Revoke Authorization

Revoke Document Access, expiry & remote file deletion

  Free Trial & Demo

“Fantastic product… outstanding support.”

“We would recommend Locklizard to others”

“The clear leader for PDF DRM protection”

“Our ebook sales have gone through the roof”

“Simple & secure – protects IPR from theft”

Trusted by:

Revoke documents & authorization to access

There will be many occasions when you need to revoke documents you have published or the authorization to access them.  This could be because:

  • the information contained in the documents is no longer valid because it is out of date or wrong
  • you feel your documents are being misused
  • the wrong document was distributed to people in the first place

This guide examines some of the options you can use to revoke documents or document access (revoke authorization or access to a PDF file) and explains how you can use Safeguard PDF Security to achieve this.

The PDF DRM and licensing controls in Safeguard PDF Security give you a number of ways of preventing documents from being used once they have been issued.

Using document expiry to revoke access to PDF files


You can set documents to expire in specific circumstances.  This is done when a document is protected and is bound to the document at that time (although expiry can be changed at a later date from the administration system):

  • On a set date
  • After a number of days from first use
  • After a number of views
  • After a number of prints

For company documents, it is normal to have set an expiry end date, which is when they would normally be superseded.  The other expiry methods are more likely used to control documents used in training courses, and documents for evaluation.

It is possible to set a document expiry end date of ‘never’ so that the document never expires, but if you do so then the end date cannot be changed.  You can, however, change document expiry settings at a later stage on the administration system if you set a fixed date or a number of days/views/prints.  This enables you to either extend or reduce document use, as well as instantly revoke access.

Apart from expiration on a set date, the other methods require an online license check before the user can open the document.  As soon as the number is met, access stops, though it is possible to change the number in the administration system for individual users after the document has been assigned. This will take effect the next time the user opens the document.  You can therefore publish a document with, say, a fixed expiry date for all users, but extend the access period for specific users when required.

Document expiry happens automatically when the expiry criteria is met.  This is, therefore, an easy and automatic way of revoking document access without manual intervention.

Suspending or deleting a document to revoke document access for all users


If you want to revoke document access for all users straight away, then you can suspend or delete a document.  Access will be revoked when the user next tries to open the document, provided the document is set to check against the licensing server (online use).  If you have allowed the document to be used permanently offline (without ever checking with the server) then you cannot revoke access by suspending or deleting a document, as there is nothing in place to tell the document to connect to the licensing server to pick up the new controls.

With Safeguard Web Viewer, you can always revoke document access straight away, as documents are always viewed online.

If you use publications to manage your protected documents, then you can remove publication access from specific users, or change the publication access period so that revocation or expiry takes place for a group of documents.  The same online/offline rules apply as to individual document revocation and expiry.

Revoking document access to all documents on a per user basis


This approach stops a user from accessing any documents, but it only happens if there is a mandatory license check when the document is opened.  If you have set the license check to ‘never’ in Safeguard Writer, (offline access) then revocation cannot be implemented.  One advantage of this approach is that you can reinstate the user, rather than having to delete them and then add them again.

At the user account level, you can revoke access to all license check documents by:

  • Suspending the user account
  • Setting the user account to expire after a certain date

You can also change the fixed expiry date, but again, there must be a license check before the change is implemented.  If you have a license check, then you can keep altering the end date to suit changing requirements and apply different end dates to the same file for different users.  However, you must remember that it will be up to you to reconcile end dates manually since there is no provision in the administration system for showing different end dates by user.

Remote file deletion


Another approach used by some document DRM systems to prevent continued access to documents is the remote deletion of the document from the user’s computer – see remote file deletion.  Sometimes, this includes the concept of being able to ‘delete’ a file ‘beyond recovery.’  Commonly, this is claimed to be achieved by multiple overwrites of the file in its location.

Safeguard PDF Security does not support this feature because it is more of a marketing ploy than a real security feature.

Now, don’t take our word on this  – go and reference the work of Peter Gutmann, the noted computer scientist in New Zealand.  He points out that, “the 35 pass overwrite technique …. a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques.”

That statement is referencing a system for trying to prevent any possible kind of recovery of a file stored on a hard drive.  Never mind hosting files on remote servers or using RAID architectures or having system backups.

