Tech Trek – 2011.08.15
I was building an InfoPath form that requires security from certain users of the solution. One of those involve preventing access to the following context menu and ribbon menu options:
- Send To … Download a Copy
- Open with Explorer
Unfortunately, these options becomes a loophole if they are available for the security mechanism that I was planning to enforce through browser-based form services. Note, configuring the “Default open behaviour for browser-based documents” in Advanced settings of form library doesn’t prevent a user from selecting the “Edit in InfoPath” option from item menu.
Downloading a local copy allows the end-user to see any restricted views while allowing the “Open with Explorer” option opens the WebDAV folder that could give access to other files in the form library. Not good!
As I conduct my research, it’s amazing how many programmers came up with different solutions to resolve such issue. Although, some are simple to implement one key criteria that I had in mind is a “no-code” solution since that is what SharePoint offers in the first place. So with that principle applied, I ended with configuring the permission levels to disable or hide such menu options in both the 2010 ribbon menu and item dropdown without opening SharePoint Designer that could affect any future upgrade issues.
Note, I’m not going to provide the steps here since most SharePoint administration references would walk through such configuration but the key site permission options to note are the following:
- Use Remote Interfaces
- Use Client Integration Features (removes Edit in … option)
The best practice is to copy a default permission level and remove the particular permissions that you want to exclude. Just a reminder that disabling the above permissions may include other features that you may want for your site so make sure to “test early and test often” with different accounts that would use the system. Lastly, I created a separate list view page that is similar to the All Items view in a secure document library so that only site administrators have access to it for additional security measures.
The end result, problem solved without custom coding.