ExcelHome 译者:rongjun 来源:http://blogs.msdn.com/excel
发表于:2006年7月7日
Excel Services part 8: Controlling and protecting spreadsheets
Excel服务第8部分:控制和保护数据表
To this point in my discussion of Excel Services, I have written primarily about the user-facing part of Excel Services – all the things customers can do with Excel Web Access and Excel Web Services in order to execute and interact with workbooks on the server. In the next two posts, I plan to cover some of the security aspects of Excel – how customers who deploy Excel Services can “lock down” and protect key spreadsheets.
在我以前的有关Excel服务的论述中,我主要介绍过Excel服务的用户界面部分——用户可以利用Excel Web Access和Excel Web服务完成这些操作,使得数据表在服务器上与工作簿相互结合。在下两篇文章中,我打算介绍一些Excel安全方面的知识——配置Excel服务的用户怎样才能“锁定”和保护关键数据表。
In my overview of Excel Services, I mentioned that a request that we frequently hear from customers is the ability to limit access to spreadsheets either for regulatory and audit concerns or to protect proprietary information in spreadsheets. To address this requirement, one of the main things that we’ve done (in addition to allowing users to execute and view spreadsheets on the server) is extended the Windows SharePoint Services (SharePoint) architecture with a new “right”, which we call a the “View Item” right.
在我的“Excel服务概览”这篇文章里,我提到过,用户经常给我们提出这样一个要求,要求我们提供限制访问数据表的功能,例如:管理和审核利害关系或者保护专有信息。为了达到这个要求,我们所做的主要事情就是给Windows SharePoint服务体系增加一个“权限”(除了允许用户在服务器上访问和查看数据表),我们把它叫做“查看项目”权限。
Before I get into exactly what the View Item right is, let me give a bit of background on what SharePoint is, and how it relates to Excel Services. As I’ve mentioned in previous posts, Excel Services is built as part of the SharePoint products and technologies platform. For the context of this conversation on the View Item right, consider SharePoint as a document store on the server – users can save and version files, administrators can control access permissions, etc., all via any browser (Note, SharePoint does *a lot* more than this – in addition to being a document store, SharePoint provides many more features which you can read about here).
在我还没有深入介绍什么是查看项目权限之前,让我先简单的介绍一下什么是SharePoint,它是怎样和Excel服务发生联系的。正如我在前面的文章中提到,Excel服务是基于SharePoint产品和技术平台的一部分。为了便于理解查看项目权限,在这里我们把SharePoint看作服务器上的一个文档库——用户可以保存和修改文件,管理员可以控制访问权限等等,所有这些通过任何一个浏览器都能实现(注:SharePoint还可以做更多的事情——除了作为一个文档库之外,SharePoint还提供更多的功能,你可以看这里)
Currently, SharePoint administrators can give users “Reader” rights (look at content), “Contributor” rights (look at, change, and add to content), or “Administrator” rights (full control). One way to think of this is similar to a regular file system and the file access rights that can be set (e.g. read only, read/write etc.)
通常,SharePoint管理员可以给用户“阅读”权限(查看内容),“投稿”权限(查看、修改和添加内容),或者“管理”权限(完全控制)。咋一看这与正式的文件系统很相似,可以设置文件的访问权限(例如只读、读/写等等)。
With the View Item right that we are adding, customers can lock down spreadsheets that have been published to SharePoint (this right is specific to SharePoint document libraries and does not work with workbooks stored in UNC shares or generic HTTP locations) such that users can open the spreadsheets using Excel Services, interact with the workbooks, and see the execution results, but can’t download a copy of the spreadsheet, or access any areas that were not published as viewable on the server. This hides any proprietary information contained within the book – specific formulas, the proprietary model, the external data connections, and hidden elements of the book – all of these things become inaccessible to users.
由于查看项目权限的添加,用户可以锁定已经发表到SharePoint的数据表(这个权限是SharePoint文档库特有的,它与存储在UNC共享或者普通HTTP域的工作簿不同),这样,用户可以通过Excel服务打开数据表,与工作簿相互作用,可以看到执行的结果,但是不能下载数据表的副本,并且不能访问服务器上任何非可见区域。这里隐藏了文档里的专有信息——特殊公式、专有模型、外部数据连接和文档的隐藏单元——所有这些东西用户都无法接触。
Let’s look at some examples of how View Item can be used in an Excel Services solution. Imagine a workbook that takes several inputs, and then calculates discount rates for a large retailer. The discount rate for any specific distributor is dependant on many factors – what quantity of product is purchased, the time of year, and the number of previous transactions for a given distributor – and of course, this discount rate formula is carefully guarded by the retailer since it determines the profit made on each transaction. With Excel Services, this retailer can now allow distributors View Item right to the workbook containing this sensitive model, without having to worry that they will actually be able to download or see the model.
