Microsoft Office 2000/Visual Basic Programmer's Guide   

Reading Permissions

To read the permissions of an object by using ADOX, you use the GetPermissions method to return a Long value that specifies a bitmask for the permissions the group or user has on the object. The syntax for the GetPermissions method has the following format:

ReturnValue = GroupOrUser.GetPermissions(Name, ObjectType[, ObjectTypeID])

Just as with the SetPermissions method, the Name argument is a Variant value specifying the name of the object, in this case the object you are reading permissions for. If you want to read permissions for all new objects of the specified type, set the Name argument to Null. The ObjectType argument is a Long value specifying the type of object you are reading permissions for. For forms, reports, or macros, the ObjectType argument must be set to adPermObjProviderSpecific and the ObjectTypeID argument must be set to a Variant value that specifies the GUID for the corresponding object. If you want to read permissions for the database itself, set the Name argument to Null, and set the ObjectType argument to adPermObjDatabase. For ObjectType argument constants and form, report, and macro GUIDs for the ObjectTypeID argument, see the tables for the SetPermissions method in "Setting Permissions" earlier in this chapter.

The GetPermissions method is useful for reading permissions to determine what permissions a user or group currently has.

The GetPermissions method is also useful when you are adding or removing permissions from an existing set of permissions:

An Important Point to Remember

Microsoft Jet User-Level security always uses the least restrictive set of permissions among the permissions granted to a user and to all groups to which that user belongs. This can have consequences that you may find confusing when you use the SetPermissions and GetPermissions methods.

To avoid these situations, revoke all permissions on all objects for the default Users group (the User-Level Security Wizard will do this for you) and don't assign permissions to individual users; assign permissions only to groups, and then assign users to the appropriate group. If possible, avoid assigning users to more than one group (in addition to the default Users group).
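
The recommendations above can be checked with GetPermissions. The following Visual Basic function is an added example, not code from the original guide: it reports any permissions the default Users group still holds on the database, on new tables, and on each existing table, and lists users who belong to more than one group besides Users. The function names (AuditUsersGroup, Flag) and the arguments for the database path, workgroup file, and logon are assumptions.

```vb
' Added example (not from the original guide). Needs references to ADO and
' to "Microsoft ADO Ext. for DDL and Security" (ADOX).
Function AuditUsersGroup(ByVal strDB As String, ByVal strSysDB As String, _
                         ByVal strUser As String, ByVal strPwd As String) As Long
    Dim cnn As New ADODB.Connection
    Dim cat As New ADOX.Catalog
    Dim grp As ADOX.Group, mbr As ADOX.Group
    Dim usr As ADOX.User, tbl As ADOX.Table
    Dim lngOther As Long, lngFound As Long

    ' Open the secured database through its workgroup information file.
    cnn.Provider = "Microsoft.Jet.OLEDB.4.0"
    cnn.Properties("Jet OLEDB:System database") = strSysDB
    cnn.Open "Data Source=" & strDB, strUser, strPwd
    Set cat.ActiveConnection = cnn
    Set grp = cat.Groups("Users")

    ' Name = Null reads the database itself or the defaults for new objects.
    lngFound = lngFound + Flag("<database>", grp.GetPermissions(Null, adPermObjDatabase))
    lngFound = lngFound + Flag("<new tables>", grp.GetPermissions(Null, adPermObjTable))

    ' Existing user tables (system tables and queries are skipped here).
    For Each tbl In cat.Tables
        If tbl.Type = "TABLE" Then
            lngFound = lngFound + Flag(tbl.Name, grp.GetPermissions(tbl.Name, adPermObjTable))
        End If
    Next tbl

    ' Users who belong to more than one group besides Users.
    For Each usr In cat.Users
        lngOther = 0
        For Each mbr In usr.Groups
            If mbr.Name <> "Users" Then lngOther = lngOther + 1
        Next mbr
        If lngOther > 1 Then
            Debug.Print usr.Name & " belongs to " & lngOther & " groups besides Users"
            lngFound = lngFound + 1
        End If
    Next usr

    cnn.Close
    AuditUsersGroup = lngFound          ' 0 means nothing was flagged
End Function

' Prints one finding and returns 1 when the permission bitmask is not empty.
Private Function Flag(ByVal strObj As String, ByVal lngMask As Long) As Long
    If lngMask <> 0 Then
        Debug.Print "Users group has permissions &H" & Hex$(lngMask) & " on " & strObj
        Flag = 1
    End If
End Function
```

Run it while logged on as a member of the Admins group; findings are written to the Immediate window and the return value is their count.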