Bentley CONNECT Dynamic Rights Management Service

v1.0 Implementation Guide Last Updated: March 20, 2013

Table of Contents Notices...5 Chapter 1: Introduction to Management Service...7 Chapter 2: Configuring Bentley Dynamic Rights...9 Adding Role Services and Features for Bentley Dynamic Rights...9 Network Connectivity Requirements for Bentley Dynamic Rights...10 Installing and Configuring Bentley Dynamic Rights...11 To Install Bentley Dynamic Rights...11 To Configure the Dynamic Rights Management Utility...15 To Allow a Computer Access to the Bentley Dynamic Rights...17 To Remove a Computer's Access to the Bentley Dynamic Rights...19 Creating and Managing Policies and Policy Sets...20 To Create a Dynamic Rights Management Policy Set...21 To Create a Dynamic Rights Management Policy...21 Chapter 3: Configuring ProjectWise for Bentley Dynamic Rights Management Service...23 Enabling Dynamic Rights Management in the dmskrnl.cfg File...23 To Enable Dynamic Rights Management in the dmskrnl.cfg File...23 Adding the Location of the Bentley Dynamic Rights to dmskrnl.cfg...24 To Add the Location of the Bentley Dynamic Rights to dmskrnl.cfg...24 Adding Users / Groups Access to Dynamic Rights Commands in ProjectWise...24 To Add Users / Groups Access to Dynamic Rights Commands in ProjectWise...24 Protecting Documents with Dynamic Rights Management Policies...25 To Apply a Policy to a Document...26 To Apply a Policy from the Verify Protection Dialog...27 To Remove a Policy from a Document...29 To Revoke Access to a Protected Document...30 To Revoke Access to a Protected Document from the Verify Protection Dialog...31 To Unrevoke Access to a Document...32 To Switch a Policy on a Document...33 To Verify Protection on a Document...35 Apply Policy Dialog...36 Revoke Access Dialog...36 Verify Protection Dialog...37 Switch Policy Dialog...37 ProjectWise Office Integration and the Adobe LiveCycle Rights Management Extension for Microsoft Office...38 3 Implementation Guide

This page intentionally left blank 4 Implementation Guide

Notices Trademark Notice Bentley and the B Bentley logo are either registered or unregistered trademarks or service marks of Bentley Systems, Incorporated, or one of its direct or indirect wholly-owned subsidiaries. Other brands and product names are trademarks of their respective owners. Copyright Notice Copyright (c) 2013 Bentley Systems, Incorporated., Copyright (c) 2013 Bentley Systems, Incorporated. All Rights Reserved. Including software, file formats, and audiovisual displays; may only be used pursuant to applicable software license agreement; contains confidential and proprietary information of Bentley Systems, Incorporated and/or third parties which is protected by copyright and trade secret law and may not be provided or otherwise made available without proper authorization. Acknowledgements Includes Adobe (R) Portable Protection Library technology. Portions Copyright (c) Adobe Systems, Inc. Restricted Rights Legends If this software is acquired for or on behalf of the United States of America, its agencies and/or instrumentalities ( U.S. Government ), it is provided with restricted rights. This software and accompanying documentation are commercial computer software and commercial computer software documentation, respectively, pursuant to 48 C.F.R. 12.212 and 227.7202, and restricted computer software pursuant to 48 C.F.R. 52.227-19(a), as applicable. Use, modification, reproduction, release, performance, display or disclosure of this software and accompanying documentation by the U.S. Government are subject to restrictions as set forth in this Agreement and pursuant to 48 C.F.R. 12.212, 52.227-19, 227.7202, and 1852.227-86, as applicable. Contractor/Manufacturer is Bentley Systems, Incorporated, 685 Stockton Drive, Exton, PA 19341-0678. Unpublished - rights reserved under the Copyright Laws of the United States and International treaties. 5 Implementation Guide

Notices Restricted Rights Legends This page intentionally left blank 6 Implementation Guide

Introduction to 1 dynamically protects and secures project information for Bentley content management applications, and serves as a common dynamic rights management service for all Bentley applications. Using Bentley Dynamic Rights, authorized users can create a secure document from any Adobe PDF, Microsoft Word, Excel, or PowerPoint file. The protected document is stored in the appropriate Bentley content management application. A document is protected when an authorized user applies a policy to it. Protecting a document with a policy allows the document owner control over the document even after it is distributed to recipients. The document owner can still revoke, change, or switch the policy, if necessary. The following list describes what happens on each component of a Dynamic Rights Management system when a service request is submitted from ProjectWise Explorer: 7 Implementation Guide

