Dynamics CRM 2011 external web site vs ISV in CRM 4 - dynamics-crm-2011

I have to update code made for CRM 4. It consists of custom aspx pages which are in ISV folder.
I created a custom web site and hosted it on the same server where CRM is. It is configured with anonymous authentication and I pass a user id as a query string parameter to set it as CallerId on the proxy. The code builds a hierarchy tree of an entity. Most users have Business Unit level privileges, but some records from other BUs are shared with a team they are a member of.
The problem is that the code runs much slower than when deployed as ISV. What could be the reason for this? When I run the code with crmadmin credentials, it goes faster; even if I run RetrievePrincipalAccessResponse for each product, it runs faster.
Appreciate any suggestion

Related

CRM 2011 and SharePoint Integrations Permissions

I'm developing a document management solution based on the CRM SharePoint integration at the moment. It is really a nice way to take advantage of the SharePoint document capabilities inside CRM 2011.
BUT!:
I see a huge drawback with this attempt, because the SharePoint security model differs from the CRM security model. This way, even if a user has no access to an account entity, for example, it is possible for him to go to the SharePoint site and look at the documents of this entity, because he got permissions on the list for his own account entities.
Why the heck is there no thread about this big security problem? Is there maybe a simple solution to get around this problem?
I hope someone is able to help me.
Best regards,
Gerrit
There exists a commercial out-of-the-box solution solving this problem from Connection Software company (http://connecting-software.com/index.php/en/solutions/products/cb-dynamics-crm-privileges-to-sharepoint-permissions-replicator).
Basically they deploy a tiny plugin into CRM that collects all the events that can possibly require a change of permissions. There is an extra service that processes these events and writes folder-level permissions into SharePoint accordingly.
Eugh. Sharepoint.
In my opinion there is no easy way around this and there are other problems with the way it integrates.
I was on a project where we discussed options around this very issue but was moved on before we came to a conclusion.
My suggestion was to use the Sharepoint Security APIs to assign permissions on SP based on roles/events in CRM. All users start with no permissions in SP.
e.g.
User is assigned as owner in CRM - use plugin to call SP API to give permissions to that specific folder. Previous owner has permissions removed.
Opportunity is created. Use SP security API to give permissions to owner of Opportunity to the folder associated with the opportunity.
And etc etc and so on.
It isn't too pretty and, depending on requirements, could become a particular pain to maintain and test, but I didn't see many other options.
But there are plenty of problems with SP integration. I think I was lucky that I was moved on to another project!
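The event-driven approach suggested in this thread (every user starts with no SharePoint permissions, and CRM events grant or revoke folder access), as an added example that is not code from any of the posters or from a vendor. CRM and SharePoint are modelled as plain in-memory dicts, all names are hypothetical, and the example goes beyond ownership changes to cover team sharing and an audit for users who hold folder access that CRM would not grant.

```python
# Constructed model: CRM and SharePoint are plain dicts here, not real API calls.
class PermissionSync:
    def __init__(self, teams):
        self.teams = {t: set(m) for t, m in teams.items()}  # team -> members
        self.owner = {}    # CRM record -> owning user
        self.shared = {}   # CRM record -> teams the record is shared with
        self.folder = {}   # CRM record -> SharePoint folder path
        self.acl = {}      # SharePoint folder -> users with access (default: nobody)

    def expected(self, record):
        """Users who can see the record in CRM: owner plus members of sharing teams."""
        users = {self.owner[record]}
        for team in self.shared[record]:
            users |= self.teams.get(team, set())
        return users

    def _push(self, record):
        # Replace the folder ACL outright so a previous owner loses access.
        self.acl[self.folder[record]] = self.expected(record)

    def handle(self, event):
        kind = event["type"]
        if kind == "create":
            r = event["record"]
            self.owner[r], self.shared[r] = event["owner"], set()
            self.folder[r] = event["folder"]
            self._push(r)
        elif kind == "assign":
            self.owner[event["record"]] = event["owner"]
            self._push(event["record"])
        elif kind in ("share", "unshare"):
            teams = self.shared[event["record"]]
            (teams.add if kind == "share" else teams.discard)(event["team"])
            self._push(event["record"])
        elif kind == "team_remove":
            self.teams[event["team"]].discard(event["user"])
            for r, teams in self.shared.items():
                if event["team"] in teams:
                    self._push(r)
        else:
            raise ValueError(f"unhandled CRM event: {kind}")

    def drift(self):
        """Folder -> users holding SharePoint access that CRM would not grant."""
        out = {}
        for r, f in self.folder.items():
            extra = self.acl.get(f, set()) - self.expected(r)
            if extra:
                out[f] = extra
        return out
```

Running drift() on a schedule catches grants made directly in SharePoint as well as events the plugin missed.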

Syncing CRM 2011 and SharePoint Security

I have integrated our SharePoint site and our Dynamics CRM 2011 system so that we can upload documents from CRM. But I had a thought that through security in CRM users can only see records relevant to them, but if they just went to the SharePoint site they'll be able to see documents related to any record even if they couldn't see it in CRM.
So I was wondering if it's possible in some way to 'sync' the security from CRM into SharePoint so that users can't see what they're not meant to in either system.
Thanks
It is possible out-of-the-box. There is a commercial CB Replicator solution that solves exactly this problem. It performs complex mapping of the CRM security model into SharePoint groups and folder-level permissions.
Briefly described, it deploys a tiny plugin into CRM that collects all the events that could require a change of permissions. There is a standalone service that gets these events and writes the proper permissions into SharePoint as item-level permissions on the folders referenced by the sharepointdocumentlocation entity.
It supports various actions in CRM that lead to a permissions change, e.g. security roles, business unit hierarchy, privilege depths, team membership, access teams, access team templates, sharing.
Unfortunately this isn't possible out of the box. SharePoint's security model is usually based on AD groups, whilst CRM uses in-app security roles applied per user.
To keep these in sync would require some custom development on the server side, that is if it's possible at all.

Sharepoint: get number of sites in a collection

I'm trying to get the total count of subsites created in a very large Sharepoint collection. Please note, I don't have direct access to the server.
Is there any native sharepoint feature I'm missing that will provide a site count?
Is there a web service that can crawl the collection? (we have Google Analytics)
Are there any other options short of running a powershell script on the server?
Thanks!
I would suggest using the 'Webs' Web Service - you can invoke it by putting /_vti_bin/webs.asmx on the end of your site URL. It has a method GetAllSubWebCollection.
The only gotcha is that you will get filtered results based on the user being used to access the web service. For example, if you have a site collection that has a sub-web created for HR, Business, Management, Sales and IT - but your account only has access to the HR and Sales site - you will only get results back for the HR and Sales sites.
You may also find the SPServices jQuery library helpful as it has wrappers for most of the web services and can make calling them from a client much less painful.
Note: These web services exist for the 2007 and 2010 editions of SharePoint. You didn't mention a specific version but hopefully it is one of these two.

Create AND add user to sharepoint site via code

I'm curious about the best/most efficient way to do this.
I've already set up my SharePoint 2010 site, and it is configured to use FBA. What I'd like to do is allow users to create their own accounts by filling out a form (the form will sit on a public SharePoint site, and filling it out creates a user in the membership database which is used for validation to enter the FBA SharePoint site).
I'm familiar with using the asp CreateWizard tool to build user accounts as part of a .Net web application, but I'm not sure on how to develop this as a webpart for use in a sharepoint site, as a webpart doesn't have the config file to store connection string and membership/role provider info.
Can this user creation form be put in a webpart and deployed to other sites, or is there another/better way to add this functionality to sharepoint (allowing users to register/create their own FBA accounts for access)?
There's not much difference between SharePoint and regular ASP.Net for this.
The membership provider will need to be configured in the SharePoint web.config, including connection strings. However, it does not actually need to be used for login, so you can still create users in that membership provider from a different site.
I use a slightly different approach though - set up an anonymously accessible page in your site (in layouts is probably easiest, though a page within a site may be better for branding) and put controls on that page to create (and log in) a new user. You will need to call EnsureUser and possibly CreateUserProfile to give the new user access to anything, but aside from that it's all standard .net.

Automating Site Collection Creation in SharePoint

UPDATE
I can now perform successful UI impersonation. This was an issue with the code I was using and after viewing Jay Nathan's article I have reverted to his code and all is working great.
In response to a comment this is the code I am using to create a new site collection:
    Dim newSite As SPSite = webApp.Sites.Add( _
        txtWebApp.Text & "/cg/" & strURL, txtName.Text, txtDesc.Text, 1033, "SITEDEF#0", _
        "DOMAIN\ACCOUNT", "NAME", "EMAIL", _
        "DOMAIN\ACCOUNT", "NAME", "EMAIL")
and yes "SITEDEF#0" is a perfectly valid site definition.
Hopefully I have overcome this issue by using an Application Page which is available as an element on the Site Actions menu (to site admins only). Using impersonation I can successfully instigate this process. There are some additional issues which I have highlighted in another question.
ORIGINAL QUESTION
I have a need to allow non farm administrators to be able to create site collections using a very specific site definition. These people will not have access to central admin and so require a custom solution to allow the creation of these. I have tried several solutions, but want some consensus on a recommended approach.
Custom Web Service - I have written a custom web service to perform this task, however this caused major headaches and even though the web service was running in an app pool using the same identity as the SharePoint app pool I could not get this to work. Also had form digest issues in trying to perform this via a web service.
Web Part/Application Page - No form digest issues here as we are in the SharePoint context, however I have tried using RunWithElevatedPrivileges but I still get an access denied when calling SPWebApplication.Sites.Add(), even though all SPSite and SPWeb objects are being instantiated inside the elevated code block. I have tried direct impersonation at the UI level and I get an UnhandledException saying that impersonation has failed.
Application Wrapper Around stsadm - I have not attempted this yet as I am concerned about the viability of this approach, surely there is a cleaner way than this?
Some guidance on this would be useful as I cannot find much out there on this.
Thanks
I'd go with option number 1. It's probably an authorization issue. How are you accessing SharePoint? With the SDK or through its web services?
I'd go for number 2. That code should work, maybe the impersonation code is not correct? You can't use SPContext like you normally would for instance.
Also, you are elevating to the identity of the application pool of your SharePoint site. Does this account have sufficient rights to create Site Collections?
You can check in Central Administration > Application Management > Policy for Web Application.
