Protect Sensitive Data (Microsoft RMS)

File Content Extraction has the capability to decrypt files that are protected by the Microsoft Rights Management Service (RMS). For information about configuring File Content Extraction to integrate with RMS, see Microsoft Rights Management Service Protected Files.

This section provides some information that can help you secure sensitive data related to processing RMS-protected files.

When you enable decryption of file content, protect the secrets (tenant ID, client ID, and client secret) that you pass to File Content Extraction. File Content Extraction creates a database file to store authentication tokens. You can configure the path of this file in the [Rms] section of formats_e.ini, by setting the parameter OauthDatastoreConnectionstring. OpenText recommends that you restrict access to this file.

Finally, be aware that when you configure these features, File Content Extraction can access the content of any RMS-encrypted file in your domain. A user who does not have access to a document through Microsoft endpoints might be able to use File Content Extraction to bypass authorization, unless your application prevents this. OpenText also recommends that you secure the temporary directory used by File Content Extraction, because it might contain sensitive data. For more information, see the security best practices.
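
The following is an added example, not OpenText code, of checking the two file-system recommendations above on a POSIX host: it reads OauthDatastoreConnectionstring from the [Rms] section of formats_e.ini and reports group or world access on the token database, its directory, and the temporary directory. It assumes the parameter value is a plain file path and that you supply the temporary directory path yourself; the function names and the sample layout are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any group/world permission bit

def audit_rms_paths(ini_path, temp_dir):
    """Return findings for the token datastore, its directory and temp_dir."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    cfg.read(ini_path)
    # Assumption: the parameter value is a plain path to the database file.
    datastore = cfg.get("Rms", "OauthDatastoreConnectionstring", fallback=None)
    if not datastore:
        return ["[Rms] OauthDatastoreConnectionstring is not set"]
    findings = []
    parent = os.path.dirname(os.path.abspath(datastore))
    for target in (datastore, parent, temp_dir):
        if not os.path.exists(target):
            findings.append(f"{target}: does not exist")
            continue
        mode = stat.S_IMODE(os.stat(target).st_mode)
        if mode & GROUP_OTHER:
            findings.append(f"{target}: mode {mode:04o} grants group/other access")
    return findings

def demo():
    """Audit a constructed layout, tighten permissions, then audit again."""
    root = tempfile.mkdtemp()
    store_dir = os.path.join(root, "tokens")
    tmp_dir = os.path.join(root, "tmp")
    store = os.path.join(store_dir, "oauth.db")
    os.mkdir(store_dir)
    os.mkdir(tmp_dir)
    open(store, "w").close()
    for path, mode in ((store_dir, 0o755), (tmp_dir, 0o777), (store, 0o644)):
        os.chmod(path, mode)  # deliberately loose starting point
    ini = os.path.join(root, "formats_e.ini")
    with open(ini, "w") as handle:
        handle.write(f"[Rms]\nOauthDatastoreConnectionstring={store}\n")
    before = audit_rms_paths(ini, tmp_dir)
    for path, mode in ((store_dir, 0o700), (tmp_dir, 0o700), (store, 0o600)):
        os.chmod(path, mode)  # owner-only, as the page recommends
    return before, audit_rms_paths(ini, tmp_dir)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

On Windows hosts, access is governed by ACLs rather than mode bits, so the equivalent check is to review the ACL on the same three paths.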