I would like to be able to supply external users (customers, potential leads, suppliers) across organisations and internal users inside my organisation with documents.
The documents should be organisable per user individually. E.g. Customer A should be able too see documents for the product he bought, not more and not less documents.
No further functionality is currently needed besides that.
Is SharePoint the right tool for that job?
If not what other tools can you recommend from your experience?
I see you tagged SharePoint 2019, I'd advise against using on-prem SharePoint for Sharing documents externally. It is possible, but to do it securely is complex and expensive.
O365 on the other hand is pretty simple and the security is already implemented for you. You can determine the level of access that your external users have and you can extend that by using additional tools provided by Microsoft Information Protection.
You can secure access by forcing guests to login or simply have anonymous links. To add to that you can automate your publishing processes using Power Automate, the O365 workflow.
Take out a trial subscription and make sure it meets all your requirements first.
Related
I'm currently working on migrating a big company's data from DropBox to SharePoint and i can't quite decide on how to structure the whole SharePoint environment.
So as you may know DropBox has an admin section where you add your members, groups and content to share and it is pretty straightforward on how to implement simple things and by that, i mean that you get your members on some groups and then you share specific folders (from your content) to that group directly.
As of SharePoint now, i found out that it has more or less the same functionality but it really gets pretty inconvenient on how to implement this. I created a new site, then i created my groups and added some users to them, then i created as many document libraries as my shared folders were on DropBox, i stopped inheritance from the site and added groups directly to the document libraries. All that, took me quite a while, more than 8 hours, for 30 document libraries and 20 groups mostly due to the back and forth i had to go through settings, permissions, libraries etc.
Would it be, let's say, more practical or rather make more sense to create a new site for every shared folder i have on DropBox and add members directly from the site's homepage?
What would you do for such a case?
Thanks in advance
PS. The migration tool that SharePoint admin center provides it comes pretty handy and it works good, but transfers data quite slowly.
TLDR: Use sites, not libraries, for different user groups.
SharePoint makes the following things easy:
Sharing a whole site (by inviting people as members (edit) or visiors (read))
Sharing a single file (with a person that you don't want to have access to the other stuff on the site)
SharePoint makes the following very hard:
sharing specific libraries with distinct groups of people. This requires a lot of setup work and is a maintenance nightmare. You also need to be an administrator of the each site and know where in the depth of the SharePoint settings you can find the switch to break permissions and invite other people to a library.
It is not recommended practice to share libraries like that.
In your scenario, you would be served better with individual team sites using O365 groups. Then add members via the home page sharing button. The site should be the permission boundaries and these permissions should not be broken for any site content.
If the need arises to break permissions for certain content, it's time to move that content to a separate site with its own membership groups.
Using O365 groups, any site membership can then be viewed, managed and audited in the SharePoint admin portal and the M365 admin portal. No SharePoint knowledge or SharPoint site access is required for admins to manage membership. Membership assignment can also be automated with various tools like PowerShell or Power Automate.
Users can see only the sites they have access to, and will not suffer the bad user experience of clicking a library, only to get an error message for "You do not have access".
One of my client want to allow their users to view the related contacts of an account, even if they are not shared with them. I've suggested some solutions that were including workflows, plugins or teams. But he is still insisting that if a user can access to accounts then he should have access to the related contacts.
Can anybody is there to share his views on it.
If upgrading is an option for you, 2013 and later have Access Teams which are meant for sharing permissions without messing the ownership.
Lots of useful info here http://garethtuckercrm.com/2013/11/24/crm-2013-new-features-access-teams/
Basically, once you enable Access Teams for an entity, you can relate Users to a specific record and those users will gain access to the record itself (in a manner similar to Sharing, but you can define templates) and child records too if you want.
Sharing through teams or directly to a user is the only answer you can give to your customer.
I'm developing a document management based on the crm sharepoint integrations at the moment. It is realy a nice way to take advantage of the sharepoint document capabilities inside crm 2011.
BUT!:
I see a huge drawback with this attempt, because the sharepoint security model differs from the crm security model. This way, even if a user has no acces to a account entity, for example, it is possible for him to go to the sharepoint site and look at the documents of this entity, because he got permissions on the list for his own account entities.
Why the heck there is no thread about this big security problem? Is there maybe a simple solution to get around this problem?
I hope someone is able to help me.
Best regards,
Gerrit
There exists a commercial out-of-the-box solution solving this problem from Connection Software company (http://connecting-software.com/index.php/en/solutions/products/cb-dynamics-crm-privileges-to-sharepoint-permissions-replicator).
Basically they deploy tiny plugin into CRM that collects all the event that can possibly require change of permissions. There is a extra service that is processing these events and writes folder-level permissions into SharePoint accordingly.
Eugh. Sharepoint.
In my opinion there is no easy way around this and there are other problems with the way it integrates.
I was on a project where we discussed options around this very issue but was moved on before we came to a conclusion.
My suggestion was to use the Sharepoint Security APIs to assign permissions on SP based on roles/events in CRM. All users start with no permissions in SP.
e.g.
User is assigned as owner in CRM - use plugin to call SP API to give permissions to that specific folder. Previous owner has permissions removed.
Opportunity is created. Use SP security API to give permissions to owner of Opportunity to the folder associated with the opportunity.
And etc etc and so on.
It isn't too pretty and depending on requirements could become particular pain to maintain and test, but I didn't see many other options.
But there are plenty of problems with SP integration I think I was lucky that I was moved on to another project!
We're currently investigating what kind of authentication we want to use for a sharepoint portal site : Forms Authentication or Windows Authentication. The latter has my preference.
What suprised me (I'm a sharepoint noob), is the fact that MS didn't provide a component/web-part that handles account management when using Windows Authentication.
Do you now how to do this? Without resorting to buying an additional product. Shouldn't it be very easy to access the Active Directory by code (C#)?
Windows Authentication
I echo Justin's thoughts regarding AD management. Adding users to your domain also doesn't necessarily have anything to do with adding them to SharePoint. However perhaps there is an IIS add-on that does this if you wish to pursue it.
If you don't already know, SharePoint can automatically import user profiles from your Active Directory domain. This makes them available for assigning permissions within the sites.
Some additional info from Justin's comment about changing the AD structure to administer security: With SharePoint 2007 you no longer need to rely on Active Directory to manage groups of users. It's possible to also use SharePoint groups (which can contain AD users or AD groups). This works really well when you need to create a group for a purpose that isn't applicable outside SharePoint and you don't want to bug the infrastructure team. The downside is that without education, end users probably won't manage this well and it can become a mess.
Forms Authentication
It's true there is very little provided by Microsoft for managing this. However the Community Kit for SharePoint provides this functionality. From memory I had to tweak their code a bit but I was generally happy with it.
If you are considering this option also read this MSDN article.
It's much easier to just use the regular AD management tools provided with Windows rather than trying to manage your users' permissions through a web interface (for groups and such).
...of course you'll need access to make changes to your AD structure to administer the security.
Another alternative you may want to consider is using Forms Authentication using the Active Directory provider. It'll allow you to use the Forms Auth user admin tools and still authenticate against an Active Directory environment.
IF this is for users who are not a part of your actual domain (i.e. extranet users), I suggest you take a look at ADAM, Active Directory in Application Mode. It behaves the same as regular AD, can be administered through the windows.
Also, take a look at the following codeplex project, ADSelfService, it allows users to edit their own AD profiles. Perhaps you can extend the code yourself to allow admins to edit all profiles.
AdSelfService Project
Can MOSS integrate and get user profiles from multiple Active Directory and/or LDAP stores?
I have seen from Integrating Microsoft SharePoint Server With Oracle Virtual Directory that there may be intermediary products that can help with this.
It looks like Rohati has a solution as well, but is the out of the box without third party products?
Cannot answer for non-AD LDAPs but with with multiple forests where you have a trust, one-way will work, it is no big problem.
You need to do two things, add the people to the people picker, http://technet.microsoft.com/en-us/library/cc262051.aspx, and then run a command to import the user profile information, link on above link. Besure to run the command also on your MySites so that profile is correct.
Alot more information can be found by searching for sharepoint and multiple forests.
Here is one solution SharePoint AD Information Sync, which can let you export AD user files into list. However, the trouble is you need know it just can get user profiles from Active Directory but can not LDAP stores and I am not sure it can do that from multiple Active Directory.
Anyway, it is a ugly solution. Maybe helpful to you.
One way would be to extend your website application and to attach different providers to different zones. I think there're should be something like LDAP Membership Provider you can use. But I guess that's not what you're looking for.
Another way would be to build your own Membership Provider which internally retrieves users, groups from multiple sources.
Our client found a SharePoint 2007 Shared Services Provider User Profile Importer from CodePlex that may help too.
Since the web.config entries only have one entry for hostname, port, userContainer, etc..., it is hard to see how you can do that without using a third party virtual directory product. Oracle can do it but so can Symlabs or OptimalId and probably any other VD on the market. Those are not free. But Penrose is a free LDAP Proxy and my guess is that you should be able to do it with Penrose too.