We have created some views that show activities assigned either to the current user OR any of the user's teams. The filtering was fairly simple:
Related Activity Parties
- Party equals current user
OR
- Party equals current user's teams
This works great if the user is a member of any team that's not the default. However, if the user is not a member of any team, the view throws an ugly error and doesn't show anything. The error log says "user is not a member of any teams".
I've been playing around with filters, and there seem to be alternative ways to get something similar, but nothing is quite exactly the same. If only there was more flexibility to use the OR and AND groupings.
So, has anyone run into similar issues? I'm thinking about editing the view XML directly, because then I can or/and filters freely and I'd be able to get exactly what I want. However, I'm not sure how well that all works and how would it look if you tried to edit the view in CRM after it was changed directly in XML.
I can confirm for you that this is an issue in CRM 2011 (still an issue as of Rollup 14.) Wish I had an easy solution. Lazy way around it is to create a do-nothing team, with no security role assigned, and just put every user in it. This is a work-around, not a solution, but it will make the issue go away. Not 'elegant' but it works.
The alternative, as you suggest in your post, is writing custom FetchXML for each query you need this on but that defeats much of the benefit of the Advanced Find Query tool and makes long term maintenance and administration more difficult.
Related
We have a (super)user who has been using VBA in an Excel spreadsheet to create and manipulate documents in a Domino database application.
The user has 'Editor' access to the application, and should normally be able to create/edit the document contents.
They have been, however, creating documents using VBA. That logic doesn't consider such important document fields as Readers, Authors, etc. .
We would like to restrict access to all Domino data so that it can only be created/modified using an IBM Notes client.
I have tried looking through the ECL, but that only restricts what 'others' do.
Since he has his Notes client available, the external logic is using his normal Notes credentials.
I have tried setting a hidden field with the Notes client and looking for that in the QuerySave event of the form design.
Unfortunately, the external code pays no attention to the form events and the save is executed despite the missing field.
Similarly, the Database Script has no bearing on the execution of external logic.
I was going to inspect the client version upon database open and restrict activity based on a variance in the version (I was hoping!).
I have de-selected the 'Don't prompt for a password...' option in the user security preferences, but that has no effect at all (suspected as much!).
The ONLY thing I have been able to suggest is to hide the database design... That's really only designed to thwart a user's efforts to understand the underlying design.
It won't prevent them from creating hundreds of thousands of documents with a fictitious form and throwing the app into disarray.
I'm hoping that there is a solution out there that I'm missing.
The user has been instructed not to undertake such activity in the future.
We were lucky that there really wasn't any malicious intent - "Just trying to be more efficient" we're told.
The effects of the activity have been remedied, and the user has been warned.
What I want to know is... how can I prevent this from ever happening again?
The circumstances are rare I know, but I would've thought there'd be a means of restricting the platforms used to manage Notes/Domino data.
Is there a way to ensure no external applications are able to access, create or modify Notes database documents?
I am currently focussing on access to Notes via COM.
I thought that, if I unregistered 'nlsxbe.dll' from the registry, that would prevent such activity - It has not.
I also tried removing the .TLB files from the Notes executable folder - removal of 'notes32.tlb' and 'domobj.tlb' have no effect at all. Removal of 'ltsci3.tlb' screws everything up (as expected!).
I'm really having no luck at all - Any/all suggestions would be most appreciated!
I'm not aware of any way to detect that a connection has been made by standalone code instead of by the Notes client, but you do have two paths available to you:
A Domino server add-in that prevents documents from being saved in that particular database if certain criteria aren't met.
An agent that is triggered to run shortly after documents are saved or modified in that particular database. The agent code can delete (or modify, if you prefer) the documents that don't conform to the required criteria.
The server add-in route would normally require coding in C, but thanks to the Open NTF Trigger Happy project, the hard part is done for you, and the rest can be filled in with either LotusScript or Java agent code that is "triggered" by the pre-written C code. You will need to have some basic knowledge of how the Notes Extension Manager interface works, but once you get past that and write your agent code to enforce your data consistency/integrity requirements, the only real hurdle is your willingness to host open source code on your server.
