Scenario
I have an InfoPath form. the user fills it in the details, and then a manager checks it over for accuracy. The manager then signs off the form to say that they are happy with the details and then the form gets submitted.
This process does not happen every time and its purpose is to validate that the user is performing the job to an adequate standard.
It is this sign off process that I need help on.
I need an easy way to authenticate the Manager. and associate the authentication with the form.
Environment
IIS6, Sharepoint 2007, SQL Server 2005, Infopath 2007, Windows XP.
I have considered using digital certificates but it seems to be overly complex for what I am trying to achieve, however happy to be proven wrong.
The easiest/simplest way would be to activate approval on the forms library and give the manager(s) the Approve permission. This way users can submit forms that remain in a draft state until a manager approves them. Draft forms will be visible only to their author and the managers. The manager that approves a form will appear in the
If you need something more than this simple 2-step process you can activate the out-of-the-box approval workflow on the forms library. With this you can define multiple approval steps to the process, add task notifications to managers etc.
As far as authentication is concerned, SharePoint checks the roles/permissions assigned to users and forms internally so you don't need to do anything more.
Certificates are serious overkill for simple approval. Certificates cryptographically sign the content of a form and guarantee that its content was created by the owner of the certificate. Sharepoint already keeps track of who created and modified a document and can also keep track of document versions, so you don't need certificates unless you have some strange legal requirements.
Related
We have a travel request application. where a user submit a request which should go into 2 stages of approval process before it gets Final Approval.
Now we did the following:-
Create a SharePoint list which contain those fields; Title, Description, StareDate, EndDate, FirstApproval (the requestor direct manager), SecondApproval (the requester regional approval), Statues (system-generated with those options; open, first-approved, second-approved, Final-Approved).
Power Apps, which send emails to the first-approval and the second-approval users , and show-hide the Approved & Reject buttons based on the item status.
Power Automate,to set item-level permissions, so for example when the item needs first-approval only the approval's direct manager can edit the item, while all stakeholders can read-only.
now the process is not 100% secure, as a requestor using API call or using SharePoint built-in forms, can easily create a new request and define its status as Final-Approved. so in other words the requestor can bypass the Power Apps business logic. so how we can secure our process? so if an item has a status = "Final-Approved", then we can 100% sure that it actually went through the 2 approvals users?
One Approach i am thinking of, is as follow:-
To create additional SharePoint list >> which stores the ItemID + ItemStatus.
Grant all users Read-Only on this new list while grant the service account Contribute.
Update this new list from Power automate Only. so for example only if the submitter's direct manager did the approval, to change the status inside the new list to First-Approved, and so on.. Also only if the submitter's regional manager approve the request + there is already an approval from the direct manager to change the status from First-Approved to Second-Approval.. so what ever the status is inside the new lit i can be sure that it has not been hacked, as end-user will have read-only on this new list.. can anyone advice please?
Thanks
I believe this question is not unique to you, many SharePoint developers need to make specific configurations or use some artifices to ensure a certain process developed in SharePoint.
Using exclusive/custom permission control into List and uses the PowerAutomate layer to conntrol List Item permission only to approver will secures some update from Rest API, for example.
If you want to block New Insert items and/or block Update items by PowerApps, you can substitute the instruction into "OnEdit" and/or "OnNew" events using ResetForm(SharePointForm1);; RequestHide();; with this instructions in these events block some user to create or update SharePoint Items.
Into SharePoint list settings, in advanced settings, you can disable attachments, disable comments in list item, disable search, disable quick edit, disable launch form in dialog.
I think that's all.
My SharePoint Environment is SharePoint 2019 On Premise
Is it possible to show alert message on the page or popup window, when user SHARE the document on the Document Library.
When we Share the document, whether or not we could modify the mail alert template/ Content.
Thanks
By 'share', I assume you mean you want to show a message anytime someone edits the permissions of a document. (Since technically, I could 'share' a document by emailing someone the link to it.)
To my knowledge, the only way to achieve this would be to build a custom-code (SPFx) solution which uses API's to interact with the document's permissions granted via app-only access. And block users' ability to access those documents in the traditional way through SharePoint. This would give you full control over the UI, and prevent users from granting access (sharing) elsewhere.
Another option you might investigate is Azure Rights Management. Sensitivity labels applied to documents/libraries can be configured to automatically display headers, footers, watermarks, and even encryption when they are accessed. Exchange can also be configured to display a 'tip', when it detects users are trying to email a sensitive document. Full disclosure: I have only worked with these features in SharePoint online and I'm not certain of their capability in an on-premise environment.
I have a scenario where I want a user when viewing a list item to be presented with a custom action to create a site. This is pretty similar to the scenario provided in the MOSS 2007 SharePoint Guidance. What makes it different is that I want the site created with the url and name taken from the list item, and then a web propertybag value set. The only user task after the site is created is for the site collection administrator to add some specific user rights to it.
I can do everything apart from prompting the user to set the site rights via the object model so should I use a workflow or just code it straight?
