Minimum Security Required For InfoPath Forms

I needed to meet a security requirement for an InfoPath form today. In this business situation, a relatively small number of individuals are allowed to create a new InfoPath form and a much wider audience is allowed to edit it. (This is a new-hire on-boarding form used by Human Resources that launches a workflow.)

To meet that objective, I created two new permission levels ("create and update" and "update only"), broke inheritance for the form library and assigned permissions to a "create, update" user and a separate "update only" user. The mechanics all worked, but it turned out to be a little more involved than I expected. (If you feel a little shaky on SharePoint permissions, check out this blog post.) The required security configuration for the permission level was not the obvious set of granular permissions. To create an update-only permission level for an InfoPath form, I did the following:

  1. Create a new permission level.
  2. Clear away all options.
  3. Select only the following from "List permissions":
    • Edit Items
    • View Items
    • View Application Pages

Selecting these options allows a user to update a form, but not create it.

The trick was to enable "View Application Pages". There isn’t any verbiage on the permission level that indicates that’s required for update-only InfoPath forms, but it turns out it is.

Create-and-Update was even stranger.  I followed the same steps, 1 through 3 above.  I had to specifically add a "Site Permission" option: "Use client integration features".   Again, the description there does not make it seem like it ought to be required for an InfoPath form, but there it is.

</end>


That “In-Between” Feeling; Observations on SharePoint Consulting

Sadly, phase one of my last project has come to a close and the client has opted to move ahead by themselves on phase two.  We did our job too well, as usual 🙂  I’m now between projects, a special time for staff consultants like myself (as opposed to independents who must normally live in perpetual fear of in-between time 🙂 ).  We staff consultants fill this time in various ways: Working with sales folk to write proposals; filling in for someone or backing up a person on this or that odd job;  studying;  Blogging :).  It’s hard to plan more than a few days in advance.  At times like this, while I have a bit of time on my hands, I like to reflect.  

I’m almost always sad to leave a client’s campus for the last time.  We consultants form a peculiar kind of relationship with our clients, unlike your typical co-worker relationship.   There’s the money angle — everyone knows the consultant’s rate is double/triple or even more than the client staff.  You’re a known temporary person.  As a consultant, you’re a permanent outsider with a more or less known departure date.  Yet, you eat lunch with the client, take them out to dinner and/or for drinks, buy cookies for the team, go on coffee runs, give/receive holiday cards — all the kinds of things that co-workers do.  On one hand, you’re the adult in the room.  You’re an expert in the technology which puts you in a superior position.  On the other hand, you’re a baby.  On day zero, consultants don’t know the names, the places or the client’s lingo.  Most times, consultants never learn it all.

When things go well, you become very well integrated with the client’s project team.  They treat you like a co-worker in one sense, and confidant in another.  Since we don’t have a manager-style reporting relationship with the client, the project team often feels a little free to air their dirty laundry.  They let their barriers down and can put the consultant into an awkward position, never realizing they are doing it.

Consultants often don’t get to implement phase two and that never gets easy for me.  I think this is especially hard with SharePoint.  Phase one of your typical SharePoint project covers setup/configuration, governance, taxonomy, basic content types, etc. and in many respects, amounts to a lengthy, extremely detailed discovery.  That’s how I view my last project.  We did all the basic stuff as well as execute some nice mini-POC’s by extending CQWP, implementing BDC connections to PeopleSoft, introduced a fairly complex workflow with SharePoint Designer, touched on basic KPI’s and more.  A proper phase two would extend all of that with extensive, almost pervasive BDC, really nice workflow, fine tuned and better search, records center, excel services and probably most important, reaching out to other business units.  But, it’s not to be for me, and that’s sad.

Based on this recent experience, I think it’s fair to say that a proper enterprise SharePoint implementation is a one year process.  It could probably legitimately run two years before reaching a point of diminishing returns.  Details matter, of course.

That’s the consultant’s life and all of these little complaints are even worse in a SharePoint engagement.  As I’ve written before, SharePoint’s horizontal nature brings you into contact with a wide array of people and business units.  When you’re working with so many people, you can see so many ways that SharePoint can help the company become more efficient, save time, do things better…  but you don’t always get to do them.  

I often look back to my first job out of college, before starting a consulting career in 1995.  We did get to do a phase two and even a phase three.  Those were nice times.  On the downside, however, that would mean a lot of routine stuff too.  Managing site security.  Tweaking content types.  Creating views and changing views.  Dealing with IE security settings.  Restoring lost documents.  Blech! 🙂

Despite my melancholy mood, I can’t imagine a place I’d rather be (except at a warm beach with a goodly supply of spirits).

I can’t wait to get started implementing the next enterprise SharePoint project.

(Apropos of nothing, I wrote most of this blog entry on an NJ Transit bus.  I don’t think I made any friends, but one CAN blog on the bus 🙂 )

</end>


Sunday Funny: “They’re Not THAT Bad”

Back near 1999, I was spending a lot of weeks out in Santa Barbara, CA, working for a client, leaving my poor wife back here in New Jersey alone.  I dearly love my wife.  I love her just as much today as I did when she foolishly married me 1,000 years or so ago.  Somewhere along the line, I coined a phrase, "special fear", as in "Samantha has special fears."  She has a special fear of "bugs", which to her are not flies or ladybugs, but rather microbes.  She’s afraid of this or that virus or unusual bacteria afflicting our son, or me, but never really herself.  (She is also specially afraid of vampires, miniature evil dolls (especially clowns) and submarine accidents; she has out-grown her special fear of people dressed in Santa Claus outfits).

One day, my co-worker and I decided to drive up into the nearby mountains near Ojai.  At one point, we got out of the car to take in the scene.  When we got back into the car, I noticed that a tick was on my shoulder.  I flicked it out the window and that was it.

That night, I told her about our drive and mentioned the tick.  The conversation went something like this:

S: "Oooo!  Those are bad.  They carry diseases."

P: "Well, I flicked it out the window."

S: "They are really bad though. They can get under your skin and suck blood and transfer bugs.  You better check your hair and make sure there aren’t any in your head!"

P: In a loud voice: "My God!  CAN THEY TAKE OVER YOUR MIND???"

S: Literally reassuring me: "No, they’re not THAT bad."

</end>


Quick and Easy: Automatically Open InfoPath Form From SharePoint Designer Email

UPDATE: Madjur Ahuja points out this link from a newsgroup discussion: http://msdn2.microsoft.com/en-us/library/ms772417.aspx.  It’s pretty definitive.

===

We often want to embed hyperlinks to InfoPath forms in emails sent from SharePoint Designer workflows.  When users receive these emails, they can click on the link from the email and go directly to the InfoPath form.

This monster URL construction works for me:

http://server/sites/departments/Technical%20Services/InformationTechnology/HelpDesk/_layouts/FormServer.aspx?XmlLocation=/sites/departments/Technical%20Services/InformationTechnology/HelpDesk/REC%20REM%20RED%20Forms/REC2007-12-18T11_33_48.xml&Source=http%3A%2F%2Fserver%2Ecorp%2Edomain%2Ecom%2Fsites%2Fdepartments%2FTechnical%2520Services%2FInformationTechnology%2FHelpDesk%2FREC%2520REM%2520RED%2520Forms%2FForms%2FAllItems%2Easpx&DefaultItemOpen=1

 

Replace the bolded red text with the name of the form, as shown in the following screenshot:

image

Note that there is a lot of hard-coded path in that URL, as well as a URL-encoded component.  If this is too hard to translate to your specific situation, try turning on alerts for the form library.  Post a form and when you get the email, view the source of the email and you’ll see everything you need to include.
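
The URL above, assembled from its parts, as an added example that is not code from the original post. The function names buildFormServerLink and parseFormServerLink and their parameter names are hypothetical; the sample values are the ones in the URL shown in the post.

```javascript
// Added example (not from the original post). Function and parameter names
// are hypothetical; sample values match the URL shown in the post.

// Percent-encode each path segment (space -> %20) while keeping the slashes.
const encodePath = (p) => p.split("/").map(encodeURIComponent).join("/");

function buildFormServerLink({ linkOrigin, sourceOrigin, webPath, library, formFile }) {
  const web = encodePath(webPath);
  const lib = encodePath(library);

  // XmlLocation: server-relative path of the saved form XML.
  const xmlLocation = `${web}/${lib}/${encodeURIComponent(formFile)}`;

  // Source: absolute URL of the library's AllItems.aspx view. It is already an
  // encoded URL and is encoded again as a query value, so %20 becomes %2520.
  const source = encodeURIComponent(`${sourceOrigin}${web}/${lib}/Forms/AllItems.aspx`);

  return `${linkOrigin}${web}/_layouts/FormServer.aspx` +
    `?XmlLocation=${xmlLocation}&Source=${source}&DefaultItemOpen=1`;
}

// Decode a link (for example one copied from an alert email) back into its
// parts, so it can be compared field by field with a link you built.
function parseFormServerLink(link) {
  const url = new URL(link);
  return {
    page: url.origin + url.pathname,
    xmlLocation: url.searchParams.get("XmlLocation"),
    source: url.searchParams.get("Source"),
    defaultItemOpen: url.searchParams.get("DefaultItemOpen"),
  };
}

const exampleLink = buildFormServerLink({
  linkOrigin: "http://server",
  sourceOrigin: "http://server.corp.domain.com",
  webPath: "/sites/departments/Technical Services/InformationTechnology/HelpDesk",
  library: "REC REM RED Forms",
  formFile: "REC2007-12-18T11_33_48.xml",
});
console.log(exampleLink);
console.log(parseFormServerLink(exampleLink));
```

The built link leaves the dots in Source unencoded where the post's URL has %2E; both decode to the same value.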

Astute readers may notice that the above email body also shows a link that directly accesses the task via a filtered view.  I plan to explain that in greater detail in a future post. 

</end>


Thinking About Commercial Products

I put a SharePoint Designer extensions project up at CodePlex earlier this year and even though it’s really quite limited in scope, I estimate that it’s been downloaded by 40 to 60 (possibly even 100) companies in just about two months.  That indicates to me that there’s a market for that solution and if I were to successfully commercialize it, that could translate into a goodly amount of beer 🙂

My background is actually much more in product development and I know what is required to bring a top-notch product, as opposed to a CodePlex hobby project, to market.  In my past life, I was responsible for product R&D for all software products.  The difference between then and now is that I’m a consultant now working for an (excellent) consulting firm (Conchango).  Previously, I had an entire company behind me and in front of me, selling and supporting the products we brought to market.  Today, I’d be alone.

I have several product ideas in mind, but I think the easiest would be to create a commercial version of the above-mentioned CodePlex project that uses that as a starting point and extends it further.  My fuzzy off-the-cuff thinking is to charge something like $100 for an unlimited developer license and $500 per production web front end.  I think I would also give away the source code.

If you have thoughts or experiences that you’re willing to share, please leave a comment or email me directly.  I’d like to hear opinions like:

  • Is it all worthwhile?
  • Practical suggestions for marketing, collecting money, distributing.
  • Pricing.
  • Support.
  • Any other comment you’d like to leave.

It’s "easy" to come up with product ideas and to implement them, though many dozens of hours of work are required.  The other stuff is not as easy for me.

</end>


Sunday Morning Funny: “Jesus Must Die”

We bought our first (and only) "luxury" car back when hurricane Floyd nailed the east coast of the U.S.  We got a LOT of rain here in New Jersey and several days passed before life returned to normal.  Just before Floyd struck, we made an offer for a used Volvo 850 GL and after Floyd struck, drove it home.

It was our first car with a CD player.  Like most new car owners, we went a little CD crazy, revived our dormant CD collection and went on long drives just to listen to CD’s in the car.  Like all fads, this passed for us and we ended up listening to the same CD over and over again.  In our case, it was Jesus Christ Superstar.

One of the (many) brilliant pieces in that rock opera is sung by the establishment religious types, led by Caiaphas, the "High Priest".  They sing their way into deciding how to handle the "Jesus problem" and Caiaphas directs them to the conclusion that "Jesus must die".  The refrain on the song is "Jesus must die, must die, must die, this Jesus must die".  You hear that refrain a lot in that piece.

At the time, my son was about three years old.  You can probably see where this is going. 

I came home from work one day and my son is in the living room playing with toys and humming to himself.  I’m taking off my jacket, looking through the mail and all my usual walk-in-the-door stuff and I suddenly realize that he’s just saying, not really singing: "Jesus must die, must die, must die."  I was mortified.  I could just see him doing that while on one of his baby play dates at a friend’s house — probably the last play date with that baby friend.

We pulled that CD out of the Volvo after that 🙂

</end>


Google Did Accept My Live Spaces Blog Into the AdSense Program

UPDATE: As of 03/09, I have found no way to integrate my live spaces account with Google Adsense.  Microsoft’s system here seems to prevent all of the technical mechanisms that Google provides would-be adsense hosters.  I tend to believe this is mainly a side effect of the security they’ve built into live spaces, not a direct effort to disable Adsense. 

This is not a SharePoint post, but might be of interest to bloggers generally.

Someone commented on their Windows Live Spaces blog that Google affirmatively denied their application to participate in AdSense.  She theorized that Google denied her because Windows Live Spaces hosts her blog. However, I was recently accepted into the program for my live spaces blog, so the policy has either changed or Google denied her for some other reason.

Of course, I don’t see any obvious way to integrate Google AdSense into my live space, but it’s a start 🙂

</end>


Implementing Master / Detail Relationships Using Custom Lists

Forum users frequently ask questions like this:

> Hello,
>
> Please tell me if there are any possibilities to build a custom list with
> master and detail type (like invoices) without using InfoPath.
>

SharePoint provides some out-of-the-box features that support business requirements like that.

In general, one links two lists together using a lookup column.  List A contains the invoice header information and list B contains invoice details.

Use additional lists to maintain customer numbers, product numbers, etc.

Use a content query web part (in MOSS only) and/or a data view web part to create merged views of the lists.  SQL Server Reporting Services (SRS) is also available for the reporting side of it.

However, there are some important limitations that will make it difficult to use pure out-of-the-box features for anything that is even moderately complex.  These include:

  • Size of related lookup lists vs. "smartness" of the lookup column type.  A lookup column type presents itself on the UI differently depending on whether you’ve enabled multi-select or not.  In either case, the out-of-the-box control shows all available items from the source list.  If the source list has 1,000 items, that’s going to be a problem.  The lookup control does not page through those items.  Instead, it pulls all of them into the control.  That makes for a very awkward user interface both in terms of data entry and performance.
  • Lookups "pull back" one column of information.  You can never pull back more than one column of information from the source list.  For instance, you cannot select a customer "12345" and display the number as well as the customer’s name and address at the same time.  The lookup only shows the customer number and nothing else.  This makes for an awkward and difficult user interface.
  • No intra-form communication.  I’ve written about this here.  You can’t implement cascading drop-downs, conditionally enable/disable fields, etc. 
  • No cascading deletes or built-in referential integrity.  SharePoint treats custom lists as independent entities and does not allow you to link them to each other in a traditional ERD sense.  For example, SharePoint allows you to create two custom lists, "customer" and "invoice header".  You can create an invoice header that links back to a customer in the customer list.  Then, you can delete the customer from the list.  Out of the box, there is no way to prevent this.  To solve this kind of problem, you would normally use event handlers.

It may seem bleak, but I would still use SharePoint as a starting point for building this kind of functionality.  Though there are gaps between what you need in a solution and what SharePoint provides out of the box, SharePoint enables us to fill those gaps using tools such as:

  • Event handlers.  Use them to enforce referential integrity.
  • Custom columns: Create custom column types and use them in lieu of the default lookup column.  Add paging, buffering and AJAX features to make them responsive.
  • BDC.  This MOSS-only feature enables us to query other SharePoint lists with a superior user interface to the usual lookup column.  BDC can also reach out to a back end server application.  Use BDC to avoid replication.  Rather than replicating customer information from a back end ERP system, use BDC instead.  BDC features provide a nice user interface to pull that information directly from the ERP system where it belongs and avoids the hassle of maintaining a replication solution.

    BDC is a MOSS feature (not available in WSS) and is challenging to configure. 

  • ASP.NET web form: Create a full-featured AJAX-enabled form that uses the SharePoint object model and/or web services to leverage SharePoint lists while providing a very responsive user interface.

The last option may feel like you’re starting from scratch, but consider the fact that the SharePoint platform starts you off with the following key features:

  • Security model with maintenance.
  • Menu system with maintenance.
  • "Master table" (i.e. custom lists) with security, built-in maintenance and auditing.
  • Search.
  • Back end integration tools (BDC).

If you start with a new blank project in visual studio, you have a lot of infrastructure and plumbing to build before you get close to what SharePoint offers.

I do believe that Microsoft intends to extend SharePoint in this direction of application development.  It seems like a natural extension to the existing SharePoint base.  Microsoft’s CRM application provides a great deal of extensibility of the types needed to support header/detail application development.  Although those features are in CRM, the technology is obviously available to the SharePoint development team and I expect that it will make its way into the SharePoint product by end of 2008.  If anyone has any knowledge or insight into this, please leave a comment.

</end>

Quick Tip: Content Query Web Part, Lookup Column Value and XSL

I have a column name in a content type named "Real Estate Location".

That column is of type "lookup".

I have modified <CommonViewFields> and ItemStyle.xsl to show the column.

A simple <xsl:value-of select=…> returns back an internal value that includes ordinal position data, such as:

1;#Miami

To get the human-friendly value, use xsl substring-after, as shown:

<xsl:value-of select="substring-after(@Real_x005F_x0020_Estate_x005F_x0020_Location,'#')"></xsl:value-of>

Use this technique whenever you are working with lookup values in XSL transforms and need to get the human-friendly value.

<end/>


SharePoint Beagle December Issue Up & Live

Many of you know this already, but the December edition of SharePoint Beagle is live.

Every article is worth reading in my opinion.

I want to give a little extra bump to my colleague’s article (Natalya Voskrensenskya).  She provides a screen-shot extravaganza while describing how she used custom lists, workflow, SharePoint Designer, data views and other elements to implement a self-service training feature in MOSS.  She describes techniques that can be applied in many different business scenarios.  Check out her blog while you’re at it.

Don’t forget to check out my article as well 🙂  I wrote about using MOSS to help an HR department manage open positions.

</end>