Tag Archives: Security

SharePoint 2013 Script: Hide or Disable your fields

This one has been on my list for a while. I’ve used a collection of JavaScript methods to help streamline customizing forms in lists. I started creating and compiling this little collection probably 5-6 years ago, and over time I’ve been constantly updating, tweaking and enhancing it, especially of late while working with Office 365.

I have a lightweight JavaScript file which allows you to hide or disable (set to read-only) fields in a new or edit form. It’s pretty basic but is a big value add. Also, you can set a field to read-only for only certain groups, meanwhile allowing other groups to edit the field. You can also hide a field completely, as well as hide a field and only show it for certain groups. Pretty sweet right?

UPDATED 2/28/15 to fix a few bugs as noted in the comments.

UPDATED 10/22/15 to fix disableWithAllowance and people pickers.

UPDATED 10/23/15 to fix disable and disableWithAllowance and metadata fields.

UPDATED 5/24/16 to fix issue with disabling Lookup Fields, now will show correct value.

UPDATED 8/1/2016 to fix issue with disabling choice fields as radio buttons, now will show the single selected value.

The script is here: download from CodePlex.com.

How to use it

Include the script along with jQuery on your page. Ideally, throw this nugget into your master page and you can use it anywhere in your site.

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js" type="text/javascript"></script>
<script src="/SiteAssets/Lozzi.Fields.js" type="text/javascript"></script>

Once that’s in, get using it! It’s really simple, I threw this on my new form for my task list:

<script type="text/javascript">
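 $(document).ready(function(){
  // Wait until sp.js has loaded before touching the fields
  ExecuteOrDelayUntilScriptLoaded(function(){
   // Read-only for everyone except members of the Project Managers group
   Lozzi.Fields.disableWithAllowance("Start Date", ["Project Managers"]);
   // Read-only for all users
   Lozzi.Fields.disable("Task Status");
   // Hidden for all users
   Lozzi.Fields.hide("% Complete");
  },"sp.js");
 });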
</script>

This will change our New form for a typical task, from:

New SharePoint Task Form

to

New Task Form with Hidden Disabled Fields

See the difference? It’s subtle, but when working with end users, it can provide a huge benefit to help streamline your business flow.

From here, you could have the edit form disable or hide a lot of the fields for normal users, only allowing your Project Managers, or if this is a support request list, your Support Team access to modify fields as needed. The options are endless.

More details

Lozzi.Fields.disable(fieldname)

Simply disables the field, for all users. It hides all controls in the field and displays the value instead.

Lozzi.Fields.disableWithAllowance(fieldname, groups)

Disables the field, but enables it for the users in the groups specified. Also, Site Collection Administrators are included automatically, so they can always edit the field. You can send the groups in an array, like ["Group One", "Group Two"].

Lozzi.Fields.hide(fieldname)

Simply hides the field, for all users.

Lozzi.Fields.hideWithAllowance(fieldname, groups)

Hides the field, but shows it for the users in the groups specified. Also, Site Collection Administrators are included automatically, so they can always edit the field. You can send the groups in an array, like ["Group One", "Group Two"].

Some other important notes

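  • Currently, this script does not work on list views, meaning a user could still edit the data in datasheet/quick edit view. The script only changes how the form renders in the browser; it does not change permissions on the list or its items.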
  • This script should work just as well on SharePoint 2010 if you so desire.

Download this script here: download from CodePlex.com.

Til next time, Happy SharePointing!


My Users Don’t Like SharePoint Because They Can’t Do Anything!

This is Part 3 of my series on ‘My Users Don’t Like SharePoint…

Again, let’s take the Ford Mustang metaphor from the opening post. I get my 2013 Mustang, and it’s shiny and beautiful.


It’s new, shiny, has the new car smell, spotless. I make the decision that my kids are not allowed in it at all. Period. My wife is only allowed after she has brushed her shoes off. And then once she’s in, no drinks, no food. I don’t even bring coffee in it. Is it still a beautiful car? You better believe it is. Will anyone want to drive with me? Meh, maybe the first time, but it’ll quickly get old (make sure your feet are clean, sorry you have cat hair on you, you can’t ride in my car). No one will want to drive with me since there are so many limitations.

This is also a common scenario for SharePoint, but sometimes it is deployed and locked down so tight that everything of significance is filtered through IT. All lists have request and approval workflows set up. No one is allowed to create new lists or sites. Since it’s all going through the IT help desk, a request takes an annoyingly long time to complete and eventually users decide not to bother with it.

Or following the second post in this series, if you just spent all of this time and effort cleaning, scrubbing, and reorganizing SharePoint, you may lean towards locking it down so much that it can never happen again.


Loosen up!

I know, I’m sending you mixed signals. Last post I said to apply governance and kick people out of doing things, tighten down the reins; now I’m telling you to loosen up.

There’s a balance.

I’ve worked with enough IT departments to know what they think of their end users. I understand most users don’t know how to change their screen resolution or use the Windows key. I honestly had someone think the CD-ROM was a cup holder, and used it as such… I’ve had a VP complain his laptop stopped working after he spilled coffee on it… I’ve had someone report that their new hard drive wasn’t working properly, upon assessment it wasn’t plugged in, it was resting on the computer… I’ve had a tech support rep from a computer company tell me to reboot and give it 24 hours for the settings to sink in… I’ve told users to straighten out their keyboard wires or the letters will appear upside down… ID-10T… and there’s more. I’m sure you have a long list as well. I know the stories and the pain. I do, I’ve been there, done that, got the T-shirt.

Since I know where you’re coming from, let me take a moment to vent… As the IT department, your job is to support and provide services to your users, assisting them in completing their jobs, not telling them how to do their jobs. Too many times the business is run by IT; IT is making business decisions (or forcing the business into choices) based on technology, instead of hearing and understanding what the business needs and then doing everything they can to make it work. Without the business, there’s no need for an IT department. IT departments can take a note from consultants: do everything you can to make the customer happy. Just sayin… now back to SharePoint….

What I also learned is that not all of your end users are mindless lemmings. There are always a select few who should be considered power users. Leverage them! SharePoint is best used when power users are granted permissions to create some customizations on their own. Your governance plan should identify this, clearly.

How do you identify your power users? They’re the ones who do some cool stuff without hassling IT. Or they do something so big that they need IT to help fix it (this is good, they’re venturing on their own). They’re users who customize their Excel worksheets with cool functions and macros, or actually know how to use PowerPoint and maybe embed a video. Get to know them, and adopt them into your team; they don’t have to join IT, but they can be a go-to person for their department. Provide them additional permission to create a list or library. Explain to them the importance of organization and your governance. There can be a healthy balance between the junk drawer effect and the strict IT department.

Train your users.

“Tell me and I forget, teach me and I remember, involve me and I learn” – Benjamin Franklin

This can take time and is costly. If you were deploying a new ERP, CMS or a highly customized solution, you would provide training, manuals, quick reference cards, and more. But nooooo…. SharePoint is Microsoft and should be easy. Well it isn’t.

Start with finding some resources you like (some awesome resources online on sites like www.nothingbutsharepoint.com and sp365.co.uk, videos from www.criticalpathtraining.com, and many books are available as well). Take what you like and paraphrase it, highlight what you think your users need to know, and reference these sources in your own manuals.

Take screen shots or small videos to help explain the steps. Check out a great free screen shot app and 5 min video recorder: Jing by TechSmith.

Hold small training sessions. I find that SharePoint training can be intimidating to users and they tend to ask loads of questions; small groups make it more manageable for the trainer. Make sure to allow time for questions and answers. SharePoint can do a lot, so let your users play with it and explore and come back with questions later on. Consider bringing in a trainer or consulting firm that can help train and answer the questions effectively.

Once your larger user base knows what is possible, two things can happen:

1. They appreciate your SharePoint implementation, they understand what it’s for and what it can do for them. This will drive user adoption and improve your users’ point of view.

2. They come back with additional ideas and feature requests: “since it can do ABC, can we have it do XYZ?”. Nothing drives user adoption better than buy-in.

Give them some space.

To play, that is. After you’ve spent the time to train your users, or provided the ideal manuals and guides, give them their space. Turn on My Sites and let them bang on their own site collection. They are their own masters in their My Site. Set quotas so they can’t run wild on space. If they blow up their site, wipe it out and create them a fresh one. No harm, no foul. Letting them play will help get additional buy-in and improve user adoption.

Allow them to customize their own web part pages. With the Personal Permissions section enabled (enabled on the Contribute rights by default), users can customize their own web part pages. The page has a shared and a personal view, allowing users to add and remove web parts as they want. As an admin, you can lock down web parts so they cannot be removed, which is important to ensure the company message is still present. Also, with this permission set, users can create their own personal views on any lists they have permission to. This enables users to create their own views of the data without bugging admins. Train your users on how to use this and you’ll have a happier user base.

If you get enough [happy | satisfied | content] people behind your SharePoint, and key stakeholders get wind of it, you have a better chance of additional resources for improving SharePoint (increase budgets for training, software, hardware, consultants, etc.).

Til next week, Happy SharePointing!

Managing SharePoint Sites Suck?

I’ve discovered that most complaints about SharePoint are from the self-imposed or top-down-imposed SharePoint administrators who are stuck with managing SharePoint sites. I do feel sorry for you guys, you didn’t ask for it, or even if you did you probably thought it was supposed to be easier. In most cases, SharePoint was slapped together at your organization and instantly became adopted as a new network drive, so now you have a site with a ton of data everywhere.

These scenarios can be hectic, chaotic, and downright annoying. The biggest issue in most cases is governance: the art of controlling and governing your data and information flow. Managing your SharePoint site should be an easy task, and should be minimal, without a doubt. Poor governance is one large factor which makes for a mind-numbing experience. SharePoint should be easy once it’s been implemented correctly.

A quick story. I was assistant coach for my son’s little league team. It was his first year playing, and the team had all boys from ages 6 to 8. For a lot of them, this was their first time playing. The excitement and joy poured out of the kids and into hyper activity. It was a little crazy at our first practice: kids running around, swinging bats at each other, etc. It was crazy but really fun to watch and experience. I let my son go to town and run around like a maniac as well.

The coach instantly set some rules: no one holds a bat unless they’re up to bat. Boom, I felt safer and stopped flinching (and governance was applied). If you wanted to play, you had to pay attention and listen quietly (more governance); no climbing on the fences (more governance); no leaving the dugout during a game (more); no throwing dirt (more); no helmets on unless you’re batting (more) and so on. As the season progressed the governance rules were tweaked, some were eased up and others were tightened. All the while, the boys still had a blast and the coach and parents had fun too.

Much like playing baseball with 7 year olds, governance is also essential for a successful SharePoint site. Governance within SharePoint utilizes site topology, permissions, audiences, and data categorization. Control who has access to what, where and how much.

  • Site topology is the site map, it helps define where sites and libraries live in relation to each other. It’s like the lay of the land. No topology makes governance very difficult.
  • Permissions control who has actual permissions to what, for example who can update files, who is read-only, and who has no access at all. Permissions are the core of governance. Permission management is a whole other ball of wax and should be done right.
  • Audiences help manage what your users see, it doesn’t necessarily stop them from doing certain things, but helps them see what they should. They might still figure out how to get to something in the back end library, and if they’re not supposed to, use permissions to lock them out.
  • Data categorization is less involved within governance, if at all, but I think it’s important to note. Categorization is initially defined by site topology: HR docs will be in the HR site (a category of data). Additional data categorization can include metadata and meta tags. The additional information helps control how data is found and navigated to.

The latter two items, audiences and data categorization, should be considered in your governance plan, though more often than not I’ve seen that they aren’t. Governance (controlling who has access to what) can easily use audiences and metadata to help control what people can see. Filtering views can help control who sees what, but still allows users to access more if they really want to dig in deeper.

If we didn’t apply governance to our little league team, I’d be saying “managing my little league team sucks” because it would. I’d be going to practice with a protective cup, other kids might have black eyes, a broken leg from falling off the fence, etc. it would be a terrible experience for all, much like poorly governed SharePoint sites.

As a side note, it appears governance is simply saying No, no hitting, no throwing dirt, no saving a file there, no editing a file here. That’s one way of looking at it. I prefer, being the eternal optimist that I am, to look at it like you’re allowed to edit this file, you’re allowed to save a file here, you’re allowed to play baseball, etc.

It’s not too late, if you’re in the muck and mire of a poorly governed SharePoint site you can still recover. Get with your governing bodies (managers, directors, etc) and figure out who should really have access to what. Start applying some governance in small doses. Use SharePoint’s web analytics to see what areas are the most popular, and apply it there. Don’t worry if you find it needing to change later, your governance (just like the US government) should be flexible, receive feedback and should react and grow with your business.

Simplifying SharePoint User Management

One of the biggest headaches I’ve heard from SharePoint users and administrators is the ability to manage users, or rather the lack thereof. It is a large task to fully understand it all, and I hope to clarify some of it now.

Quality user management is by far the most lacking area within SharePoint. There are 3rd party add-ons available which help ease the task, but now you’re looking at spending more on top of your existing investment in SharePoint. I think it’s ridiculous that I can’t click on a user in SharePoint and see all groups that person is a member of… Seriously! Can’t do that, you can in AD, but you can’t in SharePoint. I think the SharePoint guys could learn something from the AD guys…

So I’ll take a few moments to cover some of the heads ups, gotchas, and oopsies with managing users and permissions within SharePoint.

A quick primer

Permissions in SharePoint can be very intricate and act a lot like Active Directory on how you may protect a folder or file on a network drive. You can pull in a group (AD or SharePoint group) of users and specify that this group of users should have write access to this list, and others should have only read access. You can even bring it in tighter and say that one or two users have write access to a single item within a list, and hide it from view for all others.

Adding users and groups is a simple task and can be found almost anywhere on the internet, so I won’t walk through that here. Also, check out this blog Five Key Steps to Managing SharePoint Users for some great pointers on governance and management. We will be taking a different direction in an effort to help clarify using permissions and user management in SharePoint.

Using groups of users to simplify

There are two major methods which can be utilized to manage users. The first and the more popular method, usually seen in larger deployments, is to use Active Directory groups. This allows your IT department to manage their AD groups as usual, and when users are added to their AD groups, they’re in SharePoint automatically. The other method, usually seen in smaller deployments, is to add users directly into SharePoint as individual user accounts.

Use groups whenever possible, it should be an extremely rare case when you need to specify an individual user anywhere within SharePoint permissions (not to be mistaken for the Assigned To field ;). Site collection administrators have to be individual users, otherwise everywhere else use groups, you’ll be glad you did. A group can be an Active Directory group or a SharePoint group.

  • If you’re using Active Directory groups, still throw that group into a SharePoint group. Using SharePoint groups will give you more flexibility in the future. Consider this example, if you add your HR AD group to SharePoint and give them specific access to their sub site, and in a year your executives want access into that site, you can
    • Add the executives to your AD group HR (which wouldn’t be right since they’re technically not HR users)
    • Add the Executive AD group into SharePoint and try to replicate all of the permissions the HR group has
    • Add the Executive AD group into the SharePoint group the HR AD group is in.
    • Which sounds easier? Apparently the last one would be easiest, if this is how you configured it initially.
  • If you’re not using AD groups, start! But if you can’t for whatever reason, and you’re only pulling in individual users, then make sure they’re in SharePoint groups. This will make managing permissions the easiest throughout SharePoint.
    • One pain point is that you cannot put a SharePoint group inside of another SharePoint group. So using the example in the previous bullet, we cannot add the Executive SharePoint group into the HR SharePoint group, instead we’ll need to try to replicate their permissions as much as possible.

I recommend using Active Directory groups whenever possible. Your users are already in AD groups, somewhere in your organization, and in most cases these groups reflect the governance within SharePoint, therefore your groups would make most sense to manage your users.

Know where you are!

It’s vital to know where you are when you’re managing permissions. It’s very easy to get spun around and start changing permissions on something you didn’t mean to. The best way to know where you are is to look at the URL and the page title. The combination of the two should tell you where you are and what you’re managing.


Document Library Permissions


Site Permissions


Sub Site Permissions

Who has access to what?

Yup, the best question and the hardest to answer. Again, there are 3rd party add-ons which can answer this quickly, and if this is a reoccurring question I suggest checking them out. However, if you can’t swing the cost of another application, here’s how I do it.

First, go to what you have the question about. For example, if you want to know about a list, go to List Settings. If you want to know about a site, go to Site Settings.

Second, click Permissions (Permissions for this list/library or Site Permissions for Site Settings). This will list all groups which currently have access to this list or site. Simple enough, right? Welp, I’d bet you want to know who is in each group next, right? From here, make note of the group names. No, you can’t just click on them; that manages their permissions on the list/site.

Third, go to Site Actions > Site Settings > People and Groups. Now you can click on each group and determine who’s in what group, and who has access to what. Unfortunately this can be a painful exercise. If you’re using AD groups, you might be off the hook, simply pass the ball to your IT dept and ask them to give you a list of users per group. If you are the IT dept, sorry…

All People is for the entire site, NOT your current site!

This applies to SharePoint 2007; Microsoft removed this from 2010 (one improvement). You probably have seen the link in the quick launch while managing users (Site Actions > Site Settings > People and Groups) which says All People. You may click this link and see everyone. This is great, a simple list of everyone in SharePoint. Now go to one of your secure sub sites and do the same, and you’ll still see everyone. Annoying, right? This list shows all users in SharePoint (in your site collection, not the current site). When you’re in your secure sub site, you may want to remove people from All People since they’re not supposed to have access to this site; unfortunately, if you remove a user or group from this list you’ll remove them from SharePoint completely (unless they’re a member of an AD group which has permission).

All People of the site, not the sub sites. But is it all of them?

One other weird thing that happens with this list: this list is showing you everyone who has a login account into SharePoint and has already logged in or has been added directly. If you’re not using AD groups, then you’ll see everyone who has been added to SharePoint. If you’re using AD groups, you’ll only see the users who have actually logged into SharePoint at least once. If an AD group has 200 users, and only 100 have logged into SharePoint, you’ll only see those 100 users here, the other 100 have permission to login, but until they do they won’t show in this list.

#$&%! Limited Access

“How do I use Limited Access? I don’t see it as an option.” “What does the user have limited access to?” are my two favorite questions. If you see Limited Access, curl up under your desk and cry. While you’re under there take a quick nap and then collect yourself and come back up because you have a lot of work to do. Limited Access means that user or group has some sort of unique permissions to something in your site. If you grant a user permission to a single item or list, you will see this same user under Site Permissions as Limited Access. There is no easy method to determine what and where the user has this limited access. You will also see this user as Limited Access throughout SharePoint for any list or sub site that inherits from the site.

Let me explain a different way. John Smith is a member of the Members group and the SharePoint administrator determines that he needs unique permissions to the Shared Documents library as a designer so he can approve documents. Instead of creating a new group (groups are best) and managing the group, the admin adds John Smith directly to the list. Instantly, the site permissions will list him as Limited Access, and each list, library and site which inherits the permissions also shows the same. A month later that admin looks at site permissions, sees John Smith listed as Limited Access and asks: how did that happen? How do I find out what he has access to?

There are a few methods I’ve found in correcting this issue.

  1. SharePoint 2007 – Navigate and look at the permissions on every list in SharePoint. This way you’ll find which list has unique permissions. However, if unique permissions were set up on the list item, say one document in a library, then you’ll need to check permissions on every single item within SharePoint. This could be hundreds to thousands of items. It’s okay to cry.
  2. SharePoint 2010 – One improvement that makes this a little easier. Instead of having to navigate throughout the entire site to find what is unique, SharePoint 2010 now has a basic reporting tool which will provide this to you. When looking at Site Permissions, you may see a little bar above the list which states there is uniquely secured content. Click the link and it’ll show you the few lists which are unique, and which items within a list if applicable. This will make reviewing your lists a little easier.
  3. The second method is easier and a little more effective. Go to Site Permissions (Site Actions > Site Settings > Site Permissions) and remove the user. Don’t worry, this will only remove the specific permissions for the user. The user’s existing permissions through other groups will remain.
    1. This method will remove the user’s permissions, but not reset the list/library/item’s permissions to inherit again. That you’ll still need to find and fix.
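
The manual walk-through under "Who has access to what?" and the John Smith Limited Access case, as an added JavaScript example that is not part of the original post. It runs on constructed data shaped like what SharePoint 2013's REST endpoint `/_api/web/roleassignments?$expand=Member/Users,RoleDefinitionBindings` returns; using REST for this is an assumption (the post describes only the UI steps), and the site URL, group names and accounts are made up.

```javascript
// Constructed sample data: the shape follows SharePoint 2013 REST role
// assignments; every name, Id and URL below is made up for illustration.
const PRINCIPAL = { USER: 1, AD_GROUP: 4, SP_GROUP: 8 };
const hrMembers = { Id: 7, Title: "HR Members", PrincipalType: 8, Users: [
  { Id: 21, Title: "CONTOSO\\HR Staff", PrincipalType: 4 },
  { Id: 22, Title: "CONTOSO\\Executives", PrincipalType: 4 } ] };
const hrVisitors = { Id: 8, Title: "HR Visitors", PrincipalType: 8, Users: [
  { Id: 31, Title: "Jane Doe", PrincipalType: 1 } ] };
const johnSmith = { Id: 40, Title: "John Smith", PrincipalType: 1 };
const grant = (Member, ...roles) =>
  ({ Member, RoleDefinitionBindings: roles.map((Name) => ({ Name })) });

const site = { scope: "/sites/hr", assignments: [
  grant(hrMembers, "Contribute"),
  grant(hrVisitors, "Read"),
  grant(johnSmith, "Limited Access") ] };
// Library with unique permissions: the admin added John Smith directly.
const library = { scope: "/sites/hr/Shared Documents", assignments: [
  grant(hrMembers, "Contribute"),
  grant(johnSmith, "Design") ] };

const roleNames = (ra) => ra.RoleDefinitionBindings.map((r) => r.Name);

// The three manual steps in one pass: every principal with access to a
// scope, the group it comes through, and the permission levels granted.
function whoHasAccess({ scope, assignments }) {
  const rows = [];
  for (const ra of assignments) {
    const m = ra.Member;
    const roles = roleNames(ra);
    if (m.PrincipalType === PRINCIPAL.SP_GROUP) {
      for (const u of m.Users || []) {
        // AD groups are opaque to SharePoint; their members come from AD.
        rows.push({ scope, principal: u.Title, via: m.Title, roles,
          resolveInAD: u.PrincipalType === PRINCIPAL.AD_GROUP });
      }
    } else {
      rows.push({ scope, principal: m.Title, via: "(direct)", roles,
        resolveInAD: m.PrincipalType === PRINCIPAL.AD_GROUP });
    }
  }
  return rows;
}

// Users granted permissions individually instead of through a group.
function directUserGrants({ scope, assignments }) {
  return assignments
    .filter((ra) => ra.Member.PrincipalType === PRINCIPAL.USER)
    .map((ra) => ({ scope, user: ra.Member.Title, roles: roleNames(ra) }));
}

// For each principal that shows only "Limited Access" on the parent, list
// the child scopes where it holds a real permission level.
function explainLimitedAccess(parent, children) {
  const onlyLimited = (ra) => {
    const names = roleNames(ra);
    return names.length > 0 && names.every((n) => n === "Limited Access");
  };
  return parent.assignments.filter(onlyLimited).map((ra) => ({
    principal: ra.Member.Title,
    grantedAt: children.flatMap((child) =>
      child.assignments
        .filter((x) => x.Member.Id === ra.Member.Id)
        .map((x) => ({ scope: child.scope,
          roles: roleNames(x).filter((n) => n !== "Limited Access") }))
        .filter((g) => g.roles.length > 0)),
  }));
}

console.log(JSON.stringify(whoHasAccess(site), null, 1));
console.log(JSON.stringify(directUserGrants(library)));
console.log(JSON.stringify(explainLimitedAccess(site, [library])));
```
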

Is that it?

Probably not, but outside of the normal tasks (adding users to groups, creating new groups, specifying permissions for groups), I think this covers some of the big headaches with permissions management in SharePoint. If I missed something, let me know!