Using Information Rights Management (IRM) with DDAS

1. What is Information Rights Management (IRM)?

DDAS is pre-configured with IRM to prevent data or information from being unauthorised access or disclosure. IRM employs the Microsoft product – “Azure Information Protection” (AIP) solution which can help to achieve the requirements of ISDM policy.

In this regard, when document is downloaded from DDAS, and which being configured with IRM, user needs to use AIP software to consume the data or information since it protected by AIP software.

2. I cannot open the PDF file. What happens?

When a PDF is being downloaded into your PC, and which is pre-configured with IRM in DDAS (IRM@DDAS), you may encounter the following error message when using Acrobat Reader to open it.

After document has been uploaded into DDAS, it is protected by IRM. The most easilest way to consume the file is viewing it from SharePoint Web Access (thru your web browser).

However, if you may want to download the PDF file into your PC, Acrobat Reader cannot read the IRM protected document since it is encrypted by AIP. In this case, you shall open the PDF by AIP viewer.  (Please refer to “Use of Information Rights Management (IRM) for email and file protection” for how to install AIP software.)

Supposed that you have installed AIP client and downloaded the PDF file into your local PC, you may follow the procedures below to consume it:

a. Right-click the downloaded PDF file

b. Select ‘Open with’

c. Select ‘Azure Information Protection Viewer’

d. The AIP viewer will be able to open the PDF file. The following screen capture shows AIP viewer is reading a PDF file.

Please note that MS Office files which downloaded from DDAS will also be protected by IRM@DDAS. In those cases, please login MS Office with you HKU Portal ID to consume the file. For more details in using AIP client, please refer to  “Use of Information Rights Management (IRM) for email and file protection” for details.

3. What file types will be protected by IRM@DDAS?

Currrently, the following file types will be automatically protected by IRM if it is being uploaded without any protection (e.g. IRM, password).

  • Portable Document Format (PDF)
  • The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint (with suffix ‘.doc’)
  • The Office Open XML formats for the following Microsoft Office programs: Word, Excel, and PowerPoint (with suffic ‘.docx’)
  • The XML Paper Specification (XPS) format
Other files types, e.g. ‘.txt’, ‘.jpg’, ‘.img’, or ‘.bmp’ will not be protected by IRM in DDAS SharePoint.

4. What is the effective IRM permission of my DDAS login?

When user login to DDAS and download document which configured with IRM, the following effective IRM permission will be reflected:

Data Management Roles

DDAS SharePoint Rights

Effective IRM Permission

Data Owners and Data Stewards Full Control Co-owner
Data Custodians Edit Reviewer
Data Users Contribute Reviewer
Departmental Users Read-only Viewer-only

5. What if I save a file which already configured with protection?

DDAS IRM protection will only be applied for the following conditions:

  • If the file type can be supported, e.g. PDF, DOC, XLS, or PPT
  • If the file does not apply for any protection, e.g. IRM@DOC (document level IRM protection), MS Office password protection

If document already protected by IRM on document level (IRM@DOC), IRM@DOC will take priority over IRM@DDAS.

6. I have concern to use IRM@DDAS to store a very sensitive document. How?

In this case, you may consider to protect the document by using IRM@DOC prior to save to DDAS. Document protection using IRM@DOC will be preserved and the access list written on document will be used to grant for IRM access. Whereas, access control list obtained from SharePoint will just be used for authentication and control for downloading, but IRM@DDAS will not override the protection which originally written on IRM@DOC.

7. Can I share document which is protected by IRM@DDAS?

7.1 Are you allowed to share document protected by IRM@DDAS?

ISDM policy imposes stringent requirements on ‘confidential’ and ‘restricted’, which does not allow ‘confidential’ and ‘restricted’ documents to be shared with non-authorised person without prior approval from Data Owners, or his/her delegated Data Stewards. Although certain Data Custodians can share ‘confidential’ and ‘restricted’ documents, they must be pre-authorised by their Data Owners or Data Stewards. It does not simply imply every Data Custodian can share documents.

7.2 What is the permission level prior to sharing?

Before user can share document protected by IRM@DDAS, he/she must be granted for ‘Full Control’ in DDAS. Please refer to ‘User Guide on Assigning Unqiue Permission on DDAS’ for how to assign unique permission. The following  permission shows SharePoint group ‘DS-Operator’ will be able to share such documents.

7.3 Sharing DDAS document

Before you may want to share the DDAS document, please make sure you have installed MS AIP software. Please refer to “Use of Information Rights Management (IRM) for email and file protection” for how to install AIP software.

When AIP software is ready, you follow the step to download and share the document.

a. Downloads the file into your local PC

b. Right-click the file and select “Classify and protect”

c. “Azure Information Protection” client will be shown. Please input the recipient’s email address, e.g. ‘’. Change ‘Select permissions’ if you may not want the recipient to have ‘co-owner’ permission.

d. Press ‘Apply’ and then you can share file with ‘’.

8. I do not want IRM@DDAS for ‘public’ and ‘internal’ document. How?

ISDM policy does not require ‘public’ and ‘internal’ data/information to be encrypted prior to share with other person. However, IRM configuration in DDAS is set in basis of ‘Document Library’. If you may want to store ‘public’ or ‘internal’ data/information, and which does not require IRM to protect, you shall consider to create another ‘Document Library’ which is not set for IRM.

You are welcome to send email to and request to set up an additional document library for such purpose.

9. Can I use MacOS to read an IRM@DDAS protected document?

Unfortunately, the answer is ‘No’. Document protected by IRM@DDAS can only be read by Windows version AIP software, or using web browser.

Please read the following Microsoft webpage for details:

Rev 1.0, DS Team, June 28, 2018