Controlling workbook access in Excel with Information Rights Management

Applies to
Microsoft Office Excel 2003
Book cover This article was adapted from Microsoft Office Excel 2003 Inside Out by Craig Stinson and Mark Dodge. Visit Microsoft Learning to buy this book.

One of the more important new features in Office 2003 is support for information rights management (IRM) technology. IRM lets you, as the creator of an Excel workbook (or other Office document), specify which users or groups of users are permitted to read, edit, print, or copy its content.

As a means of preventing unauthorized access to or use of your work, it's a more robust mechanism than traditional firewall methods because the access controls remain with your workbook file, even if it's moved to a different storage location. It's also more robust than workbook file-level password protection. Rather than distributing passwords to authorized users, you can simply name those users when you set the permissions associated with your workbook. And you can control the use of your workbook in a granular fashion, allowing some users only read, others to read and print, still others to edit (with or without printing permission), and so on.

To set up IRM in your organization, you need a domain controller running Windows .NET Server, a premium Client Access License, and Active Directory. For organizations without those resources, however, Microsoft hosts an IRM service. This service uses .NET Passport authentication, rather than your organization's Active Directory authentication.

Before you can apply IRM permissions to a workbook or use an IRM-protected workbook, you have to have the clientside IRM component installed on your computer. The first time you use IRM in any manner, you'll be prompted to download and install this component if it is not already in place. If you're using .NET Passport authentication, you'll also be prompted (if necessary) to sign on or to acquire a Passport if you don't already have one.

Full use of IRM requires Microsoft Office Word 2003, Microsoft Office Excel 2003, or Microsoft Office PowerPoint 2003. Users with earlier versions can, however, read protected workbooks or other Office documents for which they have appropriate permission by downloading the Rights Management Add-on for Internet Explorer (a free IRM viewer) from the Microsoft Internet Explorer Downloads page.

Protecting a workbook with IRM

To protect a workbook with IRM, point to Permission on the File menu, and then click Do Not Distribute (or simply click Permission Button image on the Standard toolbar). Complete the Permissions dialog box, shown in the following picture. In the Read and Change boxes, specify the e-mail addresses of those users to whom you grant read and change permissions, separating addresses with colons. Alternatively, you can click the Read and Change buttons to the left of the boxes, and then select names from your address book.

Permission dialog box

The Read and Change options in the Permissions dialog box apply default settings for those two permissions levels. To refine your permissions settings, and to take advantage of additional options, click More Options and fill out the dialog box shown in the following picture.

When you click More Options, this expanded version of Permission dialog box appears.

The window at the top of this dialog box lists the people who have been granted permission to read or change your workbook. The first address in the list should be your own, and your access level should be Full Control. Near the bottom of the dialog box, your address should appear again as a mailto link. Users who are denied permission to use your workbook or who want a higher level of access will be given this link as a means to request an adjustment. You can type a different address in the Users can request additional permissions from box if you want their appeals to go elsewhere. You can also clear the check box if you don't want to be bothered with change requests.

Using the settings in this dialog box, you can set permission options for users as follows:

  • Specify an expiration date for the workbook     If you want your workbook to be accessible only for a particular period of time, select This Workbook Expires On and specify a date. No one but you will be allowed to open the workbook after it has expired.
  • Allow users to print     Printing is disabled by default for all users except you. To allow printing, select Print Content. This setting affects both the Read and Change access levels.
  • Allow users to copy data     By default, users with Change access are allowed to use the Copy command in your workbook, and users with Read access are not. To allow use of the Copy command for read-only users, select Allow users with read access to copy content. Be aware that this enables those users to replicate formulas and values into unprotected workbooks. On the other hand, even with the Copy command disabled, users can use screencapture utilities to replicate your work by creating images of it.
  • Allow programmatic access     Programmatic access to protected workbooks (for example, to enable a VBA macro in another Excel workbook or Office document to read the contents of your protected workbook) is normally disabled for everyone but you. To enable programmatic access for both the Read and Change access levels, select Access Content Programmatically.
  • Use current settings for future IRM protection     To make the current settings the default for all future IRM-protected worksheet files, click Set Defaults.
  • Add new users and modify permission settings     To make any modifications to the permissions parameters of a workbook for which you have Full Control access, simply open the Permission dialog box again (point to Permission on the File menu, and then click Do Not Distribute).

Using an IRM-protected workbook

To work with an IRM-protected workbook, simply open it in the normal manner. If necessary, the IRM client component will contact the server to authenticate you, and you might experience a short delay. Once the file has opened, if you have Read access, you will find nearly all of the Excel menu commands and toolbar buttons disabled, and keyboard shortcuts will not work. Attempts to click the formula bar or press F2 will be met with a beep and an error message. To see what you are permitted to do, click Permission on the File menu (one of the few menu commands that are always available). A dialog box similar to the following will appear.

My Permission dialog box

If you need a higher level of access, you can click Request additional permissions. Your default e-mail program will open a message window addressed to the person whose mailto link is associated with this workbook. Alternatively, if you have another authentication available to you (one with higher permissions), you can click Change User and specify your other .NET Passport or user name.

The same recourses are available to you if you try to open a worksheet while logged on as an unauthorized person. In that event, a dialog box like the following will appear.

Microsoft Excel permission alert dialog box

Click Yes to fire off an e-mail message with a permission request, or click Change User to select an alternative user name.

Applies to:
Excel 2003