Introduction to 1. An authorized ProjectWise Explorer user submits a dynamic rights management service request to create a secure document from one of the supported formats. Supported file formats include Adobe PDF, Microsoft Word, Excel, and PowerPoint files. 2. The ProjectWise Integration Server sends a copy of the document to be protected to the Bentley CONNECT Dynamic Rights (On-premise - Service Component) where the document is secured, and then stored back in ProjectWise. 3. The (On-premise - Service Component) receives a copy of the document to be protected and then forwards the document's file type and necessary metadata (not the content) to the (Cloud - Bentley CONNECT) component. In return, it receives the necessary information to secure the document from the Bentley CONNECT cloud component. The document is secured and then sent back to the ProjectWise Integration Server node. 8 Implementation Guide

Configuring Bentley Dynamic Rights Management Service 2 This section discusses everything you need to configure in order to install and deploy Bentley Dynamic Rights. Configuration Checklist for Configuring Bentley Dynamic Rights The following is a checklist of all the things you need to do, in order to set up Bentley Dynamic Rights. 1. See the Supported Operating Systems and Adding Role Services and Features sections. 2. Make sure that the computer you are installing on and the ProjectWise Integration Server computer are on the same domain. 3. Make sure that the required TCP ports listed in the Network Connectivity Requirements for Bentley Dynamic Rights section are open. 4. Make sure that you configure the Dynamic Rights Management Utility and enter the credentials to connect to the in the cloud. 5. For security reasons, you may want to restrict the IP addresses that have access to the Bentley Dynamic Rights computer. 6. Create at least one policy set and the necessary policies on the cloud component. Supported Operating Systems Bentley Dynamic Rights can be installed on the following operating systems: Windows Server 2008 R2 SP1 Windows Server 2012 Adding Role Services and Features for Bentley Dynamic Rights In Server Manager, turn on the following features and role services. Role Services and Features for Windows Server 2008 R2 Role services: Management Tools IIS Management Console IIS 6 Management Compatibility 9 Implementation Guide

