I am trying to access User permissions > create subsite enable/disable feature with sharepoint API. How to access User permission for webapplications?
If you go to CA in sharepoint 2010 and click on an web application and then choose User permission in the ribbon it shows you lot of check boxes. Under site permission there is an option for create subsites. This is specifically what I am looking for.
Based on this ref: Toggle permission in WebApplication.RightsMask)
Powershell:
$webApp = Get-SPWebApplication -Identity http://mywebapp
$allowSubsites = $false
$newPermissions=$null
if ($allowSubsites){
$newPermissions=[Microsoft.SharePoint.SPBasePermissions]($webApp.RightsMask -bor [Microsoft.SharePoint.SPBasePermissions]::ManageSubWebs)
}
else
{
$newPermissions=[Microsoft.SharePoint.SPBasePermissions]($webApp.RightsMask -band [System.Int64](-bnot ([Microsoft.SharePoint.SPBasePermissions]::EmptyMask -bor [Microsoft.SharePoint.SPBasePermissions]::ManageSubWebs)))
}
$webApp.RightsMask = $newPermissions
$webApp.Update()
C#:
SPWebApplication application = sourceSite.WebApplication;
application.RightsMask = application.RightsMask | SPBasePermissions.ManageSubwebs;
application.Update();
Web applications (SPWebApplication) themselves have no per-user permissions. The highest level (in terms of the least-granual setting) are site collections (SPSiteCollection).
Related
Good day!
I just want to ask about microsoft graph Api permission, there's too many options here but my goal is to have the full access ONLY to specific account and read the mail box such as Subject, Email Body, attachment and Sender Email, the system will read the mails from the back end from the specific account only. (like a basic auth)
I'm trying to make system to my org. I don't have the full control in azure portal, so I create API Permission request.
What option need to include in my api permission request?
enter image description here
I saw the "Mail.Read" Option
but I think the scope of this option is to access ALL other mail account without signing in. correct me if I'm wrong, but then what I really need is for single account only.
Thank you in advance
Access to Graph API is normally done one of two ways:
On behalf of user
As a application (no user)
The permissions required for the access type are different and are documented for each API endpiont under the Permissions sections. The on behalf of user access requires "delegated" type permissions and application access require application permissions.
If you use "on behalf of user access" (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the api endponts you are using then you only have access to the data that that user has access too (even if you have permissions like ".all").
If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application id to a specific set of mailboxes.
There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allows the app to read mail in all mailboxes without a signed-in user where as Delegated permissions allows the app to read email in user mailboxes , check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference
In your case you want to check your mail only , then you need to use Delegated permissions , which doesn't required admin conesent
Hope this helps
Thanks
-- goal is to have the full access ONLY to specific account and read the mail box
Can I understand your requirement as, you may want to have a user who is admin role and only this user can query mail information for all other users?
If so, you must have a sign in popup window to let users sign in, then your application can validate the user to check if the signed in user is in admin role to determine whether allowing this user to query mails.
But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf on this specific user. In this scenario, I'm afraid you can using client credential flow directly with the application permission.
I'm trying to connect my current MS Access forms to SharePoint online. I was able to fetch and feed data without any problem. My only problem is that I want to share the front end to multiple users, but I also need to create a login form to check whether they have access to SharePoint online or not.
Is there a way to add a username/password to the below connection string?
"Provider=Microsoft.ACE.OLEDB.12.0;WSS;IMEX=2;RetrieveIds=Yes;DATABASE=https://CompanySharepoint.com/Lists/;"
Nope.
Access will determine if the user is able to login using integrated authentication. This means that users that don't have access to SharePoint won't be able to access the lists.
Depending on your SharePoint config, they might get an error message, or might get a prompt asking them for a username and password. As long as you're cleaning the cache properly, they won't be able to access any data if they have no permission to view the data on SharePoint.
We have an asp.net MVC application where users connect through azure active directory. They can manage files through their sharepoint online accounts.
To access sharepoint online, we use CSOM.We want the user connected to azure active directory use his account to manipulate files without fill credentials. To do that we attach an access token to the request's header to be authenticated. It works fine.
Now we want to use excel services SOAP API in sharepoint online. To be authenticated we must fill credentials. How can we bypass it and be authenticated with the user logged ?
EDIT :
You can see below the code to access sharepoint resources with the current user context.
using (ClientContext context = new ClientContext("https://myServer.sharepoint.com"))
{
context.ExecutingWebRequest += ExecutingWebRequest;
context.Load(context.Web.Lists);
context.ExecuteQuery();
// Do some stuff with lists ...
}
private void ExecutingWebRequest(object sender, WebRequestEventArgs e)
{
e.WebRequestExecutor.WebRequest.Headers.Add("Authorization", "Bearer " + accessToken);
}
I need to do something like this to access excel services webservices with the current user context.
While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the log in page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.
In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.
Problems related to the authentication schema can be found at different stages of the software development life cycle (SDLC), like the design, development, and deployment phases:
In the design phase errors can include a wrong definition of application sections to be protected, the choice of not applying strong encryption protocols for securing the transmission of credentials, and many more.
In the development phase errors can include the incorrect implementation of input validation functionality or not following the security best practices for the specific language.
In the application deployment phase, there may be issues during the application setup (installation and configuration activities) due to a lack in required technical skills or due to the lack of good documentation.
if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ||
{
$sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?
unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();
$sessionmethod = SESSION_METHOD_COOKIE;
}
if( md5($password) == $row['user_password'] && $row['user_active'] )
{
$autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;
}
I have an custom claims provider that uses a IP-STS on Sharepoint 2010.
I want that a particular claim that comes from the IP-STS to map the Sharepoint user profile.
i.e:
Map the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim to the "work email" field on the sharepoint's user profile
I want to do this automatically on the first time the user logs in, without any additional steps.
How can we accomplish that?
Just for your information, I've been researching pretty hard about it:
Even if I map it when I install the claims provider, this way:
$map = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
I can't see the right info on the Sharepoint user profile.
Any help?
Thanks in advance
Is it possible to track user actions in SharePoint from a Web Part? Or even better...does SharePoint 2010 automatically tracks users actions?
Yes, you can enable Auditing and read the Audit log programatically :
http://msdn.microsoft.com/en-us/library/bb466223(v=office.12).aspx