SharePoint Security Fundamentals Primer / Avoiding Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand's article for some technical consequences of removing or changing the default group names (see his comment below as well).

Orokorra:

SharePoint security is easy to configure and manage. However, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (I admit to having this problem myself.) This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.

Users and Groups break down to:

  • Individual users: Pulled from active directory or created directly in SharePoint.
  • Groups: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" to a specific securable object.

Securable objects break down to at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings.

There are other securable objects, but you get the picture.

Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists.

Inheritance: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The Most Important Security Rules To Understand, Ever 🙂 :

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as a group defined at a site level).
  3. Group name notwithstanding, groups do not, in and of themselves, have any particular level of security.
  4. Groups have security in the context of a specific securable object.
  5. You may assign different permission levels to the same group for every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of group and user listings can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true, but not because the group’s name happens to be "Contributor". It is only true out of the box because the group has been given a permission level that enables its members to add/edit/delete content at the root site. Through inheritance, the "Contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level at a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example). This would not be a good idea, of course, since it would be very confusing.
  • Groups are not defined at a site level: It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link, I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
  • Group membership does not vary by site (i.e. it is the same everywhere the group is used): Consider the group "Owners" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, I might access the People and Groups link via the HR site, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site and pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In fact, I’m removing her from the global Owners group. Hilarity ensues.
  • Failing to name groups based on a specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people in the Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This reduces the risk that the group is assigned an inappropriate permission level for a particular securable object. In the previous HR/Logistics scenario, I should have created two new groups, "HR Owners" and "Logistics Owners", and assigned each a sensible permission level: the minimum required for those users to do their job.
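To make the six axioms and the "Owners" pitfall concrete, here is a small model of the permission scheme described above: groups live on the site collection, permission levels are granted to a group on a particular securable object, and objects inherit role assignments from their parent until inheritance is broken. This is an added example written for this page, not code from the original post and not SharePoint's object model; the permission levels, site names and user names are constructed.

```python
"""Toy model of the SharePoint permission scheme described in the post
(added example; not SharePoint's own API)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed permission levels: a name bundled with granular rights.
PERMISSION_LEVELS = {
    "Full Control": {"view", "add", "edit", "delete", "manage"},
    "Contribute": {"view", "add", "edit", "delete"},
    "Read": {"view"},
}


class SiteCollection:
    """Axioms 1 and 2: groups are plain collections of users, stored once per site collection."""

    def __init__(self) -> None:
        self.groups: Dict[str, Set[str]] = {}

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def remove_member(self, group: str, user: str) -> None:
        self.groups.get(group, set()).discard(user)


@dataclass
class SecurableObject:
    name: str
    collection: SiteCollection
    parent: Optional["SecurableObject"] = None
    # None means "inherit from parent"; a dict means inheritance has been broken.
    assignments: Optional[Dict[str, str]] = None

    def break_inheritance(self) -> None:
        # Start from a copy of the inherited assignments, then edit independently.
        self.assignments = dict(self.effective_assignments())

    def grant(self, group: str, level: str) -> None:
        """Axioms 3-5: a group gets a level only in the context of this object."""
        if self.assignments is None:
            self.break_inheritance()
        self.assignments[group] = level

    def effective_assignments(self) -> Dict[str, str]:
        node = self
        while node.assignments is None and node.parent is not None:
            node = node.parent
        return node.assignments or {}

    def rights(self, user: str) -> Set[str]:
        """Union of the rights of every group the user belongs to, as assigned on this object."""
        found: Set[str] = set()
        for group, level in self.effective_assignments().items():
            if user in self.collection.groups.get(group, set()):
                found |= PERMISSION_LEVELS[level]
        return found


def owners_pitfall():
    """The HR/Logistics scenario: one global 'Owners' group reached through two sites."""
    sc = SiteCollection()
    root = SecurableObject("root", sc, assignments={"Owners": "Full Control", "Contributors": "Contribute"})
    hr = SecurableObject("HR", sc, parent=root)
    logistics = SecurableObject("Logistics", sc, parent=root)
    sc.add_member("Owners", "hr.owner")
    # Through inheritance the HR owner manages Logistics too, not just HR.
    owns_both = "manage" in hr.rights("hr.owner") and "manage" in logistics.rights("hr.owner")
    # "Removing her from Logistics" actually removes her from the global group...
    sc.remove_member("Owners", "hr.owner")
    lost_hr = "manage" not in hr.rights("hr.owner")  # ...so she loses HR as well
    return owns_both, lost_hr


def role_based_fix():
    """Role-named groups (the post's advice) plus axiom 5: one group, different levels per object."""
    sc = SiteCollection()
    root = SecurableObject("root", sc, assignments={"Contributors": "Contribute"})
    hr = SecurableObject("HR", sc, parent=root)
    logistics = SecurableObject("Logistics", sc, parent=root)
    hr.grant("HR Owners", "Full Control")
    logistics.grant("Logistics Owners", "Full Control")
    hr.grant("Contributors", "Read")  # same global group, weaker level on HR only
    sc.add_member("HR Owners", "hr.owner")
    sc.add_member("Logistics Owners", "log.owner")
    sc.add_member("Contributors", "alice")
    return {
        "hr_owner_on_hr": "manage" in hr.rights("hr.owner"),
        "hr_owner_on_logistics": "manage" in logistics.rights("hr.owner"),
        "alice_on_hr": hr.rights("alice"),
        "alice_on_logistics": logistics.rights("alice"),
    }


if __name__ == "__main__":
    print("pitfall (owns both, lost HR):", owners_pitfall())
    print("role-based groups:", role_based_fix())
```

`owners_pitfall()` returns `(True, True)`: the HR owner owned both sites and then lost HR when she was "removed from Logistics". In `role_based_fix()` the HR owner manages only HR, and the same "Contributors" group has Contribute on Logistics but only Read on HR, which is exactly axiom 5 at work.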

Other Useful References:

If you’ve made it this far:

Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!


Quick and Easy: Create a Data View Web Part (DVWP)

There is a wealth of great information on the WSS 3.0 Data View Web Part (DVWP) on the web from several sources. However, I found it surprisingly difficult to find information on this very basic first step. Here is another article in the "quick and easy" series to address it.

Follow these steps to create a data view web part (DVWP). They are based on an "Announcements" web part, but apply to most lists.

  1. Create an Announcements web part and add it to a site.
  2. Open SharePoint Designer on that site.
  3. Open the site’s default.aspx.
  4. Select the Announcements web part and right-click.
  5. From the context menu, select "Convert to XSLT Data View".

SharePoint Designer tells you that this web page is now customized from its site definition. This is not necessarily bad, but it has important implications (performance, upgrade and others) which are beyond the scope of this little "Quick and Easy" entry. For more information on this subject, I recommend two books here, as well as your favorite Internet search.

Verify that you did it correctly:

  1. Close and re-open the web browser (to avoid accidentally re-posting the original "add a new web part").
  2. Select the web part’s drop-down arrow and choose "Modify Shared Web Part" from the menu.
  3. The tool panel opens on the right.
  4. The panel has its usual set of options, but this one has changed:
image

“Cannot get the list schema column property from the SharePoint list” — description / work-arounds

This week, we finally reproduced a problem reported by a new remote user: she tried to export list contents to Excel, things seemed to start working, but then Excel would open with an error: "Cannot get the list schema column property from the SharePoint list". She was running Office 2003 and Windows XP and connecting to MOSS.

I searched the Internets and found some speculation, but nothing 100% definitive. Hence, this post.

The problem: the view being exported to Excel contains a date (date = the column’s data type).

What worked for us: Convert the date column to a "single line of text". Then convert it back to a date.

That solved it. It was nice to see that the conversion actually worked. I was quite nervous that converting things this way would fail, but it did not.

This bug casts a large shadow over the data type rather than the client, in my mind, so we are looking to Microsoft for a definitive answer, and I’ll post an update here in the short term with their official answer and any hotfix information.

Other references:

http://www.kevincornwell.com/blog/index.php/cannot-get-the-list-schema-column-property-from-the-sharepoint-list/

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2383611&SiteID=1

</end>

Subscribe to my blog.


Quick and Simple: Send an email with embedded hyperlinks from a SharePoint Designer workflow

Once or twice a month, someone posts a forum question: "How do I include hyperlinks to URLs that are clickable from a SharePoint Designer email?"

Presented without comment (well, actually, there is a little more after the image):

image

Becky Isserman follows up with a helpful explanation of how to embed a link to an item in the email: http://www.sharepointblogs.com/mosslover/archive/2007/11/20/addition-to-paul-galvin-s-post-about-sending-an-e-mail-with-hyperlinks-in-spd.aspx

New release: SharePoint Designer Workflow Extensions (string manipulation functions)

UPDATE: See my thoughts on marketing this project here: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!569.entry

I have been busy with my Codeplex project today, which provides string manipulation extensions for workflows created with SharePoint Designer.

See here for details:

Project home: http://www.codeplex.com/spdwfextensions

Release: https://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=spdwfextensions&ReleaseId=8280

Version 1.0 includes the following new features:

Function                   Description (in terms of the equivalent .NET function, where there is one)
Num-entries()              Returns the number of "entries" in a string as per a specified delimiter.
                           For example: Num-entries in the string "a,b,c" with delimiter "," = 3.
Entry()                    Returns the nth token in a string as per a specified delimiter.
Length                     String.Length
Replace()                  String.Replace()
Contains()                 String.Contains(); returns the word "true" or the word "false".
Substring(start)           String.Substring(start)
Substring(start,length)    String.Substring(start,length)
ToUpper()                  String.ToUpper()
ToLower()                  String.ToLower()
StartsWith()               String.StartsWith(); returns the word "true" or the word "false".
EndsWith()                 String.EndsWith(); returns the word "true" or the word "false".

A BDC runtime error explained

I caused a BDC error this week that manifests itself both in the user interface and in the 12 hive log at runtime.

First, the user interface showed:

Could not find fields to insert all Identifier values to execute a SpecificFinder MethodInstance with Name … Ensure the input parameters include TypeDescriptors associated with every Identifier defined for this Entity.

Here is a screen shot:

clip_image001

Likewise, I could make this message appear in the 12 hive log (using my patented high-tech-don’t-try-this-at-home "mysterious errors" method):

11/14/2007 09:24:41.27 w3wp.exe (0x080C) 0x0B8C SharePoint Portal Server Business Data 6q4x High Exception in BusinessDataWebPart.OnPreRender: System.InvalidOperationException: Identifier value '', of Type '', is invalid. Expected Identifier value of Type 'System.String'. at Microsoft.Office.Server.ApplicationRegistry.MetadataModel.Entity.FindSpecific(Object[] subIdentifierValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BdcClientUtil.FindEntity(Entity entity, Object[] userValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BusinessDataItemBuilder.GetEntityInstance(View desiredView) at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.GetEntityInstance() at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.SetDataSourceProperties()

I searched around and found several leads on the MSDN forums, but they weren’t enough for me to understand what I was doing wrong. I watched a webcast by Ted Pattison that my company had squirreled away on a server, and came to realize my problem.

In my ADF, I connect to a SQL database as shown:

            <Property Name="RdbCommandText" Type="System.String">
              <![CDATA[
                SELECT
                      , CARRIER_ID, EFFDT, DESCR, EFF_STATUS, TAXPAYER_ID, NETWORK_ID, FRT_FORWARD_FLG, ALT_NAME1, ALT_NAME2, LANGUAGE_CD,
                      COUNTRY, ADDRESS1, ADDRESS2, ADDRESS3, ADDRESS4, CITY, NUM1, NUM2, HOUSE_TYPE, ADDR_FIELD1, ADDR_FIELD2, ADDR_FIELD3,
                      COUNTY, STATE, POSTAL, GEO_CODE, IN_CITY_LIMIT, COUNTRY_CODE, PHONE, EXTENSION, FAX, LAST_EXP_CHK_DTTM, FREIGHT_VENDOR,
                      INTERLINK_DLL, TMS_EXCLUDE_FLG
                 (nolock)
                WHERE
                  (Leas <> 'Partekatu') AND
                  (lower(CARRIER_ID) >= lower(@MinID)) AND
                  (lower(CARRIER_ID) <= lower(@MaxId)) AND
                  (lower(DESCR) LIKE lower(@InputDescr))
                ]]>
            </Property>

I was given the SQL by a DBA, and I understand it to be a special view they created just for me. The unique key there is CARRIER_ID.

Here is the error I introduced:

      <Identifiers>
        <Identifier Name="CARRIER_ID" TypeName="System.String" />
        <Identifier Name="DESCR" TypeName="System.String" />
      </Identifiers>

Somewhere along the line, I managed to confuse myself about the meaning of <Identifiers> and added DESCR even though it’s not actually an identifier. I took DESCR out of the identifiers set and presto! Everything worked.

I hope this saves someone some grief 🙂


You Can’t Beat SharePoint’s Reach

Over the last two days, I have participated in two meetings during which we presented the results of a SharePoint project. The CIO and his team joined the first meeting. That’s standard and not especially notable. The IT department is obviously involved in an enterprise rollout of any technology project. The second meeting expanded to include a V.P. from marketing, several representatives and directors from HR, Logistics, Manufacturing, Capital Projects, Quality, Purchasing, Corporate Development and other departments (some of which were not directly involved in the current phase). That’s a mighty wide audience.

In my previous life, I primarily worked on ERP and CRM projects. They both have a fairly wide solution domain, but not as wide as SharePoint. To be fully realized, SharePoint projects legitimately and necessarily reach into every nook and cranny of an organization. How many other enterprise solutions have that kind of reach? Not many.

SharePoint clearly represents an enormous opportunity for those of us fortunate enough to be in this space. It provides a great technical opportunity (which is, in a way, what got me turned on to it here under "Technologies You Must Master"). But even better, SharePoint exposes us to an extensive and wide range of business processes through these engagements. How many CRM specialists work with the manufacturing side of the company? How many ERP consultants work with human resources on talent acquisition? SharePoint exceeds them both.

Like anything, it isn’t perfect, but it’s a damn good place to be.

For the love of [most beloved person / higher being], don’t change the ‘Title’ site column.

On the SharePoint forums, someone occasionally asks about "changing the label of Title" or about "removing Title from lists".

Bottom line: Don’t do it!

Unfortunately, the user interface exposes a one-way change to that column:

image

Title is a column associated with the "Item" content type. Many, many CTs use this column, and if you change it here, it ripples out everywhere. There’s a good chance that you didn’t intend for that to happen. You were probably thinking to yourself, "I have a custom lookup list and ‘Title’ doesn’t make sense as a column name, so I’m going to change it to ‘Status Code’ and add a description column." But if you follow through on that thought and rename ‘Title’ to ‘Status Code’, every list that had a Title (including document libraries) changes to "Status Code", and you probably didn’t intend that.

The real problem is that this is a one-way change. The UI "knows" that "Title" is a reserved word. So, if you try to change "Status Code" back to "Title", you will be prevented, and now you’ve painted yourself into a corner using paint that never dries 🙂

So what if you’ve already changed it? I haven’t seen the answer we all want, which is a simple and easy method to change the label back to ‘Title’. Right now, the best advice is to change it to something like "Doc/Item Title". That’s a generic enough label that it may not be too jarring for your users.

I have a few other ideas on my to-do list of things to research:

  • Contact Microsoft.
  • Something with the object model, perhaps together with a feature.
  • Figure out the database schema and update SQL manually. (You would need to contact Microsoft before doing that anyway; it will probably void your support contract.)

If anyone knows how to fix this, please post a comment.

Evening update, 11/15: I found this link, which describes a method for creating a list type that does not have a Title column: http://www.venkat.org/index.php/2007/09/03/how-to-remove-title-column-from-a-custom-list/

BDC ADF and your friend, CDATA

I’ve noticed some awkward and unnecessary hand-encoding of RdbCommandText in examples (including the MSDN documentation).

I wanted to point out to newcomers to BDC that commands can be wrapped inside a CDATA tag in their "natural" form. So, this awkward construction:

<Property Name="RdbCommandText" Type="System.String">
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement FROM dbo.MCRS_SETTLEMENT
WHERE (id &gt;= @MinID) AND (id &lt;= @MaxId)
</Property>

is better represented this way:

<Property Name="RdbCommandText" Type="System.String">
<![CDATA[
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement FROM dbo.MCRS_SETTLEMENT
WHERE (id >= @MinID) AND (id <= @MaxId)
]]>
</Property>
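To show that the two forms really are equivalent, and why the CDATA form is needed in the first place, here is an added example (written for this page, not from the post) that feeds both fragments through an XML parser and compares the command text the BDC would receive. The third fragment, with a bare `<=` and no CDATA, is the constructed failure case: it is not well-formed XML at all.

```python
"""Added example: escaped vs. CDATA RdbCommandText parse to the same SQL."""
import xml.etree.ElementTree as ET

# Constructed fragments mirroring the two forms shown in the post.
ESCAPED = """<Property Name="RdbCommandText" Type="System.String">
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement FROM dbo.MCRS_SETTLEMENT
WHERE (id &gt;= @MinID) AND (id &lt;= @MaxId)
</Property>"""

CDATA = """<Property Name="RdbCommandText" Type="System.String">
<![CDATA[
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement FROM dbo.MCRS_SETTLEMENT
WHERE (id >= @MinID) AND (id <= @MaxId)
]]>
</Property>"""

# Constructed failure case: a raw '<' inside element text without CDATA.
RAW = """<Property Name="RdbCommandText" Type="System.String">
SELECT id FROM dbo.MCRS_SETTLEMENT WHERE (id <= @MaxId)
</Property>"""


def command_text(fragment: str) -> str:
    """Return the SQL a consumer of the Property element would see, whitespace-normalized."""
    element = ET.fromstring(fragment)
    # The parser has already decoded &gt;/&lt; and unwrapped the CDATA section.
    return " ".join((element.text or "").split())


def is_well_formed(fragment: str) -> bool:
    """True if the fragment parses; a bare '<' followed by '=' is an invalid token."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print("same SQL:", command_text(ESCAPED) == command_text(CDATA))
    print("raw form well-formed:", is_well_formed(RAW))
```

The parser decodes the entity references in the first fragment and unwraps the CDATA section in the second, so both yield the identical `SELECT ... WHERE (id >= @MinID) AND (id <= @MaxId)`; the raw fragment fails to parse, which is exactly the problem CDATA solves without the hand-encoding.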

</end>

BDC Example

To BDC Intro

Functional example: BDC ADF that connects to SQL data with an embedded user id and password

I needed to wire up MOSS to a SQL database via BDC. For testing/POC purposes, I wanted to embed the SQL account user id and password in the ADF. Starting with this template (http://msdn2.microsoft.com/en-us/library/ms564221.aspx), I created an ADF that connects to a specific SQL Server instance and database with a specific user ID and password, as shown in this code:

  <LobSystemInstances>
    <LobSystemInstance Name="ClaimsInstance">
      <Properties>
        <!-- AuthenticationMode value is unreadable in this copy of the post; PassThrough assumed -->
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SQLServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">actual server\actual instance</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">actual initial catalog</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>

        <!-- These are the key values: -->
        <Property Name="RdbConnection User ID" Type="System.String">actual user ID</Property>
        <Property Name="RdbConnection Password" Type="System.String">actual password</Property>
        <Property Name="RdbConnection Trusted_Connection" Type="System.String">false</Property>

      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>

This is not best practice, but it’s useful for a quick and simple configuration for testing. It was surprisingly difficult to figure out. I never found a functional example with search keywords like:

  • ADF embedded userid and password
  • embed user id and password in ADF
  • embed user id and password in bdc ADF
  • SharePoint bdc primer
  • SharePoint embed user id and password ADF
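Because an ADF with embedded credentials is only meant for a test/POC setup, it is worth having a check that catches one before it is imported into a production Shared Services Provider or committed to source control. The following added example (written for this page; not the post's code and not a Microsoft tool) parses an ADF, reports every LobSystemInstance that carries a `RdbConnection User ID` or `RdbConnection Password` property, and produces a redacted copy. The ADF fragment is constructed from the post's layout with placeholder values, and the `xmlns` handling is generic so the check works with or without the BDC namespace.

```python
"""Added example: find and redact embedded SQL credentials in a BDC ADF."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed ADF fragment modelled on the post's layout (placeholder values).
SAMPLE_ADF = """<LobSystem Name="Claims">
  <LobSystemInstances>
    <LobSystemInstance Name="ClaimsInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SQLServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">PLACEHOLDER_SERVER\\PLACEHOLDER_INSTANCE</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">PLACEHOLDER_CATALOG</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection User ID" Type="System.String">placeholder_user</Property>
        <Property Name="RdbConnection Password" Type="System.String">placeholder_password</Property>
        <Property Name="RdbConnection Trusted_Connection" Type="System.String">false</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
</LobSystem>"""

# Property names the post uses to embed the SQL account in the ADF.
CREDENTIAL_KEYS = {"RdbConnection User ID", "RdbConnection Password"}


def local_name(tag: str) -> str:
    """Strip an '{xmlns}' prefix so the check works with a namespaced ADF too."""
    return tag.rsplit("}", 1)[-1]


def find_embedded_credentials(adf_xml: str) -> List[Tuple[str, str]]:
    """Return (LobSystemInstance name, property name) for every non-empty credential property."""
    findings: List[Tuple[str, str]] = []
    root = ET.fromstring(adf_xml)
    for inst in root.iter():
        if local_name(inst.tag) != "LobSystemInstance":
            continue
        props = {
            prop.get("Name"): (prop.text or "").strip()
            for prop in inst.iter()
            if local_name(prop.tag) == "Property"
        }
        for key in sorted(CREDENTIAL_KEYS):
            if props.get(key):
                findings.append((inst.get("Name", "?"), key))
    return findings


def redact_credentials(adf_xml: str) -> str:
    """Return a copy of the ADF with credential values blanked (e.g. for source control)."""
    root = ET.fromstring(adf_xml)
    for prop in root.iter():
        if local_name(prop.tag) == "Property" and prop.get("Name") in CREDENTIAL_KEYS:
            prop.text = ""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for instance, key in find_embedded_credentials(SAMPLE_ADF):
        print(f"{instance}: embedded credential in property '{key}'")
    print(redact_credentials(SAMPLE_ADF))
```

Run against the constructed fragment, the check reports the `RdbConnection Password` and `RdbConnection User ID` properties of `ClaimsInstance`; the redacted copy passes the same check with no findings, which is the state an ADF should be in before it leaves the test environment.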

</end>

Subscribe to my blog.