XrML keeps content under control

Rights management technologies enforce predetermined rules, or policies, designed to protect and control electronic content. They can dictate a variety of vital day-to-day operations on content, ranging from simple viewing and printing to editing and sharing. The proprietary formats of digital rights management has made it too difficult to share content with others. Yet many companies need rights management to solve the dual challenges of regulatory compliance and information leakage. To succeed, rights management must be able to protect content in its native format and share that information across the corporation.

Extensible Rights Markup Language (XrML) is an XML-based language that determines rights and conditions for the use of electronic content to protect it from unauthorized use. XrML is slated to become an International Standards Organization standard this quarter as the MPEG-21 Rights Expression Language and is undergoing a months-long standards review within the Organization for the Advancement of Structured Information Standards. Some vendors already include XrML in word processing, publishing, content management and other security software products.

XrML lets rights enforcement software outline access and usage policies for digital content in the form of licenses. XrML licenses define who can access the content, and how it is protected and distributed; and it controls detailed usage rights such as authorized printing and time-based permissions to perform certain operations. When an author protects content, which can be in the form of word documents, spreadsheet data or Web-based reports delivered in a browser or e-mails, the content is typically encrypted to prevent unauthorized access or tampering. Inside this encryption is a license or a pointer to the license on a policy server. When a reader tries to open the document, the application receives the license from the corporate license server, validates the user’s authorization and enforces the usage privileges defined for that user.

Any rights-enforcement software that supports the XrML standard can subsequently administer the XrML license. What’s more, XrML lets users develop their own rights to meet specific or unique needs.

A standard rights language lets persistently protected content move between applications using cut-copy-paste features. XrML provides access to content using content and credential servers, which issue credential licenses to users that determine their identity and role. When an employee joins or leaves a company, access to content should be provided or removed automatically using XrML to communicate directly with the necessary systems.

There are several approaches for binding rights to content. Some implementations of XrML may embed the rights, or license, within the content. This might be more suitable for static content, such as music, whose rights do not change. Dynamic content should have a pointer that directs the application to the policy server to receive the latest policy. This pointer lets user privileges be changed without republishing the content.

Today, XrML lacks methods for tracking and then auditing user actions on protected content. The earliest version of XrML, designed for content publishing, simply needed to grant or deny access. As XrML becomes more popular in corporate environments, new versions of the language will need to address this type of auditing, and tracking will be critical for auditing, compliance and governance regulations.

XrML provides a good start at a common structure for representing and expressing rights. However, much work remains to define how rights are communicated between policy servers, the actual content and heterogeneous applications.

Epstein is CTO at Liquid Machines. He can be reached at aepstein@liquidmachines.com.