I have imported users from AD and keep syncing them for a while. Today two of users' display names have been changed on AD and SharePoint synced them correctly. Just to be sure, I checked users from User Profile Service App which looks OK. New names are appearing correctly.
Yet when I try to add a list item and select user from people picker, I get old user info. This also happens when I try to insert a list item programmatically.
Tried to delete users from SharePoint, however I still get same old users. Do you have any idea for solving this situation?
Thanks in advance.
I found the solution. There was an another User Profile Service Application which was not used and not properly configured. Weird point is, that malconfigured app was not listed on service applications. I found it by using Get-SPServiceApplication cmdlet and removed it. After removal, did a full synchronization and voila! Now I can get current information.
This is may be because entry in SharePoint's hidden user-list - User Information List.
Browse to this list - http://{SiteCollectionURL}/_catalogs/users/detail.aspx
Check for the display name of the users you have updated. If you see old user name instead of new/updated, delete these users from this list.
After this ask user to login to the same site again.
Related
I have exported a solution from one of my existing CRM Online instance, and imported to another new instance which is also CRM Online 2016.
The solution contains customized Opportunity entity (forms, views, fields, processes, etc), and a custom Security role.
The solution contains one custom field "Follow up Contact" which is of lookup type and referencing to Users entity.
After importing the solution, I have assigned one of the user to the custom security role in new instance.
Now, when I try to create a new opportunity, and try selecting "Follow up Contact", I am seeing no user in the list, whereas the associated view is expected to display at least 5 users. Also, when I try clicking on "Look for more records", I get following error -
"You do not have sufficient privileges to open this Lookup dialog box."
Whereas, users with same security role in the source solution can see the items in the "Follow up Contact" dropdown, and also that "Look for more records", work fine for them.
Any idea what could be the possible reason? Are there any changes in terms of security roles in latest upgrade of CRM Online?
Well strange things do happen!!
I opened the form in designer mode.. disabled the execution of the particular method which contains scripts for setting default value to the lookup control.
Published the solution.
Then again, enabled the script execution...
and to my surprise, the lookup field started working...
Just had this problem and here is what worked for us.
We had a custom entity that was related to the out-of-the-box Account entity. We had 3 lookups on that custom entity to Account. Even with System Administrator role, none of our users could get any records to return from the lookup search and we got the error message specified in the title.
We ended up deleting ONE of the lookup fields (picked the one with least dependencies). We added that field and its dependencies back in. It was annoying manual process, but after this all THREE of our lookup fields were fixed.
I'm guessing the Account-Custom Entity relationship XML behind the scenes was corrupted somehow, and deleting/recreating cleaned it up.
I have the following scenario:
My Add-In allows to write posts. Any user may "Like" that post. That likes are being saved into a list.
Of course the Add-In needs permission to write that entry into a list. But as (IMHO) I cannot use any elevated privileges inside a SharePoint - hosted Add-In, the user needs to have that permission, right?
So: How can I protect my lists that the user don't just go into the list and modifies the value himself and increases the "likes" for example?
(remark: This is no real-world scenario. I know there are better ways to use a social network-feature. Just wanted to break down my much more complex app)
SharePoint-hosted add-in cannot use App only policy as provider-hosted add-in can to use add-in context with more permissions then user has. SharePoint-hosted add-in is running completely in the context of current user.
I see 3 possible solutions:
Redesigning the add-in to be provider-hosted)
Implement custom web service and calling this web service from your add-in. That web service can store sensitive information in either custom database or list in app web with customized permissions. But remember that SP admin can modify these permissions.
Store semi-sensitive information into extended properties of item. There's no UI allowing user to manipulate with it but this is not as secure as permission. Advantage of this is that this information is directly connected to the "affected" item and you don't need to afraid of loosing connection between item and like storage. Disadvantage is that extended properties can contain only limited amount of data and user must have permission to update item. You can also use this approach combined with your list.
I would make each user's 'like' click create a new item in a list that has the Item-level Permissions set to:
Create items and edit items that were created by the user
That way even if they did somehow get into the back end and start monkeying around with the list they would only be able to change the items they created.
You'd just need to manage how the list grows over time depending on the scale of the app.
You are correct. The user would require the something like "Contribute" permissions to accomplish what you are talking about. Personally, here is what I would do...
1) Ensure the list I want to protect has an obscure name. Remember, the UI is not the same as in the host web (i.e. Site Contents). The user never has to know in what list such data is stored. Taking it a step further, ties between lists could be made by something like a GUID instead of something obvious like "Title", making it more difficult to determine exactly how data relates.
https://sharepoint.stackexchange.com/questions/96360/hide-list-from-browser-site-lists-lisname
2) Delete all views in your sensitive lists. This would prevent navigation in the browser. These lists would be modified through REST or CSOM, so you do not need them.
3)I haven't tested this possible solution, but it may work. You should be able to configure the edit.aspx (or create your own custom one) so that even if the user somehow made it past Steps 1 and 2, there was no available fields to edit anyways...
These methods do not manipulate the permissions to the list in any way and in the end, all of this is permissions through obscurity.
I have a specific requirement where-in I want only the uploader of the document and a specific team to be able to view it in list / library. 1) is it possible? 2) If yes, how...?
Ok. So I was able to resolve my issue with the steps mentioned below. Soon will be documenting it in form of a blog and share it:
Created the document library and modified the default view to only show documents that were created by/modified by [Me].
Added a new web page to the library and gave exclusive rights to access that to a certain set of users.
Restricted all users from creating a view with the help of creating special permission level where user only had access to upload or delete a document but not creating/updating/deleting lists/views. Also disabled private view creation.
Hope this may be helpful to others too who are looking for restricted views / disabling view creation.
You need to set item level permission through event handler:
http://www.chakkaradeep.com/post/SharePoint-ndash3b-Setting-Item-level-permission.aspx
http://msdnvietnam.net/blogs/quang/archive/2009/07/02/sharepoint-eventhandler-set-item-level-permission.aspx
#Ashish, in SharePoint 2007 GUI you cannot make a query that will show documents that belongs to a specific group, however CAML specification supports it (Membership tag), it wasn't documented until SP2010, but it works on SP2007 (i'm using it)
However this involves custom coding and this doesn't assign permissions automatically, it just enables you to filter documents by groups.
For a solution without custom coding you could consider making a seperate folder/list for every person/group and set permissions to folder/list accordingly. This will also help performance - it's better to have permissions set on high-level container than having fine grained permissions (i'm just assuming that, because i read everywhere that mass fine-grained permissions are bad for performance)
You may use current user filter web part to filter the document by whom logged in into the sharepoint site by passing the value Dispaly Name
I am currently working on a custom SharePoint web part (WSS 3.0, not MOSS) that will pull in information for all of the users in Active Directory to build an up to date employee directory. This web part shows things like phone number, address, and other similar fields. The issue that I am having is that, by default, the SharePoint web site on IIS is running as the user IUSR_. This user does not have access to Active Directory, so I am unable to retrieve any user information.
To get around this for testing I have hard coded the credentials for a test user which I added just for this purpose. This, obviously, is not ideal. If anyone removes this user or if they ever change the password then the web part will break and they will have no way to fix it (they have no in-house developers to take it over once I am finished here). To fix this problem, I would like to make the Username/Password custom properties on the web part so I can pass those to Active Directory to retrieve the information I need. The issue I am having with this is that the password is stored in plain text so anyone can read it. I would like it to display as ******** or something similar. Is there a way to make a custom property on a web part a password type?
If this isn't possible, can anyone recommend another way to accomplish what I am trying to do? At this time I cannot change the user that the SharePoint website runs as. Although, if I cannot find any other solutions I will try again to persuade them.
Thanks in advance!
We use a service account for that. That service account is solely used for that. Something like DOMAIN\SPS_AD_READ_CUSTOMER
In our documentation that we deliver when putting the application in production that account is put in the list of stuff that is needed to make the webpart run. If the webpart ever fails, the ITPro can go to the chapter and check if everything is still ok.
It's not ideal, but I don't really know another way on how to fix it.
I would go with custom Editor Part, then set up a control of TextBox with property TextBoxMode set to Password, then override methods from type EditorPart - SynchChanges() and ApplyChanges() to set and retrieve values.
tip: override method CreateEditorParts of a WebPart type to start with.
The bossman wants to know how to delete a user in Sharepoint. We've got him convinced that deleting a user is too difficult because of traces of that user through the system, so now he wants to be able to change the username to all Xs or somesuch. I've poked around the DB and found a couple of UserInfo tables, one in SharePoint_AdminContent_<guid> db and another in SharedServices. Is there a better way to change usernames? Am I on the wrong track?
Thanks.
There is "stsadm -o deleteuser". See this TechNet article. That command will delete a user from a site collection.
You can also find more options on Keith Richie's blog. That is from WSS 2.0 / SPS 2003 era but there is a lot of good information there.
Please don't access the database directly as it's not supported ; you may even destroy integrity in the process.
If you really want to "remove" all trace of a user, I suggest looking to "stsadm -o migrateuser" to rename the user to a dummy XXX user created in your membership provider.
Edit: it's migrateuser and not renameuser, my mistake
http://technet.microsoft.com/en-us/library/cc262141.aspx
The reason you cannot remove users from SharePoint is because users are not stored in SharePoint. Users are stored in the respective membership provider: AD, aspnetsqlmembershipprovider, etc.
The process for removing a user from SharePoint's environment is to first go to your membership provider and delete the user there. After you have done this, you have a choice.
You can leave the user's artifacts for legacy information. Ie, Joe Blow created a document and even though Joe Blow doesn't exist anymore (hit by bus) it's good to know that he created the document.
Alternatively, you can run the stsadm -o deleteuser command Alex mentioned (once per site collection), which should disassociate that user from all their artifacts for that site collection. Any documents the user created will now be owned by the system administrator (I believe). An example of using this option is when the user account was misspelled and you want to remove all traces before creating the correct account.