UPDATE 11/03/08: Kun żgur li taqra l-kumment eċċellenti u dettaljata mill- Dessie Lunsford għal din il-kariga.

Stajt ilhom jaħdmu fuq proġett sigriet editjar tech għal ktieb up-li ġejjin u referenzi dan blog dħul mill Tyler Butler fuq il-ECM blog MSDN. This is the first time I personally read a clear definition of the meaning of Limited Access. Here’s the meat of the definition:

Fil SharePoint, utenti anonimi’ drittijiet huma determinati mill-livell Limited permess Aċċess. Limited Aċċess huwa livell permess speċjali li ma jistgħux jiġu assenjati lil utent direttament jew grupp. Ir-raġuni dan jeżisti huwa minħabba li jekk għandek librerija jew sottosit li faqqa 'wirt permessi, u inti tagħti utent / grupp aċċess biss għal dak il-librerija / sottosit, sabiex ħsieb kontenut tiegħu, l-utent / grupp għandhom ikollhom xi aċċess għall-web għerq. Inkella l-utent / grupp se jkun kapaċi jibbrawżjaw il-librerija / sottosit, anki jekk dawn ikollhom id-drittijiet hemm, għaliex hemm affarijiet fil-web għerq li huma meħtieġa biex jirrendu-sit jew librerija. Għalhekk, meta inti tagħti permessi grupp biss għal sottosit jew librerija li qed tikser wirt permessi, SharePoint awtomatikament se jagħti Limited Aċċess għal dak il-grupp jew l-utent fuq il-web għerq.

Din il-kwistjoni taqa up issa u mbagħad fuq il-forums MSDN u stajt dejjem kien kurjuż (iżda mhux kurjużi biżżejjed biex figura hija out qabel illum :)).

</aħħar>

Abbona għall-blog tiegħi.

Follow lili Twitter fi http://www.twitter.com/pagalvin

Fil sinjal li Computing Soċjali qed jibda jieħu off ma SharePoint, I see an increased number of My Site type questions. One common question goes something like this:

"I am an administrator and I need to be able to access every My Site. How do I do that?"

The trick here is that each My Site is its own site collection. SharePoint security is normally administered at the site collection level and this trips up many a SharePoint administrator. Normalment, she already has access to configure security in the "main" kollezzjonijiet sit u ma jistgħux jirrealizzaw li dan ma awtomatikament xogħol għal siti tiegħi.

Kollezzjonijiet sit kollettivament jgħixu ġewwa kontenitur akbar, which is the web application. Farm admins can can configure security at the web app level and this is how admins can grant themselves access to any site collection in the web application. This blog entry describes one of my personal experiences with web application policies. I defined a web application policy by accident: http://paulgalvin.spaces.live.com/Blog/cns!1CC1EDB3DAA9B8AA!255.entry.

Web application policies can be dangerous and I suggest that they be used sparingly. If I were an admin (u nirringrazzja goodness I am not), I would create a separate AD account named something like "SharePoint Web App Administrator" and give that one account the web application security role it needs. I would not configure this kind of thing for the regular farm admin or individual site collection admins. It will tend to hide potential problems because the web app role overrides any lower level security settings.

</aħħar>

Abbona għall-blog tiegħi.

Follow lili Twitter fi http://www.twitter.com/pagalvin

UPDATE (02/29/08): Dan il-proġett CodePlex ġdida tidher li tipprovdi metodu biex tiġi żgurata kolonni individwali: http://www.codeplex.com/SPListDisplaySetting. If you have any experience working with it, jekk jogħġbok leave kumment.

Posters forum spiss jistaqsu mistoqsija bħal dan: "I have a manager view and and a staff view of a list. How do I secure the manager view so that staff can not use it?"

Huma wkoll spiss jistaqsu mistoqsija relatata: "I want to secure a specific metadata column so that only managers may edit that column while others may not even see it."

These answers apply to both WSS 3.0 u MOSS:

• SharePoint ma jipprovdix l-il-kaxxa ta 'appoġġ għall-iżgurar fehmiet.
• SharePoint ma jipprovdix l-il-kaxxa ta 'appoġġ għall-kolonni tas-sigurtà.

There are several techniques one can follow to meet these kinds of security requirements. Here’s what I can think of:

• Use out-of-the-box item level security. Views always honor item level security configuration. Event receivers and/or workflow can automate security assignment.
• Use personal views for "privileged" fehmiet. These are easy enough to set up. Madankollu, due to their "personal" natura, these need to be configured for each user. Use standard security configuration to prevent anyone else from creating a personal view.
• Uża parti tad-data web ħsieb u jimplimentaw xi tip ta 'sigurtà AJAXy soluzzjoni tirqim.
• Roll stess display lista funzjonalità tiegħek u jinkorporaw sigurtà tirqim fil-livell kolonna.
• Timmodifika l-forom dħul tad-data u l-użu JavaScript flimkien mal-mudell ta 'sigurtà biex jimplimentaw sigurtà ta' livell kolonna tirqim.
• Use an InfoPath form for data entry. Implement column-level security trimming via web service calls to SharePoint and conditionally hide fields as needed.
• Roll stess ASP.NET funzjoni tiegħek dħul tad-data li timplimenta livell ta 'sigurtà kolonna tirqim.

