Although users are free to author rights-protected content and define access rights to the content, many organizations want to implement a central policy governing who has access to data and under which rights. On RMS Licensing Servers, you can create templates that define who has access to content, as well as the specific access granted on a per-user or per-group basis and other restrictions, such as how long a user is granted access to content or the validity period for an EUL (useful if you want to force users to obtain new EULs frequently if the rights protection granted to content through templates is likely to change). Figure A shows an example of an RMS template. After you create a template on an RMS Server, you need to distribute it to users on the network as an eXtensible rights Markup Language ( XrML) file. SQL Server stores templates in the RMS configuration database. Office 2003 applications require a registry setting to point to the location of RMS templates. The RMS Server signs the templates, and if a malicious user tries to modify a template in an attempt to change access to rights-protected content, the RMS Client won't allow the template to be used. When an application requests an EUL from the RMS Server for content protected through use of a template, the rights granted to the user are the rights specified in the template stored in the configuration database at the time the EUL request is made, not the rights specified in the template file that was in use when the content was protected. The users, rights, and restrictions contained in the template file are displayed when a data author protects content.
Templates provide an additional feature: the ability to use revocation features built into RMS. When you create a template, you can specify the location of a revocation list, which has a specified period of validity. When a user attempts to use rights-protected content, he or she must have both a valid EUL and a copy of a valid revocation list on the RMS Client. If the user or the content is listed in the revocation list, or if no valid revocation list is available, the user won't be able to access the content. The RMS Client will attempt to download the revocation list from the location specified in the template and copied to the EUL when the EUL was issued, and store it in the user's machine-local profile.
