Geek Answers Handbook

Who am I? How to use Microsoft Office / UserPermission permission

Microsoft Office documents, in my case: PowerPoint presentations, may have limited permissions. How can I find out, programmatically, what permissions of my code are in this document?

All I can find on MSDN on this topic is: http://msdn.microsoft.com/en-us/library/aa432118.aspx

If I run the following code, I get a list of users who have permissions for this document:

Sub test() Dim perm As Office.Permission Set perm = ActivePresentation.Permission Debug.Print "Enabled=" & perm.Enabled If perm.Enabled Then Debug.Print "PermissionFromPolicy=" & perm.PermissionFromPolicy Debug.Print "PolicyName='" & perm.PolicyName & "'" Debug.Print "PolicyDescription='" & perm.PolicyDescription & "'" Dim uperm As Office.UserPermission For Each uperm In perm Debug.Print uperm.UserId & ", " & uperm.Permission Next uperm End If End Sub

Output Example:

 Enabled=True PermissionFromPolicy=False PolicyName='Do Not Distribute' PolicyDescription='Permission is currently restricted. Only specified users can access this content.' john@doe.com, 64 user@system.de, 33 myname@example.com, 33

"Resolution" is a bitmap whose definition I found in Microsoft's public header files:

 enum MsoPermission { msoPermissionView = 1, msoPermissionRead = 1, msoPermissionEdit = 2, msoPermissionSave = 4, msoPermissionExtract = 8, msoPermissionChange = 15, msoPermissionPrint = 16, msoPermissionObjModel = 32, msoPermissionFullControl = 64, msoPermissionAllCommon = 127 };

However, this does not tell me what specific permissions my code has. If I only knew who I was (in terms of UserPermission.UserId), I could find my rights in the Permission object. But I can not find this information. What am I missing?

Known methods for obtaining a Windows username (username for the current user on this Windows machine). Unfortunately, this is not the user ID that is checked when PowerPoint decides what permissions I have in the document. To emphasize: PowerPoint provides a user interface that allows me to change who I am at runtime. Obviously, this does not change the login username (that is, the name returned by ADVAPI). PowerPoint usernames refer to them, are identified / authorized through Microsoft Passport.

Thanks in advance! Volker

+7
vba ms-office permissions com
source share
3 answers

Today I received an additional answer from Microsoft (still related to SRQ091221600157) which seems to solve the problem, at least in my particular case. This approach still smells like work, and there is no documentation that confirms that it really works, but it seems pretty believable and withstands some special tests. And he feels a lot less spotty than any other work that I have come across. This happens as follows:

Only users with msoPermissionFullControl can see the permissions of other users (undocumented assumption). Thus, if the user does not have msoPermissionFullControl, the Permission collection contains exactly one element, and this element reflects the current user rights. If the collection of permissions contains several elements, this means that the current user must have msoPermissionFullControl. In addition, the current user must be visible in the Permission collection, but there is still no way to find out which identifier in the permission collection the current user represents.

0
source share

Try using one of the GetUserName (), GetUserNameW (), or GetUserNameA () functions and declare them as follows:

 Private Declare Function GetUserName Lib "advapi32.dll" Alias _ "GetUserName" (ByVal lpBuffer As String, nSize As Long) As Long

Also see the MSDN for GetUserName .

You need a dim string of length 255 and pass the value 254 as the nSize parameter. This string is passed to ByVal back to the caller. You may need a left() string before you can use it to compare with uperm.UserId .

+1
source share

I opened a ticket with Microsoft on this (SRQ091221600157). After a long discussion with Microsoft support, the ticket remains under consideration, but I think that we can already say that there is no obvious way to get the information I need.

Microsoft explicitly states that there are no APIs in PowerPoint to get either the identifier used to open the presentation or the current active permissions. A function request to add this API has been registered.

If you are in a closed environment with your own rights management server, the following approaches may work (quoting Microsoft Support, I have not tested this myself):

1) Using the COM object of the ADSystemInfo object.

 Dim objADSystemInfo As Object Dim objUser As Object objADSystemInfo = CreateObject("ADSystemInfo") objUser = GetObject("LDAP://" + objADSystemInfo.UserName) objUser.Get("mail") 'This will return the AD email id 'We can use this to include in the permission related code that you had sent If (uperm.UserId = objUser.Get("mail")) Then 'You can get the permission uperm.Permission for this userid (current logged in) MsgBox(uperm.UserId & "logged in user") Else MsgBox(uperm.UserId & "other user") End If

2) Using the .NET approach

 Dim oDS = New System.DirectoryServices.DirectorySearcher Dim strUserName As String = Environment.UserName Dim strFilter As String = "(&(objectCategory=User)(samAccountName=" & strUserName & "))" oDS.Filter = strFilter Dim oSr As System.DirectoryServices.SearchResult = oDS.FindOne() Dim oUser As System.DirectoryServices.DirectoryEntry oUser = oSr.GetDirectoryEntry() MessageBox.Show(oUser.InvokeGet("mail"))

Here is an article that explains these approaches -
http://www.microsoft.com/technet/scriptcenter/resources/pstips/dec07/pstip1207.mspx

However, these approaches do not work for identifiers that use Microsoft Passport (IRM) online services. In addition, even with your own RMS server, it may be possible to change your identity in PowerPoint at runtime, in which case the above approaches probably will not produce the desired results (I have not researched this yet).

In the end, I had to come up with a workaround that checks the permissions I need, trying to run some kind of representative API call, and then check if the call has called.

Thanks for your contributions,
Volker

+1
source share

More articles:


All Articles