Ebda wieħed minn dawn l-għażliet huma verament li kbir, iżda hemm mill-inqas triq biex isegwu jekk inti għandek bżonn, anki jekk huwa diffiċli.

NOTA: Jekk inti jinżlu kwalunkwe minn dawn mogħdijiet, don’t forget about "Actions -> Open with Windows Explorer". You want to be sure that you test with that feature to make sure that it doesn’t work as a "back door" u defeat iskema tas-sigurtà tiegħek.

Jekk għandek ideat oħra għal jew esperjenzi bil-kolonni jew il-veduti iżgurar, jekk jogħġbok email me jew leave kumment u jien ser taġġorna dan kollokament kif xieraq.

</aħħar>

Abbona għall-blog tiegħi.

UPDATE: I stazzjonati din il-kwistjoni MSDN hawn (http://forums.microsoft.com/Forums/ShowPost.aspx?PostID=2808543&SiteID=1&mode=1) and Michael Washam of Microsoft responded with a concise answer.

I ħolqot servizz web biex jaġixxi bħala Faċċata BDC-friendly to a SharePoint list. When I used this from my development environment, maħduma multa. Meta I emigraw din lil server ġdida, I jiltaqgħu dan l-iżball:

Hawnhekk huwa linja 69:

użu (Sit SPSite = ġdid SPSite("http://localhost/sandbox"))

I ppruvaw varjazzjonijiet differenti fuq l-URL, inkluż l-użu reali isem tal-server, indirizz IP tiegħu, slashes tkaxkir fuq l-URL, eċċ. I always got that error.

I użati Il-Google to research it. Lots of people face this issue, jew varjazzjonijiet ta 'dan, imma ebda wieħed deher li huwa solvuti.

Tricksy MOSS sakemm tali żball dettaljata li dan ma sarx lili biex jiċċekkja l- 12 hive logs. Eventwalment, dwar 24 siegħa wara kollega tiegħi rakkomandat I jagħmlu dan, I ċċekkjati l- 12 log doqqajs u sabet dan:

Eċċezzjoni ġara waqt li jipprova li jiksbu l-irziezet lokali:
System.Security.SecurityException: Aċċess reġistru Mitlub ma jkunx permess.
fil System.ThrowHelper.ThrowSecurityException(ExceptionResource riżorsi) fi
(Isem String, Writable Boolean) fi
(Isem String) fi
() fi
() fi
(SPFarm& farm, Boolean& isJoined)
Il-Żona ta 'l-assemblea li naqas kien:  MyComputer

Dan fetħet toroq ġodda ta 'riċerka, allura kien lura lill-Google. Li wasslitni sabiex dan forum post: http://forums.codecharge.com / posts.php?post_id = 67,135. That didn’t really help me but it did start making me think there was a database and/or security issue. I soldiered on and Andrew Connell tal post finally triggered the thought that I should make sure that the application pool’s identity account had appropriate access to the database. I thought it already did. Madankollu, kollega tiegħi marru u taw l-app pool identità kont aċċess sħiħ għall SQL.

Hekk kif hi magħmula li l-bidla, everything started working.

Dak li ġara jmiss huwa l-aħjar espressa bħala haiku poeżija:

Problemi jgħollu idejhom.
You swing and miss. Try again.
Success! But how? Għaliex?

Hi ma riditx li jħallu l-affarijiet waħdu bħal dik, pprefera li tagħti l-permess minimu meħtieġ (u probabbilment b'attenzjoni għall-kitba ta 'dħul blog; I taħbit tagħha lill-punch, muhahahahaha!).

Hija ħassret permessi suċċessivi mill-pool kont identità app sakemm … there was no longer any explicit permission for the app pool identity account at all. The web service continued to work just fine.

We went and rebooted the servers. Everything continued to work fine.

Allura, biex terġa: we gave the app pool identity full access and then took it away. The web service started working and never stopped working. Bizarre.

Jekk xi ħadd jaf għaliex li għandhom ħadmu, jekk jogħġbok leave kumment.

</aħħar>

I needed to meet a security requirement for an InfoPath form today. In this business situation, a relatively small number of individuals are allowed to create a new InfoPath form and a much wider audience are allowed to edit it. (Dan huwa ġdid-kiri forma on-imbark użata minn riżorsi umani li tniedi workflow).

