SharePoint Security Fundamentals Primer / Avoid Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand’s article for some technical consequences of removing or modifying the default group names (see his comment below as well). 

Overview:

SharePoint security is easy to configure and manage.  However, it has proven to be difficult for some first-time administrators to really wrap their hands around it.  Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time.  (I admit to having this problem myself).  This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out of the box SharePoint security.  My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS.  I hope that anyone seeing any errors or omissions will point that out in comments or email me.  I’ll make corrections post haste. 

Fundamentals:

For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.

Users and Groups break down to:

  • Individual users: Pulled from active directory or created directly in SharePoint.
  • Groups: Mapped directly from active directory or created in SharePoint.  Groups are a collection of users.  Groups are global in a site collection.  They are never "tied" to a specific securable object.

Securable objects break down to at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings.

There other securable objects, but you get the picture.

Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists. 

Inheritance: By default entities inherit security settings from their containing object.  Sub-sites inherit permission from their parent.  Document libraries inherit from their site.  So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The Most Important Security Rules To Understand, Ever 🙂 : 

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as a group defined at a site level).
  3. Group name not withstanding, groups do not, in and of themselves, have any particular level of security. 
  4. Groups have security in the context of a specific securable object. 
  5. You may assign different permission levels to the same group for every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of group and user listings can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security.  Consider the group "Contributor".  One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal.  That may be true but not because the group’s name happens to be "contributor".  This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site.  Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site.  One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example).  This would not be a good idea, obviously, since it would be very confusing.
  • Groups are not defined at a site level.  It’s easy to be confused by the user interface.  Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link.  It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy.  That is not the case.  I’ve actually created a group for the whole site collection.
  • Groups membership does not vary by site (i.e. it is the same everywhere the group is used): Consider the group "Owner" and two sites, "HR" and "Logistics".  It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner.  The user interface makes it easy for a security administrator to mishandle this scenario.  If I didn’t know better, I might access the People and Groups links via the HR site, select the "Owners" group and add my HR owner to that group.  A month later, Logistics comes on line.  I access People and Groups from the Logistics site, add pull up the "Owners" group.  I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site.  In fact, I’m removing her from the global Owners group.  Hilarity ensues.
  • Failing to name groups based on specific role:  The "Approvers" group is a perfect example.  What can members of this group approve?  Where can they approve it?  Do I really want people Logistics department to be able to approve HR documents?  Of course not.  Always name groups based on their role within the organization.  This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object.  Name groups based on their intended role.  In the previous HR/Logistics scenario, I should have created two new groups: "HR Owners" and "Logistics Owners" and assign sensible permission levels for each and the minimum amount required for those users to do their job.

Other Useful References:

If you’ve made it this far:

Please let me know your thoughts via the comments or email me.  If you know other good references, please do the same!

Technorati Tags:

Quick and Easy: Create a Data View Web Part (DVWP)

There is a wealth of great information on the WSS 3.0 Data View Web Part (DVWP) on the web from several sources.  However, I found it to be surprisingly difficult to find information on this first very basic step.  Here is another article in the "quick and easy" series to address it.

Follow these steps to create a data view web part (DVWP).  They are based on an "Announcements" web part, but apply to most lists.

  1. Create an Announcements web part and add it to a site.
  2. Open the site in SharePoint Designer.
  3. Open the site’s default.aspx.
  4. Select the Announcements web part and right-click. 
  5. From the context menu, select "Convert to XSLT Data View".

SharePoint Designer notifies you that this site is now customized from its site definition. That’s not necessarily bad, but there are important implications (performance, upgrade, others) which are beyond the scope of this little "Quick and Easy" entry.  To get more information on this subject, I recommend both books here as well as your favorite Internet search.

Confirm that you did it correctly:

  1. Close and re-open the web browser (to avoid accidentally re-posting the original "add a new web part").
  2. Select the web part’s arrow drop-down and choose "Modify Shared Web Part" from the menu.
  3. The tool panel opens to the right.
  4. The panel has changed from its usual set options to this:
  image
   

“Cannot get the list schema column property from the SharePoint list” — description/work-arounds

This week, we finally reproduced a problem that had been reported by a remote user: When she tried to export the contents of a list to excel, things would seem to start working, but then Excel would pop up an error: "Cannot get the list schema column property from the SharePoint list".  She was running office 2003, windows XP and connecting to MOSS. 

I searched the Internets and saw some speculation but nothing 100% definitive.  Hence, this post.

The problem: Exporting a view to excel that contains a date (date = the data type of the column).

What worked for us: Convert the date to a "single line of text".  Then, convert it back to a date.

That solved it.  It was nice to see that the conversion worked, actually.  It was quite nervous that converting things this way would fail, but it did not. 

This bug has thrown a huge shadow over the date data type in the client’s mind, so we’re going to be seeking out a definitive answer from Microsoft and hopefully I’ll post and update here in the next short period of time with their official answer and hotfix information.

Other references:

http://www.kevincornwell.com/blog/index.php/cannot-get-the-list-schema-column-property-from-the-sharepoint-list/

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2383611&SiteID=1

<end>

Subscribe to my blog.  

