SharePoint Security Primer / Avoiding Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand’s article for the technical consequences of removing or changing the default group names (see his comment below as well).

Overview:

SharePoint security is easy to configure and manage. However, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (I confess to this problem myself.) This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four fundamental aspects of security: users/groups, securable objects, permission levels and inheritance.

Users and groups break down as:

  • Individual users: Pulled from active directory or created directly in SharePoint.
  • Groups: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" to a specific securable object.

Securable objects break down to at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings.

There are other securable objects, but you get the picture.

Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists.

Hereditas: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The most important security rules to understand, ever:

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as a group defined at a site level).
  3. Group names notwithstanding, groups do not, in and of themselves, have any particular level of security.
  4. Groups have security in the context of a specific securable object.
  5. Permission levels allow you to assign a different set of rights to the same group for every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of groups and users can always rely on these axioms to manage and understand their security configuration.

Common pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example). This would not be a good idea, obviously, since it would be very confusing.
  • Groups are not defined at a site level. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
  • Group membership does not vary by site (i.e. a group is the same everywhere): Consider the group "Owner" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, I might access People and Groups via the HR site’s links, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site and pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In fact, I’m removing her from the global Owners group. Hilarity ensues.
  • Failing to name groups based on a specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people in the Logistics department to be able to approve HR documents? Of course not. Always name groups based on their intended role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. In the previous HR/Logistics scenario, I would create two new groups, "HR Owners" and "Logistics Owners", and assign each one the sensible permission level that provides the minimum required for its users to do their jobs.
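As an added example (my own code, not from the original post), here is what these rules look like in the MOSS 2007 object model. The group is created once, at the site collection (SPWeb.SiteGroups on the root web, because rule 2 leaves no other scope), and the permission level is bound to it per securable object (the HR sub-site’s RoleAssignments). The audit loop then lists, for every web with unique permissions, which principal holds which permission level there, which is the view an administrator needs in order to catch the global "Owners" mix-up described above. The site URL, web name, group name and login are placeholders, and the code assumes it runs on a farm server as an account with rights on the site collection.

```csharp
// Added example, not from the original post. MOSS 2007 object model
// (Microsoft.SharePoint.dll); run on a farm server as an account with
// rights on the site collection. URL, web, group and login are placeholders.
using System;
using Microsoft.SharePoint;

static class GroupPermissionAudit
{
    // Rules 2 and 4: groups live at the site collection, but the permission
    // level a group holds is bound per securable object. List every web that
    // broke inheritance and the bindings of each principal there.
    static void ReportUniquePermissions(SPSite site)
    {
        foreach (SPWeb web in site.AllWebs)
        {
            try
            {
                if (!web.HasUniqueRoleAssignments)
                {
                    Console.WriteLine("{0}: inherits from parent", web.ServerRelativeUrl);
                    continue;
                }
                Console.WriteLine("{0}: unique permissions", web.ServerRelativeUrl);
                foreach (SPRoleAssignment ra in web.RoleAssignments)
                    foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings)
                        Console.WriteLine("    {0,-30} {1}", ra.Member.Name, rd.Name);
            }
            finally
            {
                web.Dispose();   // every SPWeb handed out by AllWebs must be disposed
            }
        }
    }

    // The HR/Logistics fix: a group named for its role, created at the only
    // scope that exists (the site collection) and granted Full Control on
    // the target web alone.
    static void GrantRoleBasedOwners(SPSite site, string webUrl,
                                     string groupName, string ownerLogin)
    {
        SPWeb root = site.RootWeb;   // owned by the SPSite; do not dispose it separately
        using (SPWeb target = site.OpenWeb(webUrl))
        {
            SPUser owner = root.EnsureUser(ownerLogin);
            SPGroup group;
            try
            {
                group = root.SiteGroups[groupName];
            }
            catch (SPException)   // the indexer throws when the group does not exist yet
            {
                root.SiteGroups.Add(groupName, owner, owner, "Owners of " + target.Title);
                group = root.SiteGroups[groupName];
            }
            group.AddUser(owner);

            // Breaking inheritance gives this web its own bindings; passing
            // true copies the parent's bindings first so nobody loses access.
            if (!target.HasUniqueRoleAssignments)
                target.BreakRoleInheritance(true);

            SPRoleAssignment ra = new SPRoleAssignment(group);
            ra.RoleDefinitionBindings.Add(target.RoleDefinitions["Full Control"]);
            target.RoleAssignments.Add(ra);
        }
    }

    static void Main()
    {
        using (SPSite site = new SPSite("http://portal/sites/intranet"))   // placeholder
        {
            GrantRoleBasedOwners(site, "hr", "HR Owners", @"DOMAIN\hr.owner");   // placeholders
            ReportUniquePermissions(site);
        }
    }
}
```

Running the audit before and after the grant shows the point of rule 4: "HR Owners" appears in the site collection’s group list either way, but only the HR web’s unique permissions list binds it to Full Control; the Logistics web, which still inherits, never sees it.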

Other useful references:

If you found this useful:

Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!


Quick and Easy: Create a Data View Web Part (DVWP)

There is a wealth of information about the WSS 3.0 Data View Web Part (DVWP) on the web from several sources. However, I found it to be surprisingly difficult to find information on this first very basic step. Here is another article in the "quick and easy" series to address it.

Follow these steps to create a data view web part (DVWP). They are based on an "Announcements" web part, but apply to most lists.

  1. Create an Announcements web part and add it to a site.
  2. Open the site in SharePoint Designer.
  3. Open the site’s default.aspx.
  4. Select the Announcements web part and right-click.
  5. Ex contineo contigi menu, select "Convert to XSLT Data View".

SharePoint Designer notifies you that this site page now differs from the site definition. That’s not necessarily bad, but it does have significant implications (performance, upgrades and others) which are beyond the scope of this little "Quick and Easy" entry. To get more information on this subject, I suggest searching the Internet.

To confirm you did it right:

  1. Close and re-open the web browser (to avoid accidentally re-posting the original "add a new web part").
  2. Select the web part’s arrow drop-down and choose "Modify Shared Web Part" from the menu.
  3. The tool panel opens to the right.
  4. The panel has changed from the usual set of options to this:
[image]

“Cannot get the list schema column property from the SharePoint list” — explanation / work-arounds

This week, we finally solved a problem that had been reported for a while: a user would try to export a list to Excel, which appeared to work, but then Excel would pop up the error: "Cannot get the list schema column property from the SharePoint list". She was running Office 2003, Windows XP and connecting to MOSS.

I searched the Internet and found nothing but speculation, nothing 100% definitive. Hence, this post.

Problem: Exporting a view that contains a date (date = the data type of the column).

What worked for us: Convert the date column to a "single line of text". Then, convert it back to a date.

That solved it. It was nice to see that the conversion worked, too. I was quite nervous that converting things this way would fail, but it did not.

This bug casts a big shadow over data of this kind, so with that in mind we’re going to ask Microsoft for a definitive answer, and I will faithfully update this blog entry in the near future with their official response and any hotfix information.

Other references:

http://www.kevincornwell.com/blog/index.php/cannot-get-the-list-schema-column-property-from-the-sharepoint-list/

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2383611&SiteID=1

</end>

Subscribe to my blog.


Quick and Simple: Send email with an embedded hyperlink from a SharePoint Designer workflow

Once or twice a month, someone posts a forum question: "How do I include hyperlinks to URLs that are clickable in a SharePoint Designer email?"

Offered without comment: (well, actually there’s more after the image):

[image]

Becky Isserman follows up with a helpful explanation of how to embed a link to an item in the email: http://www.sharepointblogs.com/mosslover/archive/2007/11/20/addition-to-paul-galvin-s-post-about-sending-an-e-mail-with-hyperlinks-in-spd.aspx

New release: SharePoint Designer Workflow Extensions (string manipulation functions)

UPDATE: Here are my thoughts on commercializing this project: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!569.entry

I have been busy working on my Codeplex project, which is currently focused on providing string manipulation extensions for workflows created via SharePoint Designer.

Here are the details:

Project home: http://www.codeplex.com/spdwfextensions

Release: https://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=spdwfextensions&ReleaseId=8280

Version 1.0 includes the following functions (a description is given only where the function is not the same as the .Net function of that name):

  • Num-entries(): Returns the number of "entries" in a string as per a specified delimiter. For example: Num-entries in the string "a,b,c" with delimiter "," = 3.
  • Entry(): Returns the nth token in a string as per a specified delimiter.
  • Length: String.Length
  • Replace(): String.Replace()
  • Contains(): String.Contains(). Returns the word "true" or the word "false".
  • Substring(start): String.Substring(start)
  • Substring(start,length): String.Substring(start,length)
  • ToUpper(): String.ToUpper()
  • ToLower(): String.ToLower()
  • StartsWith(): String.StartsWith(). Returns the word "true" or the word "false".
  • EndsWith(): String.EndsWith(). Returns the word "true" or the word "false".
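As an added example (my own code, not the project’s), here are reference implementations of the two functions in that list that do not map onto a plain String method, Num-entries() and Entry(), showing how they behave at the edges the list does not spell out. The edge-case rules are assumptions made for this demo, not the project’s documented behaviour: an empty input has zero entries, an empty delimiter means the whole string is one entry, n is 1-based (the "nth token"), and an out-of-range n yields an empty string rather than an error.

```csharp
// Added example, not the project's code. The edge-case behaviour below is
// assumed for this demo; the release notes only specify
// Num-entries("a,b,c", ",") = 3.
using System;

static class StringTokens
{
    // Num-entries(): count of delimiter-separated entries. Empty entries
    // between two adjacent delimiters are kept (StringSplitOptions.None).
    public static int NumEntries(string input, string delimiter)
    {
        if (string.IsNullOrEmpty(input)) return 0;        // assumption: no entries
        if (string.IsNullOrEmpty(delimiter)) return 1;    // assumption: whole string is one entry
        return input.Split(new[] { delimiter }, StringSplitOptions.None).Length;
    }

    // Entry(): the nth token, 1-based; empty string when n is out of range.
    public static string Entry(string input, string delimiter, int n)
    {
        if (n < 1 || string.IsNullOrEmpty(input)) return string.Empty;
        string[] tokens = string.IsNullOrEmpty(delimiter)
            ? new[] { input }
            : input.Split(new[] { delimiter }, StringSplitOptions.None);
        return n <= tokens.Length ? tokens[n - 1] : string.Empty;
    }

    static void Main()
    {
        Show("a,b,c", ",");    // the example from the release notes
        Show("a,,b", ",");     // adjacent delimiters
        Show("", ",");         // empty input
        Show("k=v", "::");     // delimiter not present in the input
    }

    // Prints the entry count and every entry, plus one index past the end
    // on purpose so the out-of-range rule is visible.
    static void Show(string input, string delimiter)
    {
        int count = NumEntries(input, delimiter);
        Console.WriteLine("Num-entries(\"{0}\", \"{1}\") = {2}", input, delimiter, count);
        for (int n = 1; n <= count + 1; n++)
            Console.WriteLine("  Entry({0}) = \"{1}\"", n, Entry(input, delimiter, n));
    }
}
```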

A BDC runtime error explained

I caused a BDC error this week that manifested itself in the user interface and in the 12 hive log at runtime.

First, this appeared in the user interface:

Could not insert all Identifier values properly to execute the SpecificFinder MethodInstance with name … Ensure input parameters have TypeDescriptors associated with every Identifier defined for this Entity.

Here’s a screen shot:

[image]

I was able to track this down in the 12 hive log (using my patented high-tech-don’t-try-this-at-home "mysterious errors" method):

11/14/2007 09:24:41.27 w3wp.exe (0x080C) 0x0B8C SharePoint Portal Server Business Data 6q4x High Exception in BusinessDataWebPart.OnPreRender: System.InvalidOperationException: Identifier value ”, type ”, is invalid. Expected Identifier value of Type ‘System.String’. at Microsoft.Office.Server.ApplicationRegistry.MetadataModel.Entity.FindSpecific(Object[] subIdentifierValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BdcClientUtil.FindEntity(Entity entity, Object[] userValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BusinessDataItemBuilder.GetEntityInstance(View desiredView) at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.GetEntityInstance() at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.SetDataSourceProperties()

I searched around and found some hints in the MSDN forums, but they weren’t enough for me to understand what I was doing wrong. I watched a webcast by Ted Pattison that I had squirreled away on my desktop, and that led me to notice my problem.

In my ADF, I connected to the database via the SQL shown here:

            <Property Name="RdbCommandText" Type="System.String">
              <![CDATA[
                SELECT
                      , CARRIER_ID, EFFDT, DESCR, EFF_STATUS, TAXPAYER_ID, NETWORK_ID, FRT_FORWARD_FLG, ALT_NAME1, ALT_NAME2, LANGUAGE_CD,
                      RUS, ADDRESS1, ADDRESS2, ADDRESS3, ADDRESS4, CIVITAS, NUM1, NUM2, HOUSE_TYPE, ADDR_FIELD1, ADDR_FIELD2, ADDR_FIELD3,
                      COMIVA, LOQUOR, Praesent, GEO_CODE, IN_CITY_LIMIT, COUNTRY_CODE, Phone, PROPAGATIO, Fax, LAST_EXP_CHK_DTTM, FREIGHT_VENDOR,
                      INTERLINK_DLL, TMS_EXCLUDE_FLG
                 (nolock)
                WHERE
                  (Leas <> 'Vomere') and
                  (lower(CARRIER_ID) > lower(@MinID)) and
                  (lower(CARRIER_ID) < lower(@MaxId)) and
                  (lower(DESCR) like lower(@InputDescr))
                ]]>
            </Property>

I’m given to understand that the SQL DBA created that special view just for me. The unique key there is CARRIER_ID.

Here is where I introduced the bug:

      <Identifiers>
        <Identifier Name="CARRIER_ID" TypeName="System.String" />
        <Identifier Name="DESCR" TypeName="System.String" />
      </Identifiers>

Somewhere along the line, I had confused myself over the meaning of <Identifiers> and added DESCR even though it’s not actually an identifier. I took DESCR out of the identifiers set and presto! Everything worked.

I hope this saves someone some pain.


You can’t beat SharePoint’s reach

Over the last two days, I have participated in two meetings during which we presented the results of a SharePoint project. The CIO and his team joined the first meeting. That’s standard and not especially notable. The IT department is obviously involved in an enterprise rollout of any technology project. The second meeting expanded to include a V.P., several managers representing HR, Logistics, Manufacturing, Finance, Quality, Sales, Corporate Development and other departments (and who are also involved at this point). That’s a mighty wide audience.

In a previous life, I primarily worked on ERP and CRM projects. They both have a fairly wide solution domain but not as wide as SharePoint. To be fully realized, SharePoint projects legitimately and necessarily reach into every nook and cranny of an organization. How many other enterprise solutions have that kind of reach? Not many.

SharePoint clearly represents an enormous opportunity for those of us fortunate enough to be in this space. It provides a great technical opportunity (a head-spinning one, which is covered in a way here under "Technologies You Must Master"). But even better, SharePoint exposes us to an extensive and wide range of business processes through these engagements. How many CRM specialists work with the manufacturing side of the company? How many ERP consultants work with human resources on talent acquisition? SharePoint exceeds them both.

Like anything, it’s not perfect, but it’s a good place to be.

For the love of [insert your favorite person / deity], don’t change the ‘Title’ site column.

On the SharePoint forums, someone occasionally asks about "changing the label of Title" or about "removing title from lists".

Bottom line: Don’t do it!

Unfortunately, the user interface allows a one-way change of the column label as shown:

[image]

Title is a column associated with the "Item" content type. Many, many, many content types use this column and if you change it here, it ripples out everywhere. There’s a good chance that you didn’t intend for that to happen. You were probably thinking to yourself, "I have a custom lookup list and ‘Title’ doesn’t work as a column name, so I’m going to change it to ‘Status Code’ and add a description column." But if you follow through on that thought and rename ‘Title’ to ‘Status Code’, every list’s title column (including document libraries) changes to "Status Code" and that is probably not what you wanted.

The real problem is that this is a one-way change. The UI "knows" that "title" is a reserved word. So, if you try to change "Status Code" back to "Title", it won’t let you; you have now painted yourself into a corner using paint that never dries.

So what if it’s already been changed? I haven’t seen the answer we all want, which is a simple and easy method to change the label back to ‘Title’. Right now, the best advice is to change it to something like "Doc/Item Title". That’s a generic enough label that may not be too jarring for your users.

A few ideas that I haven’t tried myself but that seem worth exploring:

  • Contact Microsoft.
  • Do something with the object model, maybe in conjunction with a feature.
  • Look into the database schema and update it via SQL. (Do contact Microsoft before you do this; it will likely invalidate your support contract).

If anyone knows how to solve this, please post a comment.

Update late afternoon, 11/15: This blog post describes a way to create lists that don’t have a Title column: http://www.venkat.org/index.php/2007/09/03/how-to-remove-title-column-from-a-custom-list/

BDC ADF: CDATA is your friend

I’ve noticed some awkward and unnecessary hand-encoding of RdbCommandText in some examples (including MSDN documentation).

I wanted to point out to newcomers to BDC that commands can be wrapped inside a CDATA tag in their "natural" form. So, this awkward construction:

<Property Name="RdbCommandText" Type="System.String">
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement from dbo.MCRS_SETTLEMENT
WHERE (id &gt;= @MinId) AND (id &lt;= @MaxId)
</Property>

can be better represented this way:

<Property Name="RdbCommandText" Type="System.String">
<![CDATA[
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement from dbo.MCRS_SETTLEMENT
WHERE (id >= @MinId) AND (id <= @MaxId)
]]>
</Property>

</end>

BDC Primer

Intro to BDC

Functional Example: BDC ADF that connects to SQL database with embedded user id and password

I needed to wire up MOSS to a SQL database via BDC. For testing/POC purposes, I wanted to embed the SQL account user id and password in the ADF. Starting with this template (http://msdn2.microsoft.com/en-us/library/ms564221.aspx), I created an ADF that connects to a particular SQL server instance and logs in with a specific user id and password, as shown in this snippet:

  <LobSystemInstances>
    <LobSystemInstance Name="ClaimsInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">actual server\actual instance</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">actual initial catalog</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>

        <!-- These are the key values: -->
        <Property Name="RdbConnection User ID" Type="System.String">actual User ID</Property>
        <Property Name="RdbConnection Password" Type="System.String">actual Password</Property>
        <Property Name="RdbConnection Trusted_Connection" Type="System.String">false</Property>

      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>

It is not a best practice, but it’s useful for a quick and simple configuration for testing. This was surprisingly difficult to figure out. I never found a functional example with search keywords:

  • adf embedded userid and password
  • embed user id and password in adf
  • embed user id and password in adf bdc
  • sharepoint bdc primer
  • sharepoint embed user id and password in adf
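As an added example (my own code, not from any of these posts), here is a small lint for a BDC application definition that catches, before the ADF is imported, the two problems these BDC posts describe: an Entity Identifier that has no input TypeDescriptor on a SpecificFinder method (the cause of the "Could not insert all Identifier values properly" error in the runtime-error post, where DESCR was wrongly listed as an identifier) and a LobSystemInstance that carries the SQL user id and password in clear text (the test-only configuration just shown, which the post itself calls not a best practice). It assumes the ADF uses the 2006/03 BusinessDataCatalog namespace and that a TypeDescriptor is tied to an identifier through its IdentifierName attribute; the sample ADF embedded in the code is constructed for the demo and is not a real application definition.

```csharp
// Added example, not code from any of the posts above. Lints a BDC ADF for
// (1) an Identifier with no input TypeDescriptor on a SpecificFinder and
// (2) clear-text SQL credentials in a LobSystemInstance. The sample ADF at
// the bottom is constructed for this demo.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class AdfLint
{
    static readonly XNamespace Bdc =
        "http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog";

    // One finding per problem; an empty list means the ADF passed.
    public static List<string> Lint(XDocument adf)
    {
        var findings = new List<string>();

        // (2) Credentials stored in the ADF itself.
        foreach (XElement prop in adf.Descendants(Bdc + "Property"))
        {
            string name = (string)prop.Attribute("Name");
            if (name != "RdbConnection Password" && name != "RdbConnection User ID") continue;
            string instance = (string)prop.Ancestors(Bdc + "LobSystemInstance")
                                          .First().Attribute("Name");
            findings.Add(string.Format("LobSystemInstance '{0}': '{1}' is embedded in the ADF",
                                       instance, name));
        }

        // (1) Every Identifier of the entity must be bound to an input
        // TypeDescriptor on each SpecificFinder method.
        foreach (XElement entity in adf.Descendants(Bdc + "Entity"))
        {
            string[] identifiers = entity.Descendants(Bdc + "Identifier")
                                         .Select(i => (string)i.Attribute("Name")).ToArray();
            foreach (XElement method in entity.Descendants(Bdc + "Method"))
            {
                bool specificFinder = method.Descendants(Bdc + "MethodInstance")
                    .Any(mi => (string)mi.Attribute("Type") == "SpecificFinder");
                if (!specificFinder) continue;

                var bound = new HashSet<string>(
                    method.Descendants(Bdc + "Parameter")
                          .Where(p => (string)p.Attribute("Direction") == "In")
                          .Descendants(Bdc + "TypeDescriptor")
                          .Select(td => (string)td.Attribute("IdentifierName"))
                          .Where(n => n != null));

                foreach (string id in identifiers.Where(id => !bound.Contains(id)))
                    findings.Add(string.Format(
                        "Entity '{0}', method '{1}': identifier '{2}' has no input TypeDescriptor",
                        (string)entity.Attribute("Name"), (string)method.Attribute("Name"), id));
            }
        }
        return findings;
    }

    // Constructed sample: DESCR is wrongly listed as an identifier and the
    // password is embedded, so both checks fire.
    const string SampleAdf = @"
<LobSystem xmlns='http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog' Type='Database' Name='Carriers'>
  <LobSystemInstances>
    <LobSystemInstance Name='CarriersInstance'>
      <Properties>
        <Property Name='RdbConnection Password' Type='System.String'>placeholder-password</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
  <Entities>
    <Entity Name='Carrier'>
      <Identifiers>
        <Identifier Name='CARRIER_ID' TypeName='System.String' />
        <Identifier Name='DESCR' TypeName='System.String' />
      </Identifiers>
      <Methods>
        <Method Name='GetCarrier'>
          <Parameters>
            <Parameter Direction='In' Name='@CarrierId'>
              <TypeDescriptor TypeName='System.String' Name='CarrierId' IdentifierName='CARRIER_ID' />
            </Parameter>
          </Parameters>
          <MethodInstances>
            <MethodInstance Name='GetCarrierInstance' Type='SpecificFinder' />
          </MethodInstances>
        </Method>
      </Methods>
    </Entity>
  </Entities>
</LobSystem>";

    static int Main(string[] args)
    {
        // Lint the ADF given on the command line, or the built-in sample.
        XDocument adf = args.Length == 1 ? XDocument.Load(args[0]) : XDocument.Parse(SampleAdf);
        List<string> findings = Lint(adf);
        foreach (string f in findings) Console.WriteLine(f);
        return findings.Count == 0 ? 0 : 1;   // non-zero exit blocks an import script
    }
}
```

The credential check is deliberately crude (it keys on the two property names the post uses) and is meant as a gate in whatever script imports ADFs into the shared service provider, so a test-only ADF with an embedded password is noticed before it reaches a production farm.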

</end>

Subscribe to my blog.