How to: Grant Permissions to Documents and Workbooks in Shared Locations (2003 System)
The information in this topic applies only to the specified Visual Studio Tools for Office projects and versions of Microsoft Office.
Microsoft Office version
For more information, see Features Available by Application and Project Type.
If the location of a Microsoft Office 2003 document is not secure (for example, a SharePoint site or file share that users—possibly including malicious users—can write to), or if you are not sure who has permission to upload content, you can grant permissions only to documents and workbooks in the location, rather than to all content. You do this by using the Office Document Membership Condition, and modifying the security policy to check for this condition on the computers on which your solution will run. For more information about setting security policy on end user computers, see Deploying Security Policy.
When you use the Office Document Membership Condition, only Office documents are trusted. Assemblies and executables at the same location do not match the document condition, so they resolve only to the parent code group (which grants Nothing) and are not granted permissions to run from the share.
You can use Visual Studio command-line tools or the .NET Framework 2.0 Configuration tool to create custom code groups. Both methods are explained below. However, the .NET Framework 2.0 Configuration tool is not included with Visual Studio 2008. You can download the tool as part of the .NET Framework 2.0 SDK from the Microsoft Download Center. For an example, see .NET Framework 2.0 Software Development Kit (SDK) (x86).
To create a custom code group using command-line tools
Open the Visual Studio command prompt. If the computer does not have Visual Studio installed, open a Microsoft Windows command prompt and change to the Microsoft .NET Framework directory for the version of the Framework you are working with. For example:
Type the following commands, replacing the sample locations, names and descriptions with the appropriate ones for your environment:
gacutil -i "C:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll"
caspol -m -ag LocalIntranet_Zone -url \\ServerName\FolderName\* Nothing -n "My Data Folder" -d "Intermediate group for my documents"
caspol -m -ag "My Data Folder" -custom "C:\Program Files\Microsoft Office\Office11\Addins\Msosec.xml" FullTrust -n "My Data Documents" -d "Grants FullTrust to all documents in my data folder"
Type the commands manually. Copying and pasting the commands into the command prompt might result in Unknown Option errors.
Before you can use the .NET Framework 2.0 Configuration tool, you must download and install the .NET Framework 2.0 Software Development Kit (SDK) from the Microsoft Download Center.
When you use the .NET Framework 2.0 Configuration tool, follow these basic steps:
Add Msosec.dll to the global assembly cache (GAC). Msosec.dll is the assembly that implements Microsoft.Office.Security.Policy.OfficeDocumentMembershipCondition, which is used to identify documents and workbooks. You can find Msosec.dll in the ADDINS folder under your Office installation location, which by default is \Program Files\Microsoft Office\OFFICE11\ADDINS.
Create a code group for the server or specific folder that uses a restrictive permission set (for example, Nothing or LocalIntranet).
Create a second code group underneath the first that grants full trust to Office documents.
If you use Msosec in your policy, it has a negative impact on the performance of all managed code on the computer, not only of Office solutions. Do not add Msosec to servers or other computers where it is not required.
To add Msosec.dll to the assembly cache
Log on to the computer as an administrator.
In Control Panel, open Administrative Tools and then run Microsoft .NET Framework 2.0 Configuration.
Under the Console Root node, expand .NET Framework 2.0 Configuration, and then expand My Computer.
Right-click Assembly Cache and then click Add.
Navigate to Msosec.dll inside the Office installation folder. For example:
C:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll
Select Msosec.dll and then click Open to add the file to the assembly cache.
To create a code group with restricted permissions for the server or folder
Under the Machine node, expand Code Groups, then All_Code.
Right-click LocalIntranet_Zone and then click New.
This step assumes that the server is in the Local Intranet zone. If it has been added to the Trusted Sites zone in Internet Explorer, right-click Trusted_Zone instead.
Give the code group a name. For this example, use Customer Data Folder.
This code group does not grant any permissions to the folder; it is just a container for the next code group.
Select URL in the Choose the condition type for this code group list.
In the URL text box, type the path to the shared folder, followed by an asterisk.
The asterisk on the end is important, because it makes the code group match all files and sub-folders in this folder, not just the folder itself. For example:
Select Nothing in the Use existing permission set list.
The default value is FullTrust. You must change this to Nothing to avoid granting full permissions to all files in the specified location.
Click Next, and then click Finish.
To create a code group granting full trust to Office documents
Right-click the new code group, in this example named Customer Data Folder, and then click New.
Give the code group a name. For this example, use Customer Data Documents.
Select (custom) in the Choose the condition type for this code group list.
Click Import and then navigate to Msosec.xml inside the Office installation folder. For example:
C:\Program Files\Microsoft Office\Office11\Addins\Msosec.xml
Select Msosec.xml and then click Open to import the XML custom code condition.
Select FullTrust in the Use existing permission set list.
Click Next, and then click Finish.
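The following batch file is an added example, not part of the original topic; it scripts the three command-line steps from the first procedure, which are the same three steps the configuration tool procedure performs by hand, and then lists the result so you can confirm the policy change. The share path, the code group names, and the assumption that gacutil and caspol are on the PATH (as in a Visual Studio command prompt) and return a nonzero exit code on failure are assumptions for this example; adjust them for your environment, and use Trusted_Zone instead of LocalIntranet_Zone as the parent if the server is in the Trusted Sites zone.

```batch
@echo off
setlocal
rem Added example (not from the original topic). Creates the two code groups that
rem grant FullTrust only to Office documents on a share, then verifies the result.
rem Assumed values; change them for your environment.
set "OFFICE_ADDINS=C:\Program Files\Microsoft Office\Office11\Addins"
set "SHARE_URL=\\ServerName\FolderName\*"
set "PARENT_GROUP=My Data Folder"
set "DOC_GROUP=My Data Documents"

rem 1. Put the assembly that implements OfficeDocumentMembershipCondition in the GAC.
gacutil -i "%OFFICE_ADDINS%\Msosec.dll"
if errorlevel 1 goto fail

rem 2. Parent group: URL condition on the share, permission set Nothing.
rem    It is only a container; files on the share get no permissions from it.
rem    -q suppresses the "Are you sure?" prompt for this one command.
caspol -q -m -ag LocalIntranet_Zone -url %SHARE_URL% Nothing -n "%PARENT_GROUP%" -d "Intermediate group for my documents"
if errorlevel 1 goto fail

rem 3. Child group: custom Office document condition imported from Msosec.xml,
rem    permission set FullTrust. Only documents and workbooks match it; an assembly
rem    or executable on the share still resolves only to the parent's Nothing.
caspol -q -m -ag "%PARENT_GROUP%" -custom "%OFFICE_ADDINS%\Msosec.xml" FullTrust -n "%DOC_GROUP%" -d "Grants FullTrust to all documents in my data folder"
if errorlevel 1 goto fail

rem 4. Verify: Msosec is listed in the GAC, and both new groups appear in the
rem    machine-level code group tree under LocalIntranet_Zone.
gacutil -l Msosec
caspol -m -lg
echo Policy updated. To roll back, remove the parent group (its child is removed with it):
echo   caspol -q -m -rg "%PARENT_GROUP%"
exit /b 0

:fail
echo Policy update failed; see the error above. Steps that already succeeded were not undone.
exit /b 1
```

Check the output of caspol -m -lg before relying on the policy: the parent group must show the Nothing permission set and the child group must be nested directly under it, otherwise the document condition is being evaluated in the wrong place.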
For more information about granting trust, see Configuring Security Policy Using the .NET Framework Configuration Tool (Mscorcfg.msc) and Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe).