How to: Grant Permissions to Documents and Workbooks in Shared Locations (2003 System)

Applies to

The information in this topic applies only to the specified Visual Studio Tools for Office projects and versions of Microsoft Office.

Project type

  • Document-level projects

  • Application-level projects

Microsoft Office version

  • Microsoft Office 2003

For more information, see Features Available by Application and Project Type.

If the location of a Microsoft Office 2003 document is not secure (for example, a SharePoint site or file share that users—possibly including malicious users—can write to), or if you are not sure who has permission to upload content, you can grant permissions only to documents and workbooks in the location, rather than to all content. You do this by using the Office Document Membership Condition, and modifying the security policy to check for this condition on the computers on which your solution will run. For more information about setting security policy on end user computers, see Deploying Security Policy.

When you use the Office Document Membership Condition, only Office documents are trusted; assemblies and executables are not granted permissions to be run from the share.

You can use Visual Studio command-line tools or the .NET Framework 2.0 Configuration tool to create custom code groups. Both methods are explained below. However, the .NET Framework 2.0 Configuration tool is not included with Visual Studio 2008. You can download the tool as part of the .NET Framework 2.0 SDK from the Microsoft Download Center. For an example, see .NET Framework 2.0 Software Development Kit (SDK) (x86).

Creating a Custom Code Group by Using Visual Studio Command-Line Tools

To create a custom code group using command-line tools

  1. Open the Visual Studio command prompt. If the computer does not have Visual Studio installed, open a Microsoft Windows command prompt and change to the Microsoft .NET Framework directory for the version of the Framework you are working with. For example:

    %systemroot%\Microsoft.NET\Framework\v2.0.50727
    
  2. Type the following commands, replacing the sample locations, names and descriptions with the appropriate ones for your environment:

    gacutil -i "C:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll"

    caspol -m -ag LocalIntranet_Zone -url \\ServerName\FolderName\* Nothing -n "My Data Folder" -d "Intermediate group for my documents"

    caspol -m -ag "My Data Folder" -custom "C:\Program Files\Microsoft Office\Office11\Addins\Msosec.xml" FullTrust -n "My Data Documents" -d "Grants FullTrust to all documents in my data folder"
    

    Tip

    Type the commands manually. Copying and pasting the commands into the command prompt might result in Unknown Option errors.

Creating a Custom Code Group by Using the .NET Framework Configuration Tool

Before you can use the .NET Framework 2.0 Configuration tool, you must download and install the .NET Framework 2.0 Software Development Kit (SDK) from the Microsoft Download Center.

When you use the .NET Framework 2.0 Configuration tool, follow these basic steps:

  • Add Msosec.dll to the global assembly cache (GAC). Msosec.dll is the assembly that implements Microsoft.Office.Security.Policy.OfficeDocumentMembershipCondition, which is used to identify documents and workbooks. You can find Msosec.dll in the ADDINS folder under your Office installation location, which by default is \Program Files\Microsoft Office\OFFICE11\ADDINS.

  • Create a code group that has restricted permissions for the server or specific folder (for example, Nothing or LocalIntranet_Zone permissions).

  • Create a second code group underneath the first that grants full trust to Office documents.

    Note

    If you use Msosec in your policy, it will have a negative impact on performance for all managed code on the computer. It is recommended that you not add Msosec to servers or other computers where it is not required.

To add Msosec.dll to the assembly cache

  1. Log on to the computer as an administrator.

  2. In Control Panel, open Administrative Tools and then run Microsoft .NET Framework 2.0 Configuration.

  3. Under the Console Root node, expand .NET Framework 2.0 Configuration, and then expand My Computer.

  4. Right-click Assembly Cache and then click Add.

  5. Navigate to Msosec.dll inside the Office installation folder. For example:

    C:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll

  6. Select Msosec.dll and then click Open to add the file to the assembly cache.

To create a code group with restricted permissions for the server or folder

  1. Under the Machine node, expand Code Groups, then All_Code.

  2. Right-click LocalIntranet_Zone and then click New.

    This step assumes that the server is in the Local Intranet zone. If it has been added to the Trusted Sites zone in Internet Explorer, right-click Trusted_Zone instead.

  3. Give the code group a name. For this example, use Customer Data Folder.

    This code group does not grant any permissions to the folder; it is just a container for the next code group.

  4. Click Next.

  5. Select URL in the Choose the condition type for this code group list.

  6. In the URL text box, type the path to the shared folder.

    The asterisk on the end is important, because it applies the permissions to all files and sub-folders in this folder. For example:

    \\ServerName\ShareName\*

  7. Click Next.

  8. Select Nothing in the Use existing permission set list.

    The default value is FullTrust. You must change this to Nothing to avoid granting full permissions to all files in the specified location.

  9. Click Next, and then click Finish.

To create a code group granting full trust to Office documents

  1. Right-click the new code group, in this example named Customer Data Folder, and then click New.

  2. Give the code group a name. For this example, use Customer Data Documents.

  3. Click Next.

  4. Select (custom) in the Choose the condition type for this code group list.

  5. Click Import and then navigate to Msosec.xml inside the Office installation folder. For example:

    C:\Program Files\Microsoft Office\Office11\Addins\Msosec.xml

  6. Select Msosec.xml and then click Open to import the XML custom code condition.

  7. Click Next.

  8. Select FullTrust in the Use existing permission set list.

  9. Click Next, and then click Finish.

For more information about granting trust, see Configuring Security Policy Using the .NET Framework Configuration Tool (Mscorcfg.msc) and Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe).
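The following check is an added example, not part of the original topic or of any Microsoft tool. It reads saved output of `caspol -m -lg` and flags URL code groups that grant permissions to all content in a location, or that have no child group granting FullTrust. The sample output is constructed, and the server paths and the text shown for the Msosec custom condition are assumptions.

```python
import re

# Constructed sample of `caspol -m -lg` output (not captured from a real machine).
# The label shown for the custom Msosec condition ("Office Document") is an assumption.
SAMPLE = r"""
Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
      1.2.3.  Url - file://ServerName/FolderName/*: Nothing
         1.2.3.1.  Office Document: FullTrust
      1.2.4.  Url - file://ServerName/Drop/*: FullTrust
      1.2.5.  Url - file://ServerName/Empty/*: Nothing
   1.3.  Zone - Internet: Internet
Success
"""

# "<label>.  <membership condition>: <permission set>"; the greedy middle group
# splits on the last ": " so the colon in "file://" stays in the condition.
GROUP = re.compile(r"^\s*(\d+(?:\.\d+)*)\.\s+(.+): (.+?)\s*$")

def parse_groups(text):
    """Return (label, membership condition, permission set) per code group."""
    return [m.groups() for m in map(GROUP.match, text.splitlines()) if m]

def audit_url_groups(text):
    """Flag URL code groups that do not follow the Nothing-parent pattern."""
    groups = parse_groups(text)
    findings = []
    for label, cond, perm in groups:
        if not cond.startswith("Url - "):
            continue
        if perm != "Nothing":
            # The parent itself trusts everything in the location, assemblies included.
            findings.append((label, f"grants {perm} to all content in the location"))
            continue
        children = [g for g in groups if g[0].startswith(label + ".")]
        if not any(p == "FullTrust" for _, _, p in children):
            findings.append((label, "no child group trusts documents"))
    return findings

if __name__ == "__main__":
    for label, problem in audit_url_groups(SAMPLE):
        print(label, problem)
```

On the sample, group 1.2.4 is reported because its URL condition carries FullTrust, which is the result of leaving the default selected in step 8 of the restricted code group procedure.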
