Export (0) Print
Expand All

Implementing Security

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

The Training Management application uses custom SharePoint groups and custom permission levels to enforce security. This topic discusses the design of the security model and how it is implemented.

SharePoint Groups

The Training Management application uses two custom SharePoint groups. They are Contoso Employees and Contoso Managers. Members of the Contoso Employees group can see the available training courses, register for those courses, and see the status of their registrations. The Contoso Managers have the same abilities as the Contoso Employees, and they can also view their registration approval tasks and approve and reject registrations. Figure 1 shows the two custom groups.

Ff649767.security_groups_notheme(en-us,PandP.10).png

Figure 1
Training Management security groups

SharePoint Permission Levels

The Training Management application also uses custom permission levels to enforce the security requirements. The Training – View Only permission level allows users to view pages and list items. The Training – Participant permission level allows users to view pages, view list items, and add list items. The Training – Manager permission level allows users to view pages, view list items, add list items, and edit list items. These permission levels are applied to the Contoso Employees and Contoso Mangers groups to control their access to the following lists on the Training Management site:

  • The list of training courses
  • The list of registrations
  • The list of approval tasks

Figure 2 illustrates the different permission levels.

Ff649767.security_permission_levels_notheme(en-us,PandP.10).png

Figure 2
Training Management permission levels

Training Courses List Permissions

Both the Contoso Employees group and the Contoso Managers group have the Training – View Only permission for the training courses list. Only site administrators can add courses and edit current information. Figure 3 illustrates the permission levels for the list of training courses.

Ff649767.security_lists_training_courses_notheme(en-us,PandP.10).png

Figure 3
Permissions for the training courses list

Registrations List Permissions

Members of the Contoso Employees group have the Training – Participant permission level for the registration list. This level allows them to register for courses by adding an item to the Registrations list but not to edit the list. Members of the Contoso Managers group have the Training – Manager permission level. This allows them to both add and edit the registration list items. They need these abilities in order to update the registration status. Figure 4 illustrates the permission levels for the registration list.

Ff649767.security_lists_reg_notheme(en-us,PandP.10).png

Figure 4
Permissions for the registration list

Registration Approval Tasks List Permissions

Only members of the Contoso Managers group can access the registration approval tasks list. They need this ability in order to view their pending approval tasks. Figure 5 illustrates the permission level for registration approval task list.

Ff649767.security_lists_regapp_notheme(en-us,PandP.10).png

Figure 5
Permissions for the registration approval tasks list

Security and Permission Provisioning

A SharePoint feature receiver class performs the security provisioning for the Training Management application. This class uses the SharePoint object model to create the SharePoint groups and permission levels. Methods of this class are invoked when the site is created with the Contoso Training Management template.

The SharePoint feature receiver class is derived from the abstract class SPFeatureReceiver. For more information about the SPFeatureReceiver class, see SPFeatureReceiver Class (Microsoft.SharePoint) on MSDN.

The derived class is named WebFeatureReceiver. It implements a method named FeatureActivated that is called by SharePoint during the ContosoTrainingManagementWeb feature activation. SharePoint invokes this method because the developer specifies it in the ReceiverClass attribute of the Feature.xml file. To view the Feature.xml file, click the WSP View tab in the View pane in Visual Studio.

The following the code is for the FeatureActivated method of the WebFeatureReceiver class. It is located in the FeatureReceivers\WebFeatureReceiver.cs file in the Contoso.TrainingManagement project.

public override void FeatureActivated(SPFeatureReceiverProperties properties)
{
    SPWeb web = properties.Feature.Parent as SPWeb;
    this.ProvisionSecurity(web);
    this.UpdateDefaultAspx(web);
    this.UpdateQuickLaunch(web);           
}

This code provisions the application's security model.

To create the security groups and permission levels, the FeatureActivated method invokes a helper method named ProvisionSecurity. This method performs the following tasks:

  • It sets the current Web to use locally defined roles.
  • It creates two groups named Contoso Employees and Contoso Managers.
  • It gives site-read access to the newly created groups.
  • It creates new permissions named Training - View Only, Training – Participant, and Training - Manager with permissions that are appropriate to each permission level.
  • It sets the permission levels for the training course list, the registration list, and the registration approval task list.

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Show:
© 2014 Microsoft