 

Technorati Tags: ,

Quick and Simple: Send an email with embedded hyperlink from SharePoint Designer workflow

Once or twice month, someone posts a forum question: "How do I include hyperlinks to URL’s that are clickable from a SharePoint Designer email?"

Presented without further comment:  (well, actually there is further comment after the image):

image

Becky Isserman follows up with a helpful explanation on how to embed a link to an item in the email: http://www.sharepointblogs.com/mosslover/archive/2007/11/20/addition-to-paul-galvin-s-post-about-sending-an-e-mail-with-hyperlinks-in-spd.aspx

 

New release: SharePoint Designer Workflow Extensions (string manipulation functions)

UPDATE: See here for my thoughts on commercializing this project: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!569.entry

I’ve been busy working on my Codeplex project which is presently focused on providing string manipulation extensions to workflows created via SharePoint Designer.

See here for details:

Project home: http://www.codeplex.com/spdwfextensions

Release: https://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=spdwfextensions&ReleaseId=8280

Version 1.0 includes the following new features:

Function Description (if not same as .Net function)
Num-entries() Returns the number "entries" in a string as per a specified delimiter. 

For example: Num-entries in a string "a,b,c" with delimiter "," = 3.

Entry() Returns the nth token in a string as per a specified delimiter. 
Length String.Length
Replace() String.Replace()
Contains() String.Contains()
Returns the word "true" or the word "false".
Substring(start) String.Substring(start)
Substring(start,length) String.Substring(start,length)
ToUpper() String.ToUpper()
ToLower() String.ToLower()
StartsWith() String.StartsWith()
Returns the word "true" or the word "false".
EndsWith() String.EndsWith()
Returns the word "true" or the word "false".

A BDC runtime error explained

I caused a BDC error this week that manifested itself on the user interface and in the 12 hive log at runtime.

First, this appeared in the user interface:

Could not find fields to insert all the Identifier Values to correctly execute a SpecificFinder MethodInstance with Name … Ensure input Parameters have TypeDescriptors associated with every Identifier defined for this Entity.

Here’s a screen shot:

clip_image001

 

I could also cause this message to appear in the 12 hive log at will (using my patented high-tech-don’t-try-this-at-home  "mysterious errors" method):

11/14/2007 09:24:41.27         w3wp.exe (0x080C)         0x0B8C        SharePoint Portal Server         Business Data         6q4x        High         Exception in BusinessDataWebPart.OnPreRender: System.InvalidOperationException: The Identifier value ”, of Type ”, is invalid. Expected Identifier value of Type ‘System.String’. at Microsoft.Office.Server.ApplicationRegistry.MetadataModel.Entity.FindSpecific(Object[] subIdentifierValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BdcClientUtil.FindEntity(Entity entity, Object[] userValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BusinessDataItemBuilder.GetEntityInstance(View desiredView) at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.GetEntityInstance() at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.SetDataSourceProperties()

I searched around and found some leads in the MSDN forum, but they weren’t enough for me to understand what I was doing wrong.  I watched a webcast by Ted Pattison that my company has squirreled away on a server and came to realize my problem.

In my ADF, I’m connecting to a SQL database as shown:

            <Property Name="RdbCommandText" Type="System.String">
              <![CDATA[
                SELECT
                      SETID, CARRIER_ID, EFFDT, DESCR, EFF_STATUS, TAXPAYER_ID, NETWORK_ID, FRT_FORWARD_FLG, ALT_NAME1, ALT_NAME2, LANGUAGE_CD,
                      COUNTRY, ADDRESS1, ADDRESS2, ADDRESS3, ADDRESS4, CITY, NUM1, NUM2, HOUSE_TYPE, ADDR_FIELD1, ADDR_FIELD2, ADDR_FIELD3,
                      COUNTY, STATE, POSTAL, GEO_CODE, IN_CITY_LIMIT, COUNTRY_CODE, PHONE, EXTENSION, FAX, LAST_EXP_CHK_DTTM, FREIGHT_VENDOR,
                      INTERLINK_DLL, TMS_EXCLUDE_FLG
                FROM
                      dbo.PS_CARRIER_ID_VW WITH (nolock)
                WHERE
                  (SETID <> 'SHARE') and
                  (lower(CARRIER_ID) >= lower(@MinId)) and
                  (lower(CARRIER_ID) <= lower(@MaxId)) and
                  (lower(DESCR) LIKE lower(@InputDescr))
                ]]>
            </Property>

I was provided that SQL from a DBA person and I’m given to understand that it’s a special view they created just for me.  The unique key there is CARRIER_ID.

Here is the bug I introduced:

      <Identifiers>
        <Identifier Name="CARRIER_ID" TypeName="System.String" />
        <Identifier Name="DESCR" TypeName="System.String" /> 
</Identifiers>

Somewhere along the line, I had managed to confuse myself over the meaning of <Identifiers> and added DESCR even though it’s not actually an identifier.  I took DESCR out of the identifiers set and presto! It all worked.