There may be two other possibilities, but I can't say if either will solve or deal with the issue...
In the ECL you can disable 'COM' access for the user (also known as OLE or ActiveX) automation since VBA access is usually via COM. This has stopped Notes using external COM access for me, but I don't know if also prevents VBA using Notes. Additional steps may be needed to enforce the ECL and apply to the specific users.
There is an (old) notes.ini 'DisableExternalApps' (or something similar) that disables some external access. This can affect many things (DDE/Prompts/#dblookups) but again I don't know if this will disable VBA/COM and its not user specific, but server wide.
I would have thought that removing the nlsxbe.dll or restricting access to execute it might work, but the ECL may be the best bet.
Alternatively, rather than add hidden flags to your design (and the documents), and then delete the offending documents, your agent could apply the correct author/reader fields to the documents instead.
Very tricky. Did you find a better solution?
I have a request of a customer who wants his dashboards to be send weekly/daily to him via E-mail (PDF or IMAGE). I have searched for hours to find a decent solution, but I can’t seem to find one. This should work on “CRM Online” and on “IFD”.
I have found some code that can take a snapshot of a Webpage, but there I have the “Log-In” problems. Each time you execute the page, you see a page with the “MICROSOFT PASSPORT” or “ADFS” sign in box. I tried the “wkhtmltopdf”-method and “WebBrowser”-method and 3rd party tools.
There is also no “JavaScript” or “JQuery” that is able to generate screenshots from the current page. I’ve created a Webresource in CRM 2011 with an iFrame and in that iFrame I’m able to show the “Dashboard”. If I would be able to take a snapshot of that page, I could create an attachment and put in the CRM.
I think I’m on the right way of doing this, but I can’t seem to get over the last difficulties. I hope someone here on the forum already has done something like that. I’m almost sure it must be possible, because a partner of us was able to take a screenshot of the Dashboard and put it in their application. Of course they don’t want to share that piece of code with me.
I don't believe there is a way to possibly implement the functionality requested with out some major "hacks" that would be brittle and most likely break with any type of CRM/Browser update. I would work with the customer and advise them that what they are asking really doesn't make sense from a cost / maintenance standpoint. I'd try to see if they'd be willing to live with these work arounds:
Send a weekly e-mail with a link to CRM. Downside is the user has to be able to have rights to login and see the data, but it would be super easy.
Create custom reports that recreate the dashboard data. You should be able to schedule e-mails for this through SSRS
Good luck!
For the life of me I can't find any documentation on how to See the Work items in the new "my work" feature in 2012. I want this to ultimately be in a SSRS report.
I've looked everywhere in the warehouse as well as sql db. I've also looked for documentation and can't find any. I have also looked at the object model and although I can find traces thereof there isn't nearly enough to let me know where I can find this.
I think this is an excellent dashboard to see what my developers are currently working on, any suggestions as to where I can look?
By default this is meant for your personal work items and not for monitoring all your developers work items. However since it is query based you can modify the query based as per your needs. Click the Open Query under any of the categories in your My Work pane and modify it to whatever suites you.
I am developing a sharepoint 2010 project.
I want to restrict users view on lists based on their identity. (e.g. the branch of organization they work in, but in fact the ristrictions can be more complicated).
What solutions do you recommend?
With out of the box features this is not possible. You can go to great lengths to remove the list's view selectors and other navigational elements that let people cruise around a the schema and metadata for a list but it is not a security mechanism.
If a user has read permissions to an item, they'll have read access to all the fields of that item.
There is an outside chance that it you disabled all RPC mechanisms, SOAP, RESTful web services, Client Object Model and the office clients that you might be able to claim this as a security mechanism. If you don't there will always be a way around your "security" scheme.