Everything sounds fine if everyone is playing by the rules.  But dishonest people have already established that they are not playing by your rules.  It is trivial to set a file to ‘read only’ so that an ordinary application cannot write to it no matter what it wants.  Now, of course, there are ways of getting around that, but they need code that gets around the operating system of the computer, and that is most definitely a ‘bad’ idea.  That is what hackers and viruses set out to do, and if anything goes wrong, you generally won’t have any files to come home to.

Be aware also that UK CESG, notes that if you want to be sure files cannot be recovered you need to physically destroy the disk drive.  As in burning it.  (Now, I’m not saying everyone wants or needs that level of certainty, but it shows agencies’ belief that nothing is ever truly deleted.)

But to bypass the control, all the user has to do is make a copy of the file before using it. They lose nothing except time if one gets deleted.  The idea of sudden deletion is interesting but is clearly less effective than expiring or revoking a file so that it is present, but can no longer be used.

Revoking PDF documents online


So, you can’t stop somebody from making a copy of a file on their PC, particularly if that PC is not on your enterprise network or under your control. However, what if you revoke PDF documents online – those delivered through a web portal or collaboration software? PDFs viewed via an internet browser do not have the same presence on a user’s PC. Various cloud solutions allow you to share documents with specific accounts and then revoke access to them at a later date. However, just because somebody doesn’t have a file to move about, it doesn’t mean they can’t copy.

The problem with all web-based document solutions is that the browser has very limited control over the user’s computer. This is more or less a necessity – imagine how much damage a malicious webpage could do if it could gain full access to your PC. From a document control perspective, however, it means an inability to prevent screenshots, printing to file drivers, and often copying and pasting.

File-sharing services typically use JavaScript to enforce their controls which is partially executed in the user’s browser rather than the server the documents are stored on. This JavaScript can often be manipulated, either through the browser’s developer mode or browser plugins, to bypass protection controls.  Indeed, in the case of Google Docs security, it can be as simple as disabling JavaScript entirely.  After this point, they can copy and print, creating an identical, unrestricted copy with ease.  Certain services will also leave parts or the entire unencrypted document behind in the user’s temporary files.

Locklizard provides a cloud-based Web Viewer that our customers can publish PDF files to if they so wish.  When you revoke a document or user in your admin portal, you revoke the PDF document online, too.  However, though we have taken pains to make our online Viewer more secure than the competition, there is only so much that can be done in a browser environment.  We therefore recommend that customers use the desktop viewer applications when maintaining confidentiality is important.

How to expire documents using Safeguard PDF Security

  Document expiry options in Safeguard Writer

You can set PDF documents to expire automatically when protecting them using Safeguard Writer.  It’s possible to change the document expiry settings for all or individual users at a later stage using the Safeguard administration system.

  1. Go to the Expiry & Validity Tab and from the ‘Document Expires’ section and select either an expiry date or a number of days from first use.

    If you select an expiry date, then the document will expire on that date.

    If you select a number of days from first use (say 30), then the document will expire 30 days from when it is first opened.  The document will expire at different dates for different users depending on when they first opened the document.

  2. If you want to expire documents after a number of prints or views then this can be achieved from the ‘Printing & Viewing’ tab.

    To expire documents after a number of prints, select the number of copies you want to allow and check the ‘No access after print copies depleted’ checkbox.  Once the number of prints have been reached the document will automatically expire and can no longer be used.

    To expire documents after a number of views, check the box ‘Limit number of views’ and enter a number in the scroller field.  Once the number of views has been reached the document expires.

  Changing document expiry in the Safeguard Admin System

Once a protected document has been published, you can change the expiry date from the Safeguard Admin System.  You can do this for the document (so the new expiry date affects all users) or for individual users.

Document expiry for all users

To change the document expiry date for a specific document, go to the Documents Tab and select the document you want to edit. Click on the Details button and enter the new document expiry date in the ‘Expires’ field.

Document expiry for individual users

To change the document expiry date for a specific user, go to the Documents Tab and select the document you want to edit.  Click on the Details button and then the ‘Grant or Revoke Access’ link.  Select the user you want to change the expiry date for and then from the ‘Grant Limited Access’ pull-down field enter a new document expiry date.

You can also change the start date of a document here.  Changing the start date of a document to a future date stops access to the document until that date is reached.  This is therefore another method of temporarily revoking document access for individual users, or ensuring that documents are not used before a certain date.

