Monthly Archives: May 2014

Permissioning vs Authorization – what are the differences?

There are three main approaches that can be taken to provide digital rights management (DRM) for documents (also referred to as Information Rights Management, IRM):

1. User-independent authorization systems: these are systems where files are downloaded and are authorized for offline usage by either device identification, which requires prior registration of the device, or by entry of an authorization code that is checked on a central DRM system (does not require prior registration). Note that with this second approach there is little or no requirement for central service management as the process is automated.

Examples of device-based systems are Amazon’s Kindle, iPADs with iBooks, and devices like Kobo and Nook (often managed via Adobe DRM services). In practice these systems require user registration in order to handle the financial transactions when ebooks are purchased, so are actually device- and user-based. Note that the great majority of PCs, unlike most other devices, do not have a consistent and uniquely identifiable deviceID.

An example of an authorization system with no prior user or device registration is the Drumlin DRM service with Javelin as the end-user reader. A diagram showing the key elements of this process is available here. Systems of this type will work on all supported devices, but not generally on proprietary devices like Amazon’s Kindle family. For these usage of the device provider’s DRM is often mandatory and in most cases does not include DRM support for PDFs.

2. User and/or device-dependent systems: these are systems where each person downloading a document must be pre-registered on a centrally managed service, and then each publication they are permitted to view is centrally enabled for them. These are “permissioning based systems” and are most commonly used in intra-corporate applications in conjunction with document (or content) management systems (CMS). Locklizard is an example of this kind of system, as is Microsoft’s 365 online services. Drumlin has facilities that provide centralized permissioning – please contact us if you want to know more about this option. However, in many instances publishers find manual permissioning is too labor intensive and not instant, so prefer the authorization code approach and/or device-based DRM services.

3. Online-based systems: approaches 1 and 2 assume the files are to be downloaded and read offline – no regular host connectivity is required after the initial stage of downloading and enabling. An alternative is a hosted service where the files are kept centrally and displayed via a web browser. A pure HTML or HTML5 based solution (with username/password login and other protective measures) would be an example of such a facility. Note that this option is simple to manage because the files are held centrally, and if required access can be controlled for entire groups of users (with usage tracking) rather than at the individual customer level. The compromises here are: (i) the files can only be viewed online; (ii) access is controlled via permissioning, so requires manual management; and (iii) the quality of display and level of security is typically not as good as offline PDF readers. In our previous newsletter (April 2014) we discussed the merits of online vs offline PDF security, with online examples using Flash and pure HTML. Since then we have added some HTML5 examples, which you can view via the online examples index page here.

In all the above instances there is usually little or no true user authentication. The term authentication refers to the process of identifying that the end user is actually who he or she says they are – as would be the case with many online Banking access systems or face-to-face contacts (e.g. at passport control). Authentication can be added to all of the above systems, but adding further layers of access control in an already contentious area, is likely to be a step too far for most commercial environments.