Offline access

When someone tries to access a protected file, the local agent on the machine asks the server what rights the user has over the protected file that is being opened. This operation requires that the machine is connected to the Internet in order to access the protected file.

It is possible to configure the policy so that an Internet connection is not necessary to access a protected file. You can enable the “Offline access” option in a protection policy and define the number of days a user will be able to open the protected file without requiring an Internet connection.

With offline access enabled, the local agent asks the server for the user’s rights the first time the file is opened. The local agent receives a Use License that contains the rights of this user over the file and stores it on the local machine so it can be reused on subsequent openings. The information contained in the Use License is signed with the server’s private key so that nobody can modify its content and try to obtain more permissions than the server granted.

When the user tries to open the document after the first access, the local agent looks in the license store for the use license that belongs to the file and the user. If it finds the license in the store, the local agent checks whether the number of days of validity has been exceeded and whether the license has been tampered with. If the validity period has not been exceeded, the local agent makes Office, Adobe, the image viewer or the text viewer (whichever program is opening the protected file) open the file with the rights in the use license for that user. The user is thus able to consume the protected file with the rights defined in the local use license without connecting to the Internet.

If the local agent does not find the use license in the local store, or the use license has expired (the number of days of offline access has been exceeded), the local agent asks the server again for the user’s current rights over the protected file. The connection is necessary to get a new license with the updated permissions, and this new license will be valid for the number of days of offline access defined in the protection policy.

On machines where the local agent is not installed and the protected file is opened directly from Microsoft Office, the process is the same as explained above. In fact, Microsoft Office and the SealPath local agent share the certificate and license store. SealPath uses the Rights Management Services functionality that Microsoft Office comes with, so Office is able to understand the protection formats used by SealPath.

The use licenses are stored in the “%localappdata%\Microsoft\DRM” folder. The names of these files begin with the characters “EUL” (from “End User License”), followed by a hyphen and, between braces, the GUID that uniquely identifies the protected document.

[Image: Desktop-NewProtection-Options.png]

Offline Access and Revocation of Access

During the validity period of the use license on the local machine there is no connection with the server, so the user is not affected by any change in the policy, including the revocation of all of the user’s permissions.

If the author of the protected document removes the user from the list of users of the policy that was used to protect the document, the user will continue to be able to access the file with the permissions defined when the use license was created. This lasts until the use license expires. Once the use license has expired and the local agent has asked the server for the user’s current permissions over the file, the agent will receive a response stating that the user does not have any rights, and the agent will forbid the user from accessing the file.

For instance, suppose a user has the View right over a protected document with an offline access period of 5 days, and the author changes the policy and removes all the user’s rights on day 2 after the first opening of the document. The user will still be able to access the protected document with the View right for the next 3 days. On the 6th day, when the user tries to access the document again, all permissions will have been lost and the document will not open.
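The following Python model is an added illustration of the scenario above and of the agent behaviour described in the first section; it is not code from SealPath or from this article. The agent caches the use license, checks expiry and the server’s signature before trusting it, and contacts the server only when no usable license remains. The server’s private-key signature is replaced by an HMAC stand-in so the model runs offline; the document and user names are constructed.

```python
import hashlib
import hmac
import json
# Constructed stand-in for the server's private-key signature: an HMAC with a key
# only the "server" holds. It models the tamper check, not SealPath's real format.
SERVER_KEY = b"constructed-server-signing-key"

def sign(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

class Server:
    """Holds the protection policy: offline days and each user's rights per document."""
    def __init__(self, offline_days):
        self.offline_days, self.rights = offline_days, {}   # rights: (doc, user) -> set

    def use_license(self, doc, user, day):
        fields = {"doc": doc, "user": user, "issued": day, "offline_days": self.offline_days,
                  "rights": sorted(self.rights.get((doc, user), ()))}
        return {"fields": fields, "sig": sign(fields)}

class LocalAgent:
    """Caches use licenses (the EUL files) and asks the server only when the store
    has no license for (doc, user) that is both unexpired and genuine."""
    def __init__(self, server):
        self.server, self.store = server, {}

    def open_file(self, doc, user, day, online=True):
        lic = self.store.get((doc, user))
        if lic is not None:
            f = lic["fields"]
            unexpired = day - f["issued"] < f["offline_days"]
            genuine = hmac.compare_digest(lic["sig"], sign(f))
            if unexpired and genuine:
                return set(f["rights"])            # served from the local store
        if not online:
            return None                            # no usable license, no connection
        lic = self.store[(doc, user)] = self.server.use_license(doc, user, day)
        return set(lic["fields"]["rights"]) or None   # None: access forbidden

def revocation_timeline():
    """The article's scenario: View right, 5 offline days, user removed on day 2."""
    srv = Server(offline_days=5)
    srv.rights[("contract.docx", "alice")] = {"View"}
    agent = LocalAgent(srv)
    result = {1: agent.open_file("contract.docx", "alice", 1)}     # first opening, online
    srv.rights[("contract.docx", "alice")] = set()                 # author revokes on day 2
    for day in range(2, 7):                                        # offline until day 6
        result[day] = agent.open_file("contract.docx", "alice", day, online=(day == 6))
    return result
```

A use license whose fields are edited in the store fails the signature check and is ignored, so the agent falls back to the server (or denies access while offline), which is the tamper protection the article describes.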

Offline Access and Change of Permissions

As explained in the previous section, if the author of the document or the author of the policy changes a user’s permissions, the user is not affected by these changes while there is a valid use license on the machine.

If the user wants to access the protected document with the new rights (e.g., the author initially gave only the View right but, after sending the document, added the Edit right), the user will have to remove the use license stored on the local machine so that the local agent requests an updated use license from the server.

The use licenses are stored in “%localappdata%\Microsoft\DRM”. If Office 2013 is used, these licenses are also stored in “%localappdata%\Microsoft\MSIPC”. To receive an updated use license, all use licenses should be removed from both folders; use licenses are the files whose filename begins with “EUL-”.

If you want to be more precise when removing the use license, look for the “Guid” that identifies the document and that is part of the filename of the use license. To find this unique identifier, search inside the protected document: the document contains a publishing license that carries it. Open the protected document with “Notepad” or any binary editor and look for the string “<WORK><OBJECT type=".docx">”, replacing “docx” with the extension of the protected file. After this content you will find a string similar to “<ID type="MS-GUID">{d0dcb83f-8941-4d9b-a613-52e5f5eb3feb}” with the document Guid between braces. The name of the use license that belongs to this document begins with the string “EUL-{Guid}”, where “Guid” is the document’s unique identifier. If this file is deleted, the local agent will ask the server for an updated use license for the protected document and the user will receive the new permissions.
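An added helper (not part of the article or of SealPath) that automates the search just described: it extracts the GUID from the publishing license inside the protected file and lists the matching EUL-{Guid} files in the DRM and MSIPC folders, so only that document’s license needs to be deleted. It assumes the embedded license text may be stored as UTF-8 or UTF-16LE; the script name in the usage comment is hypothetical.

```python
import os
import re
import sys

# GUID between braces after <ID type="MS-GUID"> in the embedded publishing license.
_GUID = r"\{([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}"

def extract_document_guid(data: bytes, ext: str):
    """Return the document GUID found after <WORK><OBJECT type=".<ext>">, or None.
    Assumption (not in the article): the license text may be UTF-8 or UTF-16LE."""
    pattern = re.compile(
        r'<WORK><OBJECT type="\.' + re.escape(ext.lstrip(".")) + r'">'
        r'.*?<ID type="MS-GUID">' + _GUID,
        re.DOTALL | re.IGNORECASE,
    )
    for encoding in ("utf-8", "utf-16-le"):
        match = pattern.search(data.decode(encoding, errors="ignore"))
        if match:
            return match.group(1).lower()
    return None

def is_use_license_for(filename: str, guid: str) -> bool:
    """The article: the use license filename begins with EUL-{Guid}."""
    return filename.lower().startswith("eul-{%s}" % guid.lower())

def default_license_stores():
    """The two folders the article names: DRM, plus MSIPC for Office 2013."""
    base = os.path.expandvars(r"%LOCALAPPDATA%\Microsoft")
    return [os.path.join(base, "DRM"), os.path.join(base, "MSIPC")]

def find_use_licenses(guid: str, stores):
    """Full paths of the use-license files for this GUID in the given store folders."""
    found = []
    for store in stores:
        if os.path.isdir(store):
            found += [os.path.join(store, n) for n in sorted(os.listdir(store))
                      if is_use_license_for(n, guid)]
    return found

if __name__ == "__main__":  # usage: python find_eul.py protected.docx
    with open(sys.argv[1], "rb") as f:
        guid = extract_document_guid(f.read(), os.path.splitext(sys.argv[1])[1])
    if guid is None:
        sys.exit("no publishing license GUID found in the file")
    print("Document GUID:", guid)
    for path in find_use_licenses(guid, default_license_stores()):
        print("Use license (delete it to force a refresh):", path)
```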

SealPath Sync

If you need to access thousands of documents in offline mode without having to open them in advance, you can use SealPath Sync. This tool synchronizes the offline access licenses of your documents, so that when you go offline you can open them without any problem. This tool is an optional module that can be requested together with SealPath Enterprise SaaS or SealPath Enterprise On-Premise.

[Image: sealpath_sync.png]