Tuesday, October 6, 2009

CopyUtil.aspx: It's really cool

Did you ever have the need to navigate to a SharePoint list item or document when you only had the IDs of the item, the item's container (list or document library) and the item's web? I sure did! For example, when you query SharePoint data using the SPSiteDataQuery class, the resulting data table includes all those IDs (and additional properties if you want), but it doesn't include a link back to the item. You could use the object model to build the link in code, but that is both resource intensive and pretty complex. In that case you should check out the CopyUtil.aspx page, which, by the way, is also used by the Content Query Web Part. CopyUtil.aspx is an application page to which you provide a bunch of IDs; the page then redirects you to the corresponding item or document.

You just have to build a URL like this (replace the X's with the actual IDs, of course):

http://yoursite/_layouts/CopyUtil.aspx?Use=id&Action=dispform&ItemId=X&ListId=X&WebId=X&SiteId=X

And the CopyUtil.aspx page will do the rest!

I couldn't find any documentation for this page, but with a little Reflect-ering I found out that the Action parameter can be either dispform or editform (redirecting to the view item URL or the edit item URL, respectively).
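As an added example (not code from the original post), here is a hypothetical C# helper that runs an SPSiteDataQuery over the document libraries of a site collection and builds a CopyUtil.aspx link for every row, showing where the IDs come from. It assumes the ID, ListId and WebId column names that SPSiteDataQuery returns, and the braced GUID form is a choice (Guid parsing accepts either form).

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper class (example only, not from the post).
public static class CopyUtilLinks
{
    // Builds the CopyUtil.aspx redirect URL from the three IDs in a query
    // row plus the site collection ID. action is "dispform" or "editform",
    // the two values the post found for the Action parameter.
    public static string BuildUrl(SPSite site, DataRow row, string action)
    {
        if (action != "dispform" && action != "editform")
        {
            throw new ArgumentException("Action must be dispform or editform", "action");
        }

        // Guid parses both "{...}" and plain strings; the braced form is emitted.
        Guid listId = new Guid(Convert.ToString(row["ListId"]));
        Guid webId = new Guid(Convert.ToString(row["WebId"]));
        int itemId = Convert.ToInt32(row["ID"]);

        return SPUrlUtility.CombineUrl(site.Url, "_layouts/CopyUtil.aspx")
            + "?Use=id&Action=" + action
            + "&ItemId=" + itemId
            + "&ListId=" + listId.ToString("B")
            + "&WebId=" + webId.ToString("B")
            + "&SiteId=" + site.ID.ToString("B");
    }

    // Queries every document library in the site collection and returns a
    // (title, view URL) pair per row, without opening SPList or SPListItem
    // objects for the individual results.
    public static List<KeyValuePair<string, string>> DocumentLinks(SPWeb web)
    {
        SPSiteDataQuery query = new SPSiteDataQuery();
        query.Webs = "<Webs Scope='SiteCollection' />";
        query.Lists = "<Lists ServerTemplate='101' />";   // 101 = document library
        query.ViewFields = "<FieldRef Name='Title' />";
        query.RowLimit = 100;

        // The result table carries ID, ListId and WebId for every row.
        DataTable results = web.GetSiteData(query);

        List<KeyValuePair<string, string>> links = new List<KeyValuePair<string, string>>();
        foreach (DataRow row in results.Rows)
        {
            string title = Convert.ToString(row["Title"]);
            links.Add(new KeyValuePair<string, string>(title, BuildUrl(web.Site, row, "dispform")));
        }
        return links;
    }
}
```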


Sunday, August 16, 2009

Web Content Management, Top 12 Options

Gartner has published its Magic Quadrant for Web content management in 2009, to help CIOs and IT decide just what will meet the needs of the enterprise. Web software is now the fastest growing sector of the enterprise content management market, according to Gartner, and was valued at more than $3.3 billion last year.

This annual report identifies the leaders in the industry. We've picked out the top dozen vendors aimed at enterprise content management on the Web. Here are their strengths and weaknesses, to let you get a handle on what's best for your business.

Leaders

While there's some overlap with generally popular offerings — Drupal-based solutions and open source are getting more attention than ever — most of the top dogs in ECM on the Web are specialist vendors who focus solely on the needs of enterprise. Gartner's choices for who fits inside the Magic Quadrant bear this out.

Oracle remains one of the biggest players in this area, despite being better known in many circles for its databases. What really brought them on the scene was the acquisition of Stellent in 2007, and since then their strength has been integrating WCM into their wide-ranging offerings for content management.

Autonomy, which entered the sector through its acquisition of Interwoven this year, tends to appeal most strongly to the marketing side of WCM. While they offer an ability to deliver content that's highly targeted, WCM will continue to be a sideline in terms of profit. While Autonomy can deliver right now, they lack a detailed roadmap for the future of the product.

Open Text is one of the most well-known in this space, and is the top pure play vendor for content management. Despite a close partnership with Microsoft, Gartner predicts that Open Text's top competitor will continue to be SharePoint and other .NET software packages.

SDL acquired Tridion in 2007, and since then has shown impressive growth. This is the result of solid capabilities in multilingual and multichannel content management, as well as robust SharePoint integration.

Challengers

While the three companies listed as challengers by Gartner hardly seem like underdogs, software from Microsoft, IBM, and EMC is increasing in importance very rapidly.

Microsoft's SharePoint is growing enormously in market share as a Web content management solution. In addition to feeding off the trust that the Microsoft name inspires in just about every CIO, one of the strengths of SharePoint compared to current leaders is the partner ecosystem that is growing rapidly, and how tightly integrated it can be with Microsoft's other products in e-commerce, Web analytics and search. Of course, as fast as it grows in WCM, SharePoint is hated for its weaknesses as an intranet and document sharing system.

IBM's greatest strength in content management is also its greatest weakness. The fact that Lotus WCM is vertically-focused and is closely integrated with the entire Websphere Portal makes it appealing to organizations who already use the portal. But for those who don't, Lotus seems lacking without the rest of IBM's system.

EMC has been slowly brewing its WCM capabilities since it acquired the fairly popular Documentum in 2003. EMC is especially good in the sense that it works with a broader ECM solution, and can do DAM and records management of Web content too. It's also shown some of the biggest improvements in its latest release, 6.5, through adding technology first used in X-Hive, an XML database and dynamic delivery environment.

Visionaries

A list of honorable mentions shows up in the Visionaries section of the Magic Quadrant. The label might sound fanciful, but most of these up-and-coming vendors are making a real name for themselves.

Sitecore is a Denmark-based company that's also a Microsoft Gold Certified Partner. Their .NET CMS is unsurprisingly tied to Microsoft in a multitude of ways, which can be either a plus or a minus, depending on where your enterprise stands technologically.

FatWire Software has a Java software package that focuses on collaborative features and analytics, but suffers from what Gartner calls "costly" customization needs to make it play nice with related technologies.

Ektron is especially famous in the SMB market. Its CMS400.NET integrates relatively well with SharePoint Server.

Day Software sells software based on Java EE, and it's made strides in usability. Despite these improvements sales have lagged, and Gartner predicts that the partnerships with IBM and HP that this Swiss-based vendor has will decline in the future, weakening its position.

Clickability is a pure SaaS vendor in Web content management which is making progress with enterprises fed up with the costs of on-premise WCM, even if SaaS remains on shaky ground.

There are at least a dozen more vendors in enterprise-class Web content management who get short mentions in Gartner's report. Solutions such as Alfresco's open source software or Acquia's Drupal distribution might not warrant inclusion in any list of leaders yet, but they're making respectable gains.

For more details, visit: http://www.readwriteweb.com/enterprise/2009/08/the-top-12-options-for-web-content-management.php

http://mediaproducts.gartner.com/reprints/oracle/article91/article91.html


Monday, July 20, 2009

MOSS Trust Level and Code Access Security

Default Security Permissions in Windows SharePoint Services

Windows SharePoint Services defines two security permissions by default as part of the Microsoft.SharePoint.Security namespace located in the Microsoft.SharePoint.Security.dll. Each permission contains one or more attributes as follows:

SharePointPermission. Controls rights to access resources used by Windows SharePoint Services.

  Attribute       | Description
  ObjectModel     | Set to TRUE to use the Microsoft.SharePoint object model.
  UnsafeSaveOnGet | Set to TRUE to save data on HTTP-GET requests.
  Unrestricted    | Set to TRUE to enable all rights associated with this permission.

WebPartPermission. Controls rights to access Web Part resources.

  Attribute       | Description
  Connections     | Set to TRUE to participate in Web Part to Web Part communications.
  Unrestricted    | Set to TRUE to enable all rights associated with this permission.

ASP.NET and SharePoint Security Policies

You can specify a level of trust that corresponds to a predefined set of permissions for ASP.NET applications. By default, ASP.NET defines the following trust levels:

  • Full
  • High
  • Medium
  • Low
  • Minimal

With the exception of the Full trust level, all trust levels grant only partial trust to the application folder of a virtual server instance. For more information on the ASP.NET trust levels, see Code Access Security for ASP.NET [ http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a55fb31b-5b42-476d-9cae-050ab3fae307.mspx ] .

Additionally, Windows SharePoint Services defines two trust levels of its own:

  • WSS_Minimal
  • WSS_Medium

These trust levels extend the Minimal and Medium trust levels of ASP.NET for Windows SharePoint Services. They are defined in the security policy files wss_minimaltrust.config and wss_mediumtrust.config. By default, Windows SharePoint Services stores these files in the following location:

local_drive:\Program Files\Common Files\Microsoft Shared\web server extensions\60\config

By default, when you extend a virtual server with Windows SharePoint Services, Windows SharePoint Services sets the trust level to WSS_Minimal. This helps provide a secure trust level in which assemblies operate with the smallest set of permissions required for code to execute.

The following table outlines the specific permissions granted with the custom security policy files included with Windows SharePoint Services.

  Permission              | WSS_Medium trust level                                                       | WSS_Minimal trust level
  AspNetHostingPermission | Medium                                                                       | Minimal
  Environment             | Read: TEMP, TMP, OS, USERNAME, COMPUTERNAME                                  |
  FileIO                  | Read, Write, Append, PathDiscovery: Application Directory                    |
  IsolatedStorage         | AssemblyIsolationByUser, Unrestricted UserQuota                              |
  Reflection              |                                                                              |
  Registry                |                                                                              |
  Security                | Execution, Assertion, ControlPrincipal, ControlThread, RemotingConfiguration | Execution
  Socket                  |                                                                              |
  WebPermission           | Connect to origin host (if configured)                                       |
  DNS                     | Unrestricted                                                                 |
  Printing                | Default printing                                                             |
  OleDBPermission         |                                                                              |
  SqlClientPermission     | AllowBlankPassword=false                                                     |
  EventLog                |                                                                              |
  Message Queue           |                                                                              |
  Service Controller      |                                                                              |
  Performance Counters    |                                                                              |
  Directory Service       |                                                                              |
  SharePointPermission    | ObjectModel = true                                                           |
  WebPartPermission       | Connections = true                                                           | Connections = true

An empty cell means the permission is not granted at that trust level.
Note By default, Windows SharePoint Services does not grant access to the Microsoft SharePoint object model. To grant access, you must raise the associated trust level by one of several methods. The next section discusses these methods.

Setting the Trust Level for a Virtual Server

You can determine the trust level for a virtual server from the value of the level attribute of the trust element in the web.config file. By default, Windows SharePoint Services sets the trust level to WSS_Minimal. In the web.config file of a virtual server extended with Windows SharePoint Services, you can find the following:


By default, you can use any one of the seven predefined trust levels outlined in the preceding section.

Note After changing the trust level of a virtual server, you must reset the Web service such as by using iisreset.

Specifying a trust level in the web.config file results in the following:

  • The trust level specified in the web.config file applies to all assemblies used by the specified virtual server.
  • All SharePoint sites associated with the specified virtual server apply the same trust level.

Frequently Asked Questions

The following is a list of questions that apply to code access security and Windows SharePoint Services.

What does partial trust mean for the Web Part developer?

If you install assemblies into the BIN directory, you must ensure your code provides error handling in the event that required permissions are not available. Otherwise, unhandled security exceptions may cause your Web Part to fail and may affect page rendering on the page where the Web Part appears.

The following is a typical example of a security exception:

Request for the permission of type
Microsoft.SharePoint.Security.SharePointPermission,
Microsoft.SharePoint.Security, Version=11.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c failed

As stated previously, the WSS_Minimal trust level does not grant permission to the SharePointPermission.ObjectModel to assemblies in the BIN directory for an application. Therefore, if your code attempts to use the Microsoft SharePoint object model, the common language runtime (CLR) throws an exception.

Since the minimal permission set provides the smallest set of permissions required for code to execute, the likelihood of additional security exceptions is increased.

Recommendation Try-catch critical areas to address situations where you may not have the necessary permissions to accomplish a specified objective.
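The following is an added example (not code from the article) of the recommendation above: a hypothetical Web Part, ListCountWebPart, keeps its object-model access in a separate method called from inside a try block, so that a SecurityException raised under WSS_Minimal is reported in the Web Part's own output rather than breaking the page. Since SharePoint's permission demands are largely link demands, which are checked when the calling method is JIT-compiled, the separate method is what makes the catch effective.

```csharp
using System;
using System.Security;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;

// Hypothetical Web Part (example only). Reading the current web's list
// count requires SharePointPermission.ObjectModel, which WSS_Minimal does
// not grant to assemblies deployed to BIN.
public class ListCountWebPart : WebPart
{
    protected override void RenderContents(HtmlTextWriter writer)
    {
        string message;
        try
        {
            // The link demand fires when DescribeLists is compiled, which
            // happens here, inside the try, on first call.
            message = DescribeLists(SPContext.Current.Web);
        }
        catch (SecurityException ex)
        {
            // Permission not available at the current trust level: report it
            // in the Web Part instead of failing the whole page.
            message = "This Web Part requires SharePointPermission.ObjectModel; "
                + "raise the trust level or deploy a custom policy file. ("
                + ex.Message + ")";
        }
        writer.WriteEncodedText(message);
    }

    // The "critical area": the only method that touches the object model.
    // Keeping it separate means RenderContents itself compiles without
    // triggering the demand.
    internal static string DescribeLists(SPWeb web)
    {
        int listCount = web.Lists.Count;
        return string.Format("{0} contains {1} lists.", web.Title, listCount);
    }
}
```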

What if my assemblies are installed in the GAC?

By default, assemblies installed in the global assembly cache (GAC) run with Full trust. Although installing your Web Part assembly in the GAC is a viable option, it is recommended that you install Web Part assemblies in the BIN directory for a more secure deployment.

How can I raise the trust level for assemblies installed in the BIN directory?

Windows SharePoint Services can use any of the following three options from ASP.NET and the CLR to provide assemblies installed in the BIN directory with sufficient permissions. The following table outlines the implications and requirements for each option.

Option 1: Increase the trust level for the entire virtual server. (For more information, see "Setting the trust level for a virtual server".)

  Pros:
  • Easy to implement.
  • In a development environment, increasing the trust level allows you to test an assembly with increased permissions while allowing you to recompile assemblies directly into the BIN directory without resetting IIS.

  Cons:
  • This option is least secure.
  • This option affects all assemblies used by the virtual server.
  • There is no guarantee the destination server has the required trust level. Therefore, Web Parts may not work once installed on the destination server.

Option 2: Create a custom policy file for your assemblies. (For more information, see "How do I create a custom policy file?")

  Pros:
  • Recommended approach.
  • This option is most secure.
  • An assembly can operate with a unique policy that meets the minimum permission requirements for the assembly.
  • By creating a custom security policy, you can ensure the destination server can run your Web Parts.

  Cons:
  • Requires the most configuration of all three options.

Option 3: Install your assemblies in the GAC.

  Pros:
  • Easy to implement.
  • This grants Full trust to your assembly without affecting the trust level of assemblies installed in the BIN directory.

  Cons:
  • This option is less secure.
  • Assemblies installed in the GAC are available to all virtual servers and applications on a server running Windows SharePoint Services. This could represent a potential security risk as it potentially grants a higher level of permission to your assembly across a larger scope than necessary.
  • In a development environment, you must reset IIS every time you recompile assemblies.
  • Licensing issues may arise due to the global availability of your assembly.

I changed the trust level in the web.config file—now my entire site fails to render. What should I do?

If you change the trust level in the web.config file, Windows SharePoint Services may fail to render on subsequent requests. The following is an example of a typical error:

Assembly  security permission grant set is incompatible
between appdomains.

To resolve the conflicting trust setting, reset Internet Information Services (IIS) such as by using iisreset.

Note This is a known issue related to the architecture of ASP.NET and the .NET Framework.

My assembly refers to a library assembly. Everything works when the assembly is installed in the GAC, but fails once the assembly is placed in the BIN directory. What is going on?

Assuming you granted the required permissions to an assembly, the reason your assembly cannot run may be related to how the library assembly was built. By default, strongly named assemblies allow only callers who are granted Full Trust. Therefore, the CLR blocks a partially trusted assembly from calling into a Full Trust-only assembly.

You have several possible solutions, each of which has security implications that you must consider:

  1. When compiling the assembly, you can add the AllowPartiallyTrustedCallersAttribute [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/cpref/html/frlrfsystemsecurityallowpartiallytrustedcallersattributeclasstopic.asp ] attribute to the specified library assembly.
    Important You can only add this attribute to the source code. If you are using a third-party assembly and do not have access to the source, you cannot choose this option. If you choose this option, you are allowing partially trusted callers to execute code from within the library. This could represent a potential security risk as it opens the specified library assembly for use by other callers with partial trust.
  2. You can give your assembly Full trust by installing it to the GAC.
    Important Assemblies installed in the GAC are available to all virtual servers and applications on the server running Windows SharePoint Services. This could represent a potential security risk as it potentially grants a higher level of permission to your assembly across a larger scope than necessary.
  3. You can give your assembly Full trust by creating a custom policy file as outlined in the previous section.
    Important It is recommended that you choose this option as it allows you to explicitly grant the required minimum level of permission to your assembly without increasing the scope of access to a larger number of callers.

I am trying to access a Web service by using a Web Part. When I do so, I get a Security Exception as follows:

Request for the permission of type System.Net.WebPermission, System,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
failed.

By default, assemblies in the BIN directory do not have the required permission, System.Net.WebPermission [ http://msdn.microsoft.com/en-us/library/system.net.webpermission(VS.71).aspx ] .


I want to access a Web service from my Web Part. When I do so, I get an InvalidOperationException as follows:

One or more assemblies referenced by the XmlSerializer cannot be called
from partially trusted code.

When you create a reference to a Web service, Microsoft Visual Studio® .NET creates and places one or more objects in your assembly to store the argument data passed to the method(s) in the Web service. These objects are serialized using the XmlSerializer class when you invoke one or more of the methods in the Web service. By default, if your assembly is strongly named and resides in the BIN directory, callers with partial trust cannot access objects within that assembly. When you make the call to the Web service method, the XmlSerializer detects that there are partially trusted callers on the call stack (i.e. your assembly) and prevents the serialization from taking place, even though the object resides in the same assembly.

You have several possible solutions, each of which has security implications that you must consider:

  1. You can add the AllowPartiallyTrustedCallersAttribute[ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/cpref/html/frlrfsystemsecurityallowpartiallytrustedcallersattributeclasstopic.asp ] attribute to the specified library assembly.
    Important You can only add this attribute to the source code. If you are using a third-party assembly and do not have access to the source, you cannot choose this option. If you choose this option, you are allowing partially trusted callers to execute code from within the library. This could represent a potential security risk as it opens the specified library assembly for use by other callers with partial trusts.
  2. You can give your assembly Full trust by installing it to the GAC.
    Important Assemblies installed in the GAC are available to all virtual servers and applications on the server running Windows SharePoint Services. This could represent a potential security risk as it potentially grants a higher level of permission to your assembly across a larger scope than necessary.
  3. You can give your assembly Full trust by creating a custom policy file as outlined in the previous section.
    Important It is recommended that you choose this option as it allows you to explicitly grant the required minimum level of permission to your assembly without increasing the scope of access to a larger number of callers.

This article was published on msdn.microsoft.com by Maurice J. Prather, Suraj Poozhiyil and Andrew M. Miller.


Friday, May 22, 2009

How to hide/remove "Alert Me" action menu item from Custom List/Document Library?

You can use JavaScript to hide "Alert Me" from the list view Actions menu:

function hideListViewToolbarItems()
{
    ///
    /// By : Ayman M. El-Hattab ( ayman.elhattab@gmail.com )
    /// http://ayman-elhattab.blogspot.com
    ///
    /// Hides ListViewWebPart toolbar items by removing the matching
    /// ie:menuitem elements. Names are matched ignoring case; the
    /// "settings:" and "view:" prefixes disambiguate the two "Create View"
    /// entries.

    var menuItem;
    var menuItemName;
    var menuItemIndex;
    var menuItemNames = new Array("edit in datasheet",
        "open with windows explorer",
        "connect to outlook", "export to spreadsheet", "view rss feed", "alert me",
        "create column", "settings:create view", "list settings",
        "document library settings", "explorer view", "all documents",
        "all items", "modify this view",
        "view:create view", "new document",
        "new item", "new folder", "upload document",
        "upload multiple documents");
    // Menu item ID fragments, in the same order as menuItemNames.
    var menuItems = new Array("EditInGridButton",
        "OpenInExplorer", "OfflineButton",
        "ExportToSpreadsheet", "ViewRSS",
        "SubscribeButton", "AddColumn",
        "AddView", "ListSettings", "ListSettings",
        "View1", "DefaultView",
        "DefaultView", "ModifyView", "CreateView",
        "New0", "New0",
        "NewFolder", "Upload", "MultipleUpload");

    var allMenuItems = document.getElementsByTagName('ie:menuitem');
    for (var i = 0; i < arguments.length; i++)
    {
        menuItemName = arguments[i].toLowerCase();

        // Look up the ID fragment for this name. Reset the index first so an
        // unknown name does not reuse the previous iteration's match.
        menuItemIndex = -1;
        for (var j = 0; j < menuItemNames.length; j++)
        {
            if (menuItemNames[j] == menuItemName)
            {
                menuItemIndex = j;
                break;
            }
        }
        if (menuItemIndex == -1)
        {
            continue; // Unknown item name: nothing to hide.
        }
        menuItem = menuItems[menuItemIndex];

        // Strip the "settings:" / "view:" prefix before comparing display text.
        if (menuItemName.indexOf(":") != -1)
        {
            menuItemName = menuItemName.split(":")[1];
        }

        for (var l = 0; l < allMenuItems.length; l++)
        {
            var itemText = allMenuItems[l].text || allMenuItems[l].getAttribute("text") || "";
            if (allMenuItems[l].id.indexOf(menuItem) != -1
                && itemText.toLowerCase() == menuItemName)
            {
                // Remove through the parent node for Firefox compatibility.
                var parentNodeOfMenuItem = allMenuItems[l].parentNode;
                parentNodeOfMenuItem.removeChild(allMenuItems[l]);
                break;
            }
        }
    }
}

// Call once the toolbar has rendered, passing the item names as they appear.
hideListViewToolbarItems("Edit in Datasheet", "export to Spreadsheet",
    "view rss feed", "settings:create view");


You can use this function to hide any menu item rendered in the ListViewWebPart toolbar used on list view pages: just call the function and pass the menu item names (comma separated) as they appear in the toolbar, ignoring case. The one exception is "Create View", which appears twice, once under "Settings" and once in the view selector; to resolve this conflict, call the function as hideListViewToolbarItems("settings:create view") or hideListViewToolbarItems("view:create view").


Monday, May 18, 2009

New tool for SharePoint: SQL Permissions from Idera


Hi friends, SQL Permissions is another freeware tool from Idera. Here are the details:



Features of SQL Permissions:

  • Generates T-SQL scripts to move logins and permissions from one server to another
  • Moves either a single log-in or group of logins
  • Generates permissions on a single database or across all databases
  • Provides a simple view of logins and permissions



FAQs

General Issues

  • What is SQL permissions?

    Idera’s SQL permissions is a freeware tool for copying or moving logins and permissions settings across SQL servers. SQL permissions automates the time consuming job of configuring logins and permissions on one server to match another by generating a customizable TSQL script to do this for you. SQL permissions also offers the flexibility to move one login or a group of logins and apply permissions across all databases on the target server, or a single database.

    If you are looking for advanced tools to manage security and compliance on your SQL servers, then check out SQL compliance manager and SQL secure. SQL compliance manager automates the entire compliance process from data gathering to reporting and alerting; and SQL secure analyzes users’ permissions across SQL Server, Active Directory and Windows to tell you exactly who can access what on your SQL servers.

  • What is Idera Freeware?

    Idera Freeware applications are tools developed by the engineering team at Idera to alleviate common, day-to-day DBA headaches. They are yours to use anywhere you like, completely free of charge.

    All the support materials that you need to install, configure and use Idera Freeware tools are provided via FAQs on the Idera website.

    We’d love to hear what you think about our freeware tools, so if you have comments, feedback or ideas for other cool tools then drop us an email at freeware@idera.com.

  • Why is Idera offering SQL permissions?

    Moving permissions from one server to another is a pain to do manually, so a tool like SQL permissions can save DBAs lots of time.

    And... we think that if you like SQL permissions then you’ll love our other products like SQL compliance manager and SQL secure.

  • How are Idera Freeware tools supported?

    Idera Freeware products are supported differently than our licensed software products – support is available only via online FAQs vs. 24x7 phone support, and upgrades come when they come vs. regular maintenance upgrades.

Product Feature Questions

  • How do I install SQL permissions?

    Installation of SQL permissions is very easy and takes only minutes. Simply download the installation package and follow the prompts. Refer to the product Quick Start Guide for help getting started using the product.

  • How do I use SQL permissions to copy permissions from one server to another?

    SQL permissions generates a customizable TSQL script to move user logins and permissions from one server to another. To generate the TSQL script, follow these easy steps:

    1. Install and launch SQL permissions
    2. Select a login method
    3. If you select SQL Server Authentication, please enter your username and password.
    4. Select (or type in) the name of the SQL Server that you want to copy permissions FROM
    5. Select (or type in) a single database name or select ALL for database(s) that you want to copy permissions FROM.
    6. Select the User account whose permissions you would like to copy. Use CTRL + Shift to select multiple accounts.
    7. Click “Generate” to produce the TSQL script. You will be prompted to enter a path and file name where you would like to save the script. You can then edit the TSQL script as needed to customize it further.
    8. To run the TSQL script, locate the saved SQLpermission.sql file.
    9. Move the file to the server where you wish to replicate the user logins and permissions.
    10. Double click the SQLpermission.sql file. Microsoft SQL Server Management Studio will be launched.
    11. When prompted, enter the server name and credential information to connect to the SQL Server you wish to apply the logins and permissions to.
    12. Once connected, select Query > Execute to run the script.
  • What type of user interface is provided for SQL permissions?

    SQL permissions provides a graphical user interface (GUI) where you can enter the information required and generate your TSQL script.

  • Does SQL permissions install any code on the database server?

    No, SQL permissions does not install any code on the database server.

  • How is Idera SQL permissions different from Idera SQL secure?

    While SQL permissions helps you transfer logins and permissions from one server to another, it cannot verify that users have the appropriate access rights on your SQL Server.

    Idera SQL secure is a permissions analysis tool that analyzes users’ rights across SQL Server, Active Directory and Windows to determine exactly who can do what on your SQL Servers. A free trial of SQL secure is available here.

Technical Questions

  • What are the system requirements and prerequisites for SQL permissions?

    SQL permissions requires Microsoft .NET 2.0, and a supported OS:

    • Microsoft Windows 2000 SP4
    • Microsoft Windows 2003
    • Microsoft Windows XP
    • Microsoft Windows Vista
    • Microsoft Windows 2008
  • What Windows security permissions are required?

    A Windows domain account with local administrator privileges is required to install and run SQL permissions. This account must also have login access to the SQL Servers from which you want to copy logins and permissions.

  • What SQL Server security permissions are required to use SQL permissions?

    The account you use to connect to a SQL Server should have administrator privileges.

  • What versions of Microsoft SQL Server does SQL permissions support?

    SQL permissions supports the following versions of Microsoft SQL Server:

    • SQL Server 2000 (SP3a+)
    • SQL Server 2005 (SP1+)
    • SQL Server 2008
  • Do we offer a 32- and 64-bit version of SQL permissions?

    We currently offer only a 32-bit version of SQL permissions.

  • Does SQL permissions offer International language support?

    No. SQL permissions does not currently offer International language support.

  • Do I need to make any changes to the script before I apply it to the target server?

    On occasion, the scripts created by SQL permissions may need editing before they can be applied to the target server. Please thoroughly review the script detail and make any necessary modifications before attempting to run the script on the target server.

    NOTE: All SQL login accounts are generated as Disabled and with a random password.

  • What object types are not supported by SQL permissions?

    SQL permissions does not support the following object types for SQL Server 2000, SQL Server 2005 and SQL Server 2008:

    • System Objects
    • Application roles
    • Fixed roles
    • Public role
To download, here is the link: http://www.idera.com/Products/Free-Tools/SQL-permissions/

If you have comments, feedback or need assistance with a topic that is not covered in the FAQ, please email us at freeware@idera.com.


Sunday, May 17, 2009

Configuring Multiple Authentication (Forms-Based Authentication) Providers for SharePoint 2007

Windows SharePoint Services (WSS) V3 contains several new features around authentication and authorization that make it easier to develop and deploy solutions in Internet facing environments, especially extranets. In the previous version of WSS, all security principals needed to resolve at some point to a Windows identity – either a user account or group. WSS V3 is built upon the ASP.NET 2.0 Framework, which allows the use of forms-based authentication (FBA) to authenticate users into the system. By riding on top of ASP.NET 2.0’s pluggable authentication provider model, you can now support users stored in Active Directory as well as SQL Server, an LDAP directory, or any other directory that has an ASP.NET 2.0 Membership provider. Although WSS V3 will not ship with any Membership providers, Microsoft Office SharePoint Server (MOSS) 2007 will include an LDAP V3 Membership provider, and ASP.NET 2.0 includes a SQL Server provider. But if you want to use a directory and can’t find a Membership provider for it, you can write your own! This is a key technology enabler for heterogeneous environments.

In a typical extranet environment, content will have two points of access: one on the intranet for employee use and the other on the extranet, where trusted partners can access specific sites, lists and libraries or individual items. Listed below are the WSS V3 features that support this scenario -- some are new while others are just terminology changes:

· Web Application: A web application is what was called a virtual server in the previous version of SharePoint. A single web application only supports a single authentication provider, such as Windows, Forms, etc.

· Zones: A zone is a way to map multiple web applications to a single set of content databases. It can also serve as a division between authentication providers. For example, you can create a new web application, create a content database and configure it to use Windows authentication. You can then create a second web application and map it to the first. When you do that you need to assign a zone with which the second web application is associated, such as Intranet, Internet, Custom, or Extranet. The second web application can also use a completely different authentication mechanism, such as forms.

· Policies: A policy is useful in a number of different scenarios, including configuring a web application for forms authentication. It allows you to create policies to grant full access, read only access, deny write access or deny all access to a user or group on a web application. This policy grant applies to all sites in the web application, and it overrides any permissions established within individual sites, lists or items.

· Alternate Access Mappings: In the previous version of SharePoint, it wasn’t as important in an extranet scenario to create an alternate access mapping (AAM) because SharePoint would look to IIS to get some of that information. In WSS V3, it’s imperative to use AAM or things just flat out won’t work. AAM is a way to define the different URL namespaces that are associated with a set of content databases. It effectively manages the zones relationship described above.

· Authentication Providers: So far I’ve described how WSS V3 uses the ASP.NET 2.0 pluggable authentication provider model using the Membership provider interface. As well, SharePoint also supports the Role provider interface, which enables you to surface attributes, such as group membership, about your users as well.

At a high level, creating an extranet solution in WSS V3 requires you to do the following steps. I’ll walk through them briefly and then dive into more detail below. Since MOSS 2007 is built on top of WSS V3, all of the information below applies to MOSS as well. For this scenario, assume that you want to have an intranet style site used internally by your corporate users. They are all joined to your corporate Active Directory. In addition, you have a number of trusted partners to which you wish to give access via the Internet. Note that in this scenario I will not be touching on any aspects of securing your site with firewalls, proxy servers, segmented networks, DMZ Active Directory designs, security best practices around farm configuration, etc. You can read all about that in Joel’s recent blog entry here: http://blogs.msdn.com/sharepoint/archive/2006/08/08/691540.aspx.

The process you would go through to build out such a site would be as follows.

After installing WSS V3 (or MOSS 2007) and having configured all of the services and servers in the farm, create a new web application. By default this will be configured to use Windows authentication and will be the entry point through which your intranet users will access the site. We’ll refer to this site as http://intranet. Next, create a second web application. When you create the web application, select the option to Extend an existing Web Application. When you create your second web application, map it to the Extranet zone. Give it a Host Header name that you will configure in DNS for your extranet users to resolve against. We’ll refer to this site as http://extranet.contoso.com.

If you haven’t created and populated your directory of FBA users who will be accessing the site via the extranet, then you should do so at this time. For this scenario we’ll assume that you are using FBA with the SQL Server Membership and Role providers that are included with ASP.NET 2.0.

Manually modify the web.config for the extranet site and add in the information about your Membership and Role provider (the Role provider is technically optional, but most implementations will use it). Add this same information into the web.config for the Central Administration site. Save both config files and do an IISRESET.

In the Central Admin site, go to the Application Management page and select the Policy for Web Application link. Add a user from your SQL Server directory to the Extranet zone for your web application. You should be able to type in the user name and resolve it, or use the People Picker dialog to search and find the user name. If everything is configured correctly then SharePoint will be able to resolve the user name you add. Give the user account Full access to the web application.

Navigate to the site using either entry point -- Windows or Forms-based authentication. If you use FBA, then you will need to sign in with the credentials of the user that was granted full access rights via policy. After you navigate to the site, go into Site Settings, People and Groups. From there you can add both Windows and forms users and groups to SharePoint Site Groups. Your users should now be able to access the site.

Now let’s look at some of the above steps in more detail. Creating the web applications should be fairly straightforward using Central Administration, so I won't spend any time on that. The key takeaway here is that when you create the second web application, you need to make sure that you select the option to Extend an existing Web Application and map it to the Extranet zone. Also remember to give it a Host Header name that is in your external DNS – this is the URL that external users will use to access the site via the Internet.

Next, you need to create the aspnetdb database used for storing membership and role information if you don’t have one already set up. To create the database, do the following:

Open a command prompt and change to the .NET Framework directory (by default, it's C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727).

Run the following command: aspnet_regsql -A all -E (the -A all switch installs all of the ASP.NET application services, including membership and roles; -E connects to SQL Server with your Windows credentials rather than a SQL login).

This will create the aspnetdb database on the local SQL Server. If you wish to install it on a different server, then run aspnet_regsql /? to determine the appropriate switch to use.

If you are creating your SQL Server provider database for the first time you will also need to create one or more users and optionally, one or more roles. These will be the security principals that you add to the Policy for the extranet web application as well as the SharePoint Site Groups. There are multiple ways to do this and a quick search on the web will highlight some of those tools and methods. That’s a bit out of scope for this already lengthy blog, so I'll continue on and assume that you’ve already created the users and roles for your SharePoint site.

Now we have our web applications as well as users and roles created in SQL Server, so we need to configure the web.config for the extranet and Central Administration web applications. The first step is to look for a connectionStrings element; if it doesn’t exist, add one as a direct child of the configuration root element. The new element should look like the following (replace yourSqlServerName with the SQL Server instance that hosts aspnetdb; Trusted_Connection=True means the web application’s process identity, not a SQL login, is used to connect):

    <connectionStrings>
      <add name="AspNetSqlProvider" connectionString="server=yourSqlServerName; database=aspnetdb; Trusted_Connection=True" />
    </connectionStrings>

You’ll want to take note of the name attribute above (AspNetSqlProvider), because you will use that value as the connectionStringName when configuring the Membership and Role providers. Add that information as follows:

Open the web.config file for your extranet web application in a text editor such as Notepad.

Add the connection string add element described above as the last item in the connectionStrings section in the web.config file.

Add the Membership and Role configuration information to the web.config file. It must be added inside the system.web element. The Membership part should look like the following; the Role provider is registered the same way, with its own name and the same connectionStringName:

    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <add connectionStringName="AspNetSqlProvider" passwordAttemptWindow="10" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" description="Stores and retrieves membership data from the Microsoft SQL Server database" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

The remove element is there because machine.config already registers a provider with that name, and adding a second entry with the same name fails. Keep passwordFormat="Hashed" and enablePasswordRetrieval="false": the Hashed format stores only a salted hash, so passwords cannot be read back out of aspnetdb, whereas Clear or Encrypted combined with password retrieval lets anyone who can read the database or call the provider recover them.

Save and close the web.config file.

Note the name attribute of each provider (AspNetSqlMembershipProvider for the Membership provider above, and whatever name you gave your Role provider), because you will enter those names in Central Administration when you configure FBA for the site.

You also need to make the same exact changes to the web.config for the Central Administration site, with one minor exception: the defaultProvider attribute of the roleManager element. In the extranet web application’s web.config it names your SQL Role provider. In the Central Administration web.config, change it to read defaultProvider="AspNetWindowsTokenRoleProvider", but keep the SQL Role provider registered in the providers list, because Central Administration still uses it, by name, when it resolves FBA role names.

This change is necessary because the Central Administration site still uses Windows authentication for the role provider -- that’s why the AspNetWindowsTokenRoleProvider is set as the default provider.
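As an added example (not code from the original post, from SharePoint or from ASP.NET), here is what passwordFormat="Hashed" in the membership element above actually commits to aspnetdb, and how passwordAttemptWindow together with maxInvalidPasswordAttempts produces a lockout. It re-implements the SqlMembershipProvider's documented .NET 2.0 scheme in Python (SHA1 over a 16-byte salt followed by the UTF-16LE password, both base64-encoded) against a constructed stand-in for an aspnet_Membership row; the username, password and the use of minutes-since-epoch for time are assumptions made for the example.

```python
"""
Added illustration, not SharePoint or ASP.NET code: what the ASP.NET 2.0
SqlMembershipProvider stores when passwordFormat="Hashed", and how
passwordAttemptWindow and maxInvalidPasswordAttempts drive a lockout.
The scheme is the provider's documented .NET 2.0 behaviour:
  salt = 16 random bytes, kept base64-encoded in aspnet_Membership.PasswordSalt
  hash = SHA1(salt_bytes + UTF-16LE(password)), kept base64-encoded in Password
make_membership_row returns a constructed stand-in for the aspnet_Membership
columns involved; credentials used below are made up.
"""
import base64
import hashlib
import hmac
import os

HASH_ALGORITHM = "sha1"                 # default hashAlgorithmType in .NET 2.0
MAX_INVALID_PASSWORD_ATTEMPTS = 5       # provider default (maxInvalidPasswordAttempts)
PASSWORD_ATTEMPT_WINDOW_MINUTES = 10    # passwordAttemptWindow="10" in the web.config above


def generate_salt() -> str:
    """16 random bytes, base64-encoded, like SqlMembershipProvider.GenerateSalt."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def encode_password(password: str, salt_b64: str) -> str:
    """EncodePassword for MembershipPasswordFormat.Hashed: SHA1 over salt || UTF-16LE(password)."""
    data = base64.b64decode(salt_b64) + password.encode("utf-16-le")  # Encoding.Unicode
    return base64.b64encode(hashlib.new(HASH_ALGORITHM, data).digest()).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_b64: str) -> bool:
    """Recompute the hash and compare it to the stored value in constant time."""
    return hmac.compare_digest(encode_password(password, salt_b64), stored_b64)


def make_membership_row(username: str, password: str) -> dict:
    """Constructed stand-in for the aspnet_Membership columns used here (assumption)."""
    salt = generate_salt()
    return {
        "UserName": username,
        "PasswordFormat": 1,                  # 0 = Clear, 1 = Hashed, 2 = Encrypted
        "PasswordSalt": salt,
        "Password": encode_password(password, salt),
        "IsLockedOut": False,
        "FailedPasswordAttemptCount": 0,
        "FailedPasswordAttemptWindowStart": None,   # minutes; see check_password
    }


def check_password(row: dict, password: str, now_minutes: float) -> bool:
    """Validate a login and apply the provider's lockout rule.

    now_minutes is the current time in minutes from an arbitrary epoch
    (assumption made for the example). A failed attempt outside the attempt
    window restarts the count at 1; one inside the window increments it;
    reaching MAX_INVALID_PASSWORD_ATTEMPTS locks the account, after which
    even the correct password fails until an administrator unlocks it.
    """
    if row["IsLockedOut"]:
        return False
    if row["PasswordFormat"] != 1:
        raise ValueError("only passwordFormat=Hashed rows are handled here")
    if verify_password(password, row["PasswordSalt"], row["Password"]):
        row["FailedPasswordAttemptCount"] = 0
        row["FailedPasswordAttemptWindowStart"] = None
        return True
    start = row["FailedPasswordAttemptWindowStart"]
    if start is None or now_minutes > start + PASSWORD_ATTEMPT_WINDOW_MINUTES:
        row["FailedPasswordAttemptCount"] = 1
        row["FailedPasswordAttemptWindowStart"] = now_minutes
    else:
        row["FailedPasswordAttemptCount"] += 1
    if row["FailedPasswordAttemptCount"] >= MAX_INVALID_PASSWORD_ATTEMPTS:
        row["IsLockedOut"] = True
    return False


if __name__ == "__main__":
    row = make_membership_row("partner1", "Correct-Horse-7")     # made-up credentials
    print(check_password(row, "Correct-Horse-7", 0.0))          # True
    for minute in range(MAX_INVALID_PASSWORD_ATTEMPTS):          # five bad guesses in five minutes
        check_password(row, "wrong", float(minute))
    print(row["IsLockedOut"])                                    # True
    print(check_password(row, "Correct-Horse-7", 6.0))          # False: locked out
```

Two things to take from it: with Hashed and enablePasswordRetrieval="false" nothing in aspnetdb lets a reader recover a password (Clear stores it as typed, and Encrypted is reversible with the machineKey), but an attacker who can read the table still gets a single-iteration SHA1 to brute-force, so strong password requirements and the lockout settings are what actually protect the FBA accounts that face the Internet.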

Now you need to configure the Authentication provider for the extranet web application to use FBA. Open your browser and navigate to your farm’s Central Administration site, click on Application Management and then on Authentication Providers. Make sure that you are working on the web application for which you wish to enable FBA. (If the correct application is not already pre-selected, click the Change button in the upper right hand corner of the page to select the application.)

You should see a list of two zones that are mapped for this web application; both should say Windows. Click on the link that says Windows for the web application in the Extranet zone and do the following:

In the Authentication Type section, click on the Forms radio button. The page will post back and expose two new edit boxes.

In the Membership provider name edit box, type in the name of your web application’s Membership provider for the current zone. That is the value of the defaultProvider attribute of the membership element shown above (AspNetSqlMembershipProvider in this example).

In the Role manager name edit box, type in the name of your web application’s Role provider. That is the value of the defaultProvider attribute of the roleManager element in the extranet web application’s web.config.

Click the Save button.

Your extranet web application is now configured to use FBA. However, until the users who will access the site via FBA are given permissions on it, the site will be inaccessible to them. To do this, you could go directly to the default zone (i.e. http://intranet) of the site, log in with your Windows credentials, and add the FBA users. However, I'll describe an alternative approach, because it is the one you are most likely to use if you ever configure an application that has only one web application, which uses FBA.

To get started, open your browser and navigate to your farm’s Central Administration site. Click on Application Management and then click on Policy for Web Application. Make sure that you are working on the extranet web application. Do the following steps:

Click on Add Users.

In the Zones drop down, select the appropriate Extranet zone. IMPORTANT: If you select the incorrect zone, you may not be able to resolve user names. Hence, the zone you select must match the zone of the web application that is configured to use FBA.

Click the Next button.

In the Users edit box, type the name of the FBA user whom you wish to have full control for the site.

Click the Resolve link next to the Users edit box. If the web application's FBA information has been configured correctly, the name will resolve and become underlined.

Check the Full Control checkbox.

Click the Finish button.

That’s it -- that’s all of the configuration needed! You can now navigate to either web application: http://intranet or http://extranet.contoso.com. Irrespective of which entry point you use, you can add, search and resolve both Windows and FBA users and groups and add them to SharePoint Site Groups. The People Picker is smart enough to know about all of the web applications that are mapped to the site and will try all of the authentication providers that those applications use.

Lastly, there are two other things for you to remember:

Resolving group names: The People Picker can only do wildcard searches for Windows group names. If you have a SQL Role provider group called "Readers" and enter "Read" in the People Picker search dialog, it will not find your group; if you enter "Readers" it will. This is not a bug -- the Role provider just doesn’t provide a good way to do wildcard group searching.

Use Policies sparingly: The concept described above for adding a user or group via the web application Policy should only be used to provide a way for an FBA administrator to access the site. Policies are very coarsely grained compared to the fine grain permissions that can be configured and granted within individual sites, lists and items. Once you’ve added your site administrator via Policy, all other users and groups should be added from within the site itself.

Admittedly, there are many steps involved in configuring multiple authentication providers for SharePoint, but I hope that by having read this blog entry, you now understand the reasoning behind each of the steps involved and are in a better position to implement or troubleshoot this particular SharePoint configuration.


This article was published by Steve Peschka on http://blogs.msdn.com



Business Data Catalog (BDC) for the Power User – List Columns

Suppose, in a Document Library I was creating Proposals, Invoices, Credit Notes, Purchase orders etc. Against all of these documents, it would be useful to store the Company Name, City, Telephone Number etc so that should I want to chase an invoice, or follow up a proposal the information is at hand, and I don't have to go looking for it in my CRM application. So using a Lightning Tools sample Database as an example, I would like to show you how to create columns that use BDC data:

  1. Navigate to your Team Site where you would like to try this out.
  2. Create a new document library by choosing Site Actions, Create (Site Actions, View all Site Content, Create if you have publishing switched on).
  3. Choose the Document Library Template
  4. Name the Document Library 'Sales Documents'
  5. Accept the defaults and click Create.
  6. Choose Settings, Document Library Settings
  7. Under the Columns section click Create Column
  8. Name the Column Company
  9. Choose Business Data as the Type.
  10. In the Type field, click the address book icon.
  11. Choose the Entity that contains your customer data
  12. Select the column that contains the data you would like to store
  13. Check the columns you would like to display
  14. Click OK.
  15. Using the BreadCrumb trail choose the Sales documents link.
  16. Click New, to create a new document
  17. The Document Information Panel will display (Office 2007 required).
  18. Type a customer ID in the CustomerID column, and you will see the other information from BDC returned.
  19. Save and Close Word.
  20. Notice in the Document Library, that the Meta Data is displayed in the default view and can be filtered/sorted etc.


This article was published by Brett Lonsdale (Director, Lightning Tools Ltd) on http://sharepoint.microsoft.com


Business Data Catalog (BDC) Interview Questions

Question: Added metadata, but unable to see entities in the Entity Picker?

Business data in lists and Business Data Web Parts are driven by Business Data Catalog permissions. The minimum permission you need on an entity to use it in clients is the Selectable in Clients right.

Note Because Business Data Catalog is a Shared Service that is shared across site collections, site collection level security settings cannot be applied to it. Therefore, Site Settings has little relationship with Business Data Catalog permissions.

Question: Where is the BdcMetadata.XSD file located?

The Business Data Catalog provides a schema definition file (XSD) that defines the schema allowed in the XML file, and that defines the metadata for a business application. It is important for the XML documents to adhere to this schema.

You can find the BdcMetadata.XSD file in the \Bin directory of your Microsoft Office SharePoint Server 2007 installation, typically at \Program Files\Microsoft Office Server\12.0\Bin.

When authoring metadata in Microsoft Visual Studio 2005, copy the .xsd file to the working folder and set the SchemaReference attribute in the XML file to point to the .xsd file in the working folder. As a result, Visual Studio provides IntelliSense, which greatly simplifies editing.

Question: What is "Application Registry" in the Business Data Catalog object models?

The Business Data Catalog was originally named "Application Registry". That's why you see "Application Registry" in the namespace names and in the object model. When you see the name "Application Registry" in these contexts, you can assume it is the same as Business Data Catalog.

Question: How can I get security trimmed results from a back-end method invocation?

See Business Data Catalog Security Trimmer and AccessChecker Samples for details.

The UserContext filter limits the instances returned by a method to the current user’s context. This filter tells the Business Data Catalog to append the current Microsoft Windows user’s domain name and user name to the method call.

If a metadata author creates metadata that takes a user name as a user-controllable filter and returns sensitive personal data, any user can supply another user's name and see that user's data. To avoid this, use the UserContext filter to pass in the user name to the method call: the Business Data Catalog then supplies the authenticated identity itself, and the caller cannot substitute a different one.

For more information, see FilterDescriptor.

Question: In what scenarios would I grant View permission on an entity without giving any permission on the application?

There are valid scenarios in which you may want to give a user View permission on an entity without giving that user any permissions on the application. Consider the case of delegated administration. The Business Data Catalog allows an administrator to delegate the administration of any object to another user. For example, the administrator (domain\admin) may authorize domain\xyz to administer Entity ABC by giving domain\xyz the Set Permissions right on Entity ABC. Domain\xyz can now self-grant the View permission, which allows viewing data (entity instances) for that entity. Domain\xyz does not need any rights on other objects (such as the application or other entities in the application).

The View permission controls the user's ability to view the data associated with the entity, in contrast to the user's ability to view all metadata objects all the time. The applications and entities are viewable in the UI by default. The View permission is equivalent to having the Execute permission to execute methods on an entity or an entire application.

Question: Can I use GUIDs in the metadata?

GUIDs are first-class Business Data Catalog primitives. They can be used as Properties, DefaultValues, and Identifiers.

Question: Where are the server logs? How can I use them to troubleshoot errors?

If you get an error when you try to use a Business Data Web Part, a Business Data column, or the object model, enable diagnostic logging in Central Administration and check the Windows Event Viewer, or the Unified Logging Service (ULS) server log files. The Business Data Catalog writes messages and run-time exceptions to the event Log and in ULS log files.

The ULS log files contain a copy of the event log information and the stack trace. As a result, you may find the event logs are friendlier to use and understand than the ULS log files. However, if you need detailed information to debug the error, ULS log files may come in handy.

SharePoint creates a new ULS log file every 30 minutes by default. You can find the log files in the following path: \Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS. ULS log files contain useful information about all the run-time exceptions and can help you identify problems. In the ULS log files, messages are categorized and contain the following fields:

· Timestamp

· PID: Web client errors appear under the w3wp.exe PID. Search and user profile import errors appear under the mssdmn.exe PID.

· TID

· Product

· Category: (the Category field is Business Data for Business Data Catalog–related errors)

· EventID

· Level

· Message

· Correlation

An easy way to find Business Data Catalog–related messages is to search for "metadataexception", "ApplicationRegistry", or "Exception" in the Message field, and then look under the Business Data category.
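The search described above, as an added example that is not part of the original FAQ or of any Microsoft tool: a small filter over SharePoint 2007 ULS trace lines that keeps only Business Data category entries whose Message matches the suggested terms, then splits them by process so web (w3wp.exe) and search/import (mssdmn.exe) errors can be told apart. ULS lines are tab-separated in the field order listed above; the sample lines, event IDs and message texts below are constructed for this example, not captured from a farm.

```python
"""
Added example (not from the original FAQ or from any Microsoft tool): filter
SharePoint 2007 ULS trace lines down to Business Data Catalog problems.
ULS lines are tab-separated with the fields listed in the FAQ: Timestamp,
Process (executable and PID), TID, Area (the Product field), Category,
EventID, Level, Message, Correlation. All sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

ULS_FIELDS = ["Timestamp", "Process", "TID", "Area", "Category",
              "EventID", "Level", "Message", "Correlation"]

BDC_CATEGORY = "Business Data"
# The three terms the FAQ suggests searching for in the Message field.
BDC_MESSAGE_PATTERN = re.compile(r"metadataexception|ApplicationRegistry|Exception",
                                 re.IGNORECASE)

SAMPLE_ULS_LINES = [  # constructed for this example; event IDs and messages are made up
    "Timestamp\tProcess\tTID\tArea\tCategory\tEventID\tLevel\tMessage\tCorrelation",
    "05/17/2009 09:12:01.15\tw3wp.exe (0x0A3C)\t0x1F40\tOffice Server\tBusiness Data\t78d4\tHigh\t"
    "MetadataException: Entity 'Customer' not found in LobSystem 'Northwind'.\t",
    "05/17/2009 09:12:01.20\tw3wp.exe (0x0A3C)\t0x1F40\tWindows SharePoint Services\tGeneral\t8nca\tVerbose\t"
    "Request for /sites/sales/default.aspx completed.\t",
    "05/17/2009 09:12:05.02\tmssdmn.exe (0x0B11)\t0x0C8A\tOffice Server\tBusiness Data\t7c5y\tHigh\t"
    "ApplicationRegistry: access denied for CONTOSO\\svc_search on entity 'Customer'.\t",
    "05/17/2009 09:12:07.44\tw3wp.exe (0x0A3C)\t0x2001\tOffice Server\tBusiness Data\t8gp7\tMedium\t"
    "Loaded LobSystem 'Northwind' from the shared services database.\t",
    "05/17/2009 09:12:09.90\tw3wp.exe (0x0A3C)\t0x2001\tOffice Server\tSearch\t9a1b\tHigh\t"
    "Exception while crawling content source 'BDC Customers'.\t",
]


def parse_uls_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn tab-separated ULS lines into dicts keyed by ULS_FIELDS.

    The header row and lines with too few fields are skipped; every field is
    stripped because ULS pads fields with trailing spaces. A missing
    Correlation field is tolerated and stored as an empty string.
    """
    records = []
    for line in lines:
        parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
        if len(parts) < len(ULS_FIELDS) - 1 or parts[0] == "Timestamp":
            continue
        parts += [""] * (len(ULS_FIELDS) - len(parts))
        records.append(dict(zip(ULS_FIELDS, parts[:len(ULS_FIELDS)])))
    return records


def bdc_problems(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep Business Data category records whose Message matches the search terms.

    The category check matters: an 'Exception' logged under Search or General
    is a different problem, even when it mentions BDC content.
    """
    return [r for r in records
            if r["Category"] == BDC_CATEGORY and BDC_MESSAGE_PATTERN.search(r["Message"])]


def problems_by_process(problems: List[Dict[str, str]]) -> Counter:
    """Count matches per executable name (the Process field minus its PID)."""
    return Counter(r["Process"].split(" ")[0] for r in problems)


if __name__ == "__main__":
    hits = bdc_problems(parse_uls_lines(SAMPLE_ULS_LINES))
    for r in hits:
        print(r["Timestamp"], r["Process"], r["EventID"], r["Level"], r["Message"])
    print(dict(problems_by_process(hits)))
```

To run it against a real farm, read the latest file from the LOGS directory above and pass its lines to parse_uls_lines; the Correlation field is empty in most WSS 3.0 entries, which is why the parser tolerates it.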

See Warnings and Error Messages for some common error messages and their workarounds.

Question: How can I display a database field of type BLOB that stores image data via the Business Data Catalog?

This is not supported. In SharePoint Server 2007, Business Data Catalog does not provide BLOB support for databases.

Question: Is it possible to have more than one connection to a database or a Web service within a single application definition file? Is it possible to have associations between entities located inside different application definition files?

No and no. A single application definition file can connect to just one database or a Web service. Also, both SourceEntity and DestinationEntity objects in an association should exist in the same LobSystem object.

       