How to revoke document access on a user basis using Safeguard PDF Security

   Revoke document access for a single user

It is very easy to revoke access for a user for both single or multiple documents.

  1. Log in to the Safeguard administration system and go to the Customer Accounts tab.  Here you can search for the individual customer record you want to alter.
  2. Click on the Details arrow to show you information about the selected customer record.
  3. Go to the section titled ‘Manage Access’. This is where you grant access to documents or revoke access.  If you click on the option ‘Set document access’ it will bring up a tab showing all the documents that this user has access to.

    If you find they have access to a lot of documents, you can use the filter to narrow the search down to the document that you want.
  4. Select the document(s) by clicking on the selection box and go to the ‘With all checked’ pull-down field.
  5. Select ‘Revoke access’ and then press the OK button.  Assuming that you set the original document to check its license, the next time a license check happens, access is revoked.

    A more granular result can be achieved using the ‘Grant limited access’ option.

    Here you are able to set start and end dates for access that override the values set when the document was originally protected.  Provided there is a license check for the document, this control will override the original setting.  You could set the ‘Until’ date to yesterday, for example, and access would stop. You can also go back later and change these dates, with the new ones overriding the old.

  Revoke document access for multiple users

You can revoke access for multiple users to multiple documents in one go.

  1. Select the ‘Documents’ tab and press the ‘Details’ arrows next to the document you want to revoke.
  2. Then under the ‘Manage access’ heading, you can select all the customers who have been granted access to the document via the ‘View customers with access’ link.
  3. You can use the Filter to reduce the number of customers selected.  You can check the records that you want to revoke or use the option to check all of them, and then you have the same options as before, applied to a larger number of users instead of just one.

   FAQs

What does revoke access mean?

Revoking access to a document involves removing the user’s authorization or ability to view and interact with the document without necessarily deleting the file itself.  This is typically achieved through the use of encryption and the removal of access to the decryption key – a revoked document becomes indecipherable if a user does not have the relevant key to decrypt it.

What does limited access to a document mean?

Limited access to a document simply means that the user can only use the document under certain terms.  This could mean that the ability to view the document is removed after a certain date, but it could equally refer to:

  • The use of location or IP locking to make the document accessible only in specific places.
  • The ability to use a document only on certain devices.
  • Granting the ability to view a document, but not edit or print it.
  • Allowing only a certain number of views or prints.
How do you revoke someone’s access to a document?

If you protect it with Locklizard Safeguard before you distribute it, then it is a simple matter of removing authorization to view it.  Just take a look at the “Revoke document access for a single user” section above for a step-by-step guide on how to revoke authorization to a PDF.

Can you revoke authorization to print a PDF?

Yes, using Safeguard you can change the number of prints allowed to zero.  You can also make the document no longer accessible once a certain number of prints have been made.

How do I open an expired PDF document?

The only way to open a revoked document or expired document protected by Locklizard is to contact the seller or administrator.  You may also be able to re-subscribe to their service or renew a license via their website.

Can Locklizard revoke files that are not in the PDF format?

No, Locklizard DRM only works with PDF files.  Microsoft Office files have to be converted to PDF format first.  Once converted you can then revoke PDF file access in Sharepoint for example using Locklizard.

Can I use Locklizard to revoke email attachments in Microsoft Outlook & Gmail?

If the email attachments are PDF files, then yes.  You can send a secure PDF just like any other file and instantly revoke or automatically expire it after a period of time or use.

Can you set an offline policy period using Locklizard?

Yes, with Safeguard Enterprise you can specify the number of days users can view documents offline before they have to connect to a licensing server.

   Download PDF Revocation Software

Download document revocation software that uses US Government strength encryption and digital rights management controls to revoke authorization to PDF files.   Automatically expire PDFs after a given period of time and revoke PDF documents instantly.

  • Expire PDF files on a date
  • Expire PDFs after a number of days from first use
  • Expire PDFs after a number of opens (views) or prints
  • Expire user access to one, multiple, or all PDFs
  • Revoke PDF files and users manually at any time

Safeguard PDF Security and Enterprise PDF DRM enable you to automatically expire PDF files and revoke PDFs instantly.  You can additionally protect PDF files against copying, printing, editing, and unauthorized distribution and lock PDF files to individual devices and locations so they cannot be shared, watermark PDFs and track use.

Customer Testimonials