I hope this saves someone some grief 🙂

Technorati Tags: , , ,

You Can’t Beat SharePoint’s Reach

During the last two days, I have participated in two meetings during which we presented the results of a SharePoint project.  The CIO and his team joined the first meeting.  That’s standard and not especially notable.  The IT department is obviously involved in an enterprise rollout of any technology project.  The second meeting expanded to include a V.P. from marketing, several directors representing HR, Logistics, Manufacturing, Capital Projects, Quality, Purchasing, Corporate development and other departments (some of whom were not even directly involved in the current phase).  That’s a mighty wide audience.

In my prior life, I primarily worked on ERP and CRM projects.  They both have a fairly wide solution domain but not as wide as SharePoint.  To be fully realized, SharePoint projects legitimately and necessarily reach into every nook and cranny of an organization.  How many other enterprise solutions have that kind of reach?  Not many.

SharePoint clearly represents an enormous opportunity for those of us fortunate enough to be in this space.  It provides a great technical opportunity (which is somehow turned on its head here under "Technologies You Must Master").  But even better, SharePoint exposes us to an extensive and wide range of business processes through these engagements.  How many CRM specialists work with the manufacturing side of the company?  How many ERP consultants work with human resources on talent acquisition?  SharePoint exceeds them both.

Like anything, it’s not perfect, but it’s a damned good place to be.

For the love of [fill in your most loved person/higher being], don’t change the ‘Title’ site column.

 

On the SharePoint forums, someone occasionally asks about "changing the label of Title" or about "removing title from lists".

Bottom line: Don’t do it!

Sadly, the user interface allows a one-way change of that column label as shown:

image

Title is a column associated with the "Item" content type. Many, many, many CT’s use this column and if you change it here, it ripples out everywhere.  There’s a good chance that you didn’t intend for that to happen.  You were probably thinking to yourself, "I have a custom lookup list and ‘Title’ just doesn’t make sense as a column name, so I’m going to change it to ‘Status Code’ and add a description column."  But if you follow through on that thought and rename ‘Title’ to ‘Status Code’, every list’s title (including document libraries) changes to "Status Code" and you probably didn’t intend for that to happen.

The real problem is that this is a one-way change.  The UI "knows" that "title" is a reserved word.  So, if you try and change "Status Code" back to "Title", it will prevent you and now you’ve painted yourself into a corner using paint that never dries 🙂

So what happens if you already changed it?  I haven’t seen the answer we all want, which is a simple and easy method to change the label back to ‘Title’.  Right now, the best advice is to change it to something like "Doc/Item Title".  That’s a generic enough label that may not be too jarring for your users.

I have few other ideas which are on my to-do list of things to research:

  • Contact Microsoft.
  • Do something with the object model, maybe in conjunction with a feature.
  • Figure out the database schema and manually update SQL.  (You should contact Microsoft before doing this though; it will likely void your support contract).

If anyone knows how to solve this, please post a comment.

Update late afternoon, 11/15: I found this link that describes a method for creating a type of list that does not have a title column: http://www.venkat.org/index.php/2007/09/03/how-to-remove-title-column-from-a-custom-list/

BDC ADF and your friend, CDATA

I’ve noticed some awkward and unnecessary hand-encoding of RdbCommandText in some examples (including MSDN documentation).

I wanted to point out to newcomers to BDC that commands can be wrapped inside a CDATA tag in their "natural" form.  So, this awkward construction:

<Property Name="RdbCommandText" Type="System.String">
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement from dbo.MCRS_SETTLEMENT
    WHERE (id &gt;= @MinId) AND (id &lt;= @MaxId)
</Property>

can be better represented this way:

<Property Name="RdbCommandText" Type="System.String">
  <![CDATA[
    SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement from dbo.MCRS_SETTLEMENT
      WHERE (id >= @MinId) AND (id <= @MaxId)
 
]]>
</Property>

</end>

BDC Primer

Intro to BDC

Functional Example: BDC ADF that connects to SQL database with embedded user id and password

I needed to wire up MOSS to a SQL database via BDC.  For testing/POC purposes, I wanted to embed the SQL account user id and password in the ADF.  Starting with this template (http://msdn2.microsoft.com/en-us/library/ms564221.aspx), I created an ADF that connects to a particular SQL server instance and logs in with a specific user id and password and shown in this snippet:

  <LobSystemInstances>
    <LobSystemInstance Name="ClaimsInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">actual server\actual instance</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">actual initial catalog</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>

        <!-- These are the key values: -->
        <Property Name="RdbConnection User ID" Type="System.String">actual User ID</Property>
        <Property Name="RdbConnection Password" Type="System.String">actual Password</Property>
        <Property Name="RdbConnection Trusted_Connection" Type="System.String">false</Property>

      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>

It is not a best practice, but it’s useful for a quick and simple configuration for testing.  This was surprisingly difficult to figure out.  I never found a functional example with search keywords:

  • adf embedded userid and password
  • embed user id and password in adf
  • embed user id and password in adf bdc
  • sharepoint bdc primer
  • sharepoint embed user id and password in adf

</end>

 Subscribe to my blog.