About security and deployment

Microsoft Office InfoPath

previous page next page

About security and deployment

Additional security features and deployment functionality have been added to Microsoft Office InfoPath 2003 in Service Pack 1. Support has been added to allow form templates to be moved from one location to another or sent as an attachment to an e-mail message. In addition, support has been added to the InfoPath design mode to facilitate the creation and deployment of fully trusted forms.

Security levels

Form templates can have one of three different security levels, depending on where the form is located. These security levels are as follows:

Show Restricted

The Restricted security level does not permit any communication outside of the form template. This security level is intended to prevent harmful forms from transmitting any data from your computer to a malicious attacker. When running in this security mode, the following features will not work:

Custom Task Pane
Data Connections (except e-mail submit)
ActiveX Controls
Managed Code
Roles
Workflow

Show Domain

The Domain security level restricts a form to a particular Internet zone. The form is allowed to communicate with other data inside its own domain but is not permitted to retrieve data from other domains.

Show Full Trust

The Full Trust security level allows you to run a form with full trust on the computer where the form will be used. This security level can only be used when working with a signed form with a signature that matches a trusted root publisher on your computer or by installing the form and setting the requireFullTrust attribute to "yes". By using this setting, you can access object model calls such as file save, and you can disable certain security prompts that appear when running at a more restrictive security level.

Note All forms generated in the InfoPath designer have a security level associated with them. InfoPath will attempt to open forms at their associated security level. If the security level associated with the form is higher than the security level that can be granted to it, the form will not open.

Forms are granted security levels based on the location from which the form was opened. For more information, see the Trust levels section.

Trust levels

The highest level of trust granted to a form template is determined by the "cached from" location (that is, where the form is cached from) and other verification code, as described in the following table. The attributes listed in the table (for example, HTTP, UNC, requireFullTrust) are cache-based entries that are used to determine the level of trust granted to a form.

Highest Level of Trust Granted	Full Trust	Client Computer (Sandboxed)	Intranet (Sandboxed)	Internet (Sandboxed)	Restricted
	Trust Level Granted	Trust Level Granted	Trust Level Granted	Trust Level Granted	Trust Level Granted
file: LocationId=CachedFromLocation		X
file: LocationId<>CachedFromLocation or no LocationId (regardless of where the form came from)					X
CachedFromLocation: Intranet HTTP or HTTPS			X
CachedFromLocation: Internet HTTP or HTTPS				X
CachedFromLocation: UNC			X
Installed Template (requireFullTrust="yes")	X
Installed Template (requireFullTrust="no")		X
Template with trusted publisher certificate	X
Extracted Form Files		X

All form files opened in the InfoPath editor are bound by a set of conditions that determine the security level in which the form will open and whether it will open. When an InfoPath form is opened in the editor, it will either be opened with an appropriate security level, or it will fail to load. If a form requests a higher security level than it can be granted (a form can request a specific security level using the trustLevel or requireFullTrust attribute), it will not be permitted to load. Otherwise, it will be loaded with the security level it requests. If the form template is not permitted to open with the requested security level, the user will not be able to open the form and will receive the "Insufficient Security Privilege Warning" error message.

The following table describes the conditions required for opening a form at each security level and the resultant behavior when the user attempts to open the form:

		Form asks for:	Form asks for:	Form asks for:
	Editor Opens/Fails	Full Trust (requireFullTrust="yes")	Domain Trust (trustLevel="Domain" or blank)	Restricted (trustLevel="Restricted")
Highest trust level InfoPath can grant based on evidence	Trusted (installed or trusted certificate)	Editor opens at Full Trust level	N/A	N/A
Highest trust level InfoPath can grant based on evidence	Domain Trust: Client Computer	Fails to open	Editor opens at Domain level	Editor opens at Restricted level
Highest trust level InfoPath can grant based on evidence	Domain Trust: Intranet	Fails to open	Editor opens at Domain level	Editor opens at Restricted level
Highest trust level InfoPath can grant based on evidence	Domain Trust: Internet	Fails to open	Editor opens at Domain level	Editor opens at Restricted level
Highest trust level InfoPath can grant based on evidence	Restricted	Fails to open	Fails to open	Editor opens at Restricted level

