The present invention relates to management of electronic documents in a document management system.
Document management systems often store sensitive electronic documents and provide sophisticated control over who can access the electronic documents, for example, within an enterprise. One example of a document management system is the Documentum® Enterprise Content Management platform, offered by Documentum Inc. of Pleasanton, Calif. The electronic documents may often contain sensitive information, such as financial data, trade secrets, and so on.
An electronic document can have many renditions. A rendition is an instance of an electronic document, and includes a representation of some or all of the content of the electronic document. Typically, each rendition of a document differs in its format. For example, an electronic document may have a Microsoft® Word® rendition, a Word® rendition in a Macintosh® format, an Adobe® Acrobat® PDF (Portable Document Format) rendition, and an HTML rendition with associated image files. Furthermore, a rendition of an electronic document does not necessarily have to correspond to a single file. A rendition of an electronic document may be stored in a portion of a file that holds other electronic documents (or renditions), in a single file dedicated to the electronic document in question, or in multiple coordinated files.
In a typical document management system, the electronic documents are stored in a document repository. A document repository is a secure computer storage location, such as a server, in which a library of renditions of electronic documents is kept and maintained in an organized way, so that the renditions can be accessed and searched efficiently, regardless of the source or format of the individual renditions in the library. The library can be maintained in different types of secure computer storage—for example, a set of protected directories in a server host's file system or an external storage facility, a relational database management system (RDBMS), a content-addressed storage device, or an external storage area, such as a legacy system. A document repository can also be an abstract repository that encompasses a number of distinct distributed physical resources in which the library of electronic documents is stored. For example, a global company might have a document repository that encompasses physical storage located in each geographical region, with the goal of storing the electronic documents locally to the users who work on them, such that universal access is provided while the document management system performance is preserved. The renditions of the electronic documents in the document repository are accessible to multiple users, subject to access control. Each electronic document in the document repository is represented by an object and associated content. The object is identified by a document identifier (ID), which typically is the same for all the renditions of the electronic document. Each document ID is associated with access control information, such as an Access Control List (ACL) that governs access to the electronic document and describes which users are allowed to access the electronic document. 
The access control information is thus shared between the different renditions of the electronic document, and is separate from the electronic document itself.
In a document management system, when a user tries to access a rendition of an electronic document (which typically means downloading the rendition to his computer), the document management system first verifies that the user is authorized to access the electronic document against a set of access policies. The access control can, for example, be performed by first authenticating the user to confirm the user's identity, and then verifying the user identity against the ACL for the requested electronic document. If the user is authorized to access the electronic document, a rendition of the electronic document is sent to the user and the user is then free to access the content of the rendition.
Once an authorized user accesses a rendition of an electronic document from the document repository and makes a local copy of the rendition, typically, much—or even all—control of the rights pertaining to the electronic document is lost. For example, after making a local copy of the rendition, the user can e-mail the rendition to other, unauthorized, users, without regard to the access control mechanisms of the document management system.
In one attempt to solve this problem, a document security system has been provided in which the security of the electronic documents is governed by a set of rights management policies that is established and administered separately from any policies associated with a document management system. The rights management policies govern, for example, who can access an electronic document, dates and times when a particular electronic document can be accessed, a particular IP address or computer network from which an electronic document can be accessed, whether printing/copying/pasting of the electronic document is allowed, and so on. Since a separate set of rights management policies is used in the document security system, the electronic documents may be stored at any accessible location and do not have to reside in a document management system. The rights management policies are stored on a separate policy server in the document security system. In addition, the policy server stores document encryption and decryption keys and user identities, and logs activities in the document security system. However, no electronic documents are stored on the policy server.
When a document author registers an electronic document in the document security system, he can create a set of rights management policies for the electronic document. Before storing the document at a desired storage location, he encrypts the document with a symmetric encryption key that is issued to him by the policy server. A copy of the key is kept at the policy server, where it is associated with an identifier for the electronic document (including the electronic document's location) and the established set of rights management policies. When a user attempts to open the encrypted document, the user is prompted to log in to the policy server, where the user's credentials (such as username and password) are verified against the rights management policy set up by the document author. If the rights management policies allow the user to open the encrypted document, a decryption key is sent to the user from the policy server and the electronic document can be decrypted at the user's computer, upon which the decryption key is destroyed. The electronic document can thus only be opened by users that are registered with the policy server and that are authorized by the document author to open the document.
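The two mechanisms described above (an ACL keyed by document ID that covers every rendition, and a separate policy server that keeps the keys and policies but never the documents) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the patent, from Documentum, or from any product the text mentions. The class names `Repository` and `PolicyServer`, the policy fields, the toy HMAC-based stream cipher standing in for the unspecified real cipher, and all sample users, documents and addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, timezone

# Constructed in-memory model of the two layers in the text: (1) a repository whose
# ACL is keyed by document ID and so covers every rendition; (2) a separate policy
# server holding policies, symmetric keys, credentials and a log, but no documents.

def keystream_cipher(key: bytes, data: bytes) -> bytes:
    # Toy cipher (XOR with an HMAC-SHA256 counter keystream) standing in for the
    # unspecified real one; the same call encrypts and decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def at_hour(hour):
    # Constructed clock value for the examples: 2024-06-01 at the given UTC hour.
    return datetime(2024, 6, 1, hour, 0, tzinfo=timezone.utc)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Repository:
    """Document repository: one ACL entry per document ID governs all renditions."""

    def __init__(self):
        self.acl = {}         # document ID -> set of authorized user names
        self.renditions = {}  # (document ID, format) -> rendition bytes

    def add_document(self, doc_id, authorized_users, renditions):
        self.acl[doc_id] = set(authorized_users)
        for fmt, content in renditions.items():
            self.renditions[(doc_id, fmt)] = content

    def is_authorized(self, user, doc_id):
        return user in self.acl.get(doc_id, set())

    def fetch(self, user, doc_id, fmt):
        if not self.is_authorized(user, doc_id):
            raise PermissionError(f"{user} is not on the ACL for {doc_id}")
        return self.renditions[(doc_id, fmt)]

class PolicyServer:
    """Rights-management server; policy fields follow the examples in the text."""

    def __init__(self):
        self.users = {}     # user -> (salt, PBKDF2 digest)
        self.policies = {}  # document ID -> {"users", "not_before", "not_after", "network"}
        self.keys = {}      # document ID -> symmetric key
        self.log = []       # every key request, allowed or denied

    def register_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _digest(password, salt))

    def issue_key(self, doc_id, policy):
        # Author registers the document: the server mints the key and keeps a copy
        # bound to the document ID and its policy.
        key = os.urandom(32)
        self.keys[doc_id] = key
        self.policies[doc_id] = policy
        return key

    def evaluate(self, user, password, doc_id, client_ip, now):
        # Pure policy decision: "allow" or a "deny: ..." reason.
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record[1], _digest(password, record[0])):
            return "deny: bad credentials"
        policy = self.policies.get(doc_id)
        if policy is None:
            return "deny: unknown document"
        if user not in policy["users"]:
            return "deny: user not in policy"
        if not policy["not_before"] <= now <= policy["not_after"]:
            return "deny: outside time window"
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(policy["network"]):
            return "deny: network not allowed"
        return "allow"

    def request_key(self, user, password, doc_id, client_ip, now):
        decision = self.evaluate(user, password, doc_id, client_ip, now)
        self.log.append((now.isoformat(), user, doc_id, client_ip, decision))
        if decision != "allow":
            raise PermissionError(decision)
        return self.keys[doc_id]

def open_protected(server, user, password, doc_id, ciphertext, client_ip, now):
    # Client side: fetch the key, decrypt locally, then drop it. Python cannot zero
    # memory, so `del` only releases the reference; a limit of this model.
    key = server.request_key(user, password, doc_id, client_ip, now)
    try:
        return keystream_cipher(key, ciphertext)
    finally:
        del key
```

The point worth noticing is where the control lives: `Repository.fetch` checks the ACL once and then hands over plaintext, after which nothing in the model constrains what the user does with it, whereas `PolicyServer.request_key` is consulted on every open, evaluates user, time window and source network, and records the decision whether or not it was allowed. A production deployment would replace the toy cipher with an authenticated cipher and the in-memory dictionaries with durable, access-controlled stores.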