Category Archives: SharePoint Security

“Access Denied” to Default.aspx on a SharePoint 2010 Sub Site

One of my clients went live with their SharePoint 2010 environment today.  We discovered that a certain group of users couldn’t access their default home page.  SharePoint responded with “Access Denied” and the usual “sign in as another user” or “request access” response. 

When we used the nifty “Check Access” function it confirmed that the end users really did have access.  Yet, they could not get to the page.

I followed a lot of roads to various dead ends until I decided to compare the web parts on the broken page against a similar working page.  I did that by putting the page in maintenance mode by adding “?contents=1” to the page. So, it looked like “http://server/subsite/subsite/default.aspx?contents=1”. 

This showed me two web parts named “Error” with a description like “Error” on the broken page.  I didn’t think to take a screen cap at the time.

I removed them and that solved the problem.

I’ve seen a question like this come up on the forums in the past and I was extremely skeptical about the poster’s insistence that he had security set up properly.  I *know* I had security set up right Smile  Next time, I’ll be more open and less skeptical.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Use Workflow to Simulate Content Type Security

Another day, another MSDN-forums inspired post.

Someone was asking whether they could secure a content type such that when a user clicks on the “new” button on a custom list, only content types to which that person is granted access would appear in the drop-down list.  As we know, this isn’t supported out of the box.

This question comes up now and then and this time, I had a new idea.  Let’s assume that we have scenario like this:

  • We have a helpdesk ticketing system.
  • The helpdesk ticketing system allows users to enter regular helpdesk ticket info, such as problem area, problem status, etc.
  • We want to allow “super” users to specify an “urgency” field.
  • Other users don’t have access to that field.  The system will always assign “medium” level priority to their requests.

What we could do is create two separate SharePoint lists and two different content types, one for “super” users and the other for everyone else.

Workflow on each list copies the data to the master list (the actual helpdesk ticket list) and the process proceeds from there.

This approach might work flow a kind of column level security as well. 

I haven’t tried it, but it feels reasonable and gives a fairly simple, if pretty rough, option to implement a kind of content type and even column level security.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Content Approval as Poor Man’s Automatic Item Level Security

There’s a common business scenario with InfoPath forms.  We want allow people to fill out InfoPath forms and submit them to a library.  We want mangers (and no one else) to have access to those forms.

This question comes up now and then on the forms (e.g. http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/76ccef5a-d71c-4b7c-963c-613157e2a966/?prof=required)

A quick way to solve this is to enable content approval on the form library.  Go the library’s version settings and set it up as shown:

image 

Click on “Require content approval” and that will allow you to pick a value for Draft Item Security.

It’s a little counter-intuitive because we don’t think in terms of “content approval” when all we want to do is prevent people from seeing other users’ forms.  However, it works well (in my experience).  Just don’t approve those forms and they’ll always be considered “drafts”. 

Give approval rights to the people who should be able to see them and you’ve closed the loop.

This isn’t exactly big news, but the question does come up with some regularity, so I thought it would be worth posting.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

What is Limited Access Anyway?

UPDATE 11/03/08: Be sure to read the excellent and detailed comment from Dessie Lunsford to this post.

I’ve been working on a secret tech editing project for an up-coming book and it references this blog entry by Tyler Butler on the MSDN ECM blog.  This is the first time I personally read a clear definition of the meaning of Limited Access.  Here’s the meat of the definition:

In SharePoint, anonymous users’ rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. The reason it exists is because if you have a library or subsite that has broken permissions inheritance, and you give a user/group access to only that library/subsite, in order to view its contents, the user/group must have some access to the root web. Otherwise the user/group will be unable to browse the library/subsite, even though they have rights there, because there are things in the root web that are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that is breaking permissions inheritance, SharePoint will automatically give Limited Access to that group or user on the root web.

This question comes up now and then on the MSDN forums and I’ve always been curious (but not curious enough to figure it out before today :)).

