SharePoint Security Fundamentals Primer / Avoid Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand's article for some technical consequences of removing or changing the default names (see his comment below as well).

Overview:

SharePoint security is easy to configure and manage. However, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (I admit to having this problem myself). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.

Users and Groups break down to:

  • Individual users: Pulled from active directory or created directly in SharePoint.
  • Groups: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" to a specific securable object.

Securable objects break down to at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings.

There are other securable objects, but you get the picture.

Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists.

Inheritance: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The Most Important Security Rules To Understand, Always 🙂 :

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as a group defined at a site level).
  3. Group name notwithstanding, groups do not, in and of themselves, have any particular level of security.
  4. Groups have security in the context of a specific securable object.
  5. You may assign different permission levels to the same group for every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of group and user listings can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example). This would not be a good idea, obviously, since it would be very confusing.
  • Groups are not defined at a site level. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
  • Group membership does not vary by site (i.e. it is the same everywhere the group is used): Consider the group "Owner" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, I might access the People and Groups links via the HR site, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site and pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In fact, I’m removing her from the global Owners group. Hilarity ensues.
  • Failing to name groups based on specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people in the Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, I should have created two new groups: "HR Owners" and "Logistics Owners" and assigned sensible permission levels for each and the minimum amount required for those users to do their job.
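The rules and pitfalls above can be checked against a small model. This is an added example, not code from the original post or from SharePoint: the class names, permission-level bundles, users and sites are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed permission levels: each is only a bundle of low-level rights.
LEVELS = {
    "Read": {"view"},
    "Contribute": {"view", "add", "edit", "delete"},
    "Full Control": {"view", "add", "edit", "delete", "manage"},
}

@dataclass
class Securable:
    """Site, library, folder or item; assignments=None means 'inherit'."""
    name: str
    parent: Optional["Securable"] = None
    assignments: Optional[Dict[str, str]] = None  # group -> permission level

    def governing(self) -> "Securable":
        node = self
        while node.assignments is None:  # climb to the nearest object that
            node = node.parent           # holds its own assignments
        return node

    def break_inheritance(self) -> None:
        # Start from a copy of the inherited assignments, then diverge.
        self.assignments = dict(self.governing().assignments)

class SiteCollection:
    def __init__(self, groups: Dict[str, Set[str]]) -> None:
        self.groups = groups  # ONE membership set per group, collection-wide

    def rights(self, user: str, obj: Securable) -> Set[str]:
        granted: Set[str] = set()
        for group, level in obj.governing().assignments.items():
            if user in self.groups.get(group, set()):
                granted |= LEVELS[level]
        return granted

def shared_groups(objects: List[Securable]) -> Dict[str, List[str]]:
    """Audit: groups bound on more than one uniquely secured object."""
    seen: Dict[str, List[str]] = {}
    for obj in objects:
        for group in obj.assignments or {}:
            seen.setdefault(group, []).append(obj.name)
    return {g: names for g, names in seen.items() if len(names) > 1}

def build():
    sc = SiteCollection({"Owners": {"hr_owner"}, "Contributors": {"carol"}})
    root = Securable("Portal", assignments={"Owners": "Full Control",
                                            "Contributors": "Contribute"})
    return sc, root, Securable("HR", root), Securable("Logistics", root)

def remove_owner_via_logistics():
    sc, root, hr, logistics = build()
    logistics.break_inheritance()
    before = sc.rights("hr_owner", hr)
    sc.groups["Owners"].discard("hr_owner")  # intended for Logistics only
    return before, sc.rights("hr_owner", hr)

def contributors_reduced_to_read():
    sc, root, hr, logistics = build()
    hr.break_inheritance()
    hr.assignments["Contributors"] = "Read"  # same group, different level here
    return sc.rights("carol", root), sc.rights("carol", hr)
```

`shared_groups` is the audit step: any generic group it reports on several uniquely secured sites is a candidate for replacement with role-specific groups such as "HR Owners" and "Logistics Owners".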

Other Useful References:

If you’ve made it this far:

Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!


Quick and Easy: Create a Data View Web Part (DVWP)

There is a lot of great information on the WSS 3.0 Data View Web Part (DVWP) on the web from several sources. However, I found it to be surprisingly difficult to find information on this first very basic step. Here is another article in the "quick and easy" series to address that.

Follow these steps to create a data view web part (DVWP). They are based on an "Announcements" web part, but apply to most lists.

  1. Create an Announcements web part and add it to a site.
  2. Open the site in SharePoint Designer.
  3. Open the site’s default.aspx.
  4. Select the Announcements web part and right-click.
  5. From the context menu, select "Convert to XSLT Data View".

SharePoint Designer notifies you that this site is now customized from its site definition. That’s not necessarily bad, but there are important implications (performance, upgrade, others) which are beyond the scope of this little "Quick and Easy" post. To get more information on this subject, I recommend both books here as well as your favorite Internet search.

Confirm that you did it correctly:

  1. Close and re-open the web browser (to avoid accidentally re-posting the original "add a new web part").
  2. Select the web part’s arrow drop-down and choose "Modify Shared Web Part" from the menu.
  3. The tool panel opens to the right.
  4. The panel has changed from its usual set of options to this:
[image]

“Cannot get the list schema column property from the SharePoint list” — description / work-arounds

This week, we finally reproduced a problem that had been reported by a remote user: When she tried to export the contents of a list to Excel, it would seem to start working, but then Excel would pop up an error: "Cannot get the list schema column property from the SharePoint list". She was running Office 2003, Windows XP and connecting to MOSS.

I searched the Internets and saw some speculation but nothing 100% definitive. Hence, this post.

The problem: Exporting a view to excel that contains a date (date = the data type of the column).

What worked for us: Convert the date to a "single line of text". Then, convert it back to a date.

That solved it. It was nice to see that the conversion worked, actually. I was quite nervous that converting things this way would fail, but it did not.

This bug has thrown a huge shadow over the date data type in the client’s mind, so we’re going to be seeking out a definitive answer from Microsoft and hopefully I’ll post an update here in the next short period of time with their official answer and hotfix information.

Other references:

http://www.kevincornwell.com/blog/index.php/cannot-get-the-list-schema-column-property-from-the-sharepoint-list/

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2383611&SiteID=1

</end>

Subscribe to my blog.


Quick and Easy: Send an email with an embedded hyperlink from a SharePoint Designer workflow

Once or twice a month, someone posts a forum question: "How do I include hyperlinks to URLs that are clickable from a SharePoint Designer email?"

Presented without further comment (well, actually there is further comment after the image):

[image]

Becky Isserman follows up with a helpful explanation of how to embed a link to an item in the email: http://www.sharepointblogs.com/mosslover/archive/2007/11/20/addition-to-paul-galvin-s-post-about-sending-an-e-mail-with-hyperlinks-in-spd.aspx

New release: SharePoint Designer Workflow Extensions (string manipulation functions)

UPDATE: See here for my thoughts on commercializing this project: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!569.entry

I’ve been busy working on my CodePlex project, which is now focused on providing string manipulation extensions to workflows created with SharePoint Designer.

See here for details:

Project home page: http://www.codeplex.com/spdwfextensions

Release: https://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=spdwfextensions&ReleaseId=8280

Version 1.0 includes the following new functions:

| Function | Description (if not the same as the .NET function) |
|---|---|
| Num-entries() | Returns the number of "entries" in a string as per a specified delimiter. For example: Num-entries in a string "a,b,c" with delimiter "," = 3. |
| Entry() | Returns the nth token in a string as per a specified delimiter. |
| Length | String.Length |
| Replace() | String.Replace() |
| Contains() | String.Contains(). Returns the word "true" or the word "false". |
| Substring(start) | String.Substring(start) |
| Substring(start,length) | String.Substring(start,length) |
| ToUpper() | String.ToUpper() |
| ToLower() | String.ToLower() |
| StartsWith() | String.StartsWith(). Returns the word "true" or the word "false". |
| EndsWith() | String.EndsWith(). Returns the word "true" or the word "false". |

A BDC runtime error explained

I caused a BDC error this week that manifested itself in the user interface and in the 12 hive log at runtime.

First, this appeared in the user interface:

Could not find fields to insert all the Identifier Values to correctly execute a SpecificFinder MethodInstance with Name … Ensure input Parameters have TypeDescriptors associated with every Identifier defined for this Entity.

Here is a screenshot:

[image]

I could also cause this message to appear in the 12 hive log at will (using my patented high-tech-don’t-try-this-at-home "mysterious errors" method):

11/14/2007 09:24:41.27 w3wp.exe (0x080C) 0x0B8C SharePoint Portal Server Business Data 6q4x High Exception in BusinessDataWebPart.OnPreRender: System.InvalidOperationException: The Identifier value ”, of Type ”, is invalid. Expected Identifier value of Type ‘System.String’. at Microsoft.Office.Server.ApplicationRegistry.MetadataModel.Entity.FindSpecific(Object[] subIdentifierValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BdcClientUtil.FindEntity(Entity entity, Object[] userValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BusinessDataItemBuilder.GetEntityInstance(View desiredView) at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.GetEntityInstance() at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.SetDataSourceProperties()

I searched around and found some leads in the MSDN forums, but they weren’t enough for me to understand what I was doing wrong. I watched a webcast by Ted Pattison that my company has squirreled away on a server and came to realize my problem.

In my ADF, I am connecting to a SQL database as shown:

            <Property Name="RdbCommandText" Type="System.String">
              <![CDATA[
                SELECT
                      , CARRIER_ID, EFFDT, DESCR, EFF_STATUS, TAXPAYER_ID, NETWORK_ID, FRT_FORWARD_FLG, ALT_NAME1, ALT_NAME2, LANGUAGE_CD,
                      COUNTRY, ADDRESS1, ADDRESS2, ADDRESS3, ADDRESS4, CITY, Num1, Num2, HOUSE_TYPE, ADDR_FIELD1, ADDR_FIELD2, ADDR_FIELD3,
                      COUNTY, STATE, POSTAL, GEO_CODE, IN_CITY_LIMIT, COUNTRY_CODE, PHONE, EXTENSION, FAX, LAST_EXP_CHK_DTTM, FREIGHT_VENDOR,
                      INTERLINK_DLL, TMS_EXCLUDE_FLG
                 (nolock)
                WHERE
                  (LEAs <> 'SHARE') and
                  (lower(CARRIER_ID) >= lower(@MinID)) and
                  (lower(CARRIER_ID) <= lower(@MaxId)) and
                  (lower(DESCR) LIKE lower(@InputDescr))
                ]]>
            </Property>

I was provided that SQL by a DBA person and I am given to understand that it’s a special view they created just for me. The unique key there is CARRIER_ID.

Here is the bug I introduced:

      <Identifiers>
        <Identifier Name="CARRIER_ID" TypeName="System.String" />
        <Identifier Name="DESCR" TypeName="System.String" />
      </Identifiers>

Somewhere along the line, I had managed to confuse myself over the meaning of <Identifiers> and added DESCR even though it’s not actually an identifier. I took DESCR out of the identifiers set and presto! It all worked.
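The error message says that every Identifier declared for an entity needs an input TypeDescriptor on the SpecificFinder method. The check below is an added example, not part of the original post, that finds declared identifiers with no such binding before the ADF is imported; the entity, method and parameter names in the sample ADF are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"}

# Constructed ADF fragment: entity, method and parameter names are illustrative.
ADF_TEMPLATE = """
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Name="CarrierLob">
  <Entities>
    <Entity Name="Carrier">
      <Identifiers>
        <Identifier Name="CARRIER_ID" TypeName="System.String" />
        <!--EXTRA-->
      </Identifiers>
      <Methods>
        <Method Name="GetCarrier">
          <Parameters>
            <Parameter Direction="In" Name="@CarrierId">
              <TypeDescriptor TypeName="System.String"
                              IdentifierName="CARRIER_ID" Name="CARRIER_ID" />
            </Parameter>
          </Parameters>
          <MethodInstances>
            <MethodInstance Name="CarrierSpecificFinder" Type="SpecificFinder" />
          </MethodInstances>
        </Method>
      </Methods>
    </Entity>
  </Entities>
</LobSystem>
"""
# The mistake from the post: DESCR declared as a second identifier.
BROKEN_ADF = ADF_TEMPLATE.replace(
    "<!--EXTRA-->", '<Identifier Name="DESCR" TypeName="System.String" />')
FIXED_ADF = ADF_TEMPLATE.replace("<!--EXTRA-->", "")

def unbound_identifiers(adf_xml):
    """Return (entity, SpecificFinder name, [identifiers with no input binding])."""
    problems = []
    root = ET.fromstring(adf_xml)
    for entity in root.iterfind(".//b:Entity", NS):
        declared = {i.get("Name")
                    for i in entity.iterfind("b:Identifiers/b:Identifier", NS)}
        for method in entity.iterfind("b:Methods/b:Method", NS):
            finders = [mi.get("Name") for mi in
                       method.iterfind("b:MethodInstances/b:MethodInstance", NS)
                       if mi.get("Type") == "SpecificFinder"]
            bound = set()
            for param in method.iterfind("b:Parameters/b:Parameter", NS):
                if param.get("Direction") in ("In", "InOut"):
                    # TypeDescriptors may be nested, so search the whole subtree.
                    for td in param.iter("{%s}TypeDescriptor" % NS["b"]):
                        if td.get("IdentifierName"):
                            bound.add(td.get("IdentifierName"))
            missing = sorted(declared - bound)
            if missing:
                problems.extend((entity.get("Name"), f, missing) for f in finders)
    return problems
```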

I hope this saves someone some grief 🙂


You can’t beat SharePoint’s reach

Over the last two days, I have participated in two meetings during which we presented the results of a SharePoint project. The CIO and his team joined the first meeting. That’s standard and not especially notable. The IT department is obviously involved in an enterprise rollout of any technology project. The second meeting expanded to include a V.P. of marketing, several directors representing HR, Logistics, Manufacturing, Capital Projects, Quality, Purchasing, Corporate Development and other departments (some of whom were not even directly involved in the current phase). That’s a mighty wide audience.

In my prior life, I primarily worked on ERP and CRM projects. They both have a fairly wide solution domain but not as wide as SharePoint. To be fully realized, SharePoint projects legitimately and necessarily reach into every nook and cranny of an organization. How many other enterprise solutions have that kind of reach? Not many.

SharePoint clearly represents an enormous opportunity for those of us fortunate enough to be in this space. It provides a great technical opportunity (which is somehow turned on its head here under "Technologies You Must Master"). But even better, SharePoint exposes us to an extensive and wide range of business processes through these engagements. How many CRM specialists work with the manufacturing side of the company? How many ERP consultants work with human resources on talent acquisition? SharePoint exceeds them both.

Like anything, it’s not perfect, but it’s a damned good place to be.

For the love of [fill in your most beloved person / higher being], don’t change the ‘Title’ site column.

On the SharePoint forums, someone occasionally asks about "changing the label of Title" or about "removing title from lists".

Bottom line: Don’t do it!

Unfortunately, the user interface allows a one-way change of that column label as shown:

[image]

Title is a column associated with the "Item" content type. Many, many, many CT’s use this column and if you change it here, it ripples out everywhere. There’s a good chance that you didn’t intend for that to happen. You were probably thinking to yourself, "I have a custom lookup list and ‘Title’ just doesn’t make sense as a column name, so I’m going to change it to ‘Status Code’ and add a description column." But if you follow through on that thought and rename ‘Title’ to ‘Status Code’, every list’s title (including document libraries) changes to "Status Code" and you probably didn’t intend for that to happen.

The real problem is that this is a one-way change. The UI "knows" that "title" is a reserved word. So, if you try and change "Status Code" back to "Title", it will prevent you and now you’ve painted yourself into a corner using paint that never dries 🙂

So what happens if you already changed it? I haven’t seen the answer we all want, which is a simple and easy method to change the label back to ‘Title’. Right now, the best advice is to change it to something like "Doc/Item Title". That’s a generic enough label that may not be too jarring for your users.

I have a few other ideas which are on my to-do list of things to research:

  • Contact Microsoft.
  • Do something with the object model, maybe in conjunction with a feature.
  • Figure out the database schema and manually update SQL. (You should contact Microsoft before doing this though; it will likely void your support contract).

If anyone knows how to solve this, please post a comment.

Update late afternoon, 11/15: I found this link that describes a method for creating a type of list that does not have a title column: http://www.venkat.org/index.php/2007/09/03/how-to-remove-title-column-from-a-custom-list/

BDC ADF and your friend, CDATA

I’ve noticed some awkward and unnecessary hand-encoding of RdbCommandText in some examples (including MSDN documentation).

I wanted to point out to newcomers to BDC that commands can be wrapped inside a CDATA tag in their "natural" form. So, this awkward construction:

<Property Name="RdbCommandText" Type="System.String">
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement from dbo.MCRS_SETTLEMENT
WHERE (id &gt;= @MinId) AND (id &lt;= @MaxId)
</Property>

can be better represented this way:

<Property Name="RdbCommandText" Type="System.String">
<![CDATA[
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement from dbo.MCRS_SETTLEMENT
WHERE (id >= @MinId) AND (id <= @MaxId)
]]>
</Property>

</end>

BDC Primer

Intro to BDC

Functional Example: BDC ADF that connects to a SQL database with embedded user id and password

I needed to wire up MOSS to a SQL database via BDC. For testing/POC purposes, I wanted to embed the SQL account user id and password in the ADF. Starting with this template (http://msdn2.microsoft.com/en-us/library/ms564221.aspx), I created an ADF that connects to a specific SQL Server instance and logs in with a specific user id and password, as shown in this snippet:

  <LobSystemInstances>
    <LobSystemInstance Name="ClaimsInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">actual server\actual instance</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">actual initial catalog</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>

        <!-- These are the key values: -->
        <Property Name="RdbConnection User ID" Type="System.String">actual User ID</Property>
        <Property Name="RdbConnection Password" Type="System.String">actual Password</Property>
        <Property Name="RdbConnection Trusted_Connection" Type="System.String">false</Property>

      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>

This is not a best practice, but it’s useful for a quick and simple configuration for testing. This was surprisingly difficult to figure out. I never found a functional example with search keywords:

  • ADF embed UserId and password
  • embed user id and password in ADF
  • embed user id and password in ADF BDC
  • SharePoint BDC primer
  • SharePoint embed user id and password in ADF
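Because an ADF written this way carries a SQL login in clear text, it is worth checking ADF files for embedded credentials before they leave a test environment. The scanner below is an added example, not part of the original post; the sample ADF, its LobSystem name and the second instance are constructed, and the key list is the set of SqlClient connection-string keywords for login name and password.

```python
import xml.etree.ElementTree as ET

BDC_NS = "{http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog}"
PREFIX = "RdbConnection "
# SqlClient connection-string keywords that carry a login name or a secret.
CREDENTIAL_KEYS = {"user id", "uid", "user", "password", "pwd"}

# Constructed sample: the first instance mirrors the snippet above,
# the second relies on integrated security only.
SAMPLE_ADF = """
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Name="ClaimsLob">
  <LobSystemInstances>
    <LobSystemInstance Name="ClaimsInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">constructed-server</Property>
        <Property Name="RdbConnection User ID" Type="System.String">actual User ID</Property>
        <Property Name="RdbConnection Password" Type="System.String">actual Password</Property>
        <Property Name="RdbConnection Trusted_Connection" Type="System.String">false</Property>
      </Properties>
    </LobSystemInstance>
    <LobSystemInstance Name="IntegratedInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">constructed-server</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
</LobSystem>
"""

def embedded_credentials(adf_xml):
    """Return (instance, AuthenticationMode, property name) per stored credential.

    Property values are never returned, so the report does not leak the secret.
    """
    findings = []
    root = ET.fromstring(adf_xml)
    for inst in root.iter(BDC_NS + "LobSystemInstance"):
        props = {p.get("Name", ""): (p.text or "").strip()
                 for p in inst.iter(BDC_NS + "Property")}
        mode = props.get("AuthenticationMode", "")
        for name, value in props.items():
            if not name.startswith(PREFIX):
                continue
            key = name[len(PREFIX):].strip().lower()
            if key in CREDENTIAL_KEYS and value:
                findings.append((inst.get("Name"), mode, name))
    return findings
```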

</end>
