Abstract: The present invention extends to methods, systems, and computer program products for workflow based authorization for content access. A workflow can be triggered when a protection policy does not fully express an intended recipient's rights in protected content. A workflow processes relevant inputs to more fully express the intended recipient's rights in protected content. Workflows can provide policy item updates and authorizations decisions with respect to protected content. Through the use of workflows to make an authorization decision, access to information can become more flexible, allowing it to follow the desired flow of information throughout its lifecycle. This flexibility allows organizations to protect their information without worrying about the protection stopping the natural flow of business.

Abstract: The present invention extends to methods, systems, and computer program products for separating authorization identity from policy enforcement identity. Embodiments of the invention extend the consumption phase for protected information. Two identities, an authorization identity and a policy enforcement identity, are used for acquiring, issuing and enforcing usage license instead of one identity certificate. The authorization identity is used to evaluate against usage policy. The authorization identity is similar to identification information in an identity certificate. The policy enforcement identity is used to ensure the confidentiality of granted permissions and content key. The policy enforcement identity enforces a usage license on an authorization principal's (e.g., recipient's) machine. The policy enforcement identity's enforcement of a usage license is similar use of a cryptographic key in an identity certificate.

Abstract: One embodiment includes a method which may be practiced in a computing environment where resources are distributed. The method includes acts for obtaining policy information defining restrictions on resources distributed in the computing environment. The method includes sending a request to a server for metadata about one or more resource protection policies at the server. In response to the request, metadata about one or more resource protection polices at the server is received from the server. The metadata from the server is analyzed. Based on analyzing the metadata, one or more resource protection policies stored at the client are updated.

Abstract: The present invention extends to methods, systems, and computer program products for separating authorization identity from policy enforcement identity. Embodiments of the invention extend the consumption phase for protected information. Two identities, an authorization identity and a policy enforcement identity, are used for acquiring, issuing and enforcing usage license instead of one identity certificate. The authorization identity is used to evaluate against usage policy. The authorization identity is similar to identification information in an identity certificate. The policy enforcement identity is used to ensure the confidentiality of granted permissions and content key. The policy enforcement identity enforces a usage license on an authorization principal's (e.g., recipient's) machine. The policy enforcement identity's enforcement of a usage license is similar use of a cryptographic key in an identity certificate.

Abstract: The present invention extends to methods, systems, and computer program products for a centrally accessible policy repository. Protection policies for protecting resources within an organization are stored at a central policy repository. Thus, an administrator can centrally create, maintain, and manage resource protection polices for all of the organizational units within an organization. Accordingly, resources consumed when performing these protection policy related operations is significantly reduced. Additionally, since protection policies are centrally located, there is increased likelihood of being able to consistently apply an organization's protection policies within different organizational units, even when protection policies change.

Abstract: A scalable computing system for managing annotations is capable of handling requests for annotations to millions of documents a day. The computing system consists of multiple tiers of servers. A tier I server indicates whether there are annotations associated with a content source. A tier II server indexes the annotations. A tier III server stores the body of the annotation.

Abstract: The secure application of content protection policies to content. The secure application of content protection polices is accomplished by having an enforcement mechanism monitor policy application points to detect the transfer of content. The enforcement mechanism accesses the content and a determination is made to protect the content. A usage policy is then identified by the enforcement mechanism to apply to the content and the usage policy is then applied to the content, resulting in a usage policy for the content.

Abstract: A method, apparatus, and software are disclosed for delivering customized content to clients with diverse content needs, such as clients from diverse geographical areas an language backgrounds. Customizable content is separated from the underlying code, which is used as a template for inserting localized content into a basic document framework as represented by the template. Both electronic mail and Web community customization techniques are disclosed.

Abstract: Embodiments described herein are directed to selectively redacting and unredacting display information in accordance with a redaction policy. In one embodiment, a computer system receives user input indicating a user's intention to selectively redact portions of accessed documents. The computer system accesses at least one document, such that the document is capable of being displayed to the user. The computer system determines that the accessed document comprises one or more tags indicating which portions of the document are to be redacted. The computer system dynamically redacts those portions of the document identified by the tags without otherwise altering the structure of the document, in accordance with the user's intention. The computer system also displays the document according to the document's original structure, omitting the dynamically redacted portions.

Abstract: The present invention extends to methods, systems, and computer program products for pre-performing operations for accessing protected content. Cryptographic user key pairs can be pre-generated and distributed in response to a variety of different events prior to provisioning client machine for accessing protected content. Usage licenses can be pre-generated and allocated prior to requests for usage licenses. Usage licenses can be pre-obtained for client machines prior to client machines access protected content. Pre-performed operations can be performed in response to detected events, such as, for example, reduced resource consumption in a Digital Rights Management system.

