Excel Services part 8: Controlling and protecting spreadsheets


To this point in my discussion of Excel Services, I have written primarily about the user-facing part of Excel Services – all the things customers can do with Excel Web Access and Excel Web Services in order to execute and interact with workbooks on the server.  In the next two posts, I plan to cover some of the security aspects of Excel – how customers who deploy Excel Services can “lock down” and protect key spreadsheets.


In my overview of Excel Services, I mentioned that a request that we frequently hear from customers is the ability to limit access to spreadsheets, either for regulatory and audit concerns or to protect proprietary information in spreadsheets.  To address this requirement, one of the main things that we’ve done (in addition to allowing users to execute and view spreadsheets on the server) is extend the Windows SharePoint Services (SharePoint) architecture with a new “right”, which we call the “View Item” right.


Before I get into exactly what the View Item right is, let me give a bit of background on what SharePoint is, and how it relates to Excel Services.  As I’ve mentioned in previous posts, Excel Services is built as part of the SharePoint products and technologies platform.  For the context of this conversation on the View Item right, consider SharePoint as a document store on the server – users can save and version files, administrators can control access permissions, etc., all via any browser.  (Note: SharePoint does *a lot* more than this – in addition to being a document store, SharePoint provides many more features which you can read about here.)


Currently, SharePoint administrators can give users “Reader” rights (look at content), “Contributor” rights (look at, change, and add to content), or “Administrator” rights (full control).  One way to think of this is as similar to a regular file system and the file access rights that can be set there (e.g. read only, read/write, etc.).


With the View Item right that we are adding, customers can lock down spreadsheets that have been published to SharePoint (this right is specific to SharePoint document libraries and does not work with workbooks stored in UNC shares or generic HTTP locations) such that users can open the spreadsheets using Excel Services, interact with the workbooks, and see the execution results, but can’t download a copy of the spreadsheet, or access any areas that were not published as viewable on the server.  This hides any proprietary information contained within the book – specific formulas, the proprietary model, the external data connections, and hidden elements of the book – all of these things become inaccessible to users.


Let’s look at some examples of how View Item can be used in an Excel Services solution.  Imagine a workbook that takes several inputs, and then calculates discount rates for a large retailer.  The discount rate for any specific distributor is dependent on many factors – what quantity of product is purchased, the time of year, and the number of previous transactions for a given distributor – and of course, this discount rate formula is carefully guarded by the retailer since it determines the profit made on each transaction.  With Excel Services, this retailer can now grant distributors the View Item right to the workbook containing this sensitive model, without having to worry that they will actually be able to download or see the model.


The View Item right affects how both Excel Web Access and Excel Web Services allow access to a workbook. Let’s look at the specific elements that are affected:


1. Which portions of the workbook can be accessed by a user:  When a user only has the View Item right, they can only see the portions of the workbook that have been marked as viewable on the server during the publish process.



View Item right prevents users from seeing ranges that were not marked as viewable during publish


2. Which portions of the workbook can be opened in Excel:  While users with the Reader right can always open the original workbook in Excel if they want to see the model/formulas/data connections/etc., users with the View Item right can only open a snapshot of the original workbook in Excel.  A snapshot is much like what you would get with a copy/paste values and formatting, so that the user can see the numbers, but none of the proprietary information behind those numbers (formulas, connections, etc.), since that information is not contained in the snapshot.  And, of course, they can only see the numbers for the portions of the workbook that were marked as visible on the server.



Workbook contains formulas and other proprietary information



Snapshot contains only the numerical values and formatting


These examples focus on accessing the spreadsheet through the browser using Excel Web Access.  Similarly, if an application accesses the spreadsheet through Excel Web Services, the View Item right is enforced.  For example, issuing a “GetRangeA1” call to a range that has not been marked as viewable will result in an exception, as will “GetWorkbook”.
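The View Item behaviour described above, as an added Python model that is not part of the original post and is not Excel Services code. The class, method and right names are hypothetical, the workbook data is constructed, and letting a Reader read any range is an assumption made because the post says Readers can always open the original workbook.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Stands in for the exception the post says the server raises."""


@dataclass(frozen=True)
class Cell:
    value: float
    formula: Optional[str] = None  # proprietary model logic


@dataclass
class PublishedWorkbook:
    cells: Dict[str, Cell]  # A1 address -> cell
    viewable: Set[str]      # addresses marked viewable during publish

    def get_range(self, right: str, addresses: List[str]) -> Dict[str, float]:
        """Model of a GetRangeA1-style read: values only, never formulas."""
        if right == "view_item":  # assumption: Reader is not range-limited
            hidden = [a for a in addresses if a not in self.viewable]
            if hidden:
                raise AccessDenied(f"not marked viewable: {hidden}")
        return {a: self.cells[a].value for a in addresses}

    def get_workbook(self, right: str) -> Dict[str, Cell]:
        """Model of GetWorkbook: the original file, formulas included."""
        if right == "view_item":
            raise AccessDenied("View Item cannot retrieve the original workbook")
        return dict(self.cells)

    def open_snapshot(self) -> Dict[str, Cell]:
        """What a View Item user opens in Excel: viewable values, no formulas."""
        return {a: Cell(c.value) for a, c in self.cells.items() if a in self.viewable}


def leaked_formulas(cells: Dict[str, Cell]) -> List[str]:
    """Audit helper: addresses whose formula text reached the caller."""
    return sorted(a for a, c in cells.items() if c.formula)


def sample() -> PublishedWorkbook:
    # Constructed data echoing the retailer discount-rate scenario.
    cells = {"B1": Cell(500), "B2": Cell(0.12, "=Tier(B1)*Season"), "D9": Cell(0.31)}
    return PublishedWorkbook(cells=cells, viewable={"B1", "B2"})
```

The same matrix of rights against calls makes a useful acceptance test for a real deployment: every View Item path should return values only, and only for ranges marked viewable.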


That sums up how users can lock down spreadsheets to protect proprietary information/ensure everyone is looking at the latest sanctioned version using the new View Item right within SharePoint.  Next, more about some of the security functionality that we’ve built into Excel Services – how Excel Services decides whether or not to execute a workbook, how it connects to external data sources, and how it integrates with some of the other security features in SharePoint like versioning, IRM, and document approval.


Published Tuesday, November 22, 2005 5:16 PM by David Gainer

Note: this article is translated from http://blogs.msdn.com/excel; the original author is David Gainer (a Microsoft employee),
