
How to: Grant Permissions to Documents and Workbooks in Shared Locations

Note: Required applications

The features in this topic are available only if you have the required applications installed.

For more information, see Features Available by Product Combination.

  • One of these development environments:

    VSTO 2005

    -or-

    Visual Studio Team System

  • Microsoft Office 2003

If the location of a Microsoft Office 2003 document is not secure (for example, a SharePoint site or file share that users—possibly including malicious users—can write to), or if you are not sure who has permission to upload content, you can grant permissions only to documents and workbooks in the location, rather than to all content. You do this by using the Office Document Membership Condition, and modifying the security policy to check for this condition on the computers on which your solution will run. For more information about setting security policy on end user computers, see Deploying Security Policy.

When you use the Office Document Membership Condition, only Office documents are trusted; assemblies and executables are not granted permissions to be run from the share.

You can use the .NET Framework configuration tool or Visual Studio command-line tools to create custom code groups. Both methods are explained below.

Creating a Custom Code Group Using the .NET Configuration Tool

When using the .NET Configuration Tool, the recommended practice is to:

  • Add Msosec.dll to the global assembly cache (GAC). Msosec.dll is the assembly that implements Microsoft.Office.Security.Policy.OfficeDocumentMembershipCondition, which is used to identify documents and workbooks. You can find Msosec.dll in the ADDINS folder under your Office installation location, which by default is \Program Files\Microsoft Office\OFFICE11\ADDINS.

  • Create a code group that has restricted permissions for the server or specific folder (for example, Nothing or LocalIntranet_Zone permissions).

  • Create a second code group underneath the first that grants full trust to Office Documents.

    Note

    If you use Msosec in your policy, it will have a negative impact on performance for all managed code on the computer. It is recommended that you not add Msosec to servers or other computers where it is not required.

To add Msosec.dll to the assembly cache

  1. Log on to the computer as an administrator.

  2. In the Control Panel, open Administrative Tools and then run Microsoft .NET Framework 2.0 Configuration.

  3. Under the Console Root node, expand .NET Framework 2.0 Configuration, and then expand My Computer.

  4. Right-click Assembly Cache and then click Add.

  5. Navigate to Msosec.dll inside the Office installation folder. For example:

    C:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll

  6. Select Msosec.dll and then click Open to add the file to the assembly cache.

To create a code group with restricted permissions for the server or folder

  1. Under the Machine node, expand Code Groups, then All_Code.

  2. Right-click LocalIntranet_Zone and then click New.

    This step assumes that the server is in the Local Intranet zone. If it has been added to the Trusted Sites zone in Internet Explorer, right-click Trusted_Zone instead.

  3. Give the code group a name. For this example, use Customer Data Folder.

    This code group does not grant any permissions to the folder; it is just a container for the next code group.

  4. Click Next.

  5. Select URL in the Choose the condition type for this code group list.

  6. In the URL text box, type the path to the shared folder.

    The asterisk on the end is important, because it applies the permissions to all files and sub-folders in this folder. For example:

    \\ServerName\ShareName\*

  7. Click Next.

  8. Select Nothing in the Use existing permission set list.

    The default value is FullTrust. You must change this to Nothing to avoid granting full permissions to all files in the specified location.

  9. Click Next, and then click Finish.

To create a code group granting full trust to Office documents

  1. Right-click the new code group, in this example named Customer Data Folder, and then click New.

  2. Give the code group a name. For this example, use Customer Data Documents.

  3. Click Next.

  4. Select (custom) in the Choose the condition type for this code group list.

  5. Click Import and then navigate to Msosec.xml inside the Office installation folder. For example:

    C:\Program Files\Microsoft Office\Office11\Addins\Msosec.xml

  6. Select Msosec.xml and then click Open to import the XML custom code condition.

  7. Click Next.

  8. Select FullTrust in the Use existing permission set list.

  9. Click Next, and then click Finish.
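
The nesting built by the two procedures above can be checked with a small model. This is an added example, not part of the original documentation: a simplified Python model of union code-group resolution that shows why the parent group must use Nothing and why the trailing asterisk matters. The class and function names and the is_office_document flag are assumptions, and only the branch added under the zone group is modelled, not the zone group's own permission set.

```python
class CodeGroup:
    """Simplified union code group: contributes its permission set only if
    its condition matches; children are checked only when the parent matched."""
    def __init__(self, name, condition, permission_set):
        self.name, self.condition = name, condition
        self.permission_set, self.children = permission_set, []

    def resolve(self, evidence):
        if not self.condition(evidence):
            return set()
        granted = {self.permission_set}
        for child in self.children:
            granted |= child.resolve(evidence)
        return granted

def url_condition(pattern):
    """URL condition; a trailing * covers all files and sub-folders."""
    p = pattern.lower()
    def match(evidence):
        url = evidence["url"].lower()
        return url.startswith(p[:-1]) if p.endswith("*") else url == p
    return match

def office_document(evidence):
    # Stand-in for OfficeDocumentMembershipCondition. How Msosec.dll
    # recognises a document is not modelled; the evidence carries a flag.
    return evidence["is_office_document"]

def build_policy(parent_set="Nothing", url=r"\\ServerName\ShareName\*"):
    parent = CodeGroup("Customer Data Folder", url_condition(url), parent_set)
    parent.children.append(
        CodeGroup("Customer Data Documents", office_document, "FullTrust"))
    return parent

def grant(policy, url, is_office_document):
    """Permission set this branch of the policy grants to one file."""
    evidence = {"url": url, "is_office_document": is_office_document}
    return "FullTrust" if "FullTrust" in policy.resolve(evidence) else "Nothing"

if __name__ == "__main__":
    share = "\\\\ServerName\\ShareName\\"   # constructed sample paths
    cases = [("as documented", build_policy()),
             ("parent left at FullTrust", build_policy(parent_set="FullTrust")),
             ("URL without *", build_policy(url=share.rstrip("\\")))]
    for label, policy in cases:
        print(label,
              "| document:", grant(policy, share + "Reports\\Q1.xls", True),
              "| assembly:", grant(policy, share + "Tools\\Helper.dll", False))
```

With the parent left at the wizard's default of FullTrust, the assembly on the share is granted full trust along with the documents; with the asterisk omitted, documents in sub-folders are not matched at all.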

Creating a Custom Code Group Using Visual Studio Command-Line Tools

To create a custom code group using command-line tools

  1. Open the Visual Studio command prompt. If the computer does not have Visual Studio installed, open a Microsoft Windows command prompt and change to the Microsoft .NET Framework directory for the version of the Framework you are working with. For example:

    %systemroot%\Microsoft.NET\Framework\v2.0.50727
    
  2. Type the following commands, replacing the sample locations, names and descriptions with the appropriate ones for your environment:

    gacutil -i "C:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll"

    caspol -m -ag LocalIntranet_Zone -url \\ServerName\FolderName\* Nothing -n "My Data Folder" -d "Intermediate group for my documents"

    caspol -m -ag "My Data Folder" -custom "C:\Program Files\Microsoft Office\Office11\Addins\Msosec.xml" FullTrust -n "My Data Documents" -d "Grants FullTrust to all documents in my data folder"
    
    Tip

    Type the commands manually. Copying and pasting the commands into the command prompt might result in Unknown Option errors.

For more information about granting trust, see Configuring Security Policy Using the .NET Framework Configuration Tool (Mscorcfg.msc) and Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe).

© 2014 Microsoft