Abstract: A method, apparatus, and software are disclosed for delivering customized content to clients with diverse content needs, such as clients from diverse geographical areas an language backgrounds. Customizable content is separated from the underlying code, which is used as a template for inserting localized content into a basic document framework as represented by the template. Both electronic mail and Web community customization techniques are disclosed.

Abstract: The present invention extends to methods, systems, and computer program products for workflow based authorization for content access. A workflow can be triggered when a protection policy does not fully express an intended recipient's rights in protected content. A workflow processes relevant inputs to more fully express the intended recipient's rights in protected content. Workflows can provide policy item updates and authorizations decisions with respect to protected content. Through the use of workflows to make an authorization decision, access to information can become more flexible, allowing it to follow the desired flow of information throughout its lifecycle. This flexibility allows organizations to protect their information without worrying about the protection stopping the natural flow of business.

Abstract: Systems and methods for providing digital rights management services are disclosed. Such a system includes a service program that provides a processing framework for performing a digital rights management service, such as publishing or licensing rights managed digital content. A plurality of plug-in components are provided, each of which performs a respective task associated with the digital rights management service. The plug-in components are integrated into the processing framework according to predefined sets of interface rules.

Abstract: The present invention extends to methods, systems, and computer program products for a centrally accessible policy repository. Protection policies for protecting resources within an organization are stored at a central policy repository. Thus, an administrator can centrally create, maintain, and manage resource protection polices for all of the organizational units within an organization. Accordingly, resources consumed when performing these protection policy related operations is significantly reduced. Additionally, since protection policies are centrally located, there is increased likelihood of being able to consistently apply an organization's protection policies within different organizational units, even when protection policies change.

Abstract: The secure application of content protection policies to content. The secure application of content protection polices is accomplished by having an enforcement mechanism monitor policy application points to detect the transfer of content. The enforcement mechanism accesses the content and a determination is made to protect the content. A usage policy is then identified by the enforcement mechanism to apply to the content and the usage policy is then applied to the content, resulting in a usage policy for the content.

Abstract: Providing access to information based on super policy. Information is associated with author policy expressing restrictions on use of the information The author policy is processed using super policy programmatic code to generate a composite policy. The composite policy includes a combination of the author policy and super policy applied by the super policy programmatic code, such that restrictions are added to or removed from the author policy to create the composite policy. A request for the information is evaluated. This includes evaluating information about the requester against the composite policy to determine if the requester is authorized to access the information. A determination is made that the requester is authorized to access the information based on the composite policy, where after the requester is authorized to access the information based on the composite policy, access is granted to the information to the requester.

Abstract: The offline consumption and publication of protected information in a networked environment. The offline consumption of protected information is accomplished by having the consuming user maintain a store of asymmetric encryption keys. The protected information is encrypted by the publishing user using a symmetric key and the symmetric key is then encrypted using a public asymmetric key associated with the consuming user. The consuming user received the protected information and a usage policy containing the encrypted symmetric key. The consuming user verifies that it can decrypt the symmetric key using a private asymmetric key maintained by the consumer. The user then decrypts the symmetric key and accesses the content of the protected information.

Abstract: The present invention extends to methods, systems, and computer program products for pre-performing operations for accessing protected content. Cryptographic user key pairs can be pre-generated and distributed in response to a variety of different events prior to provisioning client machine for accessing protected content. Usage licenses can be pre-generated and allocated prior to requests for usage licenses. Usage licenses can be pre-obtained for client machines prior to client machines access protected content. Pre-performed operations can be performed in response to detected events, such as, for example, reduced resource consumption in a Digital Rights Management system.

Abstract: Embodiments described herein are directed to selectively redacting and unredacting display information in accordance with a redaction policy. In one embodiment, a computer system receives user input indicating a user's intention to selectively redact portions of accessed documents. The computer system accesses at least one document, such that the document is capable of being displayed to the user. The computer system determines that the accessed document comprises one or more tags indicating which portions of the document are to be redacted. The computer system dynamically redacts those portions of the document identified by the tags without otherwise altering the structure of the document, in accordance with the user's intention. The computer system also displays the document according to the document's original structure, omitting the dynamically redacted portions.

Abstract: One embodiment includes a method which may be practiced in a computing environment where resources are distributed. The method includes acts for obtaining policy information defining restrictions on resources distributed in the computing environment. The method includes sending a request to a server for metadata about one or more resource protection policies at the server. In response to the request, metadata about one or more resource protection polices at the server is received from the server. The metadata from the server is analyzed. Based on analyzing the metadata, one or more resource protection policies stored at the client are updated.