Show Specifying a security level

The InfoPath designer automatically selects the appropriate security level (either Restricted or Domain) based on the features you are using in the form. The security setting is always as restrictive as possible, starting at Restricted, to ensure a greater level of protection for you and your data. Users can manually override this automated setting to select a level of security that is more appropriate for the form by doing the following:

Select Form Options from the Tools menu.
In the Form Options dialog box, select the Security tab.
Deselect the Automatically determine security level check box.
Select the desired security level.

Mail deployment and mobile form templates

Microsoft Office InfoPath 2003 Service Pack 1 allows you to send your form templates as an attachment to an e-mail message and to move them from one location to another. Mail deployment is an easy and effective way to distribute forms for interoffice use as well as to deploy forms to remote users.

Show Understanding form identity

All forms in the InfoPath designer are created with an identity. This information helps InfoPath associate forms with form templates in the cache and to retrieve updates to forms when they are posted to a shared location. By default, InfoPath creates two identities for form templates: a Form ID and an Access Path.

Form ID

The Form ID is a unique identifier based on a prefix, the form name, and the form namespace. The identifier should be a unique name that can be used to correctly associate form files with the associated form template in the client computer cache. The Form ID is specified as the name attribute in the form definition file (.xsf).

Access Path

The Access Path is a location identifier used to determine the correct location for the form template as well as a location to receive updates. When saved or published, the location to which the form template is saved or published becomes the default Access Path. Each time a form is opened on the client computer, the form attempts to associate itself with a cached form. It will attempt to do this in the following order:

Look for a fully trusted form template with a matching Form ID.
Look for a form template in the cache with a matching Access Path.
Look for a form template in the cache with a matching Form ID.

Once matched, the form will open with the associated form template. In cases where the match was made with an Access Path, InfoPath will use the Access Path to retrieve updates to the form template. In this way, enterprise management of forms can be simplified. In cases where the match cannot be made, the form will fail to open. The Access Path is specified as the publishUrl attribute in the form definition file (.xsf).

Just as there are two identification properties for each form template, there is a set of heuristics to specifically determine the resulting entries in the cache, based on the condition of the form template (if it has an Access Path, a Form ID, or both) and the state of the network connection.

Show Designing a form to send as an attachment to an e-mail message

All forms created in the InfoPath designer can be sent to users as an attachment to an e-mail message. E-mail deployment is an easy and effective way to distribute forms for interoffice use as well as to deploy forms to remote users. To mail a form template to other users, do the following while in design mode:

Select Send Form as Attachment from the File menu. (You will be required to save the form template at least once before doing this.)
Populate the To: line of the e-mail message.
Send the e-mail message.

Show Sharing forms by e-mail message or from a common shared location

Certain scenarios must be considered when building a form that will be deployed by e-mail message.

Will your form be updated regularly? If you are developing a form that must be updated regularly, the form should be published to a shared location before it is sent to other users. This will allow you to update the form by publishing newer versions to the shared location but will also allow you to immediately distribute the form template to users who may not have access to the shared location.
If a form is updated and then distributed by e-mail message, users will get a cache conflict message when they try to open the new form, if they have an older version stored on their computer. The user will be prompted to choose which version they want to use. Even if the updated form is the same as the one on the user's computer, the user will get a cache conflict message and be prompted to choose which copy they want to use. The best practice to use in the latter case is to share the form using a shared location instead.
Does your form access a data connection or use other features not supported at the Restricted security level? If you are developing a form that requires Domain level security, you will need to publish it to a shared location in order for users to be able to open it. Because form templates will only open in the security level they request, forms opened directly from an e-mail message will run at the Restricted level unless they can retrieve updates from a shared location.

Show Compatibility

Forms built with InfoPath 1.0 will run in specific compatibility modes with InfoPath Service Pack 1. All InfoPath 1.0 forms will run in a compatibility mode that closely resembles InfoPath 1.0.

previous page start next page