The benefits of a workflow would be the ability to track the task and whether it has been completed or needs escalation etc.
The answer to this question is going to be found from your own staff on how they want to manage the tasks. An email notification may suite them better. Check with them on whether the benefits of a workflow are going to be worth the development cost.
The security guy ask me to make a step where the approver need to re-authenticate when he approve the list item. All of the other part of the workflow is done except this one. The best solution would be to use the built in log-in of Sharepoint, but I don't know how to do that.
I want to point out that I'm doing this workflow with visual studio 2008 and deploy to WSS 3.0.
Thanks for the help.
Havent done this myself, but a quick googling around led to these:
Credential Management with the .NET
Framework 2.0
How to show authentication dialog in
C# .Net 3.5 SP1
Maybe those topics can lead you to the right path.
You should clarify what you need, as what you request is how Sharepoint already works.
In order for the approver to approve an item he has to log-in to Sharepoint, using the built-in mechanisms. If you are using windows authentication (the default) instead of FBA, the user is logged in automatically using his Windows credentials. So there is no need (or point) for the user to re-authenticate - Sharepoint already knows who he is.
The only case where there might be an issue is when both requestor and approver have to use the same computer. Unless the requestor also has approval right, he will not be able to approve the request.
Are you perhaps concerned that a user with approval right may try to approve his own request? In this case you can prevent him from doing so by granting him read-only right to his request, ie removing the update right.
In Moss 2007 you have the ability to set the target audience for each individual web part within a page. Is there a way to preview how the page will look to another user without logging in as that user? What I am looking for is a way for someone with full control/design permissions on a site to be able to preview how the site will be displayed to another user. Any suggestions?
I have a few test accounts that our IS department uses to preview pages, however we do not allow non-IS departamental staff to use those accounts. Those staff members only have access to their one account. So, if a user makes changes the target audience on a web part on one of their pages, right now they have no way to preview how the page will look to someone else other than asking someone else to login & watching over their shoulder. I can't give out the account information for the test accounts, nor can I create new test accounts.
Thanks!
Edit: I have the ability to preview. The problem is that other users with full control of a site can't preview the page. Here's a scenarios: In my school division each school has a site. The principal has full control of his school's site. On the landing page, he wants all the school announcements to be visible. However, some should only be visible to teaching staff, while others need to be visible to the students. He uses audience targetting but cannot preview to see at a glance that the targetting is correct. A lot of the users are not computer savy so things need to be as simple as possible. Also, that was just one scenario, there are other scenarios that are not divided by school. There are many users with full control of a site with different requirements - so it's not feasible to create test accounts for all scenarios.
First I don't think it is possible to have a preview feature if you are using NT security. Maybe it is something you can do with forms authentication but I never used it.
On that subject. I think when you are developing new features or integrating stuff on a MOSS/WSS server you need a little flexibility.
With what I see you have to following things you can do. It is surely more cost effective than developing a custom solution. I assume you are using NT Security.
User accounts : Ask your domain administrator to have dedicated user accounts to play with.
Virtual Machines : Ask to have some virual machines to be able to play with that server combined with tests accounts
Sandboxed environment : Ask your IT dept to create a sandboxed MOSS environment to have to possibility to replicate your actual MOSS environment and create custom user scenarios.
Edit: After re-reading the question I released that you want the users to be able to preview a page. I think you will need to look into writing a preview control that uses Impersonation to load the page. Not sure how feasible this is, but surely someone has created a preview feature. Sounds like a pretty common scenario to me.
Old Answer:
Could you not fire up a non MS browser such as Firefox, which will prompt for the username and password.
You can then just clear the session cookies to be prompted to log in as someone else.
This is the technique I used for an ASP.Net site that used authentication against the domain in a similar manner to SharePoint.
Alternatively, you can create a control/webpart that hooks into the audiences for the site and displays the audience membership to the user (maybe from the GetMembership call). This does not preview the site, but it will give your editors a heads up on who is in each audience. Something that will help them get the audiences correct.
We have made a similar webpart for security group membership.
I think there are two approaches you can take:
Do make use of test accounts to preview the pages. You can ease the "pain" to log in as another user by making use of the RUNAS command (http://technet.microsoft.com/en-us/library/bb490994.aspx). So it's possible to just create a shortcut on the desktop that opens a browser making use of another account's credentials. Only that browser instance will work with the test account.
Make a copy (or more copies) of the page that you want to preview, store it in a secured site (so it's only accessible for the principal for example), and tweak the Audience Targetting properties of the web parts on that page/pages.
For previewing target audiences only, the only way to do it is to create a target audience that runs based on a properties in the SSP User Profile Properties.
You can then have a control that allows the editor to change the value stored thier profile, re-compile the profiles and voila (for some description of voila) the user will have change thier audience targetting values to something else.
This would need quite a bit of coding and some thought put into the rules for the audience targetting.
At the end of the day, the most cost effective way is to push back to your infrastructure guys for an account solution that will allow you to have an "reader" account people can use for this function.