Biex jintlaħqu dan l-għan, I ħolqot ħolqot żewġ livelli permess ġdid ("create and update" and "update only"), broke inheritance for the form library and assigned permissions to a "create, jaġġornaw" user and a separate "update only" utent. The mechanics all worked, but it turned out to be a little more involving than I expected. (Jekk inti tħoss ftit dgħajfa fuq permessi SharePoint, check out dan blog post). The required security configuration for the permission level was not the obvious set of granular permissions. To create an update-only permission level for an InfoPath form, Jien għamilt dan li ġej:

1. Oħloq livell permess ġdid.
2. Ċar bogħod għażliet kollha.
3. Selected only the following from "List permissions":

• Edit Punti
• View Partiti
• Ara Pages Applikazzjoni

Għażla ta 'dawn l-għażliet jippermetti utent li taġġorna forma, iżda mhux joħolqu dan.

The trick was to enable the "View Application Pages". There isn’t any verbage on the permission level that indicates that’s required for update-only InfoPath forms, iżda jinstabx huwa.

Create-and-Update was even stranger. I followed the same steps, 1 permezz 3 hawn fuq. I had to specifically add a "Site Permission" għażla: "Use client integration features". Għal darb'oħra, id-deskrizzjoni hemm ma jagħmilha jidhru simili hi jmissha tkun meħtieġa għal forma InfoPath, iżda hemm hu.

</aħħar>

UPDATE 01/28/08: Dan il-proġett CodePlex jindirizza din il-kwistjoni: http://www.codeplex.com/AccessChecker. I have not used it, iżda jidher promettenti jekk din hija kwistjoni li għandek bżonn biex jindirizzaw fl-ambjent tiegħek.

UPDATE 11/13/08: Joel OLESON kiteb kariga tajba ħafna dwar il-kwistjoni akbar ġestjoni tas-sigurtà hawn: http://www.sharepointjoel.com / Listi / Posts / Post.aspx?List=0cd1a63d-183c-4fc2-8320-ba5369008acb&ID=113. It links to a number of other useful resources.

Forum users and clients often ask a question along these lines: "How do I generate a list of all users with access to a site" or "How can I automatically alert all users with access to list about changes made to the list?"

There is no out of the box solution for this. If you think about it for a moment, it’s not hard to understand why.

SharePoint security is very flexible. There are at least four major categories of users:

• Anonymous users.
• SharePoint Users and Groups.
• Active Directory users.
• Formoli Awtentikazzjoni Ibbażat (FBA) utenti.

The flexibility means that from a security perspective, any given SharePoint site will be dramatically different from another. In order to generate an access list report, one needs to ascertain how the site is secured, query multiple different user profile repositories and then present it in a useful fashion. That’s a hard problem to solve generically.

How are organizations dealing with this? I’d love to hear from you in comments or email.

</aħħar>

UPDATE 12/18/07: Ara l-artikolu Paul Liebrand għall xi konsegwenzi tekniċi tat-tneħħija jew timmodifika l-ismijiet tal-grupp default (Ara l-kumment tiegħu hawn taħt kif ukoll).

Ħarsa ġenerali:

SharePoint security is easy to configure and manage. Madankollu, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (I admit to having this problem myself). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.

Users and Groups break down to:

• Individual users: Pulled from active directory or created directly in SharePoint.
• Groups: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" to a specific securable object.

Securable objects break down to at least:

• Sites
• Document libraries
• Individual items in lists and document libraries
• Folders
• Various BDC settings.

There other securable objects, but you get the picture.

Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists.

Inheritance: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The Most Important Security Rules To Understand, Ever 🙂 :

1. Groups are simply collections of users.
2. Groups are global within a site collection (I.E. there is no such thing as a group defined at a site level).
3. Group name not withstanding, groups do not, in and of themselves, have any particular level of security.
4. Groups have security in the context of a specific securable object.
5. You may assign different permission levels to the same group for every securable object.
6. Web application policies trump all of this (see below).

Security administrators lost in a sea of group and user listings can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

• Group names falsely imply permission: Barra mill-kaxxa, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (per eżempju). This would not be a good idea, ovvjament, since it would be very confusing.
• Groups are not defined at a site level. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" rabta. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
• Groups membership does not vary by site (I.E. it is the same everywhere the group is used): Consider the group "Owner" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, I might access the People and Groups links via the HR site, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site, add pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. Fil-fatt, I’m removing her from the global Owners group. Hilarity ensues.
• Failing to name groups based on specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, I should have created two new groups: "HR Owners" and "Logistics Owners" and assign sensible permission levels for each and the minimum amount required for those users to do their job.

Other Useful References:

• Web application policy gotcha’s: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!255.entry
• Clearinghouse for SharePoint security: http://www.sharepointsecurity.com/
• Links from Joel Oleson: http://blogs.msdn.com/joelo/archive/2007/08/23/sharepoint-security-and-compliance-resources.aspx

If you’ve made it this far:

Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!