Author Archive: Jonathan Herbach

Feature Spotlights – Rights Management ES2 Improvements

Today’s post will cover a variety of other other improvements we’ve made to LiveCycle Rights Management ES2.

First, extending our previous capabilities to revoke documents and offer version notification, we now offer out-of-the-box “Revoke and Replace” functionality. By using LiveCycle Content Services as your document repository, you can make sure that every “major version” that is checked in supersedes any version people may have cached locally elsewhere. More info:


Second, our Extension for Office now offers dynamic visible watermarks much like we have offered previously for PDF files viewed within Acrobat and Reader. This means that you can exchange protected Word, Excel, and PowerPoint files that visibly display the recipient’s name, email address, and the time they opened the document. More info:


Third, for developers out there who need to create policies programmatically, we’ve offered significant improvements in how our orchestration APIs work. More info:


Finally, customers have asked for additional flexibility in managing audit event records that track the history of a document. With the latest release you can export, archive, and delete event history specifying who has opened, modified, printed, etc, your protected documents. More info:


Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by
contacting Adobe

Feature Spotlights – Flexible Authentication in LiveCycle ES2

Adobe released updates of all of the LiveCycle components when we released our “ES2″ version in November 2009. As a part of this we made some significant strides to expand how you can integrate our product suite into other directory, identity management, and authentication systems.

I’d like to take this opportunity to explain some of what is new, as well as show you several videos that go into each area in more depth.

First, our integration with ActiveDirectory and LDAP directories executes substantially faster, as we have optimized the system to only pick up records that have changed recently. More info:

Second, our integration with Smartcards and PKI certificates for strong authentication is much more flexible, and supports many more types of certificates. More info:

Third, several customers have asked us to query one directory for user information, but integrated with a second instance for high performance authentication. We’ve listened and now support this — more info:

Finally, all of our web- and Flex-based components now support SAML-based federated identity for authentication. Technically, this means that LiveCycle is substantially more flexible in terms of the Single-Sign-On (SSO) and authentication facilities that be used. In practice this means that it is very easy for you to integrate LiveCycle into your processes for interacting with customers and engaging with citizens without deploying additional identity provisioning or management software. More info:

Feature Spotlights – Simplifying Access Control in Rights Management ES2

Adobe released LiveCycle Rights Management ES2 in November 2009. This will be the first of several postings that detail some of the new functionality within the product and how it can help you be more effective in protecting your intellectual property and restricting access to personally identifiable information.

Today I’ll provide an update on how we’ve simplified how you can define and use access control within your organization as well as across artificial boundaries; with LiveCycle you can confidently ensure that only the right people — regardless of whether they are one of your employees, contractors, partners, customers, or citizens — have access to documents.

Specifically, the latest product offers a new rich web application for defining which users and groups should be able to open documents — or modify, print, copy, etc. You can define and edit policies much more quickly now that you can add multiple users or groups simultaneously.

And with our new “dynamic groups” feature, you can more quickly restrict access to an entire external organization. For example, if you found you were previously listing several users with your partner “”, manually adding,, and, you now have a new option. By adding the LiveCycle dynamic group “*”, you have the flexibility of a wildcard.

The following two video demos show off the new UI as well as the new flexible dynamic groups mechanisms. Check them out!

Improved policy interface:

Dynamic groups:

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by
contacting Adobe

Primer on configuring offline lease and synchronization

Today, I hope to answer some of the questions surrounding “offline lease” and “offline synchronization” settings within the LiveCycle Rights Management ES server configuration. Here is a screenshot showing several settings within our Admin UI:


and within our end-user-facing policy-edit UI:


What are these settings for? The “offline lease period” and “offline synchronization period” are interrelated settings that dictate how and when clients can be trusted to access (view, modify, print, etc) “offline”. There are varied casual definitions of “offline” depending on the scenario: when an executive needs to view confidential documents on an airplane without network access; when a field service technician is on-site at a customer location repairing a device but not entitled to “network guest access” due to security concerns. Both are supported with our solution and in fact are exceedingly transparent to the end user because they “just work” when the client is unable to “phone home” to the LiveCycle Rights Management ES server to authorize access in real time.