Configuring Bentley Dynamic Rights Network Connectivity Requirements for Bentley Dynamic Rights Features: IIS 6 Metabase Compatibility.NET Framework 3.5.1 Features.NET Framework 3.5.1 WCF Activation HTTP Activation Non-HTTP Activation Role Services and Features for Windows Server 2012 Role services: Web Server (IIS) Web Server Management Tools Features: IIS Management Console IIS 6 Management Compatibility.NET Framework 3.5 Features.NET Framework 3.5 (includes.net 2.0 and 3.0) HTTP Activation Non-HTTP Activation.NET Framework 4.5 Features.NET Framework 4.5 ASP.NET 4.5 WCF Services HTTP Activation Network Connectivity Requirements for Bentley Dynamic Rights This section describes the different kinds of network connectivity that Bentley Dynamic Rights requires to route dynamic rights management requests submitted from ProjectWise Explorer users. TCP port 443 (HTTPS) and TCP port 8080 must be open to the internet. The Bentley Dynamic Rights computer communicates with the in the cloud using ports 443 and 8080. You can use the Windows Firewall with Advanced Security dialog (Control Panel > Windows Firewall > Advanced Settings) to open a port. Note: The on-premise component does not support the use of proxy connections to the cloud service. Thus, if you use a proxy 10 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights server on your network, you may need to make firewall or network adjustments, such as an exception for this computer. TCP port 808 (Microsoft Net.TCP Port Sharing Service) must be open between the ProjectWise Integration Server and Bentley Dynamic Rights computers. Tip: To allow access to port 808 on the Bentley Dynamic Rights computer (Windows Server 2008 R2), you can enable the Windows Firewall inbound rule Windows Communication Foundation Net.TCP Listener Adapter (TCP-In). This is a program rule for C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe). This inbound rule should already be enabled on Windows Server 2012. To support nettcpbinding, you will need to install the Non-HTTP Activation feature from the Add Features Wizard and make sure the following services are running: Net.Tcp Listener Adapter and the Net.Tcp Port Sharing Service. Installing and Configuring Bentley Dynamic Rights Management Service After you install the required role services and features, you can install Bentley Dynamic Rights. It can be installed on the same computer as ProjectWise Integration Server or on a separate computer. If you install it on a separate computer, make sure that the two computers are on the same domain. You will need to launch the Dynamic Rights Management Utility to configure the credentials necessary to connect to the in the cloud. You can choose to launch the utility during the installation of the software or afterwards. To Install Bentley Dynamic Rights 1. Double-click the Bentley Dynamic Rights MSI file. 2. When the setup wizard opens, click Next. 11 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 3. When the End-User License Agreement page opens, accept the license agreement and click Next. 4. When the Destination Folder page opens, accept or change the default installation folder (C:\Program Files (x86)\bentley\dynamic Rights Management\), then click Next. 12 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 5. When the Configure virtual directory page opens, do the following: a. Select a website from the Websites Found list box. b. Accept the virtual directory name (BentleyDRMService) or type in a new one. This virtual directory name will be used in the ProjectWise Integration Server dmskrnl.cfg file to define the location of the Bentley Dynamic Rights on-premise computer. c. Click Next. 13 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 6. When the Ready to Install Bentley Dynamic Rights page opens, click Install. 7. On the last page of the wizard, the options to launch the Product Activation Wizard and the Dynamic Rights Management Utility are on by default. You can turn either of these options off if you prefer to do them later. 14 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 8. Click Finish. If you selected the options to launch both the Product Activation Wizard and the Dynamic Rights Management Utility, the Product Activation Wizard opens first for you to configure licensing for this product. When you close the wizard, the Dynamic Rights Management Utility opens for you to configure the credentials to connect to the Bentley Dynamic Rights in the cloud. To Configure the Dynamic Rights Management Utility The Dynamic Rights Management Utility lets you configure the credentials to connect to the Bentley CONNECT Dynamic Rights in the cloud. The user name you enter in this utility determines which policies and policy sets are made available to ProjectWise Explorer users when securing documents. 1. To launch the Dynamic Rights Management Utility, do one of the following: On Windows Server 2008 R2, select Start > All Programs > Bentley > Bentley Dynamic Rights > Dynamic Rights Management Utility. or On Windows Server 2012, press the Windows key or press Ctrl + Esc to open the Start screen, then select Dynamic Rights Management. The Dynamic Rights Management Utility opens. 15 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 2. On the Settings tab, set the following: DRM server name - Enter the URL of the in the cloud. Port - Enter the TCP port used to communicate with the in the cloud. This is typically port 443 (HTTPS). User name / Password - Enter the credentials of an account used to log in to the Bentley CONNECT Dynamic Rights in the cloud. The user name you enter in this utility determines which policies and policy sets are made available to ProjectWise Explorer users when securing documents. Make sure that this user and the user you assign the role of document publisher when you create your policy sets are the same. Test connection [Optional] - Click to test the connection to the in the cloud. 16 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 3. Optional: In the Access tab, do the following: Select Allow all IP addresses to allow all computers access to the Bentley Dynamic Rights computer. or Un-check Allow all IP addresses, type in the IP address of a computer to allow access to the Bentley Dynamic Rights computer, and then click Add. (Repeat this step to allow other computers access.) Note: For more information, see To Allow a Computer Access to the Bentley Dynamic Rights. 4. Click OK. The Dynamic Rights Management Utility closes. To Allow a Computer Access to the Bentley Dynamic Rights Management Service The default behavior of Bentley Dynamic Rights is to allow access for all IP addresses. For security reasons, you may want to modify this behavior so that only specific IP addresses have access. This task explains how to give access to specific IP addresses. 1. To launch the Dynamic Rights Management Utility, do one of the following: On Windows Server 2008 R2, select Start > All Programs > Bentley > Bentley Dynamic Rights > Dynamic Rights Management Utility. or On Windows Server 2012, press the Windows key or press Ctrl + Esc to open the Start screen, then select Dynamic Rights Management. The Dynamic Rights Management Utility opens. 17 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 2. Select the Access tab. The Access tab opens. 3. Clear the Allow all IP addresses check box. The Add control becomes active. 4. Do one of the following: Type in an IP address, then click Add. or Type in a comma-separated list of IP addresses, then click Add. The IP addresses display in the Allow these IP addresses list box. 18 Implementation Guide

Configuring Bentley Dynamic Rights Installing and Configuring Bentley Dynamic Rights 5. Click OK. The Dynamic Rights Management Utility closes. To Remove a Computer's Access to the Bentley Dynamic Rights Management Service The default behavior of Bentley Dynamic Rights is to allow access for all IP addresses. For security reasons, you may want to modify this behavior so that only specific IP addresses have access. This task explains how to remove access to one or more computers. 1. To launch the Dynamic Rights Management Utility, do one of the following: On Windows Server 2008 R2, select Start > All Programs > Bentley > Bentley Dynamic Rights > Dynamic Rights Management Utility. or On Windows Server 2012, press the Windows key or press Ctrl + Esc to open the Start screen, then select Dynamic Rights Management. The Dynamic Rights Management Utility opens. 2. Select the Access tab. The Access tab opens. 19 Implementation Guide

Configuring Bentley Dynamic Rights Creating and Managing Policies and Policy Sets 3. Select one or more IP addresses from the Allow these IP addresses list box. 4. Click Remove. The IP addresses are removed from the Allow these IP addresses list box. 5. Click OK. The Dynamic Rights Management Utility closes. Creating and Managing Policies and Policy Sets In this section, you will use your administrator web site (e.g., https://www.your-web-site.com/adminui/) to create policy sets and policies. This section is not intended to be a complete guide to creating and managing policies and policy sets, but will help you to jump start the process. Before you create a policy, you must create a policy set. A policy set is a container for policies and allows you to group similar policies together. For example, if users within your organization need to use different sets of policies, you can group the policies in separate policy sets. Then when an authorized user wants to secure a document, they can select the appropriate policy set. You can create policies after you create your policy sets. A policy can specify different confidentiality settings for specific users. For example, one user may be permitted to print a document, while another user is permitted to print and make changes to the document. If you create a new user account for a Policy Set Coordinator or Document Publisher, be sure to assign the following role assignments when adding their user accounts: Rights Management End User--Members of this role can access Rights Management End User Console. 20 Implementation Guide

Configuring Bentley Dynamic Rights Creating and Managing Policies and Policy Sets Services User--Members of this role can view and invoke any LiveCycle Service. To Create a Dynamic Rights Management Policy Set 1. From your browser, type in your administrator web site (e.g., https://www.your-web-site.com/adminui/), then log in using your User ID and password. Note: You will need the User ID / Password credentials you were given when you subscribed to the product. 2. When the Home page opens, select Services > LiveCycle Rights Management > Policies > Policy Sets, then click New. 3. When the Enter name (Step 1 of 4) page opens, type in a name and description for the policy set, then click Next. 4. When the Add Visible Users and Groups (Step 2 of 4) page opens, select Add Domain(s), select a domain you created or select the Default Domain check box, then click Add. The Add Visible Domains page opens. 5. Click OK, then click Next. The Add Visible Domains page closes. 6. When the Add Policy Set Coordinator(s) (Step 3 of 4) page opens, select Add Users and Groups and click Find to display a list of users, select the user you were given when you subscribed to the product, or select a user you added to be the policy set coordinator, then click Next. Note: You typically add a policy set coordinator to author the policies in the policy set. You can also add a group as the policy set coordinator. 7. When the Add and Assign Permissions page opens, select the permissions you want to give to the policy set coordinator and click Add, then click Next. Important: If the policy set coordinator is to author the policies in the policy set, make sure you give them (at a minimum) the first three permissions (View Events, Manage documents, and Manage policies). 8. When the Add Document Publisher(s) (Step 4 of 4) page opens, select Add Users and Groups and click Find to display a list of users, select the user you were given when you subscribed to the product or select a user you added to be the document publisher and click Add, then click OK. Note: The user you assign the role of document publisher will be used when you configure the Dynamic Rights Management Utility. This user determines which policies and policy sets are made available to ProjectWise Explorer users when securing documents. 9. Click Save. To Create a Dynamic Rights Management Policy You must create a policy set before you can create a policy. 1. From your browser, type in your administrator web site (e.g., https://www.your-web-site.com/adminui/), then log in using your User ID and password. Note: You will need the User ID / Password credentials you were given when you subscribed to the product. 2. When the Home page opens, select Services > LiveCycle Rights Management > Policies > Policy Sets. 21 Implementation Guide

Configuring Bentley Dynamic Rights Creating and Managing Policies and Policy Sets 3. Select the name of the policy set, select the Policies tab, then click New. 4. Type in a name and description for the new policy. 5. Under Users and Groups, do one of the following: Click Add User or Group, and then type in the user or group, otherwise, follow the steps below to perform an advanced search for a user or group. Click Advanced Search. Set the search criteria (by setting the using, type, and in controls), then click Find. Select the user or group, then click Add. Select the check box for the user or group in the Permissions section to set the permissions. or Click Add Anonymous User to give everyone access, then select the check box for Anonymous User in the Permissions section to set the permissions. Note: You cannot specify a specific user or group and Anonymous User in the same policy. It is one or the other, but not both. 6. To set the permissions for the selected user, do one of the following: Select the permissions for the user (Print, Modify, or Copy). or Select Show custom permissions for PDF to expose additional permissions for Print, Modify, and Copy, then select the appropriate permissions. 7. Under General Settings, specify various settings, or take the default settings. 8. Under Advanced Settings, specify various settings, or take the default settings. 9. Under Unchangeable Advanced Settings, specify various settings, or take the default settings. 10. Click Save. The Edit Policy Set page opens. 11. Set the check box to the left of the policy name and click Enable, then click OK. 22 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights 3 At this point in the configuration, you should have already installed and deployed Bentley Dynamic Rights. Now you can configure the ProjectWise Integration Server and ProjectWise Administrator computers for Bentley Dynamic Rights. When these two computers are configured, authorized users can create policy-protected documents in ProjectWise Explorer. Configuration Checklist for Configuring ProjectWise for Bentley Dynamic Rights The following is a checklist of all the things you need to do, in order to set up ProjectWise for Bentley Dynamic Rights. This also assumes ProjectWise Integration Server is already installed on the same or on a separate computer, and a datasource is already configured. 1. The administrator must enable dynamic rights management in the ProjectWise Integration Server dmskrnl.cfg file. 2. The administrator must add the location of the Bentley Dynamic Rights to dmskrnl.cfg. 3. The administrator can optionally add users / groups that are allowed access to dynamic rights management commands in ProjectWise Explorer. Enabling Dynamic Rights Management in the dmskrnl.cfg File The [UserModules] section in the ProjectWise Integration Server's dmskrnl.cfg file is used to enable Dynamic Rights Management for ProjectWise Explorer users. To Enable Dynamic Rights Management in the dmskrnl.cfg File 1. On the ProjectWise Integration Server computer, open the dmskrnl.cfg file. 2. Find the [UserModules] section. 3. Under that, locate the following line: ;drmsvcsrv=drmsvcsrv.dll 4. Remove the comment at the beginning of the line, as shown below: drmsvcsrv=drmsvcsrv.dll 5. Save the changes and exit the file. 6. Stop and restart the ProjectWise Integration Server V8i (SELECTseries4) service. 23 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Adding the Location of the Bentley Dynamic Rights to dmskrnl.cfg Adding the Location of the Bentley Dynamic Rights Management Service to dmskrnl.cfg The [DynamicRightsManagement] section in the ProjectWise Integration Server's dmskrnl.cfg file is used to specify the location of the Bentley Dynamic Rights, in order to route dynamic rights management requests submitted from ProjectWise Explorer users. To Add the Location of the Bentley Dynamic Rights to dmskrnl.cfg 1. On the ProjectWise Integration Server computer, open the dmskrnl.cfg file. 2. Find the [DynamicRightsManagement] section. 3. Under that, add a new line to define the endpoint address of the Dynamic Rights Management web service. For example: [DynamicRightsManagement] ;DrmEndpoint = net.tcp://<machinename>:808/bentleydrmservice/ service.svc/tcp DrmEndpoint = net.tcp://drm-computer-name:808/bentleydrmservice/ service.svc/tcp Note: In the above string, DRM-computer-name represents the machine you installed Bentley Dynamic Rights on, and the string BentleyDRMService represents the virtual directory name for the Bentley Dynamic Rights. If you changed the virtual directory name during product installation, make sure you set this string to the same name. 4. Save the changes and exit the file. Adding Users / Groups Access to Dynamic Rights Commands in ProjectWise The [DynamicRightsManagement] section in the ProjectWise Integration Server's dmskrnl.cfg file contains a setting (DrmGroup) that is used to specify the name of the group that is allowed access to the Dynamic Rights commands in ProjectWise Explorer. If the DrmGroup setting is not defined, all users will have access to the Dynamic Rights commands. To Add Users / Groups Access to Dynamic Rights Commands in ProjectWise Before you complete this task, the administrator should have already created the user(s) and group they want to have access to the Dynamic Rights commands in ProjectWise Explorer. Also, the user(s) should already be added to the group. 1. On the ProjectWise Integration Server computer, open the dmskrnl.cfg file. 2. Find the [DynamicRightsManagement] section. 24 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 3. Find the following line: ;DrmGroup = Administrator 4. Under that, add a new line to specify the group whose users will have access to Dynamic Rights commands. For example: DrmGroup = DynamicRightsGroupName Protecting Documents with Dynamic Rights Management Policies lets authorized ProjectWise Explorer users create a secure document from any Adobe PDF, Microsoft Word, Excel, or PowerPoint file in ProjectWise. The protected document is stored in ProjectWise as well. A document is protected when a policy is applied to it in ProjectWise Explorer. Protecting a document with a policy allows the document owner control over the document even after the document is distributed to recipients. The document owner can still revoke, change, or switch the policy, if necessary. A policy contains two types of information: confidentiality settings and a list of recipients who can access the policy-protected document. Confidentiality settings include permissions (print, copy, and modify), dynamic watermarks, auditing and extended usage tracking, encryption algorithms, document restrictions, and a specified validity period. To be able to apply a policy to a document, your administrator must first set up Bentley Dynamic Rights and then log in to their account in the cloud to create policy sets and policies. The administrator must also configure ProjectWise Integration Server (dmskrnl.cfg) for Dynamic Rights Management and specify which users or groups can apply a policy to a document. In simple terms, applying a policy looks like this: 1. Select a document. 2. Select Document > Dynamic Rights > Apply Policy. 3. Select a policy set. 4. Select a policy. 5. Select a document folder and click OK. In summary, the following workflow describes the steps to set up a Dynamic Rights Management system: 1. The administrator must log in to their account in the cloud to create policy sets and policies. 2. The administrator configures a Bentley Dynamic Rights machine and enables Dynamic Rights Management in the ProjectWise Integration Server dmskrnl.cfg file. The administrator can also specify the name of a group that is allowed access to the Dynamic Rights commands in ProjectWise Explorer. 3. An authorized ProjectWise Explorer user applies the policy to a document, and then distributes the document. 4. Recipients open the policy-protected document. 5. Access to the document is controlled by the document owner. For example, the policy can be revoked (can no longer be accessed), changed, or switched at any time. 25 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies Tip: The Document > Dynamic Rights option only appears in ProjectWise if your administrator has configured a Bentley Dynamic Rights machine and enabled Dynamic Rights Management in the ProjectWise Integration Server dmskrnl.cfg file. To Apply a Policy to a Document The following task explains the typical workflow to protect a document. In this workflow, you select the documents, policy set and policy, and then have the option to overwrite existing documents in place or put the protected documents in a different folder, leaving the original documents untouched. However, there is an alternate workflow to protect one or more documents. In this workflow, you first query a folder, project, or set of documents using the Verify Protection menu item to determine which documents are protected. Then from the Verify Protection dialog, you select the documents you want to protect, and then select Apply Policy. This workflow always overwrites the original documents in place, therefore, you should use caution when using this workflow. 1. Do one of the following: In the document list, select documents, flat sets, folders, or projects, then select Document > Dynamic Rights > Apply Policy. or In the datasource list, select a folder, then select Folder > Dynamic Rights > Apply Policy. The Apply Policy dialog opens. 26 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 2. Select a policy set. 3. Select a policy. 4. Do one of the following: Select Overwrite existing documents in place to place document protection in the source document. Note: It is recommended that you keep an original, unprotected copy of your document and not overwrite existing documents in place. or Select Put protected documents in a different folder (Original documents are not modified) to place document protection in a new document, and then click the Browse button to the right of the Folder field to select a folder or project for the protected document(s). The Select Folder dialog opens. Select the output folder and click OK. 5. Click OK. A dialog displays showing progress status, and the Apply Policy dialog closes. 6. Optional: Click Cancel to cancel the operation. Note: When you select a flat set, all the documents in the flat set will be processed. When you select a folder or project, all documents in all subfolders/subprojects will be processed. Note: If the documents in your selection set span projects that use different policies, you will be required to select a single policy that will be used for all files. Note: Selecting a folder in the document list and selecting Folder > Dynamic Rights > Apply Policy will apply policies to documents from the folder that is open in the datasource list rather than the folder selected in the document list. To apply policies to documents from a folder selected in the document list, you must select Document > Dynamic Rights > Apply Policy. To Apply a Policy from the Verify Protection Dialog The following task explains how to apply a policy from the Verify Protection dialog. In this workflow, you select the documents from the Verify Protection dialog, and then click Apply Policy. This workflow always overwrites the existing documents in place, therefore, you should use caution when using this workflow. 