There are so many things I didn’t get to talk about in the user management talk, and there’s so much more to say about the things I did get to. Here are the questions – and some answers – from the webcast on user management.
Q: When you extend SharePoint to multiple zones so you can have one with forms based authentication, do you have one IIS virtual server/web application or multiple?
A: Multiple. Forms based authentication requires a few different web.config file entries.
Q: Is there a way to secure data based on the relationship to the data? i.e. allow sales folks to only see their customers?
A: It’s technically possible but not included out of the box and can be technically challenging.
Q: Did you have to set anonymous access on the web site for forms based authentication?
Q: Can I send alerts to exchange distribution groups or AD security groups?
A: Yes, any entity that has an email address can receive alerts.
Q: When using SPWeb.DoesUserHavePermissions how do you resolve a role?
A: You don’t. You can, however, use SPWeb.RoleAssignments.GetAssignmentByPrincipal(SPContext.Current.Web.CurrentUser) to retrieve the role assignment (and its role definitions) for the current user.
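As an added example (not code from the post), this lists the role definitions bound directly to the current user on an SPWeb and shows the permission check that resolves group membership as well; it assumes the WSS 3.0 object model and a caller that passes SPContext.Current.Web:

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example: direct role assignment lookup vs. an effective permission check.
public static class CurrentUserRoles
{
    // Names of role definitions (e.g. "Contribute") bound to the user's own
    // role assignment on this web. Rights that arrive through SharePoint groups
    // or AD groups are NOT included: GetAssignmentByPrincipal only returns the
    // assignment made directly to that principal.
    public static List<string> GetDirectRoleNames(SPWeb web)
    {
        var names = new List<string>();
        SPUser user = web.CurrentUser;          // null on an anonymous request
        if (user == null) return names;

        SPRoleAssignment assignment;
        try
        {
            assignment = web.RoleAssignments.GetAssignmentByPrincipal(user);
        }
        catch (ArgumentException)
        {
            // No direct assignment: any access the user has comes via a group.
            return names;
        }

        foreach (SPRoleDefinition def in assignment.RoleDefinitionBindings)
            names.Add(def.Name);
        return names;
    }

    // To answer "may this user do X?" use a permission-mask check instead;
    // it evaluates the effective permissions, group membership included.
    public static bool CanCurrentUserEditItems(SPWeb web)
    {
        return web.DoesUserHavePermissions(SPBasePermissions.EditListItems);
    }
}
```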
Q: Where is the provider logging project that I spoke about?
Q: Is there a way to programmatically tell if you’re using FBA or Windows Authentication?
A: Yes. I’d recommend that you look at Professional ASP.NET 2.0 Security, Membership, and Role Management for a more complete discussion about forms based authentication, users, etc. It will give you all the background. The short of it is that you can check the HTTP context to see if it’s anonymous. If you have a user and it’s an anonymous request you’re using FBA.
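As an added example (not from the post), two ways to make that determination in code: the zone's configured authentication mode from the web application's IIS settings, and the identity type on the current request. It assumes the WSS 3.0 object model and an SPSite taken from SPContext.Current.Site.

```csharp
using System.Web;
using System.Web.Configuration;
using System.Web.Security;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example: is this request served by a forms-authenticated zone?
public static class AuthModeCheck
{
    // Configuration view: each zone (Default, Intranet, Extranet, ...) of the
    // web application carries its own IIS settings, including the auth mode.
    public static bool IsFormsZone(SPSite site)
    {
        SPIisSettings settings = site.WebApplication.IisSettings[site.Zone];
        return settings.AuthenticationMode == AuthenticationMode.Forms;
    }

    // Request view: an authenticated caller whose identity is a FormsIdentity
    // came in through FBA; a WindowsIdentity means Windows authentication.
    // An anonymous request tells you nothing about the zone's mode.
    public static bool IsFormsRequest(HttpContext ctx)
    {
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return false;
        return ctx.User.Identity is FormsIdentity;
    }
}
```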
Q: How do you extend permissions at runtime?
A: Use SPSecurity.RunWithElevatedPrivileges() method. This will allow you to behave as if you are the application pool account. I recommend caution with this method.
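As an added example (not from the post) of the caution just mentioned: read a list the caller may not have rights to, keeping the elevated block as small as possible and re-opening the site inside it. It assumes the WSS 3.0 object model and a list title supplied by the caller.

```csharp
using Microsoft.SharePoint;

// Added example: narrowly scoped use of RunWithElevatedPrivileges.
public static class ElevatedRead
{
    public static int CountItemsElevated(string listTitle)
    {
        // Capture only what the delegate needs. Objects taken from SPContext
        // keep the *caller's* security context even inside the delegate, so
        // pass the URL and re-open the site under the app pool identity.
        string siteUrl = SPContext.Current.Site.Url;
        int count = -1;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Fresh objects opened here run as the application pool account.
            // They are ours, not SPContext's, so they must be disposed.
            using (SPSite site = new SPSite(siteUrl))
            using (SPWeb web = site.OpenWeb())
            {
                SPList list = web.Lists[listTitle];
                count = list.ItemCount;
            }
        });

        // Elevation bypasses SharePoint's permission checks entirely, so any
        // decision about what the caller is allowed to see belongs out here.
        return count;
    }
}
```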
Q: What is the difference between user management in WSS and MOSS?
A: There isn’t any. MOSS offers additional functionality in the form of user profiles but fundamentally this is new functionality not a change to base functionality.
Q: Are there best practices for user management on a portal that has 2000 users?
A: There aren’t best practices that are that generic. You need to decide if you’re going to manage users through AD groups or SharePoint groups.
Q: Some user management code works fine outside of SharePoint but not as a SharePoint Web service, do you know why?
A: No, but I’d turn off custom errors and set the call stack to true in the SharePoint tag of web.config to try to see the real error and its location.
Q: How do I use SharePoint Designer if I’m using forms based authentication?
A: I set up another URL, port, and web application which uses Windows authentication and I point SharePoint Designer to that URL/port combination.
Q: How long are the audit entries stored?
A: Indefinitely – until you clear them.
Q: Is there any way to do mixed mode authentication using the same URL?
A: Technically it’s possible but it’s neither easy nor recommended. Essentially you would have forms based authentication and would have it determine whether the user could log in via Windows authentication and, if so, write the forms based authentication cookie.
Q: Can user attributes containing private information like a phone number be hidden from SharePoint administrators?
A: No. In the demo, in fact, I used policy for web applications to bypass all security for my forms based authentication user.
Q: What is the impact to SharePoint when auditing is enabled?
A: There’s no one answer. If you turn on auditing for views … it will be pretty big. If you enable for check ins, it won’t be that bad because check ins are a relatively small percentage of the overall transactions.
Q: Can we install SharePoint on Windows 2008?
Q: Are there any good integrations with authorization manager (AzMan)?
A: None that I’ve seen.
Q: I’ve been having problems with people picker, are there any alternatives?
A: None that I know of. However, problems with people picker usually are caused by two things: 1) problems with Active Directory. It can’t resolve a global catalog server, there’s a DNS misconfiguration, etc. Stuff like having the server pointed at both external DNS and internal DNS causes all sorts of issues. 2) In FBA mode the people picker wildcards need to be set.
Q: Can auditing be used to do usage reporting?
A: Yes, this is the way Nintex Reporting 2008 does it.
Q: How can you set anonymous access restrictions per list rather than per site?
A: You can’t. You can, however, put a web part on pages that you don’t want anonymous users to see that redirects them off the page. I do this in some situations where I want to discourage them from seeing certain pieces of a site, but it’s not a security issue – it’s just an appearance issue. Technically the anonymous user would still have access to the data.
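As an added example (not the post's code), a minimal web part of the kind described: it redirects anonymous visitors and nothing more. It assumes the WSS 3.0 object model and a hypothetical RedirectUrl property set in the part's tool pane.

```csharp
using System;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Added example: send anonymous visitors away from the page this part is on.
// This is cosmetic, not a permission boundary: the list data behind the page
// stays readable to anonymous users through other URLs and the web services.
public class AnonymousRedirectPart : WebPart
{
    // Hypothetical property: where anonymous visitors are sent.
    public string RedirectUrl { get; set; }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsAnonymous(SPContext.Current) && !string.IsNullOrEmpty(RedirectUrl))
        {
            // Ends the response, so nothing further on the page renders.
            SPUtility.Redirect(RedirectUrl, SPRedirectFlags.Default, Context);
        }
    }

    // CurrentUser is null when SharePoint served the request anonymously.
    public static bool IsAnonymous(SPContext ctx)
    {
        return ctx == null || ctx.Web.CurrentUser == null;
    }
}
```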
Q: Can you use a non-authenticated page for changing password, etc?
A: Yes, just treat it like a login page. See my article “Customize a SharePoint Login Page”.
Q: If you have WSS 3 and it implements forms authentication and restricts content to specific users, do you have to have client access licenses?
A: I would have to refer you to a licensing specialist – however, I know that the most common license people forget when they expose WSS to the outside is a Windows Internet Connection license. (It’s bundled with Web Edition but not the other versions of Server)
Q: Can I have a list that contains permissions for a user?
A: No, you must use the permission constructs in the API.
Q: Can you extend auditing with your own events?
Q: Can we use a different database for authentication?