Sharepoint Item Level Access & performance - sharepoint

I have created a workflow activity that gives the item creator of a specific list full control on the item and sets everyone else to read-only access (permission).
Someone told me that doing it this way (if I have a lot of users), the performance will go down dramatically.
Is that correct?
If yes, what is the best solution to create a list where anyone can create new items, but after the item is created only the creator can edit it and the rest of the users can only read it?

The accepted answer is not actually answering the question correctly...
You should not use a workflow to do this. If you want people to be able to edit items they create and only read ones they did not, use "List->Settings->Advanced Settings->Item-level Permissions". This is available for document libraries (since they inherit from SPList); it just does not show up in their "Advanced Settings" in the UI. You can set the ReadSecurity property to 1 and the WriteSecurity property to 2 on the Document Library.
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.splist.writesecurity.aspx

Performance degradation will happen when you use large ACLs for each list item. Just make sure that item-level permissions basically have the minimum entries. For example:
The user that has permissions to edit that item
A single security group that contains all the users with only Reader permissions.
So, can SharePoint offer these default permissions OOB? Not that I'm aware of. The only option that I can think of is using workflows that set these permissions dynamically when the document is uploaded.
If you want to avoid performance degradation just make sure that you never display (or iterate using the object model) more than 2000 of those items in a Fine Grained Permissions list. THAT would definitely cause major performance issues.

Yes, you might solve this with workflows but that might be a bit clumsy and it might slow your server.
The better option is to use List Settings > Advanced Settings > Item-level Permissions.
This feature is not available for Document and Form Libraries.

It is true that a list that contains a large number of items with custom permissions applied will slow down your server. This is documented in the official Microsoft paper Plan for software boundaries.
The recommended/magic number is 2000. Going further won't break anything, but it could be that you will run into performance issues.
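
An added example (not from the original answers or from Microsoft's documentation) of the two approaches the answers above describe: the list-wide ReadSecurity/WriteSecurity setting, and a per-item ACL kept to two entries. It assumes the SharePoint server object model (Microsoft.SharePoint.dll) on a farm server; the class name, method names and the `readers` group parameter are hypothetical.

```csharp
using System;
using Microsoft.SharePoint;   // server object model; assumed to run on a farm server

public static class ItemLevelAccess   // hypothetical helper class
{
    // Approach 1: list-wide setting. No per-item ACLs are created,
    // so the fine-grained-permissions performance concern does not apply.
    public static void UseListLevelSetting(SPList list)
    {
        list.ReadSecurity = 1;    // all users can read all items
        list.WriteSecurity = 2;   // users can edit only the items they created
        list.Update();
    }

    // Approach 2: unique permissions on one item, limited to two ACL entries:
    // the creator (edit) and a single group holding every reader.
    public static void RestrictToCreator(SPListItem item, SPGroup readers)
    {
        SPWeb web = item.ParentList.ParentWeb;

        // The "Created By" field is stored as "id;#name"; resolve it to a user.
        var authorValue = new SPFieldUserValue(
            web, Convert.ToString(item[SPBuiltInFieldId.Author]));
        SPUser author = authorValue.User;
        if (author == null)
            throw new InvalidOperationException("Item creator could not be resolved.");

        if (!item.HasUniqueRoleAssignments)
            item.BreakRoleInheritance(false);   // false: do not copy the parent's entries

        AddAssignment(item, author, web.RoleDefinitions.GetByType(SPRoleType.Contributor));
        AddAssignment(item, readers, web.RoleDefinitions.GetByType(SPRoleType.Reader));
    }

    private static void AddAssignment(SPListItem item, SPPrincipal principal,
                                      SPRoleDefinition role)
    {
        var assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }
}
```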

Related

Sharepoint permissions at document level? Probably a stupid question

Disclaimer: Please forgive me if this is a silly thing to ask but I work in a small company and our SharePoint build was outsourced and not done very well, and I'm the closest thing we have to an admin, and I'm just trying to understand what is/isn't possible when it comes to controlling access to our SharePoint content so we can have a clear idea of what we want to do when the time comes to rebuild.
So, my question: we have a set of documents that are stored in a series of libraries. We have several different types of users, who are bound by different levels of contract/NDA.
Some users need access to all our documentation, some need access to most of our documentation and some need access to only some of it.
At the moment, we have them divided into 3 separate user groups, who each have access to only their own library, and we populate each with all of the documents that each group needs access to, which means that a large sub-set of the documents are duplicated across multiple libraries.
EG: user group 1 has access to folder 1 only. User group 2 has access to folder 2 only, etc etc.
This is problematic as we end up with version control issues as people may update a doc in one location and forget that it is also in one or more of the others.
What I would like is to find a way to maintain only 1 set of documents and be able to control who has access to it at the document level.
Now, I can see how it could be managed by splitting the documents up into separate folders by access level, and it would look something like below:
However, this just doesn't make any sense in terms of our actual content; it's not that user group 1 needs all the legal content and user group 2 needs all the commercial content, and UG3 needs technical. It's that UG1 needs all the legal, commercial and technical content, UG2 needs most of the above, and UG3 is only allowed access to a smaller amount of high level documentation on each.
In real life, it looks something more like this:
So ideally, I'd like a solution for permissions that looks something like this:
In my head, this involves creating permission levels and applying them to the individual documents, for eg: Document #123 can be accessed by permission level Y, which means user groups 1 & 2 can access it, but not user group 3.
Is this even something that is possible to do? Does it make sense? If I'm way off base, I'd love any suggestions on how else we could/should manage this.
NB: I'm not asking for anyone to tell me the detail of how to achieve this, as that's well beyond my capability and we'd definitely be outsourcing the doing, I'm more just looking to understand what it is we should be getting done when we do get it done, so we don't end up with a substandard solution again.
Huge thanks in advance!
L
Based on your description, I understand that you want to set unique permissions for documents. And you don’t want to put a document in different places to cause a version error.
In my opinion, you first divide users into three separated user groups. Then set unique permissions for individual documents. For example, document1 can be accessed by group1, document2 can be accessed by group1 and group2, etc. Using folders to classify documents cannot meet your requirement.
Update:
1. Select the file -> Manage access -> Advanced.
2. Stop Inheriting Permissions -> Remove permissions of users you do not want, grant permissions for users you want.

Track changes to InventoryCD for Stock Items

I'm creating a contract API solution to keep items in sync between multiple tenants. Is there any way to track the changes to InventoryCD? In this case one Franchiser would like to update items in their 6 franchisees. It's easy for me to find the records that changed, but harder to know when the CD has changed (importantly what it changed FROM). Certainly I could write customization to do it, but I thought maybe Acumatica has some option inbuilt.
Ideally I'd like to have a log of the changes with old and new CD. It's hosted so I don't think I can make it happen with DB Triggers (which is how pre-Acumatica me would have handled it).
Thanks in advance.
It depends on the Acumatica version. But have you tried looking at Business Events? I believe there is the ability to access the old and previous values.
Also look at Acumatica's Audit history capabilities but be careful to only turn on the fields you need to track as the DB can grow very large if you turn on all fields on the Stock Item screen or for any screen.

How can I fix a SharePoint workflow returning "Error Occurred" due to being unable to update an item?

We recently migrated from MOSS 2007 to SP 2010 platform. We have this heavily-used SharePoint Designer workflow (500 and more instances per day) that uses InfoPath to submit data. It is basically a serial Approval workflow involving many approval levels. Post-migration almost 90% of our workflow runs end in "Error Occurred" state with the following description of the error:
The workflow could not update the item, possibly because one or more columns for the item require a different type of information.
There is no set pattern for the workflows that result in an error and restarting the workflow always resolves the issue.
We have matched all columns/content type and there is no difference in MOSS 2007 and the new forms library
Permission levels of Users are not changed
A lot of sites mention introducing a pause in the workflow before the update event, but I am skeptical in doing it. What could be the possible cause/solution to it? We cannot identify anything that is common or direct us to the root cause among these 90% failing workflows. Some of the workflow instance also result in an error:
the workflow could not update the item as it was checked out to another user.
I've had the same issue in the past and the 1 minute delay resolved it. In my experience, the inconsistencies in terms of which items fail and which don't, had us looking down the path of a lock issue. It didn't make any sense otherwise. If we took one specific item in the list and tested against it, sometimes the workflow would run successfully and other times it would fail. Depending on the hardware we used, we'd get entirely different results with the same configuration.
Others with a similar issue report locking as the issue. http://social.technet.microsoft.com/Forums/en-US/sharepoint2010customization/thread/fc4e1073-d67f-449a-b443-e5805f5358c7
"It appeared to me that maybe it was a locking/timing issue....it appeared the workflow kicked off and tried updating fields in the doc library item before the locks were released on the InfoPath form that created the item!"
When you did the migration, was new hardware involved? Also factor in that SharePoint 2010 requires more power than 2007 ever did.
The problem seems to be in fact related to an attempt to change the locked field. If you don't want to introduce a 1 minute delay to your workflow before changing previously updated fields in your workflow (that should always work..) you may want to add a Wait for Field Change in Current item action between updates of the same field. In some circumstances that is possible and worked quite well in my case.
There may be many causes for the issue; for me it was related to user permissions:
The workflow was creating an item in another list on behalf of the user and he had only read permissions on that list; by giving contribute permissions on another list it worked.
Before assuming a locking/timing issue, ensure that your workflow isn't updating to the incorrect column type. In our case, we were trying to update a Person or Group field with invalid data.
If it is happening randomly, probably pretty safe to rule out permissions issue. I think I was able to solve my issue, and based on my testing - so far so good.
http://www.eveningblog.com/archive/sharepoint-2010-error-the-workflow-could-not-update-the-item/

best practice for permission implementation in a system?

I have an application which contains different kinds of permissions. As mentioned in (Role Based Security) RBC, I grouped users into roles and assigned different permissions to roles (and permissions are in this style):
    public enum Permission
    {
        View = 1,
        Create = 2,
        Edit = 4,
        Delete = 8,
        Print = 16
    }
Everything is OK in simple systems, but when the system becomes a little complex, specific permissions come to the system such as:
View Just His Issued Invoices
View All Invoices
Edit Just His Issued Invoices
Edit All Invoices
Create Sale Invoice
Create Purchase Invoice
Create Proforma
Create Sale Report On His Own Invoices
Create Daily Sale Report
Create Monthly Sale Report
-....
As you see, different kinds of permissions arise in the system (it can grow to about 200 different permissions). So the problems are:
I cannot put them all in one enum. Then the binary pattern (1, 2, 4, 8, ...) cannot be used, because in its best case (int64) it supports up to 64 different permissions.
A big enum (with about 200 items) is not so good in coding.
What are your ideas in this case?
Thanks in advance :-)
I'm not sure why you feel that you need to try to shove all the permissions into a single flags (or so I'm inferring from the values) enum. Permission requests and grants can be represented using lists as opposed to a single ORed value. If you use a list approach, you become free to create whatever permission representation you like. For example, you could use a non-flags enum or even multiple enums to represent your permissions.
It sounds like you need a level of indirection...
For example, you need a category (represented by an object, say) that represents "His Issued Invoices". You need a way to grant a role any of your basic permissions on that object. You need a way to test whether something is a member of that category.
Suppose "Jane" tries to view an invoice. Then you just need to check: Does Jane have a role which has View access to some category of which this invoice is a member?
This check might be slow, since you have to check all of Jane's roles against all of the invoice's categories. But presumably you can cache the result... Or you can use a "capability based" approach, where Jane asks the security manager for a handle (pointer) to the invoice with View access. The security manager does the check and hands Jane the handle, after which she can use that handle to do whatever Viewing operations the handle supports with no additional security checks.
I agree with Nicole it does seem like you are performing what may have seemed like a good optimization but you are encountering issues with scale.
Many RBC systems deal with a large number of permissions, which is one reason roles exist - regular users need only know what role they are in - leave it to the developers to figure the role-permission mapping out. Larger systems might provide a GUI for superusers to do the role-permission mapping, or even create permissions, but only to provide the power user ultimate flexibility.
However, because of J2EE, at the code level it all boils down to checking 'roles' programmatically. That tends to confuse things when what you actually want to test for is the permission to perform an operation. Just keep that semantic gap in mind.
In terms of optimization, consider not the method of assignment of permissions, but when and how you perform the check. In a web application, you may only need to check when the call from the front-end comes in, and perhaps network latency will dwarf any optimizations you perform here.
If you decide you do still want to optimize, you'll probably find simply caching the permissions at login is enough. The actual search for a permission will be all in memory, so will be tiny after the initial load from the database.
To avoid the combinatorial explosion of permissions, establish some strong logic up front - write it down - and make sure you're covering all your bases. If you see the need for new dynamic permissions to be created, such as when new entities are added in to your system, then watch out - this is better done in a mediator or manager pattern that can check your business rules before handing out the protected entity. Here you are stepping into the realm of libraries like Drools which serve to expose business logic from your application so that it can be updated based on changing business requirements.
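
An added example, not code from any of the posters above, of the approach the answers describe: grants held as a set instead of a flags enum, an own/all scope for the "his issued invoices" cases, and effective permissions cached at login. All type, role and user names are made up for illustration; it assumes C# 7 or later for tuples.

```csharp
using System;
using System.Collections.Generic;

public enum Act { View, Create, Edit, Delete, Print }
public enum Scope { Own, All }   // "just his issued invoices" vs "all invoices"

public sealed class Invoice
{
    public int Id;
    public string IssuedBy;
}

public sealed class Authorizer
{
    // role -> grants; a grant is (action, resource kind, scope), so there is no 64-bit limit
    private readonly Dictionary<string, HashSet<(Act, string, Scope)>> _roleGrants =
        new Dictionary<string, HashSet<(Act, string, Scope)>>();
    // user -> union of the grants of all their roles, computed once at login
    private readonly Dictionary<string, HashSet<(Act, string, Scope)>> _effective =
        new Dictionary<string, HashSet<(Act, string, Scope)>>();

    public void Grant(string role, Act act, string resource, Scope scope)
    {
        if (!_roleGrants.TryGetValue(role, out var grants))
            _roleGrants[role] = grants = new HashSet<(Act, string, Scope)>();
        grants.Add((act, resource, scope));
    }

    public void Login(string user, IEnumerable<string> roles)
    {
        var merged = new HashSet<(Act, string, Scope)>();
        foreach (var role in roles)
            if (_roleGrants.TryGetValue(role, out var grants))
                merged.UnionWith(grants);
        _effective[user] = merged;
    }

    public void Logout(string user) => _effective.Remove(user);

    public bool Can(string user, Act act, Invoice invoice)
    {
        // Deny by default: unknown users and missing grants both fail the check.
        if (!_effective.TryGetValue(user, out var grants)) return false;
        if (grants.Contains((act, "Invoice", Scope.All))) return true;
        return invoice.IssuedBy == user && grants.Contains((act, "Invoice", Scope.Own));
    }
}

public static class Demo
{
    public static void Main()
    {
        var authz = new Authorizer();
        authz.Grant("Clerk", Act.View, "Invoice", Scope.Own);
        authz.Grant("Clerk", Act.Edit, "Invoice", Scope.Own);
        authz.Grant("Auditor", Act.View, "Invoice", Scope.All);

        authz.Login("jane", new[] { "Clerk" });
        authz.Login("omar", new[] { "Clerk", "Auditor" });

        var janes = new Invoice { Id = 1, IssuedBy = "jane" };
        Console.WriteLine(authz.Can("jane", Act.View, janes));   // own invoice, Own grant
        Console.WriteLine(authz.Can("omar", Act.View, janes));   // not his, but he holds View/All
        Console.WriteLine(authz.Can("omar", Act.Edit, janes));   // his Edit grant is Own-only
        Console.WriteLine(authz.Can("jane", Act.Delete, janes)); // Delete was never granted
    }
}
```

Grants cached at login go stale when a role's permissions change, so call Login again (or Logout) for the affected users after such a change.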

SharePoint interview questions [closed]

Closed 11 years ago.
Let's have a list of some good interview questions for SharePoint developers. Please provide one question per entry, and if possible, the answers.
Also, please feel free to suggest corrections if the provided answers are wrong.
I will go first:
Q: How does SharePoint store pages?
A: How-to-locate-sharepoint-document-library-source-page-on-the-server?
Q. When running with SPSecurity.RunWithElevatedPrivileges (web context) what credentials are being used?
A. The App Pool Identity for the web application running SharePoint.
Q. When modifying a list item, what is the "main" difference between using SPListItem.Update() and SPListItem.SystemUpdate()?
A. Using SystemUpdate() will not create a new version and will also retain timestamps.
Q: When should you dispose SPWeb and SPSite objects? And even more important, when not?
A: You should always dispose them if you created them yourself, but not otherwise. You should never dispose SPContext.Current.Web/Site and you should normally not dispose SPWeb if IsRootWeb is true. More tricky constructs are things along the line of SPList.ParentWeb.
Bonus Points if the candidate knows Roger Lambs Blog Post.
Q: What is the difference between System.Web.UI.WebControls.WebParts.WebPart and Microsoft.SharePoint.WebPartPages.WebPart?
A: Microsoft.SharePoint.WebPartPages.WebPart is provided in MOSS 2007 to provide backwards compatibility with MOSS 2003 webparts. In MOSS 2007, it is recommended to use System.Web.UI.WebControls.WebParts.WebPart instead.
Sometimes I like to ask more open ended questions to get the prospect talking.
If I want to find out technical depth
Q: What bugs have you found in SharePoint? then Q: And what did you do to work around them?
Q: What is the performance impact of RunWithElevatedPrivileges?
A: RunWithElevatedPrivileges creates a new thread with the App Pool's credentials, blocking your current thread until it finishes.
[via rexm]
Q. If you have an ItemUpdated or ItemUpdating event receiver and it causes an update to the item, how do you prevent another ItemUpdated and ItemUpdating event from being fired during your update?
A. Before performing your update, call DisableEventFiring(). After update, call EnableEventFiring().
Q. What is a site collection, why would you create a new site collection as opposed to a site?
A. Bit of a long answer, but they should know about site collection administration, quotas, separation of assets, security model etc.
Dave Wollerman has a good article on some of the whys and wherefores.
Q: Describe the difference between a list and a library.
A: Lists are collections of metadata or columns, that can have attached documents. Libraries are collections of documents (Excel, InfoPath, Word, etc.) plus optional metadata.
Edited per ktrauberman's feedback.
Q: (i) Describe the purpose of a content type and;
(ii) give an example of where they might be used.
A: (i) A content type groups a set of list columns together so that they can be reused in the same way across sites.
(ii) They could be used as a set of metadata columns that need to be applied to every document in a site collection.
Q: Explain how SharePoint renders its content.
A: Beyond scope here, but you can find some good information here: http://g-m-a-c.blogspot.com/2008/04/how-sharepoint-2007-renders-its-content.html
The applicant should at least get around the SharePoint's template rendering mechanism, and what's in the 12/TEMPLATE/CONTROLTEMPLATES/ and what it's used for with emphasis on DefaultTemplates.ascx. This is absolutely essential knowledge if you wish to do any kind of SharePoint customization.
Q: Name at least two shared services available in MOSS 2007
A: Shared Services Providers in MOSS 2007 can provide the following shared services:
User Profiles
Audiences
Personal Sites
Search
Excel Services
Forms Services
Business Data Catalog (Requires Enterprise Edition)
Q. What is the difference between MOSS & WSS
A. MOSS uses the Shared Service Provider for search, profile import, etc... (see the answers posted by Lars Fastrup for a more complete list)
Q: How would you programmatically retrieve a list item?
A: SPQuery and SPSiteDataQuery. Bonus points for knowledge of CrossListQueryCache, PortalSiteMapProvider. Negative points for use of foreach.
Good ones. here are some really useful ones.
http://megasolutions.net/qs/Sharepoint_Portal_Interview_Questions.aspx
Q: Why would you use a custom column?
A: It allows you to re-use the column in multiple libraries. Particularly useful if you use a Choice type to restrict the user input to a predefined set of answers, and when that list of answers will likely change.
Q. What base classes do event receivers inherit from?
A:
SPListEventReceiver, SPItemEventReceiver, and SPWebEventReceiver inherit from the abstract base class SPEventReceiverBase.
SPWorkflowLibraryEventReceiver inherits from SPItemEventReceiver.
SPEmailEventReceiver inherits directly from System.Object.
Also see a collection of SharePoint Questions on: http://qmoss.blogspot.com/
Q: What are the built in ways to backup a SharePoint install?
A: Through the central administration and the stsadm command
Q: (more advanced) You've created and deployed a Web Part, when you deploy to the server you get a page saying your Web Part couldn't be loaded, click here to go to the Web Part maintenance page, etc. to disable the web part. What step(s) should you take to get a stack dump from your web part instead of that error page?
A: Go to the web.config file for your website and find the CallStack Attribute in the SafeControls element and set the value to true.
Describe your experiences in applying custom branding to SharePoint 2007. What are some pitfalls to avoid? How do you deploy your custom branding to the farm?
When/why should you/shouldn't you make direct changes or additions to the files in the 12 hive?
Q. How would you create a Master/Detail page?
A. Creating a Content type inheriting from Folder Content Type for the master, and another Content type inheriting from Item and using them both on a List
Describe the Business Data Catalog (BDC), and provide at least one tangible application for it.
Q: What is a way of elevating SharePoint privileges without using RunWithElevatedPrivileges?
A: Pass the System Account User Token from the SPContext to the SPSite constructor.
A majority of times a developer can accomplish what they need using this method without needlessly elevating network credentials.
I would rather ask some open ended questions like
Tell me something which you consider as an error that Microsoft has made in SharePoint?
Possible answers are...
For lookup columns you need to know the lookup field GUID in advance and you can’t easily provision a lookup field as a feature.
MOSS does not have site level events such as an event for creating of lists.
SharePoint Designer is crap and adds unwanted stuff which increases the page size.
Lack of user group based trimming control as only permission based trimming is available by default (of course you can create a custom security trimmer that does this)
Q. What are the data types which are supported as Lookup column in SharePoint.
A. Only Single Line of Text and Calculated columns are supported as lookup columns.
Also I have consolidated some more questions on: http://qmoss.blogspot.com/