1. Select the document(s) from the Protection status list box. 27 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 2. Click Apply Policy. The Apply Policy dialog opens. 3. Select a policy set. 28 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 4. Select a policy. 5. Click OK. A dialog displays showing progress status, and the Apply Policy dialog closes. 6. Optional: Click Cancel to cancel the operation. To Remove a Policy from a Document The following task explains how to remove a policy from a document from the Verify Protection dialog. You can only remove a policy from a document if the policy does not permit anonymous access. This option only removes the policy from the local copy and does not affect copies that have already been distributed. 1. Select the document(s) from the Protection status list box. 2. Click Remove Policy. A dialog displays showing progress status. 29 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 3. Optional: Click Cancel to cancel the operation. To Revoke Access to a Protected Document 1. Do one of the following: In the document list, select documents, flat sets, folders, or projects, then select Document > Dynamic Rights > Revoke Access. or In the datasource list, select a folder, then select Folder > Dynamic Rights > Revoke Access. The Revoke Access dialog opens. 2. Select a reason for revoking access to the document(s). 3. Optional: To specify a URL to a new version of the protected document(s), do one of the following: If the new version of the protected document is located on a web page, type in the URL of the web page or copy the URL of the web page from your internet browser and paste it into the URL of new version field. For example, http://www.bentley.com/en-us/. or If the new version of the protected document is located in ProjectWise, click Browse to select the folder or project. 4. Optional: Select Append source document file name to URL to append the revoked document's file name to the referring URL. The referring URL redirects the user to the new version of the document when they click Download Revised Document from the Document Withdrawn dialog. The Document Withdrawn dialog opens when the user tries to open the revoked document. 5. Click OK. 30 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies A dialog displays showing progress status. 6. Optional: Click Cancel to cancel the operation. Note: When you select a flat set, all the documents in the flat set will be processed. When you select a folder or project, all documents in all subfolders/subprojects will be processed. Note: Selecting a folder in the document list and selecting Folder > Dynamic Rights > Revoke Access will revoke access to documents from the folder that is open in the datasource list rather than the folder selected in the document list. To revoke access to documents from a folder selected in the document list, you must select Document > Dynamic Rights > Revoke Access. To Revoke Access to a Protected Document from the Verify Protection Dialog The following task explains how to revoke access to a protected document from the Verify Protection dialog. In this workflow, you select the document(s) from the Verify Protection dialog, and then select Revoke Access. 1. Select the document(s) from the Protection status list box. 2. Click Revoke Access. The Revoke Access dialog opens. 31 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 3. Select a reason for revoking access to the document(s). 4. Optional: To specify a URL to a new version of the protected document(s), do one of the following: If the new version of the protected document is located on a web page, type in the URL of the web page or copy the URL of the web page from your internet browser and paste it into the URL of new version field. For example, http://www.bentley.com/en-us/. or If the new version of the protected document is located in ProjectWise, click Browse to select the folder or project. 5. Optional: Select Append source document file name to URL to append the revoked document's file name to the referring URL. The referring URL redirects the user to the new version of the document when they click Download Revised Document from the Document Withdrawn dialog. The Document Withdrawn dialog opens when the user tries to open the revoked document. 6. Click OK. A dialog displays showing progress status. 7. Optional: Click Cancel to cancel the operation. To Unrevoke Access to a Document The following task explains how to unrevoke access to a document from the Verify Protection dialog. 1. Select the revoked document(s) from the Protection status list box. 32 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 2. Click Unrevoke Access. The Unrevoke Access dialog opens to give progress status. 3. Optional: Click Cancel to cancel the operation. 4. When finished, click Close. To Switch a Policy on a Document The following task explains how to switch a policy on a document from the Verify Protection dialog. 1. Select the document(s) from the Protection status list box. 33 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 2. Click Switch Policy. The Switch Policy dialog opens. 3. Select a policy set. 4. Select a policy. 5. Click OK. A dialog displays showing progress status. 34 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies 6. Click Cancel to cancel the operation. To Verify Protection on a Document 1. Do one of the following: In the document list, select documents, flat sets, folders, or projects, then select Document > Dynamic Rights > Verify Protection. or In the datasource list, select a folder, then select Folder > Dynamic Rights > Verify Protection. The Verify Protection dialog opens. 2. Optional: Select documents from the Protection status list box, then click one of the following: Option Description Apply Policy Switch Policy Remove Policy Revoke Access Lets you apply a policy to a document. Lets you switch a policy on a protected document. Lets you remove a policy from a protected document. Lets you revoke access to a protected document. 35 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies Option Unrevoke Access 3. When finished, click Close. Apply Policy Dialog Description Lets you unrevoke a document that is revoked. Used to apply a Dynamic Rights policy to an Adobe PDF, Microsoft Word, Excel, or PowerPoint file in ProjectWise. When you apply a policy to a document, the information in the document is protected from unauthorized users and unauthorized access to the document. Opens when you: Select Document > Dynamic Rights > Apply Policy Select Folder > Dynamic Rights > Apply Policy Select Dynamic Rights > Apply Policy from the right-click menu Click Apply Policy from the Verify Protection dialog. Policy set Policy List Box Overwrite existing documents in place Specifies the policy set that will be used when creating policy-protected documents. Policy sets group sets of policies that are used for a specific purpose. Selecting a different policy set will update the associated policies in the Policy list box. Displays the policies associated with the selected policy set. A policy contains confidentiality settings and a list of recipients who can access the policyprotected document. You can click the Name and Description column headings to sort the policies. When this setting is on, the document protection is placed in the source document. Note: It is recommended that you keep an original, unprotected copy of your document and not overwrite existing documents in place. However, if you select the Apply Policy dialog from the Verify Protection dialog, you will always overwrite existing documents in place. Put protected documents in a different folder (Original documents are not modified) Folder When this setting is on, the document protection is placed in a new document and in a different folder. Note: This option is not available when you select the Apply Policy dialog from the Verify Protection dialog. (Available only when Put protected documents in a different folder (Original documents are not modified) is selected.) Allows you to specify the ProjectWise folder or project for the policy-protected documents. Revoke Access Dialog Used to revoke access to a policy-protected document. When you revoke access to a policy-protected document, users cannot open the document. However, in the process of revoking a document, the document owner can provide a link or URL to a new version of the protected document. Opens when you: Select Document > Dynamic Rights > Revoke Access 36 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights Protecting Documents with Dynamic Rights Management Policies Select Folder > Dynamic Rights > Revoke Access Select Dynamic Rights > Revoke Access from the right-click menu Click Revoke Access from the Verify Protection dialog. Reason for revoking access URL of new version Append source document file name to URL Provides a list of reasons for revoking access to a policy-protected document. Lets you specify a new version of the revoked document. If the new version of the protected document is located on a web page, you can type in the URL of the web page or copy the URL of the web page from your internet browser and paste it into this field. For example, http://www.bentley.com/ en-us/. If the new version of the protected document is located in ProjectWise, click the Browse button to select a folder or project. Appends the base name of the revoked file(s) to the referring URL. The referring URL redirects the user to the new version of the document when they click Download Revised Document from the Document Withdrawn dialog. The Document Withdrawn dialog opens when the user tries to open the revoked document. Verify Protection Dialog Used to determine whether or not a document is protected by a policy. Additionally, this dialog can be used to apply, remove, revoke, unrevoke, or switch a policy. Opens when you: Select Document > Dynamic Rights > Verify Protection Select Folder > Dynamic Rights > Verify Protection Select Dynamic Rights > Verify Protection from the right-click menu Protection Status List Apply Policy Switch Policy Remove Policy Revoke Access Unrevoke Access Status Bar Displays the document(s) file name, folder, protection status, policy name, and whether or not the document is revoked. You can sort the items in any of the columns by clicking the column heading. Lets you apply a policy to a document. Lets you switch the policy on a protected document. Lets you remove a policy from a document if the policy does not permit anonymous access. This option only removes the policy from the local copy and does not affect copies that have already been distributed. Lets you revoke access to a protected document. Lets you unrevoke a document that is revoked. Displays the status messages for the dialog. Switch Policy Dialog Used to switch policies on a protected document. Note: In some situations you cannot switch the policy on a protected document. For example, if a policy-protected document does not have anonymous access and you try to switch the policy with 37 Implementation Guide

