Who am I? How to use Microsoft Office Permission/UserPermission

Posted on 2009-12-21
Last Modified: 2013-11-25
Microsoft Office documents, im my case: PowerPoint presentations, can have restricted permissions. How can I find out, programmatically, which permissions my code has on a given document?

All I can find on MSDN on this topic is this:

If I run the attached code, I get a list of users that have permissions on the given document. The "Permission" is a bitmap the definition for which I found in Microsoft's public COM header files (see next to code).

Still, this does not tell me which particular permissions my code has. If I only knew who I am (in terms of a UserPermission.UserId), I could look up my permissions in the Permission object. But I cannot find that bit of information. What am I missing?

There are known ways to obtain the Windows user name (the login name for the current user on that Windows machine). Unfortunately, this is not the user id that is checked against when PowerPoint decides which permissions I have on the document. To emphasize: PowerPoint provides a UI that lets me change "who I am" at run time. Obviously, this does not change the login use name (i.e., the name returned by ADVAPI). The user names PowerPoint is referring to, are identified/authorized via Microsoft's Passport.

Thanks in advance!

Sub test()

  Dim perm As Office.Permission

  Set perm = ActivePresentation.Permission

  Dim uperm As Office.UserPermission

  For Each uperm In perm

    Debug.Print uperm.UserId & ", " & uperm.Permission

  Next uperm

End Sub

enum MsoPermission


  msoPermissionView = 1,

  msoPermissionRead = 1,

  msoPermissionEdit = 2,

  msoPermissionSave = 4,

  msoPermissionExtract = 8,

  msoPermissionChange = 15,

  msoPermissionPrint = 16,

  msoPermissionObjModel = 32,

  msoPermissionFullControl = 64,

  msoPermissionAllCommon = 127


Open in new window

Question by:think-cell
    LVL 21

    Expert Comment

    Maybe this reference will help:

    Note this:
    Microsoft Office Information Rights Management supports the use of administrative permission policies which list users and groups and their document permissions. Use the ApplyPolicy method to apply a permission policy, and the PermissionFromPolicy, PolicyName, and PolicyDescription properties to return policy information.
    Use of the Permission object raises an error when the Windows Rights Management client is not installed.


    Author Comment

    Glenna, Thank you for your remark. As mentioned in my question, I already studied the documentation you are referring to. For clarification, I enhanced my code sample, see below. I also add some sample output from the enhanced code sample (email addresses obfuscated, obviously). I may be missing the obvious here, but I cannot see how from this information I could derive which permission I actually have on that document.
    Sub test()
        Dim perm As Office.Permission
        Set perm = ActivePresentation.Permission
        Debug.Print "Enabled=" & perm.Enabled
        If perm.Enabled Then
            Debug.Print "PermissionFromPolicy=" & perm.PermissionFromPolicy
            Debug.Print "PolicyName=" & perm.PolicyName
            Debug.Print "PolicyDescription=" & perm.PolicyDescription
            Dim uperm As Office.UserPermission
            For Each uperm In perm
                Debug.Print uperm.UserId & ", " & uperm.Permission
            Next uperm
        End If
    End Sub
    Sample output:
    PolicyName=Do Not Distribute
    PolicyDescription=Permission is currently restricted. Only specified users can access this content., 64, 33, 33

    Open in new window

    LVL 21

    Expert Comment

    I'm finding diddly on this particular object.  I really suck at writing VB, but I'm actually pretty good at being a set of different eyes. :-)
    I'll keep looking.  You might want to post at an alternative forum:

    Accepted Solution

    I have opened a ticket with Microsoft on this (SRQ091221600157). After a lengthy discussion with Microsoft Support, the ticket is still pending but I think it is already safe to say that there is no explicit way to obtain the information I need.

    Microsoft explicitly states that there is no API in PowerPoint to obtain either the identity that was used to open a presentation, or the currently active permissions. A feature request to add that API has been filed.

    If you are in a closed environment with your own Rights Management Server, the approaches detailed in the Code section below would probably work (quoting Microsoft Support, I did not test this myself).

    However, these approaches do not work for identities that use online IRM services (Microsoft Passport). Also, even with your own Rights Management Server, it may be possible to change your identity in PowerPoint at runtime, in which case the above approaches probably would not yield the desired results (I did not investigate this any further).

    I the end, I had to come up with a workaround that tests the permissions I need by trying to run some representative API call and then checking if the call failed.

    Thank you for your contributions,
    1) Using the COM object ADSystemInfo object.
    Dim objADSystemInfo As Object
    Dim objUser As Object
    objADSystemInfo = CreateObject("ADSystemInfo")
    objUser = GetObject("LDAP://" + objADSystemInfo.UserName)
    objUser.Get("mail")  'This will return the AD email id 
    'We can use this to include in the permission related code that you had sent 
    If (uperm.UserId = objUser.Get("mail")) Then
        'You can get the permission uperm.Permission for this userid (current logged in)
        MsgBox(uperm.UserId & "logged in user") 
        MsgBox(uperm.UserId & "other user")
    End If
    2) Using the .NET approach
    Dim oDS = New System.DirectoryServices.DirectorySearcher
    Dim strUserName As String = Environment.UserName
    Dim strFilter As String = "(&(objectCategory=User)(samAccountName=" & strUserName & "))"
    oDS.Filter = strFilter
    Dim oSr As System.DirectoryServices.SearchResult = oDS.FindOne()
    Dim oUser As System.DirectoryServices.DirectoryEntry
    oUser = oSr.GetDirectoryEntry()
    Here is the article that explains about these approaches

    Open in new window


    Author Comment

    Today I received an additional answer from Microsoft (still regarding SRQ091221600157) which actually seems to solve the problem, at least in my particular instance. This approach still smells like work-around and there is no documentation that would confirm that it actually works, but it seems plausible enough and withstands some ad-hoc tests. And, it feels much less patchy than any other work-around I came up with. It goes like this:

    Only users with msoPermissionFullControl can see permissions of other users (undocumented assumption). Thus, if a user does not have msoPermissionFullControl, the Permission collection contains exactly one item and this item reflects the current user's permissions. If the permission collection contains multiple items, this means that the current user must have msoPermissionFullControl. Also, the current user must be visible in the Permission collection, but there is still no way to find out which of the identities in the Permission collection represents the current user.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Top 6 Sources for Identifying Threat Actor TTPs

    Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

    Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
    This article will show you how to use shortcut menus in the Access run-time environment.
    This video shows where to find the word count, how to display it, and what it breaks down to in Microsoft Word.
    The viewer will learn how to  create a slide that will launch other presentations in Microsoft PowerPoint. In the finished slide, each item launches a new PowerPoint presentation and when each is finished it automatically comes back to this slide: …

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now