让我们来看看查看项目在Excel服务中应用的一些例子。假设某个工作簿里有若干录入数据,然后要为一个大零售商计算折扣率。无论哪个批发商的折扣率都是决定于很多因素——产品购买量、时间、既定批发商以前的交易量——当然,零售商会小心的控制折扣率公式,因为它决定着每一笔交易所获得的利润。利用Excel服务,零售商可以允许批发商拥有这个工作簿的查看项目权限,并限制敏感的模型,所以零售商不必担心批发商能够下载或看到模型。
The View Item right affects how both Excel Web Access and the Excel Web Services allow access to a workbook.. Let’s look at the specific elements that are affected:
查看项目权限影响着Excel Web Access和Excel Web服务访问工作簿的方式。让我们来看看具体的影响因素:
1. Which portions of the workbook can be accessed by a user: When a user only has the View Item right, they can only see the portions of the workbook that have been marked as viewable on the server during the publish process.
1、工作簿的哪个部分能被用户访问:当该用户只有查看项目权限时,那么他就只能看到工作簿的可见部分。
View Item right prevents users from seeing ranges that were not marked as viewable during publish
查看项目权限阻止用户查看非可见区域
2. Which portions of the workbook can be opened in Excel: While users with the Reader right can always open the original workbook in Excel if they want to see the model/formulas/data connections/etc., users with the View Item right can only open a snapshot of the original workbook in Excel. A snapshot is much like what you would get with a copy/paste values and formatting, so that the user can see the numbers, but none of the proprietary information behind those numbers (formulas, connections, etc.), since that information is not contained in the snapshot. And, of course, they can only see the numbers for the portions of the workbook that were marked as visible on the server.
2、工作簿的哪个部分能在Excel里打开:拥有阅读权限的用户,如果想要看到模型/公式/数据连接等等,他们可以在Excel中打开原工作簿;拥有查看项目权限的用户在Excel中只能打开原工作簿的瞬态图。瞬态图就像复制/粘贴数值和格式得到的结果一样,所以用户只看到数字,而在这些数字后面并没有专有信息(公式、连接等等),也就是说瞬态图不包含这些信息。当然,他们只能看到工作簿可见部分的数据。
Workbook contains formulas and other proprietary information
工作簿包含公式和其他专有信息
Snapshot contains only the numerical values and formatting
瞬态图只包含数值和格式
These examples focus on accessing the spreadsheet through the browsing using Excel Web Access (the browser). Similarly, if an application accesses the spreadsheet through Excel Web Services, the View Item right is enforced. For example, issuing a “GetRangeA1” call to a range that has not been marked as viewable will result in an exception, as will “GetWorkbook”.
这些例子集中在通过Excel Web Access(浏览器)访问数据表。同样的,如果某个应用程序通过Excel Web服务访问数据表,那么查看项目权限是被强制执行的。例如,发布一个“GetRangeAl”作为没有标记为可见的区域,那么就会导致出现异常,同样也会发生在“GetWorkbook”上。
That sums up how users can lock down spreadsheets to protect proprietary information/ensure everyone is looking at the latest sanctioned version using the new View Item right within SharePoint. Next, more about some of the security functionality that we’ve built into Excel Services – how Excel Services decides whether or not to execute a workbook, how it connects to external data sources, and how it integrates with some of the other security features in SharePoint like versioning, IRM, and document approval.
这篇文章概括了用户怎样锁定数据表以保护专有信息/怎样利用SharePoint里的查看项目权限保证每个人正在看的是最新的标准版本。下次,介绍一些Excel服务安全性的知识——Excel服务怎样判断是否运行工作簿,它怎样连接外部数据源,它怎样与SharePoint的其它安全特性(如版本、IRM、文档证明)相结合。
Published Tuesday, November 22, 2005 5:16 PM by David Gainer
注:本文翻译自http://blogs.msdn.com/excel,原文作者为David Gainer(a Microsoft employee),Excel home授权转载。严禁任何人以任何形式转载,违者必究。
非常感谢Kevin的帮助和指导!
