I really hate myself for not being at PDC. Lots of bits and pieces of Office 14 are landing in from colleagues and friends “on-scene” in LA. Currently working hard on compiling all the screenshots, videos and other stuff I got in the mail for this blog. Will be posting a long commentary about this in a day or two when I get time off from teaching classes and can really deep dive into all the materials. Let’s just say that the things I’ve seen are REALLY exciting! =)
Also as a side-note I’m proud to say that I got certified for EBS. I took the beta exam sometime in August and just got the news that I passed, which now means that I’m a charter member for TS: EBS 2008, Configuration. This is, besides my SharePoint certifications, my most valued certificate.. =)
A quick update about SQL 2008 and how that can enhance SharePoint 2007. The main word is compression of data in different scenarios. Backups from SQL Server can now be compressed, which saves space needed for backups, which has been a big problem for us as IT admins. Also the replication traffic between SQL nodes in the SQL cluster is compressed, which makes mirroring easier and more effective if the infrastructure isn’t a high-bandwidth one. I have just installed my first SQL 2008 machine in production and will be updating with more info as soon as I have something fun to tell you about it! =)
More detailed information can be found at Technet.
Almost every week I welcome a new class at the CPLS where I work. Every week I have to teach people – who thought they knew SharePoint security – some fundamental knowledge about security. This is an article to try and explain some of the main points.
SharePoint security can be divided into three basic areas: Groups & Users, Permissions and Securable objects. Groups and users are thought to be straightforward. Users are present in a database, and can be divided into groups. Groups do not have any permissions. Permissions are then set in the access list at each securable object. A securable object is basically a list item, list, library, site or site collection.
- Groups are “global” (site collection)
Microsoft have made it easy for us to find People and Groups from every site’s administration section. This is a bit confusing since it’s easy to believe that the groups are defined for each site; however, when creating a group it’s always created in the site collection. A group name is therefore also global. “Owner” is not a good name, since it does not describe what that person owns and where – “Global Finances Site Owner” would be a better name. If you are used to WSS 2.0, there was something called Site Groups, which were groups on the site level – this feature is NOT available in WSS 3.0.
- Group membership does not change on site level
If you are a member of the Approvers group you are a member of the Approvers group everywhere in the site collection. The actual site permissions may vary, but you are always a member of the Approvers group. I think the above mentioned link adds to this confusion. I think that if you were a member of the Approver group that you would have Approver rights in the whole portal; so even if a group is named “Global Finances Invoice Approver” and is used mainly on the Global Finances site it’s still global.
- Groups are not the same as permissions
When you are a member of a group, no permissions are actually assigned by the group membership. Most standard groups have a default permission set. Permissions are set at the securable object level. This is made worse, I think, by the default groups in SharePoint such as Approver: this falsely gives you the impression that if you are a member of that group you will get a specific permission; I will admit that in standard configuration this is true but not practical. What is that person to approve? Perhaps you would create a “Global Finances News Approver” group which would be assigned the Approve permission level on the Global Finances site – but not a right to globally approve everything.
- Access list and inheritance
By default access lists are inherited to subordinate securable objects (except when a web application policy overrides). Groups are global, so they are not “inherited”. When breaking the inheritance a copy is created of the access list; this cannot be partly inherited – either broken inheritance or not! Permission levels are also inherited, and still inherited even if we break the access list inheritance. To break the permission level inheritance that also must be broken – almost never needed. You are always free to restore inheritance – when you do: ALL subordinate permissions and access lists are also reset to inherit!
- Some accounts are special
There are some accounts that get access even though they are not in the access lists. This is true for the Primary and Secondary site collection administration accounts. This is set up elsewhere. Members of the built-in Administrators group also have access, for instance.
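The rules above as a small Python model (an added example, not part of the original post and not SharePoint API code). The class names, the sample user and the “Full Control” result for administrators are assumptions made for the illustration.

```python
# Simplified model of the rules above; an illustration, not SharePoint API code.
class SiteCollection:
    def __init__(self, admins=()):
        self.groups = {}           # group name -> users; one namespace per site collection
        self.admins = set(admins)  # primary/secondary site collection administrators

class Securable:
    """Site, list, library or item; acl is None while it inherits from its parent."""
    def __init__(self, name, collection, parent=None):
        self.name, self.collection, self.parent = name, collection, parent
        self.children = []
        self.acl = {} if parent is None else None  # group name -> permission level
        if parent is not None:
            parent.children.append(self)

    def effective_acl(self):
        return self.acl if self.acl is not None else self.parent.effective_acl()

    def break_inheritance(self):
        if self.acl is None:  # all or nothing: a full copy of the parent's list
            self.acl = dict(self.parent.effective_acl())

    def restore_inheritance(self):
        if self.parent is not None:
            self.acl = None
        for child in self.children:  # every subordinate object is reset too
            child.restore_inheritance()

    def grant(self, group, level):
        if self.acl is None:
            raise ValueError(f"{self.name} inherits; break inheritance first")
        self.acl[group] = level

    def levels_for(self, user):
        if user in self.collection.admins:  # special accounts bypass the access list
            return {"Full Control"}         # level name assumed for the model
        groups = self.collection.groups
        return {lvl for g, lvl in self.effective_acl().items() if user in groups.get(g, ())}

def demo():
    sc = SiteCollection(admins={"sc_admin"})
    sc.groups["Global Finances News Approver"] = {"anna"}  # constructed sample data
    portal = Securable("Portal", sc)
    finance = Securable("Global Finances", sc, portal)
    news = Securable("News", sc, finance)
    membership_only = news.levels_for("anna")   # in a group, but nothing granted yet
    news.break_inheritance()
    news.grant("Global Finances News Approver", "Approve")
    scoped = (news.levels_for("anna"), portal.levels_for("anna"))
    finance.restore_inheritance()               # also wipes the unique list on News
    return membership_only, scoped, news.levels_for("anna"), news.levels_for("sc_admin")
```

`demo()` returns, in order: the empty set for a group member with no grant, Approve on News but nothing on the portal, the empty set again after inheritance is restored one level up, and the administrator's access despite an empty access list.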
I hope this clears up some aspects of SharePoint security administration.
More detailed information can be found at Office Online
Just finished an installation for a customer. After thinking a bit I decided that in addition to the out-of-the-box provided iFilters the following are quite useful and should really cover about 90% of files. Remember that all this indexing also adds to the load of the indexer…
A great surprise in the Office 2007 pack is the support for zip files – I have seen some really expensive iFilters for that..
Office 2007 (.docx, .docm, .pptx, .pptm, .xlsx, .xlsm, .xlsb, .zip, .one, .vdx, .vsd, .vss, .vst, .vdx, .vsx, and .vtx): http://www.microsoft.com/downloads/details.aspx?FamilyId=60C92A37-719C-4077-B5C6-CAC34F4227CC&displaylang=en
XPS hasn’t really had its breakthrough yet, but the iFilter will be increasingly sought after..
Microsoft XPS (.xps): http://www.microsoft.com/downloads/details.aspx?familyid=b8dcffdd-e3a5-44cc-8021-7649fd37ffee&displaylang=en&tm
Adobe have now released an x64 filter for PDF, which finally lets us remove the FoxIT PDF iFilter if you use x64, which you should..
Adobe PDF x64 (.pdf): http://labs.adobe.com/wiki/index.php/PDF_iFilter_8_-_64-bit_Support
Today I found a good article about orphans, interaction between content db and config db etc. If you have no clue about orphans, why we should avoid them, how they occur and lots more, please read it – it’s a good start: http://blogs.technet.com/corybu/archive/2007/05/31/sharepoint-orphans-explained.aspx
Got a mail this weekend from Russell Davies asking me where to download the actual file for ShareCheck, a program you can find described here. And the answer was simply: nowhere! I had forgotten to upload the file! Stupid mistake; anyway, the file can now be found here. Don’t forget to run with the -whatif switch when you are testing it out!
One of the most commonly asked for features is wildcard search. There are lots of solutions that provide this function, in at least as many different ways. One simple and easy method I have been trying for a while in my lab is WildcardSearch from Corey Roth, published at CodePlex. The solution works as a drop-in replacement of the CoreResultsWebpart and is compatible with almost all aspects of normal search functions in SharePoint (which most others are not!). The solution just came out in a version 2 which now supports Search Scopes. You will find the download here: http://www.codeplex.com/WildcardSearch
There are a couple of caveats and sacrifices you should know about.. http://www.dotnetmafia.com/blogs/dotnettipoftheday/archive/2008/09/18/what-you-give-up-with-full-text-sql-queries-using-wildcard-search.aspx