Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handling of MIP Sensitivity Labels #979

Closed
JanMarvin opened this issue Mar 28, 2024 · 0 comments
Closed

Handling of MIP Sensitivity Labels #979

JanMarvin opened this issue Mar 28, 2024 · 0 comments
Labels
enhancement 😀 New feature or request help wanted 🙏 Extra attention is needed

Comments

@JanMarvin
Copy link
Owner

As discussed in an openxlsx issue (ycphs/openxlsx#461 (comment)) it is possible to load and apply sensitivity labels with openxlsx2.

There are things to consider

  1. They are only visible in corporate environments that have MIP (Microsoft information protection) enabled (https://learn.microsoft.com/en-us/information-protection/develop/concept-mip-metadata) and there is no way for us to test this without such an environment that at the moment is not available.

  2. The entire thing is just a custom xml string attached to the package (the security aspect is therefore similar to printing "Confidential" on each page of a document, just that this is at least visible. Outside of MIP environments the sensitivity label is no longer visible. So if someone shares a file marked as confidential with somebody in the outside world, this other person would not be aware of any confidentiality requirements, when opening the file and you can simply remove the sensitivity label by removing the xml string from the file ...).
    Each MIP environment can provide custom roles for access. These roles have a custom id known only to the MIP environment and this is stored with the xml string. (Think of it as a corporate id string added to the "Confidential" stamp. For the sensitivity to apply, the stamp is not only "Confidential", but "Confidential for Corporation"). This id is required to write a valid sensitivity label. The id and the possible sensitivity levels could be obtained using the power shell command Get-Label, but access might be restricted.
    Therefore extracting the custom.xml string from a template file should be the way to go. I somehow doubt that there is any security risk involved if the string is public, worst thing, somebody could stamp documents with this (similar to printing "Confidential for Corporation" on non confidential pages not from the Corporation). Still it might be a good idea to store the string in an option, so that if the user shares code, it will be obvious that the MIP string should not be passed along to everyone everywhere, but first and foremost, so that the user wont have to remember passing the string to every function.

  3. We have to make sure that we do not duplicate these strings (Excel might complain if we do). Even if we do not yet provide a way to create or alter custom.xml, our function should not remove existing custom.xml strings. Not sure how to handle a situation, where the user might want to raise or lower the sensitivity of a document.

A few additional links:
@JanMarvin JanMarvin added enhancement 😀 New feature or request help wanted 🙏 Extra attention is needed labels Mar 28, 2024
@JanMarvin JanMarvin mentioned this issue Mar 31, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement 😀 New feature or request help wanted 🙏 Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JanMarvin