Paid access subscription to a website - c#

We have a SharePoint site and we now want to only allow users that have registered and paid to have access to the site by yearly subscription.
We would like to automate the process of managing the subscriptions and creating the users as much as possible.
I understand we will not get a turnkey solution. However, does the SO Community have any ideas on how we could do this? We will be using forms authentication.

A bit more info would be welcome, but I'll give it a try.
I assume you are running with FormsBasedAuthentication? If so, you would need to write the logic that creates the user in the database. The existing ASP.NET Membership Provider should meet all your needs. After that, you would need to add the newly created user to the appropriate SharePoint groups (this can also be done using the SharePoint object model).
The first step though would be to create your "become a member" page and make that accessible anonymously. Add a webpart / control to that page that handles the payment and then, when successful, creates the ASP.NET Membership Provider user. Then adds that user to the appropriate SP groups. The easiest way to restrict access would be to create a subsite of the main welcome site (root of the site collection), which has its own rights and groups. Make the root site accessible for anyone, allow access to the subsite for paying users only.
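The flow described in this answer, as an added example that is not part of the original answer: create the membership user once payment is confirmed, add it to the group that guards the subsite, and reverse both steps when the yearly subscription lapses. The subsite name, group name, the `provider:username` login format (SharePoint 2007 FBA) and a provider configured with `requiresQuestionAndAnswer="false"` are assumptions.

```csharp
using System;
using System.Web.Security;
using Microsoft.SharePoint;

// Added example. Assumed names: subsite "members", group "Paid Subscribers".
public static class SubscriptionAccess
{
    const string Subsite = "members";             // assumption: subsite open to payers only
    const string PaidGroup = "Paid Subscribers";  // assumption: group with rights on that subsite

    // Call only after the payment provider has confirmed the charge server-side.
    public static void Grant(string siteUrl, string userName, string password, string email)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        if (status != MembershipCreateStatus.Success)
            throw new InvalidOperationException("Membership user not created: " + status);
        SetGroupMembership(siteUrl, userName, true);
    }

    // Call from whatever job tracks the yearly expiry date.
    public static void Revoke(string siteUrl, string userName)
    {
        SetGroupMembership(siteUrl, userName, false);
        MembershipUser user = Membership.GetUser(userName);
        if (user == null) return;
        user.IsApproved = false;      // blocks forms login until renewal
        Membership.UpdateUser(user);
    }

    static void SetGroupMembership(string siteUrl, string userName, bool member)
    {
        // Assumption: SharePoint 2007 FBA login names are "provider:username".
        string login = Membership.Provider.Name + ":" + userName;
        // The anonymous sign-up page has no rights to edit groups, so elevate.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteUrl))
            using (SPWeb web = site.OpenWeb(Subsite))
            {
                web.AllowUnsafeUpdates = true;
                SPUser spUser = web.EnsureUser(login);
                SPGroup group = web.SiteGroups[PaidGroup];
                if (member) group.AddUser(spUser); else group.RemoveUser(spUser);
            }
        });
    }
}
```

Because `Grant` runs elevated from an anonymously reachable page, the payment confirmation it depends on has to come from the server-side payment response, never from a value the browser posts back.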

The CodePlex project SharePoint 2007 List Membership Provider allows you to maintain your users in a SharePoint list.

Related

ASP.NET MVC using Azure AD authentication -- how to allow users to administer group/role assignments?

I'm developing an ASP.NET MVC application and using Azure AD for single sign on. I'm at a point where I'm looking at how to handle user roles for authorization. I understand that I can create roles or groups from inside the Azure portal, but everything I've read seems to suggest that the only way to add or remove people to those groups or roles is from within the portal. But we don't want to be in a situation where our developer group is handling role/permission assignments for this application's users.
What I really want is some sort of interface within the application where an Admin can select an AD user, select one (or more) of the application's roles, and add the user into those roles.
Is there a way to pull a list of available application roles from Azure AD, then send back which of those roles should get attached to a user? Most of the documentation I've seen seems to assume that you have a pre-defined list of users that you manage through the portal.
Should I be using separate tables in ASP.NET Identity? I had hoped Azure AD integration would allow me to skip having a database user store.
Take a look at https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims . The code and ADAL reference can certainly be updated as it's quite old, but this should serve as a good starting point.

Authenticating against Active Directory Group

I created a website using HTML/CSS to display a SQL reports index. This has worked fine up till now because users needed access to a security group and something inside SQL to view the report and the data fields. We are now getting to the stage where there are too many reports and some have sensitive names so we need to limit access based on Active Directory security groups. Thing is that I have no clue at all how to manage access via AD Groups. I have managed to get basic AD authentication working for another project that I deployed for the company, but that didn't require access beyond Domain Users.
Could anyone please point me in the right direction to authenticate via AD, check a user for groups and then display info based on their access. The last bit should be really easy, the hardest part will be checking group info and then filling a variable that I can then use to create a loop that will display all the reports the user has access to.
I have found a partial answer. The below link is a guide on how to pull all AD groups a user belongs to and then checking to see if they are a member of a certain group. This is largely what I was looking for and if I can meld it into what I want, I think I can use this to do what I need.
http://www.c-sharpcorner.com/UploadFile/scottlysle/test-for-user-group-membership-in-Asp-Net-C-Sharp/
Alternatively, Microsoft Windows Server can also run LDAP, which has an unbelievable number of compatible libraries to code with.
Tutorial linked; it's just another server role/feature you can install (like AD itself):
http://osqa.sjsoft.com/questions/248/how-do-i-install-minimal-active-directoryldap-services-on-windows-server-2008
Also, here is a Q.A.D. SO answer to querying user groups. Are you using a Windows framework like ASP? What's your server technology?
Query From LDAP for User Groups
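The group check this thread asks about, as an added example that is not from any of the posts above: resolve the signed-in user's AD security groups (nested ones included) and return only the reports whose required group the user holds. The report names and group names are constructed sample data, and the code assumes it runs on a domain-joined server under an account allowed to read group membership.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Added example. Report and group names below are constructed sample data.
public static class ReportAccess
{
    // Report name -> AD security group required to see it in the index.
    static readonly Dictionary<string, string> RequiredGroup =
        new Dictionary<string, string>
        {
            { "Sales Summary",   "RPT-Sales" },
            { "Payroll Detail",  "RPT-HR-Restricted" },
            { "Inventory Aging", "RPT-Operations" }
        };

    // accountName: e.g. the Windows-authenticated name of the current request.
    public static List<string> VisibleReports(string accountName)
    {
        var groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, accountName))
        {
            if (user == null)
                return new List<string>();   // unknown user sees nothing

            // GetAuthorizationGroups expands nested security groups.
            foreach (Principal g in user.GetAuthorizationGroups())
                if (g.SamAccountName != null)
                    groups.Add(g.SamAccountName);
        }

        var visible = new List<string>();
        foreach (KeyValuePair<string, string> pair in RequiredGroup)
            if (groups.Contains(pair.Value))
                visible.Add(pair.Key);       // default is deny: no match, no listing
        return visible;
    }
}
```

Filtering the index only hides report names; the permissions on the reports and the SQL data still have to enforce the same groups.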

MVC 3 Membership and Authorization

I am developing an MVC3 application and I have gotten to the point where I need to start securing out different areas of the intranet site to particular users.
The site is being used on the intranet and uses windows authentication for login.
Within the database I have a users table which contains numerous fields that determines the users role. This is maintained in the admin area of the site.
Certain users will have the ability to access the admin area, some users will only have the ability to read certain areas of the site but not contribute, etc etc. There are some complicated business rules.
I am looking for how to secure out different areas. I have read a good few articles around using the authorize attribute on controllers for particular groups, this doesn't seem to be a good fit as I understand it I would have to control what users are in what groups from within the configuration of the application whereas the admin users of the application should be ones controlling this via the application itself.
Any suggestions are welcome.
If you are mainly concerned about managing users, ASP.NET does a great job of this with their built-in Web Application Administration Tool. On the top-right of the Solution Explorer, to the right of the refresh button, is a hammer-and-earth tool that you can click on. It allows you to manage users and roles, and from there you can assign the users to roles. Perhaps your admins can use this.
This tells you how:
http://www.asp.net/mvc/tutorials/mvc-music-store/mvc-music-store-part-7
As far as having to put authorize attributes on the controllers/methods, I don't see any way around that. Let me know if I have misunderstood your question.
Assign users to roles and use AuthorizeAttribute.
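One way to keep `[Authorize]`-style attributes on controllers while the roles themselves live in the application's own users table, as the question describes (added example, not from the answers above). `RolesForUser` is a hypothetical hook that the application would point at its users table; the controller and role name are illustrative.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example. RolesForUser is a hypothetical lookup into the app's users table.
public class DbRoleAuthorizeAttribute : AuthorizeAttribute
{
    // Input: the Windows login name (e.g. DOMAIN\user). Output: role names stored for it.
    public static Func<string, string[]> RolesForUser = login => new string[0];

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;

        // Roles is the comma-separated list given on the attribute.
        string[] required = (Roles ?? "").Split(',')
            .Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
        if (required.Length == 0)
            return true;                     // any authenticated user

        // Looked up per request, so changes made in the admin area apply at once.
        string[] granted = RolesForUser(user.Identity.Name) ?? new string[0];
        return required.Any(r => granted.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

public class AdminController : Controller
{
    [DbRoleAuthorize(Roles = "Admin")]
    public ActionResult Index() { return View(); }
}
```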

How can I access user roles/permissions with SSRS and BIDS Custom Security Extension?

I have written and deployed a custom security extension for SSRS 2008r2 and it works beautifully apart from when trying to deploy reports from within BIDS 2008/Visual Studio.
The architecture for the security extension handles logins via multiple authorities and I manage this by creating a user session in LogonUser(), persisting this in a database and then loading the session in the client proxy class for the RS web service using a UID passed by cookie from the service, then rewriting the authentication ticket to contain the session UID plus user roles for the current user. These values can then be used in the custom authorization extension to manage user permissions on SSRS actions and objects.
The problem I have run into is that it does not work when deploying reports from BIDS. It accesses the service directly and therefore the service proxy class is not required. I have tried handling the post-authentication event on the HTTP context but alas the session cookie is not persisted by the RS service so I cannot access the session values.
So what am I missing? Is there another method for controlling user roles & permissions that does not require hard coding usernames anywhere? Like I said, logins can be made using multiple authorities so managing permissions via just a username is not possible (and the thought of it makes me cringe).
One possible solution I thought of is writing an extension or plugin for BIDS that essentially acts as a proxy for the web service which would allow me more control over the login process, but I have no idea if this is possible (google is no help...)
Any help would be gratefully accepted!
Are you using the IAuthenticationExtension interface? The following link provides a sound example of access control if that is what you require.
http://blogs.msdn.com/b/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx
I would imagine that the NT username can be tracked here and then lookups made against Active Directory groups etc. The main headache I can see here would be enabling the correct trust policy in the SSRS policy configuration.
Well, I gave up on finding an elegant solution so I have gone down the road of least resistance and followed what I gather is the SSRS guideline of having a 'master' account, which I will specify is to be used for report deployment and subscriptions. This account will need to be hard coded in or pulled from a settings file; I'm not sure if there is any other way. Cheers.
Update: I have gone down this road and it works fine. If a user is logged in through the web front end they can deploy reports there, but if they want to deploy from the development environment (BIDS) they need to log in using the master account when the login dialog shows. I have restricted the deploying account to only this specific use.

Search for a particular SharePoint user programmatically

I've an InfoPath form that the filler needs to specify people. A workflow later assigns tasks to these people. What I'm looking for is a people picker like what SharePoint has for user fields, but that I can use in InfoPath. I've already designed a form to do this where the filler can put in a name or email and the form will list results from the site.allusers group.
The problem is, what if the person that needs to be added into the form has never accessed this particular site collection before. Their account isn't going to be listed in the AllUsers list.
Where in the object model can I search for a user that is able to authenticate with SharePoint?
Why not just use the OTB one in InfoPath and configure it to point to your SharePoint environment?
http://www.sharepointassist.com/2009/02/27/adding-a-contact-selectorpeople-picker-to-an-infopath-form/
If you're running MOSS with AD integration, then it should automatically retrieve everyone that's in your domain if AD sync is enabled.
I think that the problem here is that even if you do find a list of users, the workflows won't trigger any actions if the users don't exist in the User Information List.
If the users don't exist in the User Information List, then you won't be able to find them via the SharePoint object model because they don't exist in SharePoint. You will have to find them some other way.
So basically, it depends on how the authentication is configured on your SharePoint server:
If you are using FBA, then the users who can authenticate with SharePoint must exist in a SQL database somewhere. Membership.Provider will give you a hook on your FBA membership provider (whether it's a SqlMembershipProvider or something else). You can then use methods like
Membership.Provider.GetUser(username, false)
to see if a user exists. You can also loop through your users or find all the existing usernames which you could then display in your people picker.
If you are using windows authentication, you will have to look in your AD to find the potential users. The DirectoryEntry object is what you'll need. I imagine that only users from a certain AD group can access SharePoint? If so, then isolate that group with the DirectoryEntry object, loop through the users and you will have your data source for the people picker.
As I said above though, either method will give you the possible users, but it won't make the workflow work if the users have not logged in. Workflows will only work properly with users that do exist in the User Information List.
When someone picks a user that doesn't exist in SharePoint, you will probably have to create it via code. A safe way to do this is with the SPWeb.EnsureUser.
Checks whether the specified login name belongs to a valid user of the Web site, and if the login name does not already exist, adds it to the Web site.
So really, to answer your question, nowhere. You need to look for them where they could be coming from.