This feature can't be implemented by SharePoint by now and I think neither for the next version
You can use a third part tool to achieve it, such as BoostSolutions' Column/View Permission or LightningTools' DeliverPoint
BTW, I work for BoostSolutions and I mentioned our own product because it works for your issue. Hope it helps :)
create sharepoint groups based upon your requirement or diffrent type of user base and accordingly give them rights may be item level or on complete list
and while doing these things just go through the following posts
http://blogs.gartner.com/neil_macdonald/2009/02/25/sharepoint-security-best-practices/
http://weblogs.asp.net/erobillard/archive/2008/09/11/sharepoint-security-hard-limits-and-recommended-practices.aspx
Not 100% sure on SharePoint 2010, but definitley for SharePoint 2007, there is not a way to do this, especially if the views are corresponding to security requirements on the columns users are able to see.
One way to work around this is have the list be not accessible by users, and then have code logic allow for access to the data creating the different "views" on the data in something like a Web Part. The downsides to this is search becomes an issue (since the data is hidden) and having multiple "views" of the data (if necessary) is also another item to work through.
I know its a very old question but posting it as it might help someone.
There is an work around to do it as described here
I find it easier, if possible, to create the view and lock it with the filters on the list settings page.
For example, I have a list of employees that includes their employee IDs. I use that list on other pages to gather data in other webparts. So I filter the employee list to [ME]. So the data is available to the page needing it to filter others and they cannot see anything else.
Now, what about the person who needs to manage that page? I create a view, call it HR. That view can see everything. Then I export that webpart with that list view on it through the designer. I then delete the HR view from the employee list.
This leaves no way for anyone to switch views and see everything again. I create a webpart page for the person who manages it, and I upload that webpart and set the view of the webpart to HR. In the end, I have a page that I lock down instead of trying to lock down views or list permissions separately.
Would you be able to have two lists that are joined. One that all users have access to and another that only certain people have access to, and then join them? Then maybe the people that don't have access to the other table it doesn't pull the information? Not sure, but I'll try that out later today.
I have a custom action in a workflow and would like to report an error to the user when something goes wrong. What's the best way of doing that?
UPD: Ideally I would like to put the workflow in the error state and log a message to the workflow log. That doesn't seem possible. What's the closest I can get to it? I want to a reusable solution,something that's easy for users to set up when using my custom action in SharePoint Designer.
Added more details to the question.
#mauro that takes care of storing the error, but how do I display the error to the user in a way which makes sense?
#AdamSane That's seems like a rather fragile solution. It's not a matter of setting this up once on a single site. I need something others can add using SPD.
when you throw the error your error handler can then email the user, or better if the list is massive, add the error state to the workflow item - i think this is default functionality though as the error would be mentioned there.
http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-development/fault-handling-in-sharepoint-workflows/
Personally I would log it to either a log file or the event log depending on the issue. I think storing it using a users permissions would be a bad idea, what happens if that user does not have the correct rights? or worse still they get elevated permissions by browsing the list in explorer view?
The log file would be the best way, that way you rely only on the file system being available - you dont have to worry about trapping errors happening whilst connecting to the database etc.
Mauro
Add the error to a hidden list with that users name. Set the visibility on the list (for users) to only read/write their own values. Then use a custom web part or FlexListViewer to view the contents of that list and display it to the user. Once they acknowledge that error, remove it from the list.
If necessary, you can add a different workflow action on that message list, that says pause for 2 days and then email. Whatever, depending on your requirements.
Otherwise you can have a custom db table that you use for pretty much the same thing, this way sharepoint does most of the work for you.
Update This can be packaged up as a feature and deployed to each site as needed. The strengths of this approach (adding a list item to a list, querying, alerting a user, and emailing a user) are all built into the sharepoint itself. In this case you can focus on your custom logic only, while letting sharepoint focus on the implementation details.
If you need the user to take some action as a result of the error (e.g. retrying the workflow) is it possible to create a task for that user with information on the error and the location of the workflow?