Securing an external list by filtering for current user - sharepoint-2010

I have set up an external content type with a column that contains Active Directory accounts to map each record to a user. Now I want users to only see those records in the list where the AD-account entry matches the current user's credentials.
So I tried the following approach, and succeeded in creating a user context filter on the ReadItem/create/update/delete operations. However, on the ReadList operation there is no option for it, the wizard has different filter options.
The result is that the current user can see all items in the external list, but can only open those tagged with his account, so the filter definitely works. However, having the filter only on items and not on the whole list is useless (items that cannot be opened will confuse the user, a list view might expose the data anyway, etc.).
I tried to filter this list with the Current User webpart, which gives us the desired result, but the list itself is of course still sitting in the background and can be opened via URL.
How can I get the user context filter applied on ReadList? And if that is not possible, where and how do you implement such a filter?

Export the BDC Metadata Model from SharePoint Designer and edit it by hand to include the UserContext filter. Then reimport the model through the BDC Service Application in Central Administration.
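What that hand edit looks like, as an added example that is not part of the answer: the ReadList (Finder) method of an exported BDC model with a UserContext filter bound to the query parameter. Names are constructed (SQL table dbo.Employees, column AccountName holding DOMAIN\user, filter AccountNameFilter), and it assumes the UserContext filter passes the current user's login name in the same format the column stores, which should be verified against a test record before relying on it.

```xml
<!-- Added example (not from the answer) of the ReadList method after hand-editing the exported
     BDC model. Constructed names: SQL table dbo.Employees whose AccountName column stores the
     DOMAIN\user login; everything omitted stays exactly as SharePoint Designer exported it. -->
<Method Name="ReadList" DefaultDisplayName="Employees Read List">
  <Properties>
    <Property Name="BackEndObject" Type="System.String">Employees</Property>
    <Property Name="BackEndObjectType" Type="System.String">SqlServerTable</Property>
    <Property Name="Schema" Type="System.String">dbo</Property>
    <!-- The row filter runs in the database, so a user who opens the list by URL or creates
         his own view still receives only the rows tagged with his account. -->
    <Property Name="RdbCommandText" Type="System.String">SELECT [ID], [Title], [AccountName] FROM [dbo].[Employees] WHERE [AccountName] = @AccountName</Property>
    <Property Name="RdbCommandType" Type="System.Data.CommandType, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">Text</Property>
  </Properties>
  <FilterDescriptors>
    <!-- UserContext: BDC itself supplies the calling user's identity for the associated
         parameter; it is never taken from the UI, so the caller cannot substitute another account. -->
    <FilterDescriptor Type="UserContext" Name="AccountNameFilter" DefaultDisplayName="AccountNameFilter" />
  </FilterDescriptors>
  <Parameters>
    <Parameter Direction="In" Name="@AccountName">
      <TypeDescriptor TypeName="System.String" Name="AccountName" AssociatedFilter="AccountNameFilter" />
    </Parameter>
    <Parameter Direction="Return" Name="ReadList">
      <TypeDescriptor TypeName="System.Data.IDataReader, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" IsCollection="true" Name="Read List">
        <TypeDescriptors>
          <TypeDescriptor TypeName="System.Data.IDataRecord, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Name="Read List Element">
            <TypeDescriptors>
              <TypeDescriptor TypeName="System.Int32" IdentifierName="ID" Name="ID" />
              <TypeDescriptor TypeName="System.String" Name="Title" />
              <TypeDescriptor TypeName="System.String" Name="AccountName" />
            </TypeDescriptors>
          </TypeDescriptor>
        </TypeDescriptors>
      </TypeDescriptor>
    </Parameter>
  </Parameters>
  <MethodInstances>
    <MethodInstance Type="Finder" ReturnParameterName="ReadList" Default="true" Name="ReadList" DefaultDisplayName="Employees Read List" />
  </MethodInstances>
</Method>
```

The same FilterDescriptor/AssociatedFilter pairing is what the wizard already generated for ReadItem; after import, confirm on a test list that a view filtered by another account returns no rows.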

Related

where are custom permissions for a SharePoint list saved? (SharePoint 2010)

I am developing a POC (SharePoint 2010) where I can demonstrate that the users can be granted certain permissions on a list for a date range (for example contribute access for a selected week). I will be breaking permission inheritance and create unique permissions for a list.
I would like the permissions to be revoked automatically after the expiry date. Also, I would like to do this using the Manage Permissions list (_layouts/user.aspx) so that I don't have to maintain a separate list.
I have a couple of questions regarding this:
1. I assume that the custom permissions for any list must be stored in some list. How can I get to know in which list the permissions are getting stored?
2. If at all I get to know in which list the permissions are getting stored, will I be able to add columns to that particular list?
I hope that the question is clear.
Permissions are not stored in any list. Rather, every securable object (including sites, lists, folders, and items) has a Role Assignments property that indicates what groups/users currently have access, and what their permissions are (if not inherited).
See the SPRoleAssignment class documentation for more information.
Note that the User Information list is not a "Manage Permissions" list; it stores profile information about users who access the site, but does not store any permission-related information. Further, it's not a typical list at all, in that it does not show up in the SPWeb.Lists collection for a subsite, and its fields are automatically populated by SharePoint's User Profile Service. While you could potentially add more columns to it, you'd be better off using a separate list to store and track your permission information instead of contaminating the site collection user info list.
To have permission changes take place based on an expiry date, you'll need to implement a time-based solution that runs on a regular basis to see if any changes need to be made, such as a custom timer job, a custom site workflow that runs on a schedule, or a Windows scheduled task.
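As an added example of the timer-job option the answer mentions (not code from the answer), the job below revokes expired unique role assignments on lists, driven by a separate tracking list rather than the user information list. The list name "PermissionGrants" and its columns Grantee, TargetList and ExpiresOn are constructed for the example.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Utilities;
// Hypothetical timer job, not from the answer. It assumes a tracking list "PermissionGrants"
// (constructed) with columns Grantee (text, DOMAIN\user), TargetList (text) and ExpiresOn (UTC date/time).
public class ExpiredGrantCleanupJob : SPJobDefinition
{
    public ExpiredGrantCleanupJob() : base() { }   // needed for timer job serialization
    public ExpiredGrantCleanupJob(string name, SPWebApplication webApp)
        : base(name, webApp, null, SPJobLockType.Job) { Title = "Revoke expired permission grants"; }
    // Runs under the timer service account, so no privilege elevation is needed.
    public override void Execute(Guid targetInstanceId)
    {
        foreach (SPSite site in ((SPWebApplication)Parent).Sites)
            using (site)   // RootWeb belongs to the SPSite and must not be disposed separately
                RevokeExpiredGrants(site.RootWeb, DateTime.UtcNow);
    }
    // Removes the grantee's unique role assignment from each target list whose grant has
    // expired, then deletes the tracking row so it cannot be re-applied. Returns the count.
    public static int RevokeExpiredGrants(SPWeb web, DateTime utcNow)
    {
        SPQuery expired = new SPQuery();
        expired.Query = "<Where><Leq><FieldRef Name='ExpiresOn' />" +
            "<Value Type='DateTime' IncludeTimeValue='TRUE' StorageTZ='TRUE'>" +
            SPUtility.CreateISO8601DateTimeFromSystemDateTime(utcNow) + "</Value></Leq></Where>";
        SPListItemCollection grants = web.Lists["PermissionGrants"].GetItems(expired);
        int revoked = 0;
        for (int i = grants.Count - 1; i >= 0; i--)   // backwards, because items are deleted
        {
            SPListItem grant = grants[i];
            SPList target = web.Lists[(string)grant["TargetList"]];
            SPUser user = web.EnsureUser((string)grant["Grantee"]);
            if (target.HasUniqueRoleAssignments && HasAssignment(target, user))
            {
                target.RoleAssignments.Remove(user);   // inherited permissions stay as they are
                revoked++;
            }
            grant.Delete();
        }
        return revoked;
    }
    private static bool HasAssignment(SPList list, SPPrincipal principal)
    {
        foreach (SPRoleAssignment ra in list.RoleAssignments)
            if (ra.Member.ID == principal.ID) return true;
        return false;
    }
}
```

Grants the job revokes are visible afterwards in the list's permission settings and in the audit log if auditing is enabled, which is how to verify the job ran against the right list.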

Advice on implementing secure page with a list returned from REST API

I'm new to Piranha CMS and just trying to get my head around it. I'm using the MVC implementation and I need to do the following:
I need to extend the User with a property that stores an account number.
I need a page that is only accessible once the user logs in
On this page, I need to call a REST API on another server, using the account number as a parameter, to retrieve a list of documents that the user has stored on this server.
When the user clicks the document, it will be downloaded as a PDF using the REST API once again
I just need general guidance on how to do this. How do I store the account number against the user (and manage this)? Do I need to create a new Region that will show the list of documents from the remote server? Is there an example of creating a new Region anywhere, and maybe returning a list from SQL that I can adapt?
Any help gratefully received.
Thanks in advance
Mike
The easiest way is to implement an extension with your custom fields that you attach to the user where you store this information.
When editing a page, go in under "settings" and select which groups should have access to your page. For this purpose I suggest creating a new group for site users that are not admins.
This should be easily implemented in either the controller or model for your page. When the user is logged in "User.Identity.Name" is the user id. Get the user, load the extensions & use the account number.
See number three.
Regards

How to populate active directory users data in a sharepoint 2010 new list item form?

I have a custom list in my SharePoint 2010 website. When I am adding a new item to my list, I want to populate data from active directory in the respective fields when I enter the exact user Id in my first field. Can it be done through SharePoint designer or through browser?
Depending on what user information you want to populate into the list, you may find it easier to use the SharePoint API directly and call the SPUser object instead.
SPUser user = web.EnsureUser((string)listItem["UserField"]); // the field holds a login in the form domain\user
The EnsureUser() method will require you to give it a username in the format: domain\user.
That being said, it would probably behoove you to just make the field in question an SPUser field in the first place. That way the default new item / edit form makes the field use the PeoplePicker object to bring in actual users. If you do need to call Active Directory directly, you can do that, too, I guess, but since virtually everything in AD can be exposed in SharePoint either automatically or by editing your User Profile Service application, there's not really a reason to invoke AD directly in most scenarios.

Grails Spring Security forcing user to a specific screen after successful authentication

Here is the scenario. I have two objects Users (with username/password) and UserInfo with rest of the data related to user. The Users is an old table with thousands of records and UserInfo is fairly new. I want to get as much UserInfo as I can when the user first logs in.
I'd like to force the user to a custom screen after first login and ask for the UserInfo data. Once I get the "required" data in the new screen, I don't show it until the user voluntarily wants to fill in the data under "Profile".
Since there are multiple entry points to the application, I don't want to update all the controllers to check for this.
Is there a way I can use a Spring Security filter or something which is executed on successful login? I had a look at ApplicationListener<AuthenticationSuccessEvent> but it doesn't solve the problem, because if I copy-paste the link in the browser, it lets me go ahead to the destination without asking for "extra information".
In a nutshell, I want a check after each login which, if it fails, means the user is not allowed to enter the application, no matter how he tries to get in.
In your Config.groovy, configure Spring Security's defaultTargetUrl and tell it to always redirect there:
grails.plugins.springsecurity.successHandler.alwaysUseDefault = true
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/userInfo/edit'
In your UserInfoController's edit action, you can check that the required fields are present (userInfo.validate() perhaps?) and if they are, redirect to wherever you like, perhaps '/', otherwise render the edit info view.
You can adopt what #doelleri proposed and enhance the rule with these steps:
run a batch task to assign a temporary ROLE_DISABLED role to each user who has not yet provided supplemental information. If the user already had some roles, save them in some property.
set up your authorization rule so that users with the ROLE_DISABLED role are only allowed to access /userInfo/edit.
in /userInfo/edit, if the user has the ROLE_DISABLED role, render the information input view, and restore the user's roles after they have successfully updated their information. Otherwise redirect to '/' or the path they requested.

How do I determine who has access to modify an active directory group

I'm working on creating an administrative interface that allows managing users in groups in Active Directory.
I would like to only show groups to the active user if the user actually has the rights to add or remove other users within those groups, but I'm not sure, at this point, how to determine which people can modify the groups, or whether the current person has access to modify a specific group.
I suppose the application can find out after the user tries and we get an access error, but I don't like to use error trapping as a way of determining if some feature is available and I would prefer not to tempt the users with a list of groups they can't control.
If possible, please supply an answer that targets vb.net 3.5 using System.DirectoryServices.AccountManagement as that is the environment that I am currently working within. I can translate from C# if necessary.