Configuring ProjectWise for Bentley Dynamic Rights ProjectWise Office Integration and the Adobe LiveCycle Rights Management Extension for Microsoft Office one that does, you will receive a dialog stating that the operation cannot be performed. To switch the policy, first remove the policy that does not have anonymous access, and then apply the policy that has anonymous access. Opens when you: Click Switch Policy from the Verify Protection dialog. Policy set Policy List Box Specifies the policy set that will be used when creating policy-protected documents. Policy sets control the policy settings that are used when creating policy-protected documents. Selecting a different policy set may update the associated policies. Displays the policies associated with the selected policy set. A policy contains both confidentiality settings and a list of recipients who can access the policy-protected document. ProjectWise Office Integration and the Adobe LiveCycle Rights Management Extension for Microsoft Office The Adobe LiveCycle Rights Management Extension for Microsoft Office lets you open Microsoft Word, Excel, or PowerPoint documents that have been protected by Adobe LiveCycle Rights Management software. This software is commercially available and can be downloaded from Adobe's website: http:// www.adobe.com/go/getrmextensions/. It is documented in the Adobe Release Notes that the Adobe LiveCycle Rights Management Extension for Microsoft Office does not work with third-party plug-ins such as ProjectWise Office Integration. Therefore, it is recommended that you use Microsoft Office without ProjectWise Office integration if you need to use the Adobe LiveCycle Rights Management Extension for Microsoft Office. 38 Implementation Guide