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Technorati Tags:

Quick Tip: Configure Security to Allow Admins to Access any My Site in SharePoint

In a sign that Social Computing is beginning to take off with SharePoint, I see an increased number of My Site type questions.  One common question goes something like this:

"I am an administrator and I need to be able to access every My Site.  How do I do that?"

The trick here is that each My Site is its own site collection.  SharePoint security is normally administered at the site collection level and this trips up many a SharePoint administrator.  Normally, she already has access to configure security in the "main" site collections and may not realize that this doesn’t automatically work for My Sites.

Site collections collectively live inside a larger container, which is the web application.  Farm admins can can configure security at the web app level and this is how admins can grant themselves access to any site collection in the web application.  This blog entry describes one of my personal experiences with web application policies.  I defined a web application policy by accident: http://paulgalvin.spaces.live.com/Blog/cns!1CC1EDB3DAA9B8AA!255.entry.

Web application policies can be dangerous and I suggest that they be used sparingly.  If I were an admin (and thank goodness I am not), I would create a separate AD account named something like "SharePoint Web App Administrator" and give that one account the web application security role it needs.  I would not configure this kind of thing for the regular farm admin or individual site collection admins.  It will tend to hide potential problems because the web app role overrides any lower level security settings.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Technorati Tags: ,

Views and Columns on Lists and Document Libraries Cannot Be Secured

UPDATE (02/29/08): This new codeplex project seems to provide a method for securing individual columns: http://www.codeplex.com/SPListDisplaySetting.  If you have any experience working with it, please leave a comment.

Forum posters frequently ask a question like this: "I have a manager view and and a staff view of a list.  How do I secure the manager view so that staff can not use it?"

They also frequently ask a related question: "I want to secure a specific metadata column so that only managers may edit that column while others may not even see it."

These  answers apply to both WSS 3.0 and MOSS:

  • SharePoint does not provide out-of-the-box support for securing views.
  • SharePoint does not provide out-of-the-box support for security columns.

There are several techniques one can follow to meet these kinds of security requirements.  Here’s what I can think of:

  • Use out-of-the-box item level security.  Views always honor item level security configuration.  Event receivers and/or workflow can automate security assignment.
  • Use personal views for "privileged" views.  These are easy enough to set up.  However, due to their "personal" nature, these need to be configured for each user.  Use standard security configuration to prevent anyone else from creating a personal view.
  • Use a data view web part and implement some kind of AJAXy security trimming solution.
  • Roll your own list display functionality and incorporate security trimming at the column level.
  • Modify the data entry forms and use JavaScript in conjunction with the security model to implement column-level security trimming.
  • Use an InfoPath form for data entry.  Implement column-level security trimming via web service calls to SharePoint and conditionally hide fields as needed.
  • Roll your own ASP.NET data entry function that implements column level security trimming.

None of those options are really that great, but there is at least a path to follow if you need to, even if it’s hard.

NOTE: If you go down any of these paths, don’t forget about "Actions -> Open with Windows Explorer".  You want to be sure that you test with that feature to make sure that it doesn’t work as a "back door" and defeat your security scheme.

If you have other ideas for or experiences with securing columns or views, please email me or leave a comment and I’ll update this posting as appropriate.

</end>

Subscribe to my blog.

Technorati Tags:

Solution: System.IO.FileNotFoundException on “SPSite = new SPSite(url)”

 

UPDATE: I posted this question to MSDN here (http://forums.microsoft.com/Forums/ShowPost.aspx?PostID=2808543&SiteID=1&mode=1) and Michael Washam of Microsoft responded with a concise answer. 