Customers appreciate that this offline access mechanism works transparently for users when they need it to most – but only when the author (and administrator) want it enabled. Not all organizations are willing to enable offline features for their most sensitive documents because while they retain complete access to revoke content or change authorization rules at any time, they are not guaranteed that these changes will go into effect immediately for all users world-wide. This is because the users and clients who are physically unable to “phone home” to the server will not receive an updated set of authorization rules while they remain disconnected.


In other words, by introducing offline access, authors retain complete control over protected intellectual property, however they introduce some latency before authorization rules are implemented.


This latency is the period of time before the clients can “phone home” to get the latest set of authorization rules. So we offer customers the ability to set a “ceiling” on the amount of latency they are willing to tolerate between an authorization rule being changed and when it will go into effect worldwide.


The maximum tolerated latency can be configured by document author/owners on a per-policy basis. This offers our customers the greatest flexibility because an internally-targeted policy covering executive “Insiders” may be very different from information classified for external use by customers. So how does this work? Each policy can set the "auto-offline lease period" – refer back to the second screnshot. This is how an author sets the maximum latency associated with one policy (and all documents associated with it). Since not all authors will want to set the latency, we give the administrator the ability to establish a default global latency: see screenshot one, where the administrator can set the default maximum latency – which is the value that is copied into each policy when it is created.


When discussing the feature, customers ask what happens if a disconnected user has access to two different documents with different policies, and different latency thresholds (that offline lease period). An example may help – say we have document A which allows three days of offline access, and document B which allows 15 days, and the client last phoned home to the server on March 1. Through March 3, the client will be authorized to view document A and document B, and from March 4-15 will be able to view document B only. If on March 8 the client phones home again, the clock is reset so document A and B will be viewable until March 11, and B will continue to be accessible until March 23.


Back to the March 1 example. What if somebody gives the offline client document C with 10 days of maximum latency on March 6? Because our system tries to be transparent to the user, and we do not require offline documents to be opened first online, he will be able to open document C from March 6 through March 10.


So…how does “Default Offline Synchronization Period” (screenshot one) relate? It’s a global server setting regulated by the administrator that dictates how long offline accessible documents should remain available offline. We accomplish the feature of not requiring offline documents to be opened first online by having the server give the client enough information to open “all” documents the user should be entitled to use while offline.


Our engineers decided to allow customers to tune whether “all” is really “all documents ever protected in the system” or whether in most customer uses it may mean for example “all documents protected in the last 365 days”, because many customers may not need to grant access to documents offline forever. By tuning this from an infinite (true “all”) period to a rolling-window of XX (e.g., 365) days, it simplifies the amount of information that needs to be sent to the client, and the amount of information that the client must store. The user benefit of this is that if you hire a new employee in the future and want to enable his machine to access documents offline, it’s unlikely he would need to access documents from 1982 while offline.


There are clearly tradeoffs here; the key takeaway is that this value should be set to the amount of time the client should allow protected documents to be viewed offline from the date they are initially protected.  Tuning this value to accommodate your scenario may be somewhat complex, so if you have any questions about your setup, do not hesitate to contact your local Adobe support representative.


Some general advice: administrators should set the offline synchronization period to be the total amount you would like documents to be viewable offline. It’s very easy to set this value large at initial deployment and then decide to tune it down later. Increasing this value is possible, but we recommend you contact Adobe support first to understand the implications and interactions in the system.


In conclusion, the “offline synchronization period” is an administrator-tunable setting that makes sure the end-user experience is always straightforward and that people can view confidential intellectual property when on an airplane, at a disconnected customer site, etc. Simply set this as the maximum time any document can be used offline from when it is initially protected.


End users who want to control access to content need only set how long they want their content to be viewable offline—and remember that it will stop being viewable offline once the “offline synchronization period” has been exhausted.

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Seamlessly storing and managing documents protected with LiveCycle ES

A frequent topic of conversation with customers is how LiveCycle ES can be used to seamlessly store and manage protected documents. Following on to an earlier discussion of some of the capabilities within LiveCycle Content Services ES, we recently published an article in the LiveCycle Developer Center describing how LiveCycle can be used as a repository of protected documents. An online guide as well a several Captivate demos can be found at

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Primer on Server Base URL

One frequently asked question I get is about the “Base URL” setting within the LiveCycle Rights Management ES server configuration. What is this for? It’s a global setting that is used in several places where the server must identify its location to a remote client. The text is used as a “base” for deriving various types of server URLs. Here is a screenshot of the relevant configuration section of the administrative web console:

