20only%20install%20the%20Track%20and%20Revoke%20AIP%20tool%20on%20the%20admin%20PCs%2C%20but%20grant%20them%20'special'%20rights'%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E...and%20also%20just%20to%20confirm%2C%20if%20a%20user%20has%20the%20following%20rights%3A%3C%2FP%3E%3CP%3EView%20Content%2C%20Export%20Content%20(Save%20As)%2C%20Save%20File%2C%20Edit%20Content%3C%2FP%3E%3CP%3EIf%20they%20were%20to%20save%20as...'NewFile.docx'%2C%20how%20would%20that%20impact%20the%20auting%3F%20(it%20seems%20to%20keep%20the%20same%20Policy%20and%20Tracking%20info%20regardless%20of%20the%20filename)%3C%2FP%3E%3CP%3EIt%20also%20appears%20users%20with%20these%20RMS%20permisisons%20are%20able%20to%20remove%20the%20RMS%20protection%20(inc%20Tracking)%20from%20the%20original%20file.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20clarify%2C%20I%20am%20trying%20to%20acheive%20the%20following%3A%3C%2FP%3E%3CP%3E%5BPOLICY1%5D%3C%2FP%3E%3CP%3E-ADMIN%3CBR%20%2F%3ERead%3A%20Yes%3CBR%20%2F%3EAudit%20and%20Tracking%3A%20Yes%3C%2FP%3E%3CP%3E-End-User%3A%3CBR%20%2F%3ERead%3A%20Yes%3CBR%20%2F%3EEdit%2FSave%3A%20Yes%3CBR%20%2F%3ERemove%2FChange%20RMS%20Protection%3A%20No%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%5BPOLICY2%5D%3C%2FP%3E%3CP%3E-ADMIN%3CBR%20%2F%3ERead%3A%20No%3CBR%20%2F%3EAudit%20and%20Tracking%3A%20Yes%3C%2FP%3E%3CP%3E-End-User%3A%3CBR%20%2F%3ERead%3A%20Yes%3CBR%20%2F%3EEdit%2FSave%3A%20Yes%3CBR%20%2F%3ERemove%2FChange%20RMS%20Protection%3A%20No%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20sure%20if%20this%20is%20possible%2C%20but%20any%20suggestions%20would%20be%20great!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-105856%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERights%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-108726%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20RMS%20best%20practices%20for%20auditing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-108726%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20basically%20what%20I%20am%20trying%20to%20achieve.%3C%2FP%3E%3CP%3ECould%20someone%20clarify%20the%20Owners%20and%20Authors%3F%20ie.%20from%20the%20Azure%20Classic%20Portal%3B%20Authors%20has%20FULL%20Control.%20When%20configuring%20the%20RMS%20protection%20in%20the%20new%20Azure%20Portal%20Co-Owners%20do%20not%20have%20FULL%20Control.%3C%2FP%3E%3CP%3EAre%20Owners%2FAuthors%20(Co-Owners%2FCo-Authors)%20the%20users%20that%20creates%20the%20document%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20641px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F20516iACDC2380C732D4B3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Drawing2.jpg%22%20title%3D%22Drawing2.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIn%20addition%2C%20is%20it%20possible%20to%20have%20a%20group%20of%20users%20manage%20auditing%3F%3C%2FP%3E%3CP%3EFor%20example%2C%20HR%20Dept.%20has%20a%20confidential%20document%20and%20wants%20to%20track%20and%20audit%20it.%20Is%20it%20possible%20fo%20the%20HR%20dept%20to%20use%20the%20track%20and%20audit%20portal%26nbsp%3B%20and%20what%20access%20would%20they%20need%3F%3C%2FP%3E%3CP%3EI%20understand%20the%20AIP%20Client%20must%20be%20installed%20on%20the%20computer%20they%20are%20auditing%20from..%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

 

Hi,

I'm having difficulty trying to implement this where the o365 global admins (and who do not have read access to the file), would be the ones using the auditing tool.

 

I'm assuming I would only install the Track and Revoke AIP tool on the admin PCs, but grant them 'special' rights'? 

 

...and also just to confirm, if a user has the following rights:

View Content, Export Content (Save As), Save File, Edit Content

If they were to save as...'NewFile.docx', how would that impact the auting? (it seems to keep the same Policy and Tracking info regardless of the filename)

It also appears users with these RMS permisisons are able to remove the RMS protection (inc Tracking) from the original file.

 

To clarify, I am trying to acheive the following:

[POLICY1]

-ADMIN
Read: Yes
Audit and Tracking: Yes

-End-User:
Read: Yes
Edit/Save: Yes
Remove/Change RMS Protection: No


[POLICY2]

-ADMIN
Read: No
Audit and Tracking: Yes

-End-User:
Read: Yes
Edit/Save: Yes
Remove/Change RMS Protection: No

 

I'm not sure if this is possible, but any suggestions would be great!

 

Thanks

 

 

1 Reply

This is basically what I am trying to achieve.

Could someone clarify the Owners and Authors? ie. from the Azure Classic Portal; Authors has FULL Control. When configuring the RMS protection in the new Azure Portal Co-Owners do not have FULL Control.

Are Owners/Authors (Co-Owners/Co-Authors) the users that creates the document?

 

Drawing2.jpg

In addition, is it possible to have a group of users manage auditing?

For example, HR Dept. has a confidential document and wants to track and audit it. Is it possible fo the HR dept to use the track and audit portal  and what access would they need?

I understand the AIP Client must be installed on the computer they are auditing from..