I created a web service to act as a BDC-friendly facade to a SharePoint list.  When I used this from my development environment, it worked fine. When I migrated this to a new server, I encountered this error:

System.IO.FileNotFoundException: The Web application at http://localhost/sandbox could not be found. Verify that you have typed the URL correctly. If the URL should be serving existing content, the system administrator may need to add a new request URL mapping to the intended application. at Microsoft.SharePoint.SPSite..ctor(SPFarm farm, Uri requestUri, Boolean contextSite, SPUserToken userToken) at Microsoft.SharePoint.SPSite..ctor(String requestUrl) at Conchango.xyzzy.GetExistingDocument(String minId, String maxId, String titleFilter) in C:\Documents and Settings\Paul\My Documents\Visual Studio 2005\Projects\xyzzy\BDC_DocReview\BDC_DocReview\DocReviewFacade.asmx.cs:line 69

Here is line 69:

using (SPSite site = new SPSite("http://localhost/sandbox"))

I tried different variations on the URL, including using the server’s real name, its IP address, trailing slashes on the URL, etc.  I always got that error. 

I used The Google to research it.  Lots of people face this issue, or variations of it, but no one seemed to have it solved.

Tricksy MOSS provided such a detailed error that it didn’t occur to me to check the 12 hive logs.  Eventually, about 24 hours after my colleague recommended I do so, I checked out the 12 hive log and found this:

An exception occured while trying to acquire the local farm:
System.Security.SecurityException: Requested registry access is not allowed.
at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource) at
Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) at
Microsoft.Win32.RegistryKey.OpenSubKey(String name) at
Microsoft.SharePoint.Administration.SPConfigurationDatabase.get_RegistryConnectionString() at
Microsoft.SharePoint.Administration.SPConfigurationDatabase.get_Local() at
Microsoft.SharePoint.Administration.SPFarm.FindLocal(SPFarm& farm, Boolean& isJoined)
The Zone of the assembly that failed was:  MyComputer

This opened up new avenues of research, so it was back to The Google. That led me to this forum post: http://forums.codecharge.com/posts.php?post_id=67135.  That didn’t really help me but it did start making me think there was a database and/or security issue.  I soldiered on and Andrew Connell’s post finally triggered the thought that I should make sure that the application pool’s identity account had appropriate access to the database.  I thought it already did.  However, my colleague went and gave the app pool identity account full access to SQL.

As soon as she made that change, everything started working. 

What happened next is best expressed as a haiku poem:

Problems raise their hands.
You swing and miss.  Try again.
Success!  But how?  Why?

She didn’t want to leave things alone like that, preferring to give the minimum required permission (and probably with an eye to writing a blog entry; I beat her to the punch, muhahahahaha!).

She removed successive permissions from the app pool identity account until … there was no longer any explicit permission for the app pool identity account at all.  The web service continued to work just fine.

We went and rebooted the servers.  Everything continued to work fine.

So, to recap: we gave the app pool identity full access and then took it away.  The web service started working and never stopped working.  Bizarre.

If anyone knows why that should have worked, please leave a comment. 

</end>

Technorati Tags:

Minimum Security Required For InfoPath Forms

I needed to meet a security requirement for an InfoPath form today.  In this business situation, a relatively small number of individuals are allowed to create a new InfoPath form and a much wider audience are allowed to edit it.  (This is new-hire on-boarding form used by Human Resources that launches a workflow).

To meet that objective, I created created two new permission levels ("create and update" and "update only"), broke inheritance for the form library and assigned permissions to a "create, update" user and a separate "update only" user.  The mechanics all worked, but it turned out to be a little more involving than I expected.  (If you feel a little shaky on SharePoint permissions, check out this blog post).  The required security configuration for the permission level was not the obvious set of granular permissions.  To create an update-only permission level for an InfoPath form, I did the following:

  1. Create a new permission level.
  2. Clear away all options.
  3. Selected only the following from "List permissions":
    • Edit Items
    • View Items
    • View Application Pages

Selecting these options allows a user to update a form, but not create it.

The trick was to enable the "View Application Pages".  There isn’t any verbage on the permission level that indicates that’s required for update-only InfoPath forms, but turns out it is.

Create-and-Update was even stranger.  I followed the same steps, 1 through 3 above.  I had to specifically add a "Site Permission" option: "Use client integration features".   Again, the description there does not make it seem like it ought to be required for an InfoPath form, but there it is.

