Category Archives: SharePoint security

"Access Denied" on Default.aspx in a SharePoint 2010 Sub Site

One of my clients went live with their SharePoint 2010 environment today.  We found that a particular group of users could not access the default home page.  SharePoint responded with "Access Denied" and the usual "sign in as a different user" or "request access" response.

When we used the nifty "Check Permissions" function, it confirmed that the end users really did have access.  Still, they couldn't get to the page.

After following a lot of roads to dead ends, I decided to compare the web parts on the broken page against those on a similar working page.  I put the page into maintenance mode by adding "?contents=1" to the page, so it looked like "http://server/subsite/subsite/default.aspx?contents=1".

This showed me two web parts named "Error" with a description like "Error" on the broken page.  I didn't think to take a screen shot at the time.

I removed them and that fixed the problem.

I've seen this kind of question come up in the forums in the past, and I was very skeptical of the poster who insisted again and again that security was set up correctly.  I *knew* I had set up security right :)  Next time I'll be more open-minded and less skeptical.

</end>

Subscribe to my blog.

Follow me on Twitter http://www.twitter.com/pagalvin

Use Workflow to Simulate Content Type Security

Another day, another thing inspired by the MSDN forums.

Someone was asking whether they could secure content types so that when clicking "New" on a custom list, only the content types that person has been given access to would appear in the dropdown.  As we know, this isn't supported out of the box.

This question comes up now and then and this time, I had a new idea.  Let’s assume that we have scenario like this:

  • We have a helpdesk ticketing system.
  • The helpdesk ticketing system allows users to enter regular helpdesk ticket info, such as problem area, problem status, etc.
  • We want to allow “super” users to specify an “urgency” field.
  • Other users don’t have access to that field.  The system will always assign “medium” level priority to their requests.

What we could do is create two separate SharePoint lists and two different content types, one for “super” users and the other for everyone else.

Workflow on each list copies the data to the master list (the actual helpdesk ticket list) and the process proceeds from there.

This approach might work for a kind of column level security as well.

I haven’t tried it, but it feels reasonable and gives a fairly simple, if pretty rough, option to implement a kind of content type and even column level security.


Content Approval as a Poor Man's Automatic Item Level Security

There is a common business scenario with InfoPath forms.  We want a library that allows users to fill out InfoPath forms and submit them.  We want managers (and no one else) to be able to access those forms.

This question comes up now and then on the forums (e.g. http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/76ccef5a-d71c-4b7c-963c-613157e2a966/?prof=required)

A quick way to solve it is to enable content approval on the form library.  Go to the library's versioning settings and it shows up:

[image]

Click "Require content approval" and that gives you the option to select a Draft Item Security value.

It's a little counter-intuitive, because we're not concerned with "content approval" as such; we just want to prevent other people from seeing other users' forms.  However, it works fine (in my experience).  Simply never approve those forms and they will always be "drafts".

People with approval rights should be able to see them, and you've closed the loop.

This isn't exactly big news, but the question does come up with some regularity, so I thought it was worth posting.


What is Limited Access Anyway?

UPDATE 11/03/08: Be sure to read Dessie Lunsford's excellent and detailed comment on this post.

I've been working on a secret upcoming book project and it references this entry by Tyler Butler on the MSDN ECM blog. This is the first time I personally read a clear definition of the meaning of Limited Access. Here's the meat of the definition:

In SharePoint, anonymous users' rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. The reason it exists is that if you have a library or subsite that has broken permission inheritance, and you give a user/group access to only that library/subsite, then in order to view its content the user/group must have some access to the root web. Otherwise the user/group will be unable to browse the library/subsite, even though they have rights there, because there are things in the root web that are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that is breaking permission inheritance, SharePoint automatically gives Limited Access to that group or user on the root web.

This question comes up now and then in the MSDN forums, and I've always been curious about it (curious, but not enough to want to figure it out before today :)).


Quick Tip: Configure Security to Allow Administrator Access to My Sites in SharePoint

One sign that social computing is taking off in SharePoint land: I see an increased number of My Site type questions. One common question goes something like this:

"I am an administrator and I need to be able to access every My Site. How do I do that?"

The trick here is that each My Site is its own site collection. SharePoint security is normally administered at the site collection level and this trips up many a SharePoint administrator. Normally, she already has access to configure security in the "main" site collections and may not realize that this doesn't automatically work for My Sites.

Site collections collectively live inside a larger container, which is the web application. Farm admins can configure security at the web app level and this is how admins can grant themselves access to any site collection in the web application. This blog entry describes one of my personal experiences with web application policies. I defined a web application policy by accident: http://paulgalvin.spaces.live.com/Blog/cns!1CC1EDB3DAA9B8AA!255.entry.

Web application policies can be dangerous and I suggest that they be used sparingly. If I were an admin (and thank goodness I'm not), I would create a separate AD account named something like "SharePoint Web App Administrator" and give that one account the web application security role it needs. I would not configure this kind of thing for the regular farm admin or individual site collection admins. It will tend to hide potential problems because the web app role overrides any lower level security settings.


Views and Columns on Lists and Document Libraries Cannot Be Secured

UPDATE (02/29/08): This new codeplex project seems to provide a method for securing individual columns: http://www.codeplex.com/SPListDisplaySetting. If you have any experience working with it, please leave a comment.

Forum posters frequently ask a question like this: "I have a manager view and a staff view of a list. How do I secure the manager view so that staff can not use it?"

Similarly, a related question is frequently asked: "I want to secure a specific metadata column so that only managers may edit that column while others may not even see it."

These answers apply to both WSS 3.0 and MOSS:

  • SharePoint does not provide out-of-the-box support for securing views.
  • SharePoint does not provide out-of-the-box support for securing columns.

There are several techniques one can follow to meet these kinds of security requirements. Here’s what I can think of:

  • Use out-of-the-box item level security. Views always honor item level security configuration. Event receivers and/or workflow can automate security assignment.
  • Use personal views for "privileged" views. These are easy enough to set up. However, due to their "personal" nature, these need to be configured for each user. Use standard security configuration to prevent anyone else from creating a personal view.
  • Use a data view web part and implement some kind of AJAXy security trimming solution.
  • Roll your own list display functionality and embed security trimming at the column level.
  • Modify the data entry forms and use JavaScript in conjunction with a security model to implement column-level security trimming.
  • Use an InfoPath form for data entry. Implement column-level security trimming via web service calls to SharePoint and conditionally hide fields as needed.
  • Roll your own ASP.NET data entry function that implements column-level security trimming.

These options aren't all that great, but at least there is a path to follow if you need one, even if it's a difficult one.

NOTE: If you do go down any of these paths, don't forget about "Actions -> Open with Windows Explorer". You want to be sure that you test with that feature to make sure that it doesn't work as a "back door" and defeat your security scheme.

If you have other ideas or experiences securing columns or views, please email me or leave a comment and I'll update the posting accordingly.
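The first option above, item level security automated by an event receiver, as an added example that is not the post's own code: when an item is added, the receiver stops the item inheriting from the list, gives the submitter read access and a managers' group contribute access. The group name "Helpdesk Managers", the built-in "Read" and "Contribute" level names and the elevated execution are assumptions for this example.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not from the original post. The managers' group name is an
// assumption, and the receiver still has to be registered on the list.
public class ItemLevelSecurityReceiver : SPItemEventReceiver
{
    const string ManagersGroup = "Helpdesk Managers"; // assumed group name

    // After an item is saved: stop inheriting the list's permissions, give the
    // submitter read access and the managers' group contribute access. The
    // submitter usually lacks Manage Permissions, so the work runs elevated.
    public override void ItemAdded(SPItemEventProperties properties)
    {
        Guid siteId = properties.SiteId;
        string webUrl = properties.RelativeWebUrl;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;
        string submitter = properties.UserLoginName;

        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                web.AllowUnsafeUpdates = true;
                SPListItem item = web.Lists[listId].GetItemById(itemId);
                DisableEventFiring(); // the grants below must not re-trigger receivers
                try
                {
                    if (!item.HasUniqueRoleAssignments)
                        item.BreakRoleInheritance(false); // false: do not copy the list's grants
                    Grant(item, web.EnsureUser(submitter), web.RoleDefinitions["Read"]);
                    Grant(item, web.SiteGroups[ManagersGroup], web.RoleDefinitions["Contribute"]);
                }
                finally
                {
                    EnableEventFiring();
                }
            }
        });
    }

    // Bind one permission level to one user or group on the item.
    static void Grant(SPListItem item, SPPrincipal who, SPRoleDefinition level)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(who);
        assignment.RoleDefinitionBindings.Add(level);
        item.RoleAssignments.Add(assignment);
    }
}
```

Item permissions set this way are enforced by the server, so they also hold when the library is opened through "Open with Windows Explorer", which is the check the NOTE above asks for; the view- and JavaScript-based trimming options do not have that property.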


Solution: System.IO.FileNotFoundException on "SPSite = new SPSite(url)"

UPDATE: I posted this question on MSDN here (http://forums.microsoft.com/Forums/ShowPost.aspx?PostID=2808543&SiteID=1&mode=1) and Michael Washam of Microsoft responded with a concise answer.

I created a web service to act as a BDC-friendly facade to a SharePoint list. When I used this from my development environment, it worked fine. When I migrated it to a new server, I encountered this error:

System.IO.FileNotFoundException: The Web application at http://localhost/sandbox could not be found. Verify that you have typed the URL correctly. If the URL should be serving existing content, the system administrator may need to add a new request URL mapping to the intended application.
at Microsoft.SharePoint.SPSite..ctor(SPFarm farm, Uri requestUri, Boolean contextSite, SPUserToken userToken)
at Microsoft.SharePoint.SPSite..ctor(String requestUrl)
at Conchango.xyzzy.GetExistingDocument(String minId, String maxId, String titleFilter) in C:\Documents and Settings\Paul\My Documents\Visual Studio 2005\Projects\xyzzy\BDC_DocReview\BDC_DocReview\DocReviewFacade.asmx.cs:line 69

Here is line 69:

using (SPSite site = new SPSite("http://localhost/sandbox"))

I tried different variations on the URL, including using the server's real name, its IP address, trailing slashes on the URL, etc. I always got that error.

I used Google to research it. Lots of people face this issue, or variations of it, but no one seemed to have solved it.

Tricksy MOSS provided such a precise error that it didn't occur to me to check the 12 hive logs. Finally, about 24 hours after my colleague recommended I do so, I checked the 12 hive log and found this:

An exception occurred while acquiring the local farm:
System.Security.SecurityException: Requested registry access is not allowed.
at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource) at
(String name, Boolean writable) at
(String name) at
() at
() at
(SPFarm& farm, Boolean& isJoined)
The Zone of the assembly that failed was:  MyComputer

This opened up new avenues of research, so I went back to Google. That brought me to this forum post: http://forums.codecharge.com/posts.php?post_id=67135. That didn't really help me but it did start making me think there was a database and/or security issue. I soldiered on and Andrew Connell's post finally triggered the thought that I should make sure that the application pool's identity account had appropriate access to the database. I thought it already did. However, my colleague went and gave the application pool identity account full access in SQL.

As soon as he made that change, everything started working.

What happened next is best expressed in haiku:

Problems raise their hands.
You swing and miss. Try again.
Success! But how? Why?

He didn't want to leave things alone like that, preferring to grant the minimum necessary permissions (and probably with an eye to writing a blog entry; I beat him to it, muhahahahaha!).

He successively removed permissions from the app pool identity account until … there was no longer any explicit permission for the app pool identity account at all. The web service continued to work just fine.

We went and rebooted the servers. Everything continued to work fine.

So, to summarize: we gave the app pool identity full access and then took it away. The web service started working and never stopped working. Bizarre.

If anyone knows why this should have worked, please leave a comment.


Minimum Security Required for InfoPath Forms

I needed to meet a security requirement for an InfoPath form today. In this business situation, a relatively small number of individuals are allowed to create a new InfoPath form and a much wider audience is allowed to edit it. (This is a new-hire on-boarding form used by Human Resources that kicks off a workflow).

To meet this objective, I created two new permission levels ("create and update" and "update only"), broke inheritance for the form library and assigned permissions to a "create and update" user and a separate "update only" user. The mechanics all worked, but it turned out to be a little more involved than I expected. (Sorry, if you're a little shaky on SharePoint permissions, have a look at this blog post). The required security configuration for the permission level was not the obvious set of granular permissions. To create an update-only permission level for an InfoPath form, I did the following:

  1. Created a new permission level.
  2. Cleared out all options.
  3. Selected only the following from "List permissions":
    • Edit Items
    • View Items
    • View Application Pages

Selecting those options allows a user to update a form but not create one.

The trick was to enable "View Application Pages". There isn't any verbiage on the permission level that indicates that's required for update-only InfoPath forms, but it turns out that it is.

Create-and-Update was even stranger. I followed the same steps, 1 through 3 above. I had to specifically add a "Site Permission" option: "Use client integration features". Again, the description doesn't suggest it should be required for an InfoPath form, but it is.
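The same two permission levels built through the SharePoint object model, as an added example that is not the post's own code (the post used the browser UI). The site URL, library title, level names and login names are assumptions; the dependent rights that the "Add a Permission Level" page ticks for you (Open, View Pages) have to be spelled out in code, so they are included here.

```csharp
using Microsoft.SharePoint;

// Added example, not from the original post. Site URL, library title, level
// names and logins are assumptions; adjust them for your farm.
public static class InfoPathPermissionLevels
{
    // Rights the permission level page selects automatically when you tick
    // View Items; the object model does not, so they are listed explicitly.
    const SPBasePermissions Dependencies =
        SPBasePermissions.Open | SPBasePermissions.ViewPages;

    // Update-only: the three list permissions the post found necessary.
    // "View Application Pages" is SPBasePermissions.ViewFormPages.
    public const SPBasePermissions UpdateOnlyMask = Dependencies
        | SPBasePermissions.ViewListItems
        | SPBasePermissions.EditListItems
        | SPBasePermissions.ViewFormPages;

    // Create-and-update adds the Add Items right plus the site permission
    // "Use client integration features", which the InfoPath client needs.
    public const SPBasePermissions CreateAndUpdateMask = UpdateOnlyMask
        | SPBasePermissions.AddListItems
        | SPBasePermissions.UseClientIntegration;

    // Permission levels are defined at the site collection's root web.
    static SPRoleDefinition EnsureLevel(SPWeb rootWeb, string name, SPBasePermissions mask)
    {
        foreach (SPRoleDefinition existing in rootWeb.RoleDefinitions)
            if (existing.Name == name) return existing;
        SPRoleDefinition def = new SPRoleDefinition();
        def.Name = name;
        def.Description = "Added for the HR on-boarding form library";
        def.BasePermissions = mask;
        rootWeb.RoleDefinitions.Add(def);
        return rootWeb.RoleDefinitions[name];
    }

    // Bind one permission level to one user on the library.
    static void Grant(SPList list, SPWeb web, string login, SPRoleDefinition level)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(web.EnsureUser(login));
        assignment.RoleDefinitionBindings.Add(level);
        list.RoleAssignments.Add(assignment);
    }

    public static void Configure(string siteUrl, string libraryTitle,
                                 string createLogin, string updateLogin)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPRoleDefinition updateOnly = EnsureLevel(site.RootWeb, "Update Only", UpdateOnlyMask);
            SPRoleDefinition createUpdate = EnsureLevel(site.RootWeb, "Create and Update", CreateAndUpdateMask);
            SPList library = web.Lists[libraryTitle];
            // Stop inheriting from the site; false = do not copy the parent's
            // assignments, so only the grants below apply to the library.
            if (!library.HasUniqueRoleAssignments)
                library.BreakRoleInheritance(false);
            Grant(library, web, createLogin, createUpdate);
            Grant(library, web, updateLogin, updateOnly);
        }
    }

    // Check for the current user: true when they may edit forms but not add them.
    public static bool IsUpdateOnly(SPList library)
    {
        return library.DoesUserHavePermissions(SPBasePermissions.EditListItems)
            && !library.DoesUserHavePermissions(SPBasePermissions.AddListItems);
    }
}
```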


SharePoint Doesn't Have "Who Has Access" Reports

UPDATE 01/28/08: This codeplex project addresses this issue: http://www.codeplex.com/AccessChecker. I have not used it, but it looks promising if you need to address this problem in your environment.

UPDATE 11/13/08: Joel Oleson wrote up a very good post on broader security management issues here: http://www.sharepointjoel.com/Lists/Posts/Post.aspx?List=0cd1a63d-183c-4fc2-8320-ba5369008acb&ID=113. It links to a number of other useful resources.

Forum users and clients often ask a question along these lines: "How do I generate a list of all users with access to a site" or "How can I automatically alert all users with access to a list about changes made to the list?"

There is no out of the box solution for this. If you think about it for a moment, it's not hard to understand why.

SharePoint security is very flexible. There are at least four major categories of users:

  • Anonymous users.
  • SharePoint users and groups.
  • Active Directory users.
  • Forms Based Authentication (FBA) users.

That flexibility means that, from a security perspective, any given SharePoint site will be dramatically different from another. In order to generate an access list report, one needs to know how the site is secured, query multiple different user profile repositories and then present it in a useful fashion. That's a hard problem to solve generically.

How do organizations deal with this? I'd love to hear from you in comments or e-mail.
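A naive version of such a report through the object model, as an added example that is not part of the original post: it walks one site collection, expands SharePoint groups, and can only name Active Directory groups and FBA roles rather than their members, which is exactly the gap described above. The site URL is an assumption.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
// Added example, not from the original post. The site URL is an assumption.
public static class AccessReport
{
    // One row per (scope, principal, permission level).
    public class Row
    {
        public string Scope;      // site or list URL
        public string Principal;  // login name of the user or domain group
        public string Via;        // "direct" or the SharePoint group it came through
        public string Level;      // permission level name, e.g. "Contribute"
        public bool Unexpanded;   // true for AD groups / FBA roles: members unknown here
    }

    public static List<Row> Build(string siteUrl)
    {
        List<Row> rows = new List<Row>();
        using (SPSite site = new SPSite(siteUrl))
            Walk(site.RootWeb, rows);
        return rows;
    }

    static void Walk(SPWeb web, List<Row> rows)
    {
        // Only scopes holding their own assignments add information; an
        // inheriting site or list simply repeats its parent.
        if (web.IsRootWeb || web.HasUniqueRoleAssignments)
            Collect(web.RoleAssignments, web.Url, rows);
        foreach (SPList list in web.Lists)
            if (list.HasUniqueRoleAssignments)
                Collect(list.RoleAssignments, web.Url + "/" + list.Title, rows);
        foreach (SPWeb child in web.Webs)
        {
            try { Walk(child, rows); }
            finally { child.Dispose(); } // SPWeb objects from Webs must be disposed
        }
        // Items and folders with unique permissions are not walked here.
    }

    static void Collect(SPRoleAssignmentCollection assignments, string scope, List<Row> rows)
    {
        foreach (SPRoleAssignment ra in assignments)
        {
            foreach (SPRoleDefinition def in ra.RoleDefinitionBindings)
            {
                SPGroup group = ra.Member as SPGroup;
                if (group == null)
                {
                    Add(rows, scope, (SPUser)ra.Member, "direct", def.Name);
                    continue;
                }
                // A SharePoint group is global to the site collection; its
                // members are listed once per scope where the group is bound.
                foreach (SPUser member in group.Users)
                    Add(rows, scope, member, group.Name, def.Name);
            }
        }
    }

    static void Add(List<Row> rows, string scope, SPUser user, string via, string level)
    {
        Row row = new Row();
        row.Scope = scope; row.Principal = user.LoginName; row.Via = via; row.Level = level;
        // IsDomainGroup is true for an AD group (or FBA role) added as a "user".
        row.Unexpanded = user.IsDomainGroup;
        rows.Add(row);
    }
}
```

Rows flagged Unexpanded are where the report stops being authoritative: resolving them means querying Active Directory or the FBA membership provider, the "multiple different user profile repositories" the post refers to.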


SharePoint Security Primer / Avoiding Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand's article for some technical consequences of removing or modifying the default group names (see his comment below as well).

Overview:

SharePoint security is easy to configure and manage. Hala eta guztiz ere, it has proven to be difficult for some first-time administrators to really wrap their hands around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn’t have to do any configuration in the intervening time. (I admit to having this problem myself). This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important Note:

This description is based on out of the box SharePoint security. My personal experience is oriented around MOSS so there may be some MOSS specific stuff here, but I believe it’s accurate for WSS. I hope that anyone seeing any errors or omissions will point that out in comments or email me. I’ll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four fundamental aspects to security: users/groups, securable objects, permission levels and inheritance.

Users and Groups break down to:

  • Individual users: Pulled from active directory or created directly in SharePoint.
  • Groups: Mapped directly from active directory or created in SharePoint. Groups are a collection of users. Groups are global in a site collection. They are never "tied" to a specific securable object.

Securable objects break down to at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings.

There other securable objects, but you get the picture.

Permission levels: A bundle of granular / low level access rights that include such things as create/read/delete entries in lists.

Inheritance: By default entities inherit security settings from their containing object. Sub-sites inherit permission from their parent. Document libraries inherit from their site. So on and so forth.

Users and groups relate to securable objects via permission levels and inheritance.

The Most Important Security Rules To Understand, Ever 🙂 :

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (I.E. there is no such thing as a group defined at a site level).
  3. Group name not withstanding, groups do not, in and of themselves, have any particular level of security.
  4. Groups have security in the context of a specific securable object.
  5. You may assign different permission levels to the same group for every securable object.
  6. Web application policies trump all of this (see below).

Security administrators lost in a sea of group and user listings can always rely on these axioms to manage and understand their security configuration.

Common Pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor". One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true but not because the group’s name happens to be "contributor". This is only true out of the box because the group has been provided a permission level that enables them to add/edit/delete content at the root site. Through inheritance, the "contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level of a sub-site such that members of the so-called "Contributor" group cannot contribute at all, but only read (for example). This would not be a good idea, of course, since it would be very confusing.
  • Groups are not defined at a site level. It’s easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site’s "People and Groups" link. It’s easy to believe that when I’m at site "xyzzy" and I create a group through xyzzy’s People and Groups link that I’ve just created a group that only exists at xyzzy. That is not the case. I’ve actually created a group for the whole site collection.
  • Group membership does not vary by site (I.E. it is the same everywhere the group is used): Consider the group "Owner" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites — an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn’t know better, I might access the People and Groups links via the HR site, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site and pull up the "Owners" group. I see the HR owner there and remove her, thinking that I’m removing her from Owners at the Logistics site. In fact, I’m removing her from the global Owners group. Hilarity ensues.
  • Failing to name groups based on specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people in the Logistics department to be able to approve HR documents? Of course not. Always name groups based on their role within the organization. This will reduce the risk that the group is assigned an inappropriate permission level for a particular securable object. Name groups based on their intended role. In the previous HR/Logistics scenario, I should have created two new groups, "HR Owners" and "Logistics Owners", and assigned sensible permission levels for each: the minimum required for those users to do their job.

Other Useful References:

If you’ve made it this far:

Please let me know your thoughts via the comments or email me. If you know other good references, please do the same!
