This guide defines the terms low-trust user group and high-trust user group to classify the different groups of users accessing documents in your SharePoint site.

How you configure Prizm DRM and SharePoint permissions for a specific group depends on whether the group is classified as a low-trust user group or a high-trust user group. The sections below describe each classification and the permissions that should be granted to it.

Low-Trust User Groups

Low-trust user groups are SharePoint groups whose ability to duplicate the contents of documents from one or more document libraries you want to limit. To limit this ability effectively, both SharePoint permissions and Prizm DRM need to be configured to control access to the documents.

Typically, low-trust user groups are granted a level of read-only access using SharePoint permissions, and the groups' access to the documents is then further restricted using Prizm DRM permissions.

There may be some cases where a low-trust user group is granted more than read-only permissions in SharePoint, which may include permissions to contribute, edit, or manage a list or site. However, these scenarios should be limited because they could result in a conflicting user experience where the group is granted permission to edit or manage a document, but Prizm DRM restricts their ability to download or copy contents of the document.

There are some SharePoint permissions that must be denied to low-trust user groups in order to effectively limit access to documents:

  • 'Use Client Integration Features'
  • 'Use Remote Interfaces'

Neither of these SharePoint base permissions should be granted to a low-trust user group, because granting either one enables direct access to a document through specific channels and would allow a user to circumvent the protection offered by Prizm DRM.

High-Trust User Groups

High-trust user groups are SharePoint groups that need to have greater access to documents in a document library or site. Furthermore, the ability to duplicate contents of a document does not need to be controlled for these groups. As a result, Prizm DRM is not needed to limit the access of high-trust user groups to a document.

Although DRM can typically be disabled for high-trust user groups, there is one common scenario where DRM is enabled for high-trust user groups. In order to offer high-trust user groups the same ability to click a link to a document and view it in the browser, DRM can be enabled for high-trust user groups. Unlike for low-trust user groups, Prizm DRM permissions can be used to grant the high-trust groups the ability to save the document.

The 'Use Client Integration Features' base permission must still be denied to the high-trust user groups so that the redirection will function correctly. Note that denying this base permission results in the loss of built-in SharePoint features for this group.
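The permission rules for low-trust groups and for high-trust groups with DRM enabled can be checked mechanically. The following is an added example, not code from this guide or from Prizm DRM: it takes role assignments as the High/Low pair in which SharePoint's REST API reports a base-permission mask and flags any that grant a permission the group's classification must be denied. The mask values come from SharePoint's SPBasePermissions enumeration; the group names, permission-level names, the "low" and "high-drm" labels, and the sample data are constructed assumptions.

```python
# Added example, not vendor code. Mask values are from SharePoint's
# SPBasePermissions enumeration.
USE_CLIENT_INTEGRATION = 0x0000001000000000  # 'Use Client Integration Features'
USE_REMOTE_APIS = 0x0000002000000000         # 'Use Remote Interfaces'

# Permissions each trust class must not hold, per the guidance above.
# The class labels "low" and "high-drm" are hypothetical names for this example.
DENIED = {
    "low": {
        "Use Client Integration Features": USE_CLIENT_INTEGRATION,
        "Use Remote Interfaces": USE_REMOTE_APIS,
    },
    # High-trust group with DRM enabled for in-browser viewing.
    "high-drm": {"Use Client Integration Features": USE_CLIENT_INTEGRATION},
}

def mask(high, low):
    """Join the High/Low 32-bit halves of a base-permission mask."""
    return (int(high) << 32) | int(low)

def audit(assignments, trust):
    """Return sorted (group, level, permission) findings.

    assignments: iterable of (group, permission_level, high, low)
    trust: maps group -> "low" or "high-drm"; other groups are not checked
    """
    findings = []
    for group, level, high, low in assignments:
        denied = DENIED.get(trust.get(group), {})
        bits = mask(high, low)
        for name, bit in denied.items():
            if bits & bit:
                findings.append((group, level, name))
    return sorted(findings)

# Constructed sample: group names, level names and trust labels are made up.
SAMPLE_TRUST = {"External Reviewers": "low", "Contractors": "low", "Legal": "high-drm"}
SAMPLE_ASSIGNMENTS = [
    ("External Reviewers", "Read", "176", "138612833"),        # both bits set
    ("External Reviewers", "DRM Read", "128", "138612833"),    # neither bit set
    ("Contractors", "DRM Read + Remote", "160", "138612833"),  # remote only
    ("Legal", "Contribute", "176", "138612833"),               # both bits set
    ("Finance", "Read", "176", "138612833"),                   # unclassified, skipped
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSIGNMENTS, SAMPLE_TRUST):
        print("VIOLATION: %s / %s grants '%s'" % finding)
```

A group inherits the union of every permission level assigned to it, so a single offending level is enough to report the group even when its other levels are clean.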

An alternative option for enabling in-browser viewing for high-trust user groups is to use the Prizm Preview Field. Configuring this feature is described in Configuring the Previewer.