</end>

Technorati Tags: ,

SharePoint Does Not Provide “Who Has Access” Reports

UPDATE 01/28/08: This codeplex project addresses this issue: http://www.codeplex.com/AccessChecker.  I have not used it, but it looks promising if this is an issue you need to address in your environment.

UPDATE 11/13/08: Joel Oleson wrote up a very good post on the larger security management issue here: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?List=0cd1a63d%2D183c%2D4fc2%2D8320%2Dba5369008acb&ID=113.  It links to a number of other useful resources.

Forum users and clients often ask a question along these lines: "How do I generate a list of all users with access to a site" or "How can I automatically alert all users with access to list about changes made to the list?"

There is no out of the box solution for this.  If you think about it for a moment, it’s not hard to understand why.

SharePoint security is very flexible.  There  are at least four major categories of users:

  • Anonymous users.
  • SharePoint Users and Groups.
  • Active Directory users.
  • Forms Based Authentication (FBA) users.

The flexibility means that from a security perspective, any given SharePoint site will be dramatically different from another.  In order to generate an access list report, one needs to ascertain how the site is secured, query multiple different user profile repositories and then present it in a useful fashion.  That’s a hard problem to solve generically.

How are organizations dealing with this?  I’d love to hear from you in comments or email.

</end>

SharePoint Security Fundamentals Primer / Avoid Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand’s article for some technical consequences of removing or modifying the default group names (see his comment below as well). 

Overview:

SharePoint security is easy to configure and manage.  However, it has proven to be difficult for some first-time administrators to really wrap their hands around it.  Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time.  (I admit to having this problem myself).  This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out of the box SharePoint security.  My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS.  I hope that anyone seeing any errors or omissions will point that out in comments or email me.  I’ll make corrections post haste. 

Fundamentals:

For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.

Users and Groups break down to:

  • Individual users: Pulled from active directory or created directly in SharePoint.
  • Groups: Mapped directly from active directory or created in SharePoint.  Groups are a collection of users.  Groups are global in a site collection.  They are never "tied" to a specific securable object.

Securable objects break down to at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings.

There other securable objects, but you get the picture.

Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists. 

Inheritance: By default entities inherit security settings from their containing object.  Sub-sites inherit permission from their parent.  Document libraries inherit from their site.  So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The Most Important Security Rules To Understand, Ever 🙂 : 

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as a group defined at a site level).
  3. Group name not withstanding, groups do not, in and of themselves, have any particular level of security. 
  4. Groups have security in the context of a specific securable object. 
  5. You may assign different permission levels to the same group for every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of group and user listings can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security.  Consider the group "Contributor".  One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal.  That may be true but not because the group’s name happens to be "contributor".  This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site.  Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site.  One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example).  This would not be a good idea, obviously, since it would be very confusing.
  • Groups are not defined at a site level.  It’s easy to be confused by the user interface.  Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link.  It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy.  That is not the case.  I’ve actually created a group for the whole site collection.
  • Groups membership does not vary by site (i.e. it is the same everywhere the group is used): Consider the group "Owner" and two sites, "HR" and "Logistics".  It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner.  The user interface makes it easy for a security administrator to mishandle this scenario.  If I didn’t know better, I might access the People and Groups links via the HR site, select the "Owners" group and add my HR owner to that group.  A month later, Logistics comes on line.  I access People and Groups from the Logistics site, add pull up the "Owners" group.  I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site.  In fact, I’m removing her from the global Owners group.  Hilarity ensues.
  • Failing to name groups based on specific role:  The "Approvers" group is a perfect example.  What can members of this group approve?  Where can they approve it?  Do I really want people Logistics department to be able to approve HR documents?  Of course not.  Always name groups based on their role within the organization.  This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object.  Name groups based on their intended role.  In the previous HR/Logistics scenario, I should have created two new groups: "HR Owners" and "Logistics Owners" and assign sensible permission levels for each and the minimum amount required for those users to do their job.

Other Useful References:

If you’ve made it this far:

Please let me know your thoughts via the comments or email me.  If you know other good references, please do the same!

Technorati Tags: