Excel files and Access Denied on library with custom permission mask

Excel files and Access Denied on library with custom permission mask

Whenever you are creating permission masks you can tweak quite a few settings to your liking. However they might have some unexpected consequences. I encountered some issues with a custom permission mask and the use of Excel files. For some reason all of the Excel files that we would open from any library would throw an Access Denied. While if we would open a Word document (or anything else for that matter) with the same permission mask everything was fine. So eventhough we have enough 'rights' to open files, we still encountered an access denied.

Checking the ULS logs we found nothing special, but after searching the internet we found the following support article: http://support.microsoft.com/kb/2498047. Now it explains that anonymous users do not have the "OpenItems" rights on the Document Library, and thus encounter access denied issues when opening Excel files. So we started checking our permission mask. Even though the user was not anonymous, but authenticated with a custom permission mask, the mask itself was indeed missing the OpenItems permission. As the documentation states it is for viewing the source of the file using a handler, we can assume that at some point there is some sort of handler coming along and get requests as soon as you are opening Excel files.

The reason we deselected that checkbox in our permission mask was to prevent users to view stuff like the allitems.aspx, so in order to get that working again there are two steps you have to do to fix your permission mask and get it to work again:

  • Selected the open documents checkbox so that users can see Excel files
  • Enable the ViewFormPagesLockdown feature

Enabling the ViewFormPagesLockdown can be easily done using the following PowerShell cmdlet:

Enable-SPFeature -url http://url -identity 7c637b23-06c4-472d-9a9a-7c175762c5c4

After these two steps your permission mask allows you to open Excel files, and you will no longer get an access denied and you still won’t be able to access pages like /allitems.aspx on lists or /_layouts/viewlsts.aspx.

Leave a Reply