Here are two examples of its use in the system:

  • Have you ever wondered how, when somebody opens a RM protected document, the client determines your credentials and decrypts the document? “Baked” into each protected document are two important pieces of unencrypted information: a globally unique identifier (the document GUID), and the server address that the client contacts to receive authorization to decrypt and open the document. The server address is a derivative of the base URL that the administrator configured when setting up the server.
  • When an author or recipient performs a “web-based action” on a particular document, the client will automatically receive a single-sign-on-based redirect to a web age populated with the appropriate information. For example, the client-based request to view the audit history of a document opens a web browser showing which users have viewed, modified, or printed a protected document. The end-user experience is seamless, and the redirect instruction is derived from the base url of the document.


The advantage of deriving URLs from this base URL is that it simplifies the end-user experience, as outlined above, and gives flexibility to customers implementing a LiveCycle Rights Management server. This flexibility means that administrators can leverage DNS as a layer of indirection between client and ultimate server(s). DNS, for example, can provide different routes to a server depending on whether a document viewer is located inside or outside of a company’s network. It can also be used in with a load-balanced cluster to ensure that LiveCycle Rights Management runs as a high-availability and high-throughput system.

However, when configuring this URL you need to be careful: by changing settings on the server, you may orphan existing secured documents if you neglect to update DNS to point to the new server. Also, because of the sensitive information communicated between our server and clients (e.g., Adobe Acrobat, Adobe Reader, the LiveCycle Rights Management ES Extensions for Microsoft Office, PTC Pro/ENGINEER, …), we strongly advocate that the URL specified be HTTPS such that the communication is done over SSL. In fact, most of our clients will refuse to talk to a server URL that is not specified as HTTPS. (Specifying a HTTP-based URL will attempt to force the client to communicate over HTTP, however this is likely to fail because our clients generally do not support non-SSL connections.)

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Configuring Certificate Authentication

Following on to our overview of authentication types in LiveCycle Rights Management, we recently published a guide within the LiveCycle Developer Center that shows how you can configure LiveCycle to support certificate authentication.You can read it here:

Flexibility in identifying and authenticating users

We’ve received a bunch of good feedback lately on some of our explanations and demonstrations of the authentication types supported in LiveCycle Rights Management. We adapted some of these posts into a technical article within the LiveCycle Developer Center on Adobe’s web site. You can read it here:

Improving Design Collaboration While Reducing Risk

As we’ve mentioned in earlier posts on this blog, LiveCycle Rights Management ES has a growing set of integrations with 3D CAD/CAM packages. Today we have integrations in the market to provide for rights management IP protection in native Pro/ENGINEER, CATIA, and XVL files.

Adobe recently hosted a joint webcast with PTC to showcase how customers can improve design collaboration while reducing risk using Pro/ENGINEER and LiveCycle Rights Management. In today’s global manufacturing marketplace, survival depends on fast time-to-market.  Spreading the design process across the supply chain continues to increase design complexity as customers demand better products, quickly.   The key is better collaboration, but as companies try to deliver better information, earlier in the process, to a broader audience, the risk of intellectual property (IP) loss goes up dramatically.  Survey after survey has shown that protection of design information is at the top of the list for most engineering organizations.  Companies that learn to balance improved collaboration with the risk of IP loss will be the winners moving forward.

You can replay the webcast by going to:

Configuring Rights Management client access

Adobe’s LiveCycle Rights Management solution has been in the market since the beginning of 2005 and can be used to protect a growing variety of file formats – PDF, Office, CAD, and FLV as of our LiveCycle ES Update 1 release this past summer. The server works together with Adobe Acrobat and Adobe Reader clients to protect, view, and manage sensitive PDF documents. Because support is included in every copy of Acrobat and Reader 7.x, 8.x, and 9.x, we have more than 700 million machines worldwide that are capable of receiving protected PDF documents with absolutely no configuration required or any special software to be deployed.

We give our customers the option to allow documents to be viewed on any of these clients out of the box, but understand that in certain cases customers might wish to restrict clients to the latest version. For example, there may be cases where customers want to take advantage of newly introduced functionality, such as the new AES-256bit encryption algorithms introduced earlier this year.

As such, we now allow customers to configure each deployed server to restrict which client versions or applications the server may communicate with. Technical details can be found at

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe