I am trying to find out if the currently logged on user has a certain security role. I've looked on Google (couldn't find an answer) and the SDK examples (they seemed way too complicated). So, if you know the name of the security role and the user ID, how do you check to see if the user has that role?
If you browse the folder structure of the CRM 2011 SDK (link: https://www.microsoft.com/en-us/download/details.aspx?id=24004) to this location you will find what you are looking for:
.\SDK\SampleCode\CS\BusinessDataModel\UsersAndRoles\DoesUserBelongToRole.cs
It provides a sample built as a C# Console application. The code will work in ASP.NET as long as the app pool user is authorized to access the CRM Organization that you are trying to connect to.
Hope this helps
You should be able to find lots of examples out there. However, to get the current user's roles in JavaScript you can use:
Xrm.Page.context.getUserRoles()
That, however, will return a list of GUIDs which you then need to compare with roles in the system. This part is a bit trickier; however, here is an article that shows pretty clearly how to do it:
http://www.infinite-x.net/2010/11/16/retreiving-user-roles-in-crm-2011/
At a high level you need to do an OData query (against RoleSet) to return the role (or roles) that you are wanting to compare. Then you compare the GUIDs of those roles against the GUIDs returned by the getUserRoles() function and you're good to go!
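The comparison described in the answer above, as an added example that is not part of the original post. Only getUserRoles() and the RoleSet OData set come from the answer; the function names, server URL and GUIDs are constructed for illustration.

```javascript
// Added example: helper names, URL and GUIDs below are constructed.

// GUIDs may arrive with or without braces and in either case.
function normalizeGuid(guid) {
  return String(guid).replace(/[{}]/g, "").trim().toLowerCase();
}

// OData query for every role with this name. A single quote inside the name
// is doubled (OData string-literal escaping) so it cannot alter the filter.
function buildRoleQuery(serverUrl, roleName) {
  const literal = String(roleName).replace(/'/g, "''");
  return serverUrl.replace(/\/+$/, "") +
    "/XRMServices/2011/OrganizationData.svc/RoleSet" +
    "?$select=RoleId,Name&$filter=" +
    encodeURIComponent("Name eq '" + literal + "'");
}

// roleRows is the d.results array of the OData response. The same role name
// exists once per business unit, each copy with its own RoleId, so a match
// against any of the returned rows counts.
function userHasRole(userRoleIds, roleRows, roleName) {
  const wanted = new Set(
    roleRows
      .filter((row) => row.Name === roleName)
      .map((row) => normalizeGuid(row.RoleId))
  );
  return userRoleIds.some((id) => wanted.has(normalizeGuid(id)));
}

// Constructed data standing in for getUserRoles() and the query result.
const sampleUserRoles = ["{0F3A9C1E-5B7D-4E21-9A6C-1D2E3F4A5B6C}"];
const sampleRoleRows = [
  { Name: "Salesperson", RoleId: "7c1d2e3f-0000-4000-8000-aaaaaaaaaaaa" }, // root BU copy
  { Name: "Salesperson", RoleId: "0f3a9c1e-5b7d-4e21-9a6c-1d2e3f4a5b6c" }, // child BU copy
];

console.log(buildRoleQuery("https://crm.example.test/org", "Salesperson"));
console.log(userHasRole(sampleUserRoles, sampleRoleRows, "Salesperson"));
console.log(userHasRole(sampleUserRoles, sampleRoleRows, "System Administrator"));
```

A check like this only drives what the form shows or hides; CRM still enforces the role's privileges on the server for every request.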
I have developed a basic Teams chatbot using the Hello World Tutorial from Microsoft (with Node.js). What I would like is to make this bot able to search through the SharePoint documents library. Users could ask questions like "the contract for product B" to the bot in Teams and the bot could reply with the doc URL or, better, the doc itself. So:
Is it possible?
If yes, would you know a tutorial that could help me?
Thanks
Yes, this is possible. You need to be aware that a bot is basically just a web service with a special REST endpoint, so it can do anything any other web service can do, which includes for example calling to SharePoint. The important thing for you to be aware of is that the bot / web service has no access rights by itself into SharePoint, so you need to think about authentication to the SharePoint library. In short:
You should use Microsoft Graph to connect to SharePoint, something like this: https://learn.microsoft.com/en-us/graph/api/resources/onedrive?view=graph-rest-1.0 or more specifically this: https://learn.microsoft.com/en-us/graph/api/driveitem-list-children?view=graph-rest-1.0&tabs=http
If you look at the Permissions section in the above link, notice that your service (i.e. bot) needs to have either 'Application' permissions, which means a standard permission applied to the bot itself, and granted by the tenant admin, to retrieve any files, or 'delegated', which means it can only fetch items the user has access to, and the bot operates on the user's behalf. The 2nd option requires you to implement SSO in your bot, to get the user's access token, exchange it for a Graph token (something called an "OBO" or "On Behalf of" exchange), and then call SharePoint.
I've tried to keep the answer focused on your question. If you want more details, especially on the 2nd part which is more detailed and might not be familiar to you, let me know, but it should be a separate question here on this site in that case.
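The delegated path from the answer above (user token, "On Behalf Of" exchange, then the Graph call), as an added example that is not part of the original post. The tenant, client id, secret, scope choice and function names are constructed placeholders, and fetchImpl is an injected fetch-compatible function.

```javascript
// Added example: all configuration values below are constructed placeholders.
const GRAPH = "https://graph.microsoft.com/v1.0";

// Build the On-Behalf-Of request for the v2.0 token endpoint. Throws instead
// of falling back to app-only access when no user token is present, so
// results stay limited to what the asking user is allowed to see.
function buildOboRequest(cfg, userToken) {
  if (!userToken) {
    throw new Error("no user token: refusing to call Graph without a user context");
  }
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    assertion: userToken, // token the bot obtained through SSO
    scope: cfg.scope,
    requested_token_use: "on_behalf_of",
  });
  return {
    url: "https://login.microsoftonline.com/" +
      encodeURIComponent(cfg.tenantId) + "/oauth2/v2.0/token",
    body: body.toString(),
  };
}

// Exchange the user's token, then list a library's root folder as that user.
async function listRootAsUser(fetchImpl, cfg, userToken, driveId) {
  const req = buildOboRequest(cfg, userToken);
  const tokenRes = await fetchImpl(req.url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: req.body,
  });
  if (!tokenRes.ok) throw new Error("OBO exchange failed: " + tokenRes.status);
  const { access_token } = await tokenRes.json();
  const res = await fetchImpl(
    GRAPH + "/drives/" + encodeURIComponent(driveId) + "/root/children",
    { headers: { Authorization: "Bearer " + access_token } });
  if (!res.ok) throw new Error("Graph call failed: " + res.status);
  return (await res.json()).value.map((i) => ({ name: i.name, url: i.webUrl }));
}

const sampleCfg = { // constructed values
  tenantId: "contoso.example", clientId: "00000000-0000-0000-0000-000000000000",
  clientSecret: "PLACEHOLDER", scope: "https://graph.microsoft.com/Files.Read.All",
};
```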
Was not able to find a way to discover all the sites of an organization:
creating a site with user2
approving the app with an admin
using 'https://graph.microsoft.com/v1.0/sites?search=' does not show the new site.
Only once I add the admin to the site group do I find the new site.
How can I find all the sites?
Do I need to get an access token for each user?
For example with this token I can access all the drives but can't find the sites.
There are a couple things going on related to what you're asking and I'll try to address each of them:
1) We don't have an officially supported way to discover all of the sites and site collections in a given tenant today. The "search=*" query may give you the results you're after but it is not guaranteed in all scenarios. We're looking at this scenario but do not have formal support in the product today.
2) Search results are security trimmed: when using delegated permissions, the search API will only return sites that the logged in user has access to. This could explain why you needed to add the Admin first before it showed up.
3) To use search in scenarios where you do not want security trimmed results you will need to use Application permissions and have the Tenant Admin perform the application consent flow for the entire tenant. This is a fairly broad permission but is required for some scenarios.
I have an app that uses the OneDrive API (MS Graph) to access OneDrive free accounts and OneDrive for Business.
The app works fine.
In the docs of the API I can see the same API can also be used to access SharePoint Online sites data.
How to do this? When I auth a user who has a SharePoint Online account with MS Graph, there is only his drive (OneDrive) but his site is not listed.
How to get access to his SharePoint site too using the same API?
I have found how to work with sites using the Graph API.
To get the list of sites there is the call
GET /v1.0/sites/
Then use the SITEID to get the list of drives (in fact, top level folders)
GET /v1.0/sites/SITEID/drives
Then to get the contents of a drive use
GET /v1.0/sites/SITEID/drives/DRIVEID/root/children
And all the next calls are the same as for a OneDrive drive.
However, there is a problem I still cannot solve: how to create a new top level folder (a new drive on a site). There is no API call for this.
I believe what you are looking for is the sites API. It lets you interact with a SharePoint site if you know the path or the id of the site. You can find the documentation for the API here:
https://dev.onedrive.com/resources/site.htm
There is no easy way to discover sites as of now. You can however search for a site. You can read more about it here:
https://dev.onedrive.com/sites/search.htm
This endpoint to get the list of sites is not working, so the last answer is not valid anymore.
https://graph.microsoft.com/v1.0/sites
I haven't found a way to do this, the discovery of sites, without admin consent. If the admin consent flow is not a problem you can try this workaround: use the groups endpoint to ask for the groups that the user is a member of, and you can use the groups to get the document libraries of the user.
To get the groups:
GET https://graph.microsoft.com/v1.0/me/memberOf
With the group id, you can use this endpoint:
GET https://graph.microsoft.com/v1.0/groups/{group-id}/drive
So if someone knows how to do the discovery of sites for a user without admin consent, please share.
EDIT: I'm not sure why my answer was deleted; my answer basically has 2 things:
I gave notice that one answer here is not valid anymore.
I gave a possible other solution to the problem.
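The group-based workaround from the answer above, as an added example that is not part of the original post. getJson is a hypothetical injected helper that performs an authenticated GET, returns the parsed JSON and throws an error carrying a status property on failure; treating a group without a document library as a 404 is an assumption, and the sample entries are constructed.

```javascript
// Added example: helper names and sample entries are constructed.
const GRAPH_ROOT = "https://graph.microsoft.com/v1.0";

// /me/memberOf returns directory objects of several kinds (groups, directory
// roles, administrative units); only groups have a /drive to ask for.
function groupDriveUrls(memberOfEntries) {
  return memberOfEntries
    .filter((e) => e["@odata.type"] === "#microsoft.graph.group")
    .map((e) => GRAPH_ROOT + "/groups/" + encodeURIComponent(e.id) + "/drive");
}

// Graph pages its collections: keep following @odata.nextLink, otherwise
// memberships beyond the first page are silently missed.
async function collectAll(getJson, url) {
  const items = [];
  while (url) {
    const page = await getJson(url);
    items.push(...page.value);
    url = page["@odata.nextLink"];
  }
  return items;
}

// Resolve the document library of every group the signed-in user belongs to.
// A group with no library is skipped (assumed here to surface as status 404);
// any other failure is re-thrown rather than hidden.
async function drivesForUser(getJson) {
  const memberships = await collectAll(getJson, GRAPH_ROOT + "/me/memberOf");
  const drives = [];
  for (const url of groupDriveUrls(memberships)) {
    try {
      drives.push(await getJson(url));
    } catch (err) {
      if (err.status !== 404) throw err;
    }
  }
  return drives;
}

// Constructed sample of one memberOf page.
const sampleMemberOf = [
  { "@odata.type": "#microsoft.graph.group", id: "11111111-1111-4111-8111-111111111111" },
  { "@odata.type": "#microsoft.graph.directoryRole", id: "22222222-2222-4222-8222-222222222222" },
];
console.log(groupDriveUrls(sampleMemberOf));
```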
Hi guys, I am new to SharePoint. Actually we are using WSS, not MOSS 2007. We don't have a shared service provider installed and no user profile service web service installed. Now I need to populate the Active Directory data to a SharePoint list and after that I have to sync both Active Directory and the SharePoint list, which means the changes that happen to the Active Directory data must be reflected in the SharePoint list also.
What we are doing is extracting Active Directory data to a SQL Server database and populating the SharePoint list from the SQL Server database. I need a solution to populate the SharePoint list from the SQL Server database, and the SharePoint list must synchronize with the SQL Server database table or stored procedure all the time automatically.
Can anyone suggest the best solution to solve both importing the Active Directory data and syncing Active Directory and the SharePoint list?
If any of you can provide sample source code, that will be helpful.
I just want to clarify a bit first. Not sure if you're looking to configure sync for proper user profiles (which mundeep's answer solves nicely) or a generic SP list.
If you're looking to:
AD <-> SharePoint list
It's probably easier to break this problem down into two parts:
AD -> SP list
and:
SP list -> AD
For AD -> SP list
Microsoft provides some guidance on monitoring the AD for changes. Unfortunately, neither of these methods is a specific event message system (if anyone knows of one, please chime in!); both are essentially polling.
I would create a Windows service to handle this part of the solution.
The service would (in pseudo-code):
    look for records that have changed
    for each record that has changed:
        get the matching SP item from the SP list (probably based on username)
        update/add/remove the properties of the SP item
        save the SP item
For SP list -> AD
I would create a custom event handler and attach it to the SP list.
Again in pseudo-code:
    On SP item delete:
        remove the matching AD record (if that's the behaviour you want)
    On SP item create:
        create a new AD record
    On SP item update:
        find the matching record in the AD
        update the changed properties (which are flagged in the SP event handler)
The SP side of things is a little more elegant because events are raised only when something happens. This is definitely more efficient than polling.
What I'm suggesting has the added benefit of removing SQL (explicitly) from the solution. You can use the ADSI interface in the .NET framework to handle the AD update code. It's in the System.DirectoryServices assembly.
The AD polling service could use the SP object model if it's installed on the WSS box or the web services if it's on another system.
Again, if you're just looking to use the actual WSS/SP user profiles, use mundeep's solution.
1) Have you looked into the User Information Lists & User Profiles? Sahil Malik has a very good overview of 'All you ever wanted to know about user profiles'. Keep in mind that because you are using WSS you don't have SSP Admin.
2) If you read the above article you will see he mentions "How can profile information be kept up to date, if in case I am not using MOSS (and have no SSP)?" and his answer is an import/export utility, the codebase of which (or even the utility itself) should give you a good start on what you want to do.
3) Also mentioned in the above article is a good diagram on how user information flows.
In MOSS 2007 you have the ability to set the target audience for each individual web part within a page. Is there a way to preview how the page will look to another user without logging in as that user? What I am looking for is a way for someone with full control/design permissions on a site to be able to preview how the site will be displayed to another user. Any suggestions?
I have a few test accounts that our IS department uses to preview pages; however, we do not allow non-IS departmental staff to use those accounts. Those staff members only have access to their one account. So, if a user changes the target audience on a web part on one of their pages, right now they have no way to preview how the page will look to someone else other than asking someone else to log in & watching over their shoulder. I can't give out the account information for the test accounts, nor can I create new test accounts.
Thanks!
Edit: I have the ability to preview. The problem is that other users with full control of a site can't preview the page. Here's a scenario: In my school division each school has a site. The principal has full control of his school's site. On the landing page, he wants all the school announcements to be visible. However, some should only be visible to teaching staff, while others need to be visible to the students. He uses audience targeting but cannot preview to see at a glance that the targeting is correct. A lot of the users are not computer savvy so things need to be as simple as possible. Also, that was just one scenario; there are other scenarios that are not divided by school. There are many users with full control of a site with different requirements - so it's not feasible to create test accounts for all scenarios.
First, I don't think it is possible to have a preview feature if you are using NT security. Maybe it is something you can do with forms authentication but I never used it.
On that subject, I think when you are developing new features or integrating stuff on a MOSS/WSS server you need a little flexibility.
From what I see you have the following things you can do. It is surely more cost effective than developing a custom solution. I assume you are using NT Security.
User accounts: Ask your domain administrator to have dedicated user accounts to play with.
Virtual Machines: Ask to have some virtual machines to be able to play with that server combined with test accounts.
Sandboxed environment: Ask your IT dept to create a sandboxed MOSS environment to have the possibility to replicate your actual MOSS environment and create custom user scenarios.
Edit: After re-reading the question I realized that you want the users to be able to preview a page. I think you will need to look into writing a preview control that uses Impersonation to load the page. Not sure how feasible this is, but surely someone has created a preview feature. Sounds like a pretty common scenario to me.
Old Answer:
Could you not fire up a non-MS browser such as Firefox, which will prompt for the username and password?
You can then just clear the session cookies to be prompted to log in as someone else.
This is the technique I used for an ASP.Net site that used authentication against the domain in a similar manner to SharePoint.
Alternatively, you can create a control/webpart that hooks into the audiences for the site and displays the audience membership to the user (maybe from the GetMembership call). This does not preview the site, but it will give your editors a heads up on who is in each audience. Something that will help them get the audiences correct.
We have made a similar webpart for security group membership.
I think there are two approaches you can take:
Do make use of test accounts to preview the pages. You can ease the "pain" to log in as another user by making use of the RUNAS command (http://technet.microsoft.com/en-us/library/bb490994.aspx). So it's possible to just create a shortcut on the desktop that opens a browser making use of another account's credentials. Only that browser instance will work with the test account.
Make a copy (or more copies) of the page that you want to preview, store it in a secured site (so it's only accessible for the principal for example), and tweak the Audience Targeting properties of the web parts on that page/pages.
For previewing target audiences only, the only way to do it is to create a target audience that runs based on a property in the SSP User Profile Properties.
You can then have a control that allows the editor to change the value stored in their profile, re-compile the profiles and voila (for some description of voila) the user will have changed their audience targeting values to something else.
This would need quite a bit of coding and some thought put into the rules for the audience targetting.
At the end of the day, the most cost effective way is to push back to your infrastructure guys for an account solution that will allow you to have a "reader" account people can use for this function.