Index A Adding the location of the Dynamic Rights to dmskrnl.cfg 24 Apply Policy 26 Apply Policy Dialog 36 C Configuring Dynamic Rights 9 Configuring the Dynamic Rights Management Utility 15 Creating a Dynamic Rights Management Policy 21 Creating a Dynamic Rights Management Policy Set 21 D Dynamic Rights Management adding users / groups access 24 and ProjectWise Office integration 38 apply policy 26 configuring for ProjectWise 23 creating and managing policies and policy sets 20 features and role services 9, 10 installation 11 introduction 7 network connectivity requirements 10 remove policy 29 revoke access 30 switch policy 33 unrevoke access 32 verify protection 35, 37 Dynamic Rights Management Service allowing a computer access 17 remove a computer's access 19 E Enabling Dynamic Rights Management in the dmskrnl.cfg file 23 P Protecting Documents with Dynamic Rights Policies 25 Protection, Verify 35 R Remove Policy 29 Revoke Access 30 Revoke Access Dialog 36 S Switch Policy 33 Switch Policy Dialog 37 T to add the location of the Dynamic Rights to dmskrnl.cfg 24 to add users / groups access to Dynamic Rights Management commands 24 to create a dynamic rights management policy 21 to create a dynamic rights management policy set 21 to enable Dynamic Rights Management in the dmskrnl.cfg file 23 U Unrevoke Access 32 V Verify Protection 35 Verify Protection Dialog 37 39 Implementation Guide

40 Implementation Guide