Ton Stegeman > SharePoint Objects
Security Blueprints - introduction

SharePoint 2007 contains a lot of options for security configuration. In larger site collections, it is very easy to lose track of how security is configured. Publishing parts of the content in your site collections for anonymous users makes this even harder. And if you grant your power users the permissions to manage the security settings themselves, it quickly becomes impossible to keep an overview. If you have done support for a SharePoint environment and have tried to solve security issues, you are probably familiar with this problem. Security blueprints can help you in this scenario. These blueprints are a report of all security-related settings in your sites. In the first version of the product, these reports are published as XML files. By creating your own XSLT stylesheets, you can use this product to create your own reports on the security setup of your SharePoint sites.

A number of sample support questions that can be addressed more easily using Security Blueprints:

  • I am getting all these request e-mails asking me to grant users permissions. How do I find all places where my e-mail address is configured to be the contact for access requests?
  • The Table of Contents web part does not take permissions into account. We have a number of sub sites with unique permissions, but my users see all subsites. In my other site collection, this works as expected. Using a security blueprint, you can easily check the permissions on these sites and find out that users see the subsites in the navigation because anonymous access is turned on for these sites.
  • I have granted my project managers our custom permission level that allows them to add people to specific SharePoint groups, but it does not work. They cannot add users. In another site collection, this works as described. By comparing security blueprints from the 2 site collections, you can quickly find out that the custom permission level is missing one of the critical permissions.

The most important settings that are (currently) included in the report:

  • SharePoint sitegroups and their permissions
  • Permission levels
  • Lists / Document libraries and their security settings
  • Anonymous settings
  • Request Access settings
  • Activated Site Features
  • Activated Site Collection Features
  • Site Collection Administrators

Security blueprints are generated manually by a site administrator, or on a scheduled basis by the Security Blueprints timerjob. See the installation article on this weblog for the installation and setup instructions. The reports are published as XML files in an automatically created document library. This library can be added to every site collection, or to a central storage location. Every time a blueprint is generated (manually or scheduled), the library is checked to see whether a report was previously published for the site collection. If this is not the case, the report is published as a Full Report. If a report was previously published, this report is compared to the new report. If there are changes, a new Full Report is published. If there are no changes, a No Changes report is published.
You can exclude specific parts of your site collections by configuring Endpoints. See the installation article for details.

The screenshot below shows the blueprints library after the first 3 runs of the process in an empty site collection based on the Collaboration Portal template. After the first run, I have created custom permissions for the Reports site and the document library in the document center. This results in a new full report in the second run. In the 3rd run, there were no changes, as can be seen in the screenshot. To get an idea of what a security blueprint report looks like, the last Full Report of this site collection is available on this link.

image

Another scenario where security blueprints can help is when you have multiple site collections that upon launch have the same structure and security setup. Before the launch of your new site collections, you create a blueprint of the new site collection. Now your site collection administrators can go wild and do their thing. Because a new security report is published automatically whenever something changes in the security setup, it is much easier for you to track when security settings are changed. This can make troubleshooting these nasty security issues a lot easier. It allows you to identify the differences between the original security setup (the blueprint) and the current setup in your site collections.
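The comparison between an original blueprint and a later one, and the Full Report / No Changes rule described earlier, can be sketched as follows. This is an added example, not code from Security Blueprints: the blueprint XML schema is not shown on this page, so the element and attribute names in the constructed samples are hypothetical, and only attributes (not element text) are compared.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports. The real blueprint schema is not shown on the page,
# so every element and attribute name below is hypothetical.
BASELINE = """<Blueprint>
  <Web Url="/" AnonymousAccess="false" RequestAccessEmail="owner@example.com">
    <Group Name="Project Managers" PermissionLevel="Manage Members"/>
  </Web>
  <Web Url="/Reports" AnonymousAccess="false">
    <List Title="Reports Library" UniquePermissions="false"/>
  </Web>
</Blueprint>"""

# Same site collection later: two settings on /Reports were changed.
CURRENT = (BASELINE
    .replace('Url="/Reports" AnonymousAccess="false"', 'Url="/Reports" AnonymousAccess="true"')
    .replace('UniquePermissions="false"', 'UniquePermissions="true"'))

KEY_ATTRS = ("Url", "Name", "Title")  # assumed attributes that identify a node

def flatten(xml_text):
    """Map 'path@attribute' -> value for every attribute in the report."""
    settings = {}
    def walk(node, path):
        key = next((node.get(a) for a in KEY_ATTRS if node.get(a)), "")
        here = f"{path}/{node.tag}[{key}]"
        for attr, value in node.attrib.items():
            settings[f"{here}@{attr}"] = value
        for child in node:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return settings

def diff_blueprints(old_xml, new_xml):
    """Return sorted (setting, old, new) tuples; None marks a setting absent on one side."""
    old, new = flatten(old_xml), flatten(new_xml)
    return [(k, old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]

def report_type(old_xml, new_xml):
    """Publishing rule from the text: no previous report, or any change -> Full Report."""
    if old_xml is None or diff_blueprints(old_xml, new_xml):
        return "Full Report"
    return "No Changes"

if __name__ == "__main__":
    print(report_type(BASELINE, CURRENT))
    for setting, before, after in diff_blueprints(BASELINE, CURRENT):
        print(f"{setting}: {before} -> {after}")
```

Keying each node by an identifying attribute rather than by position means that adding or reordering sites does not show up as changes on unrelated nodes.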

Download

You can download Security Blueprints on the SharePoint Objects site on CodePlex.

Security Blueprints – installation

This article describes how to install the Security Blueprints in your SharePoint environment. The first step is to install the solution package. After you have done this, this article shows you how to configure the security blueprints. The last part of this article describes how you can manually start the process for 1 site collection.

Step 1 – Install the solution package

The first step is to install the Security Blueprints software to your environment. Unzip the file that you have downloaded from CodePlex to a folder on the server that is running Central Administration.

Start setup.exe and click Next.
The installer runs a system check. If none of the checks fails, you can continue the installation by clicking Next.
In this dialog, select the web applications that will use the Security Blueprints features. Click Next.
The installer will now install the software to your SharePoint environment. Click Next after the process completes.
If all steps were successful, click the Close button.

SharePoint Objects Security Blueprints are now installed in your SharePoint farm. The installation process has installed these files and folders to your server(s):

Name                                          Location
TST.SharePointObjects.SecurityBluePrint.dll   Global Assembly Cache
CreateSecurityBlueprint.aspx                  12\TEMPLATE\LAYOUTS\TST\
CreateBluePrintsTimerJobSettings.aspx         12\TEMPLATE\ADMIN\TST\
tstfeature.gif                                12\TEMPLATE\IMAGES\TST\
feature.xml                                   12\TEMPLATE\FEATURES\TST.SharePointObjects.SecurityBluePrint.Menu\
menu.xml                                      12\TEMPLATE\FEATURES\TST.SharePointObjects.SecurityBluePrint.Menu\
feature.xml                                   12\TEMPLATE\FEATURES\TST.SharePointObjects.SecurityBluePrint.CreateBluePrintsTimerJob\

Step 2 – Configure the timer job

Security blueprints are generated by a SharePoint timerjob that can be installed by activating a feature. Navigate to the Central Administration of your SharePoint farm. On the Application Management tab, select Manage Web application features. On this page, find the web application that runs the site collections that you want to monitor using the security blueprints. Then click the Activate button for the feature ‘SharePoint Objects - Security Blueprint Menu’.


The timer job is now installed. It can be configured by using a special administration page. The menu to navigate to this administration page can be enabled by activating a site collection feature. Navigate to the Site Settings of the Central Administration site. In the Site Collection Administration section, click Site collection features. Find the feature called ‘SharePoint Objects - Security Blueprint Menu’ and click Activate.


If you now navigate to the Application Management tab in Central Administration, you will find a new section called ‘SharePoint Objects’. This section now has a menu option called ‘Configure timerjob for creating security blueprints’. Click this link to configure the timerjob. The first section on this page lets you choose a web application.


If you select a web application that does not have the Security Blueprint Timerjob feature activated, the Status field will notify you that the timerjob is not activated. If the feature is activated, the Status field will show the last run time of the timerjob. In this section you can also set the display title for the timerjob and the schedule.

The second section on the configuration page allows you to configure the location where the blueprints will be stored. When the blueprint timerjob runs, it creates a security blueprint for every site collection in the web application. This blueprint is saved as an XML file in an automatically created document library. By configuring the Library Site Url setting, you can decide where the timerjob publishes the blueprint.


There are 3 options:

  • Leave the setting empty
    The blueprint library is created in the root site of each site collection.
  • Enter a relative url (e.g. ‘/admin/blueprints’)
    The blueprint library is created in each site collection, in the subsite with this url. If there is no subsite found on this url, the blueprints are saved in the root site of each site collection.
  • Enter an absolute url (e.g. http://admin.intranet/blueprints)
    All blueprints of all site collections are stored in 1 document library. The timer job creates a subfolder for each site collection. These folders are hidden from the user in the view. This allows you to manage the blueprints in a central location.

The last section of the timerjob setup page allows you to configure endpoints. Endpoints are relative urls to specific sub sites in your site collections. The blueprint process stops generating the blueprint XML at this site, if the url equals one of the endpoints. Suppose you have a subsite called ‘Projects’. This site has a number of subsites for a number of projects. You are interested in the security settings of this Projects site, but the security settings for each project site are not important. You can enter ‘/Projects’ as an endpoint, meaning the Projects site is the last site in the tree to be included in the blueprint. You can now add new project sites to your site collection(s) without changing the security blueprint for your site collection. Otherwise every new project site is seen as a change to the security blueprint of the site collection, and a new report is published.


You can enter multiple endpoints by putting every endpoint on a new line in the text box.
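To see what a given configuration covers, the following models the endpoint rule and the three Library Site Url options described above. It is an added example, not the product's code: the site list is constructed, the function names are hypothetical, and case-insensitive URL matching is an assumption.

```python
# Constructed site collection: relative URLs of the root site and its subsites.
SITES = ["/", "/Reports", "/Projects", "/Projects/Alpha", "/Projects/Alpha/Docs",
         "/Projects/Beta", "/admin", "/admin/blueprints"]

def parse_endpoints(textbox):
    """One endpoint per line, as entered in the settings text box."""
    return {line.strip().rstrip("/").lower()
            for line in textbox.splitlines() if line.strip()}

def split_coverage(sites, endpoints):
    """Return (included, skipped): an endpoint site is the last one included,
    everything below it is left out of the blueprint."""
    included, skipped = [], []
    for url in sites:
        norm = url.rstrip("/").lower()
        below = any(norm.startswith(ep + "/") for ep in endpoints)
        (skipped if below else included).append(url)
    return included, skipped

def library_site(setting, site_collection_url, subsites):
    """Resolve the Library Site Url setting to the site holding the blueprint library."""
    setting = setting.strip()
    root = site_collection_url.rstrip("/")
    if not setting:
        return root                        # empty: root site of each site collection
    if setting.lower().startswith(("http://", "https://")):
        return setting                     # absolute: one central library for all
    known = {s.rstrip("/").lower() for s in subsites}
    if setting.rstrip("/").lower() in known:
        return root + setting              # relative: that subsite in each collection
    return root                            # no such subsite: fall back to the root site

if __name__ == "__main__":
    included, skipped = split_coverage(SITES, parse_endpoints("/Projects\n"))
    print("in blueprint:    ", included)
    print("not in blueprint:", skipped)
```

Permission changes on the skipped sites never appear in a report, so the skipped list is worth reviewing whenever an endpoint is added.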

Step 3 – Start the process manually

The Security Blueprints allow you to start the process manually for a single site collection. If you do not have the feature activated for the site collection, navigate to the Site Settings of the root site in your site collection. In the Site Collection Administration section, select Site collection features. Find the feature called ‘SharePoint Objects - Security Blueprint Menu’ and click the Activate button.


If you navigate to the Site Settings page, this page will have a new section called SharePoint Objects. This section has a menu option called ‘Create security blueprint’. This link is available for every subsite in the site collection. This allows you to create a blueprint for just 1 subsite, instead of a full report for all sites in the site collection. The root site of the site collection is always included in the blueprint.


After clicking this link, you can manually start the process by clicking the Create button. You can publish the blueprint to a specific location or a central location in your farm by entering a url. See Step 2 in this article for the details. That step also contains an explanation of the endpoints you can configure.


After clicking the Create button, the blueprint is created and you are redirected to the library that contains the report.
