SharePoint Security Fundamentals Primer / Avoid Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand’s article for some technical consequences of removing or changing the default group names (see his comments below as well).

Overview:

SharePoint security is easy to configure and manage. However, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (I admit to having this problem myself.) This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out-of-the-box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS-specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.

Users and Groups break down into:

  • Individual users: Pulled from Active Directory or created directly in SharePoint.
  • Groups: Mapped directly from Active Directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" to a specific securable object.

Securable objects break down into at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings.

There are other securable objects, but you get the picture.

Permission levels: A bundle of granular / low-level access rights that include such things as create/read/delete entries in lists.

Inheritance: By default, entities inherit security settings from their containing object. Sub-sites inherit permissions from their parent. Document libraries inherit from their site. So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The Most Important Security Rules To Understand, Ever 🙂 :

  1. Groups are simple collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as a group defined at a site level).
  3. Group names notwithstanding, groups do not, in and of themselves, have any particular level of security.
  4. Groups have security in the context of a specific securable object.
  5. You may assign different permission levels to the same group for every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of groups and user lists can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

  • Group names falsely imply permissions: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true, but not because the group’s name happens to be "contributor". It is only true out of the box because the group has been given a permission level that enables its members to add/edit/delete content at the root site. Through inheritance, the "Contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example). This would not be a good idea, of course, since it would be very confusing.
  • Groups are not defined at a site level. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link, I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
  • Group membership does not vary by site (i.e. it is the same everywhere the group is used): Consider the group "Owners" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites: an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, I might access People and Groups via the link on the HR site, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site and pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In fact, I’m removing her from the global Owners group. Hilarity ensues.
  • Failing to name groups based on their specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people in the Logistics department to be able to approve HR documents? Of course not. Always name groups based on their intended role within the organization. This reduces the risk that the group is assigned an inappropriate permission level for a particular securable object. In the previous HR/Logistics scenario, I should have created two new groups, "HR Owners" and "Logistics Owners", and assigned each a meaningful permission level: the minimum required for those users to do their jobs.
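The six rules and the Owners/Contributors pitfalls above can be checked against a toy model. This is an added example, not code from the post or from SharePoint; the classes, the contents of the permission levels and the user names are assumptions that only mirror the rules as stated:

```python
"""Toy model of the permission model described above: groups are site-wide
sets of users, permission levels are bundles of rights, and securable objects
inherit role assignments from their parent until inheritance is broken.
Constructed illustration with assumed right bundles, not the SharePoint API."""

PERMISSION_LEVELS = {
    "Full Control": {"read", "add", "edit", "delete", "manage"},
    "Contribute": {"read", "add", "edit", "delete"},
    "Read": {"read"},
}


class SiteCollection:
    """Rules 1 and 2: a group is just a set of users, and there is exactly
    one copy of each group for the whole site collection."""
    def __init__(self):
        self.groups = {}

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def remove_member(self, group, user):
        self.groups.get(group, set()).discard(user)


class Securable:
    """A site, library, folder or item. Role assignments (group -> level)
    live on the object; a child follows its parent until inheritance breaks."""
    def __init__(self, parent=None):
        self.parent = parent
        self.inherits = parent is not None
        self.roles = {}

    def break_inheritance(self):
        """Snapshot the inherited assignments, then stop following the parent."""
        self.roles = dict(self.effective_roles())
        self.inherits = False

    def effective_roles(self):
        return self.parent.effective_roles() if self.inherits else self.roles

    def rights(self, sc, user):
        """Rules 3-5: a group grants nothing by itself; rights come from the
        level assigned to it on this particular object."""
        granted = set()
        for group, level in self.effective_roles().items():
            if user in sc.groups.get(group, set()):
                granted |= PERMISSION_LEVELS[level]
        return granted


def owners_pitfall():
    """HR/Logistics scenario: 'Owners' is one global group, so removing the HR
    owner 'from Logistics' removes her from HR too. Returns whether she can
    still manage the HR site afterwards."""
    sc, root = SiteCollection(), Securable()
    root.roles = {"Owners": "Full Control", "Contributors": "Contribute"}
    hr = Securable(root)                      # inherits root's assignments
    sc.add_member("Owners", "hr.owner")       # done via HR's People and Groups
    sc.remove_member("Owners", "hr.owner")    # done via Logistics: same group
    return "manage" in hr.rights(sc, "hr.owner")


def contributor_pitfall():
    """A 'Contributors' member contributes at the root yet only reads on a
    sub-site whose inheritance was broken and re-assigned. Returns both sets."""
    sc, root = SiteCollection(), Securable()
    sc.add_member("Contributors", "alice")
    root.roles = {"Contributors": "Contribute"}
    sub = Securable(root)
    sub.break_inheritance()
    sub.roles["Contributors"] = "Read"
    return root.rights(sc, "alice"), sub.rights(sc, "alice")
```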

Other useful references:

If you’ve made it this far:

Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!


Quick and easy: Create a Data View Web Part (DVWP)

There is a wealth of great information on the WSS 3.0 Data View Web Part (DVWP) on the web from several sources. However, I found it to be surprisingly difficult to find information on this first, very basic step. Here is another article in the "quick and easy" series to address it.

Follow these steps to create a data view web part (DVWP). They are based on an "Announcements" web part, but apply to most lists.

  1. Create an Announcements web part and add it to a site.
  2. Open the site in SharePoint Designer.
  3. Open the site’s default.aspx.
  4. Select the Announcements web part and right-click.
  5. From the context menu, select "Convert to XSLT Data View".

SharePoint Designer notifies you that this site is now customized from its site definition. That’s not necessarily bad, but there are important implications (performance, upgrade, others) which are beyond the scope of this little "Quick and Easy" entry. To get more information on this subject, I recommend both books here as well as your favorite Internet search.

Confirm that you did it correctly:

  1. Close and re-open the web browser (to avoid accidentally re-posting the original "add a new web part").
  2. Select the web part’s arrow drop-down and choose "Modify Shared Web Part" from the menu.
  3. The tool panel opens to the right.
  4. The panel has changed from its usual set options to this:
[image]

“Cannot get the list schema column property from the SharePoint list” — explanation / work-arounds

This week, we finally reproduced a problem that had been reported by a remote user: when she tried to export the contents of a list to Excel, things would seem to start working, but then Excel would pop up an error: "Cannot get the list schema column property from the SharePoint list". She was running Office 2003, Windows XP and connecting to MOSS.

I searched the Internets and found some speculation but nothing 100% definitive. Hence, this post.

The problem: Exporting a view to Excel that contains a date (= date data type column).

What worked for us: Convert the date column to a "single line of text". Then, convert it back to a date.

That solved it. It was nice to see that the conversion worked, actually. I was quite nervous that converting things this way would fail, but it did not.

This bug has cast a large shadow over the date data type in the mind of the client, so we are going to be out looking for a definitive answer from Microsoft, and hopefully I’ll be able to post an update here in the near future with their official answer and hotfix information.

Other references:

http://www.kevincornwell.com/blog/index.php/cannot-get-the-list-schema-column-property-from-the-sharepoint-list/

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2383611&SiteID=1

</end>

Subscribe to my blog.

Quick and simple: Send an email with an embedded hyperlink from a SharePoint Designer workflow

Once or twice a month, someone posts a forum question: "How do I include hyperlinks to URLs that are clickable from a SharePoint Designer email?"

Presented without further comment: (well, actually there is further comment after the picture):

[image]

Becky Isserman follows up with a useful explanation of how to embed a link to an item in the e-mail: http://www.sharepointblogs.com/mosslover/archive/2007/11/20/addition-to-paul-galvin-s-post-about-sending-an-e-mail-with-hyperlinks-in-spd.aspx

New release: SharePoint Designer workflow extensions (string manipulation functions)

UPDATE: See here for my thoughts on commercializing this project: http://paulgalvin.spaces.live.com/blog/cns!1CC1EDB3DAA9B8AA!569.entry

I’ve been busy working on my Codeplex project, which is currently focused on providing string manipulation extensions to workflows created via SharePoint Designer.

See here for details:

Project home: http://www.codeplex.com/spdwfextensions

Release: https://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=spdwfextensions&ReleaseId=8280

Version 1.0 includes the following new features:

Function                  Description (if not the same as the .NET function)
Num-entries()             Returns the number of "entries" in a string as per a specified delimiter.
                          Example: Num-entries in a string "a,b,c" with delimiter "," = 3.
Entry()                   Returns the nth token in a string as per a specified delimiter.
Length                    String.Length
Replace()                 String.Replace()
Contains()                String.Contains(). Returns the word "true" or the word "false".
Substring(start)          String.Substring(start)
Substring(start,length)   String.Substring(start,length)
ToUpper()                 String.ToUpper()
ToLower()                 String.ToLower()
StartsWith()              String.StartsWith(). Returns the word "true" or the word "false".
EndsWith()                String.EndsWith(). Returns the word "true" or the word "false".

A BDC runtime error explained

I caused a BDC error this week that manifested itself in the user interface and in the 12 hive log at runtime.

First, it appeared in the user interface:

Could not find Fields to insert all the Identifier Values to properly execute a SpecificFinder MethodInstance with Name … Ensure input Parameters have TypeDescriptors associated with every Identifier defined for this Entity.

Here is a screen shot:

[screenshot]

I could also cause this message to appear in the 12 hive log at will (using my patented high-tech-don’t-try-this-at-home "mysterious errors" technique):

11/14/2007 09:24:41.27 w3wp.exe (0x080C) 0x0B8C SharePoint Portal Server Business Data 6q4x High Exception in BusinessDataWebPart.OnPreRender: System.InvalidOperationException: The Identifier value ”, of Type ”, is invalid. Expected Identifier value of Type ‘System.String’. at Microsoft.Office.Server.ApplicationRegistry.MetadataModel.Entity.FindSpecific(Object[] subIdentifierValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BdcClientUtil.FindEntity(Entity entity, Object[] userValues, LobSystemInstance lobSystemInstance) at Microsoft.SharePoint.Portal.WebControls.BusinessDataItemBuilder.GetEntityInstance(View desiredView) at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.GetEntityInstance() at Microsoft.SharePoint.Portal.WebControls.BusinessDataDetailsWebPart.SetDataSourceProperties()

I searched around and found some leads in the MSDN forum, but they weren’t enough for me to understand what I was doing wrong. I watched a webcast by Ted Pattison that my company has squirreled away on a server and came to realize my problem.

In my ADF, I’m connecting to a SQL database as shown:

            <Property Name="RdbCommandText" Type="System.String">
              <![CDATA[
                SELECT
                      SETID, CARRIER_ID, EFFDT, DESCR, EFF_STATUS, TAXPAYER_ID, NETWORK_ID, FRT_FORWARD_FLG, ALT_NAME1, ALT_NAME2, LANGUAGE_CD,
                      COUNTRY, ADDRESS1, ADDRESS2, ADDRESS3, ADDRESS4, CITY, NUM1, NUM2, HOUSE_TYPE, ADDR_FIELD1, ADDR_FIELD2, ADDR_FIELD3,
                      COUNTY, STATE, POSTAL, GEO_CODE, IN_CITY_LIMIT, COUNTRY_CODE, PHONE, EXTENSION, FAX, LAST_EXP_CHK_DTTM, FREIGHT_VENDOR,
                      INTERLINK_DLL, TMS_EXCLUDE_FLG
                FROM
                      dbo.PS_CARRIER_ID_VW WITH (nolock)
                WHERE
                  (SETID <> 'SHARE') AND
                  (lower(CARRIER_ID) >= lower(@MinId)) AND
                  (lower(CARRIER_ID) <= lower(@MaxId)) AND
                  (lower(DESCR) LIKE lower(@InputDescr))
                ]]>
            </Property>

I was provided that SQL by a DBA and I’m given to understand that it’s a special view they created just for me. The unique key there is CARRIER_ID.

Here is the bug I introduced:

      <Identifiers>
        <Identifier Name="CARRIER_ID" TypeName="System.String" />
        <Identifier Name="DESCR" TypeName="System.String" />
      </Identifiers>

Somewhere along the line, I had managed to confuse myself over the meaning of <Identifiers> and added DESCR even though it’s not actually an identifier. I took DESCR out of the identifiers set and presto! It all worked.

I hope this saves someone some grief 🙂


You Can’t Beat SharePoint’s Reach

During the last two days, I have participated in two meetings during which we presented the results of a SharePoint project. The CIO and his team joined the first meeting. That’s standard and not especially notable. The IT department is obviously involved in an enterprise rollout of any technology project. The second meeting expanded to include a V.P. from marketing, several directors representing HR, Logistics, Manufacturing, Capital Projects, Quality, Purchasing, Corporate development and other departments (some of whom were not even directly involved in the current phase). That’s a mighty wide audience.

In my prior life, I primarily worked on ERP and CRM projects. They both have a fairly wide solution domain but not as wide as SharePoint. To be fully realized, SharePoint projects legitimately and necessarily reach into every nook and cranny of an organization. How many other enterprise solutions have that kind of reach? Not many.

SharePoint clearly represents an enormous opportunity for those of us fortunate enough to be in this space. It provides a great technical opportunity (which is somewhat turned on its head here under "Technologies You Must Master"). But even better, SharePoint exposes us to an extensive and wide range of business processes through these engagements. How many CRM specialists work with the manufacturing side of the company? How many ERP consultants work with human resources on talent acquisition? SharePoint exceeds them both.

Like anything, it’s not perfect, but it’s a damn good place to be.

For the sake of [fill in your most beloved person / higher being], don’t change the ‘Title’ site column.

In the SharePoint forums, someone occasionally asks about "changing the label of Title" or about "removing title from lists".

Bottom line: Don’t do it!

Sadly, the user interface allows a one-way change of that column’s label, as shown:

[image]

Title is a column associated with the "Item" content type. Many, many, many CTs use this column and if you change it here, it ripples out everywhere. There’s a good chance that you didn’t intend for that to happen. You were probably thinking to yourself, "I have a custom lookup list and ‘Title’ just doesn’t make sense as a column name, so I’m going to change it to ‘Status Code’ and add a description column." But if you follow through on that thought and rename ‘Title’ to ‘Status Code’, the title column of every list (including document libraries) changes to "Status Code", and you probably didn’t intend for that to happen.

The real problem is that this is a one-way change. The UI "knows" that "title" is a reserved word. So, if you try to change "Status Code" back to "Title", it stops you, and now you’ve painted yourself into a corner using paint that never dries 🙂

So what happens if you’ve already changed it? I haven’t seen the answer we all want, which is a simple and easy method to change the label back to ‘Title’. Right now, the best advice is to change it to something like "Doc/Item Title". That’s a generic enough label that may not be too jarring for your users.

I have a few other ideas which are on my to-do list of things to research:

  • Contact Microsoft.
  • Do something in the object model, perhaps via a feature.
  • Figure out the database schema and manually update SQL. (You should contact Microsoft before doing this, though; it would probably void your support contract).

If anyone knows how to solve this, please post a comment.

Update, late afternoon 11/15: I found this link that describes a technique for creating a list type that doesn’t have a title column: http://www.venkat.org/index.php/2007/09/03/how-to-remove-title-column-from-a-custom-list/

BDC ADF and your friend, CDATA

I’ve noticed some awkward and unnecessary hand-encoding of RdbCommandText in some examples (including the MSDN documentation).

I wanted to point out to newcomers to BDC that commands can be wrapped inside a CDATA tag in their "natural" form. So, this awkward construction:

<Property Name="RdbCommandText" Type="System.String">
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement FROM dbo.MCRS_SETTLEMENT
WHERE (ID &gt;= @MinId) AND (ID &lt;= @MaxId)
</Property>

Can be better represented this way:

<Property Name="RdbCommandText" Type="System.String">
<![CDATA[
SELECT dbo.MCRS_SETTLEMENT.id, dbo.MCRS_SETTLEMENT.settlement FROM dbo.MCRS_SETTLEMENT
WHERE (ID >= @MinId) AND (ID <= @MaxId)
]]>
</Property>

</end>

BDC primer

Intro to BDC

Functional example: BDC ADF that connects to a SQL database with an embedded user id and password

I needed to wire up MOSS to a SQL database via BDC. For testing/POC purposes, I wanted to embed the SQL account user id and password in the ADF. Starting with this template (http://msdn2.microsoft.com/en-us/library/ms564221.aspx), I created an ADF that connects to a specific SQL Server instance and logs in using a specific user id and password, as shown in this snippet:

  <LobSystemInstances>
    <LobSystemInstance Name="ClaimsInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">actual server\actual instance</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">actual initial catalog</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>

        <!-- These are the important values: -->
        <Property Name="RdbConnection User ID" Type="System.String">actual User ID</Property>
        <Property Name="RdbConnection Password" Type="System.String">actual Password</Property>
        <Property Name="RdbConnection Trusted_Connection" Type="System.String">false</Property>

      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>

This is not a best practice, but it’s useful for a quick and simple configuration for testing. This was surprisingly difficult to figure out. I never found a functional example with the search keywords:

  • adf embedded userid and password
  • embed user id and password in adf
  • embed user id and password in adf bdc
  • sharepoint bdc primer
  • sharepoint embed user id and password in adf
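Both the <Identifiers> mistake from "A BDC runtime error explained" above and the embedded SQL password in this post can be caught by reading the ADF before it is imported. The lint below is an added example, not the project’s or Microsoft’s code; the sample ADF, the Carrier entity and the credential values are constructed, and it assumes the MOSS 2007 ADF element names shown on this page plus the IdentifierName attribute on input TypeDescriptors:

```python
"""Lint a MOSS 2007 BDC application definition (ADF) for two problems
discussed in these posts: an Entity Identifier that no input TypeDescriptor
of a SpecificFinder method supplies, and a SQL password embedded in a
LobSystemInstance. Added example; the sample ADF below is constructed."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog}"

# Constructed fragment reproducing the bug from the post: DESCR is declared as
# an Identifier, but only CARRIER_ID is fed in by the input parameters.
SAMPLE_ADF = """<LobSystem xmlns="%s" Type="Database" Name="Carriers">
 <LobSystemInstances><LobSystemInstance Name="CarriersInstance"><Properties>
  <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
  <Property Name="RdbConnection User ID" Type="System.String">bdc_reader</Property>
  <Property Name="RdbConnection Password" Type="System.String">not-a-real-pw</Property>
 </Properties></LobSystemInstance></LobSystemInstances>
 <Entities><Entity Name="Carrier">
  <Identifiers>
   <Identifier Name="CARRIER_ID" TypeName="System.String" />
   <Identifier Name="DESCR" TypeName="System.String" />
  </Identifiers>
  <Methods><Method Name="GetCarriers"><Parameters>
   <Parameter Direction="In" Name="@MinId">
    <TypeDescriptor TypeName="System.String" IdentifierName="CARRIER_ID" Name="MinId" />
   </Parameter>
   <Parameter Direction="In" Name="@MaxId">
    <TypeDescriptor TypeName="System.String" IdentifierName="CARRIER_ID" Name="MaxId" />
   </Parameter>
   <Parameter Direction="In" Name="@InputDescr">
    <TypeDescriptor TypeName="System.String" Name="InputDescr" />
   </Parameter>
  </Parameters><MethodInstances>
   <MethodInstance Name="CarrierSpecificFinder" Type="SpecificFinder" />
  </MethodInstances></Method></Methods>
 </Entity></Entities>
</LobSystem>""" % NS[1:-1]


def missing_identifiers(adf_xml):
    """Map 'Entity/Method' -> identifiers that no input TypeDescriptor supplies,
    checked only on methods that back a SpecificFinder MethodInstance."""
    problems = {}
    for entity in ET.fromstring(adf_xml).iter(NS + "Entity"):
        ids = {i.get("Name") for i in entity.iter(NS + "Identifier")}
        for method in entity.iter(NS + "Method"):
            if not any(mi.get("Type") == "SpecificFinder"
                       for mi in method.iter(NS + "MethodInstance")):
                continue
            supplied = set()
            for param in method.iter(NS + "Parameter"):
                if param.get("Direction") == "In":
                    supplied |= {td.get("IdentifierName")
                                 for td in param.iter(NS + "TypeDescriptor")}
            gap = ids - supplied
            if gap:
                problems[entity.get("Name") + "/" + method.get("Name")] = sorted(gap)
    return problems


def embedded_credentials(adf_xml):
    """Names of LobSystemInstances that carry a literal SQL password."""
    found = []
    for inst in ET.fromstring(adf_xml).iter(NS + "LobSystemInstance"):
        for prop in inst.iter(NS + "Property"):
            if prop.get("Name") == "RdbConnection Password" and (prop.text or "").strip():
                found.append(inst.get("Name"))
    return found
```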

</end>

Subscribe to my blog.