Set permissions for a SharePoint list item using 2013 Workflow

Following are the steps to implement in a SharePoint 2013 workflow to set permissions on a SharePoint list item.
This particular method grants all users in a SharePoint group a specific permission level (role) on the item, using REST calls.

Before the numbered steps, build a Header Dictionary with the following two entries and set it to a variable; it is sent with every REST call below.

Name: Accept
Type: String
Value: application/json;odata=verbose

Name: Content-Type
Type: String
Value: application/json;odata=verbose

1. Set “Group ID URL” to a variable

[%Workflow Context:Current Site URL%]_api/Web/SiteGroups/GetByName('Group Name')?$Select=id

2. Set “Role ID URL” to a variable

[%Workflow Context:Current Site URL%]_api/Web/RoleDefinitions/GetByName('Role Name')?$Select=id

3. Set “Break Role Inheritance URL” to a variable

[%Workflow Context:Current Site URL%]_api/Web/Lists/GetByTitle('Library Name')/items([%Current Item:ID%])/BreakRoleInheritance(copyRoleAssignments=false,clearSubscopes=true)

4. Create response variables “Group ID Response”, “Role ID Response”, “Response Headers” and “Response Code” with data type Dictionary

5. Make a GET REST call using the Call HTTP Web Service action (“Call Action”) to “Group ID URL” and assign the output to the variables created in step 4

6. Use the Get action to read ‘d/Id’ from the “Group ID Response” dictionary and set it to a new variable “GroupID”

7. Make a GET REST call using the Call HTTP Web Service action to “Role ID URL” and assign the output to the variables created in step 4

8. Use the Get action to read ‘d/Id’ from the “Role ID Response” dictionary and set it to a new variable “RoleID”

9. Make a POST REST call using the Call HTTP Web Service action to “Break Role Inheritance URL” and optionally assign the output to the variables created in step 4

10. Set “Set Role URL” to a variable

[%Workflow Context:Current Site URL%]_api/Web/Lists/GetByTitle('Library Name')/items([%Current Item:ID%])/RoleAssignments/AddRoleAssignment(principalId=[%Variable:GroupID%],roleDefId=[%Variable:RoleID%])

The method segment at the end of “Set Role URL” is one of the following, depending on whether the role is being granted or revoked:

Add Role:

AddRoleAssignment(principalId=[%Variable:GroupID%],roleDefId=[%Variable:RoleID%])

Remove Role:

RemoveRoleAssignment(principalId=[%Variable:GroupID%],roleDefId=[%Variable:RoleID%])

11. Make a POST REST call using the Call HTTP Web Service action to “Set Role URL” and optionally assign the output to the variables created in step 4
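The eleven steps above as an added Python client, not code from the original post: it issues the same REST sequence (group id, role id, BreakRoleInheritance, AddRoleAssignment) through an injectable transport so it runs offline against the constructed fake_transport below. The site URL, group, role and ids are constructed sample values; a real transport would also supply authentication and, for POSTs made outside a workflow, the X-RequestDigest from _api/contextinfo.

```python
"""Item-level permissions via the SharePoint 2013 REST API (added example).

Reproduces the workflow's Call HTTP Web Service sequence as a client with an
injectable transport so it runs offline; sample names and ids are constructed.
"""
import json
from typing import Callable, Dict, List, Tuple

HEADERS = {"Accept": "application/json;odata=verbose",
           "Content-Type": "application/json;odata=verbose"}

# transport(method, url, headers) -> (status_code, body). A real one wraps
# requests/urllib and adds authentication plus, for POSTs made outside a
# workflow, the X-RequestDigest obtained from _api/contextinfo.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def odata_quote(value: str) -> str:
    # The workflow pastes names straight into the URL; a name containing a
    # quote would break out of the OData literal, so double it as OData requires.
    return value.replace("'", "''")


def get_id(transport: Transport, site_url: str, collection: str, name: str) -> int:
    """GET .../_api/Web/<collection>/GetByName('<name>')?$select=Id and read d/Id."""
    url = f"{site_url}_api/Web/{collection}/GetByName('{odata_quote(name)}')?$select=Id"
    status, body = transport("GET", url, HEADERS)
    if status != 200:
        raise RuntimeError(f"GET {url} failed with HTTP {status}")
    return int(json.loads(body)["d"]["Id"])


def set_item_permissions(transport: Transport, site_url: str, library: str,
                         item_id: int, group: str, role: str) -> List[str]:
    """Break inheritance on one item and grant `group` the `role` on it."""
    group_id = get_id(transport, site_url, "SiteGroups", group)
    role_id = get_id(transport, site_url, "RoleDefinitions", role)
    item = (f"{site_url}_api/Web/Lists/GetByTitle('{odata_quote(library)}')"
            f"/items({int(item_id)})")
    posts = [
        # copyRoleAssignments=false drops every inherited assignment, so the
        # item ends up with only the grant below; clearSubscopes=true also
        # resets any unique permissions defined beneath the item.
        f"{item}/BreakRoleInheritance(copyRoleAssignments=false,clearSubscopes=true)",
        # Use RemoveRoleAssignment with the same arguments to revoke instead.
        f"{item}/RoleAssignments/AddRoleAssignment(principalId={group_id},roleDefId={role_id})",
    ]
    for url in posts:
        status, _ = transport("POST", url, HEADERS)
        if status not in (200, 204):
            raise RuntimeError(f"POST {url} failed with HTTP {status}")
    return posts  # the URLs issued, in order, for logging or audit


# Constructed stand-in for a SharePoint site so the sequence can run offline.
FAKE_IDS = {"SiteGroups": {"Approvers": 7}, "RoleDefinitions": {"Contribute": 1073741827}}


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    if headers.get("Accept") != "application/json;odata=verbose":
        return 406, ""  # verbose JSON is what the d/Id lookup relies on
    if method == "GET":
        for collection, names in FAKE_IDS.items():
            for name, ident in names.items():
                if f"/{collection}/GetByName('{name}')" in url:
                    return 200, json.dumps({"d": {"Id": ident}})
        return 404, ""
    return 200, ""
```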

Reference URL: https://msdn.microsoft.com/en-us/library/office/dn531432.aspx

Features not available in SharePoint 2013 Workflow

Following are the features which are not available in SharePoint 2013 Workflow.

  • Actions
    • Stop Workflow
    • Capture a Version of the Document Set
    • Send Document Set to Repository
    • Set Content Approval Status for the Document Set
    • Start Document Set Approval Process
    • Declare Record
    • Set Content Approval Status
    • Undeclare Record
    • Add List Item
    • Inherit List Item Parent Permissions
    • Remove List Item Permissions
    • Replace List Item Permissions
    • Lookup Manager of a User
    • Assign a Form to a Group
    • Assign a To-Do Item
    • Collect Data from a User
    • Start Approval Process
    • Start Custom Task Process
    • Start Feedback Process
    • Copy List Item (SharePoint Designer 2013 supports only the document-copying action.)
  • Conditions
    • If current item field equals value
    • Check list item permission levels
    • Check list item permissions
  • Steps
    • Impersonation Step
  • Data sources
    • User Profile lookup
  • Other features
    • Visio integration
    • Association Column
    • Content Type Association for reusable workflow
    • ‘Require Manage List/Web Permission’ feature for list/site workflow
    • Globally reusable workflow type
    • Workflow visualization option

Source: https://msdn.microsoft.com/en-us/library/jj728659.aspx

File Icons in SharePoint Search Results using Display Template

In SharePoint 2013 search results, the icon for file types such as .msg and .txt shows up as the .html icon.
In SharePoint 2010 this was overcome by mapping the file type to an icon in DocIcon.xml on the WFE servers.

But since access to the WFE servers is restricted in on-prem environments, and there is no access at all in Office 365, the only solution available is the following.

  1. Edit the existing display templates (I use a custom display template with results shown in a table, and the following is based on that) or create new ones from the existing templates. They are located at SiteCollection/All Files/_catalogs/masterpage/Display Templates/Search and are accessible with SharePoint Designer:
    1. xxxSearchTableResults.html
    2. xxxSearchTableItem.html
  2. Add the following code, after which the correct icons should show.

Search Results Display Template:

<div style="width:15px;display:table-cell;text-align:left;font-weight:bold;padding:5px 0px 4px 10px;">
</div>

Search Item Display Template:

<div style="min-width:16px;max-width:16px;display:table-cell;white-space:nowrap;overflow:hidden;-ms-text-overflow:ellipsis;-o-text-overflow:ellipsis;text-overflow:ellipsis;">
<!--#_
    // Resolve the icon URL from the item's file extension, then override it
    // for document sets and for .msg files, which are not mapped correctly.
    var extObj = { FileExtension: ctx.CurrentItem.FileExtension };
    var iconUrl = SP.Utilities.HttpUtility.htmlEncode(
        Srch.U.ensureAllowedProtocol(Srch.U.getIconUrlByFileExtension(extObj, null)));
    if (ctx.CurrentItem.IsContainer) {
        iconUrl = "/_layouts/15/images/icdocset.gif";
    }
    if (ctx.CurrentItem.FileExtension === "msg") {
        iconUrl = "/_layouts/15/images/icmsg.gif";
    }
    // console.log(ctx.CurrentItem.FileExtension);
_#-->
<img id="_#= $htmlEncode(id + Srch.U.Ids.icon) =#_" onload="this.style.display='inline'" src="_#= iconUrl =#_" />
</div>

Notes:
ctx.CurrentItem.FileExtension always returns the file extension, which appears to match the icon file name in the /_layouts/15/images/ folder.

For example, msg maps to icmsg.gif or icmsg.png.

Once done, the search results show the correct icons (screenshot: Search-Icon).

SharePoint 2013 Authentication – SAML Based

SharePoint 2013 – SAML Based Authentication

The following is the interaction between

  1. Client Computer
  2. SharePoint Server
  3. Active Directory Federation Service (AD FS)
  4. Active Directory Domain Service (AD DS)

Notes:

  1. AD FS and SAML claims are not required if AD DS is the provider and the forests and domains trust each other
  2. AD FS must trust the AD DS for which it issues SAML security tokens
  3. Here the trust may be implicit, as the AD FS server is a member of the AD DS domain and hence trusts its domain controllers
  4. AD FS must also trust the SharePoint locations
  5. Hence AD FS is configured with SharePoint’s web application URLs as relying parties
  6. The SharePoint server must in turn trust the SAML tokens issued by AD FS
  7. This trust is established through a signing certificate held by AD FS, with which it signs the tokens
  8. The SharePoint server is configured with the public portion of that signing certificate and uses it to verify the signed tokens it trusts

The SAML Based Authentication Process

  1. The user makes an anonymous request to a secured SharePoint web page
  2. SharePoint redirects the user to the AD FS login page to enter credentials
  3. The user types in the credentials, which the client computer sends to AD FS
  4. The AD FS server validates the credentials with AD DS
  5. Once the user is validated, AD FS creates a SAML token, signs it and sends it back to the client computer
  6. The client computer sends a new request to the SharePoint server, this time with the SAML token provided by AD FS
  7. SharePoint creates a claims based security token using the Security Token Service, based on the claims found in the SAML token that AD FS sent to the client computer
  8. SharePoint stores this security token in the Distributed Cache Service on the farm
  9. The SharePoint server generates and sends the federated auth (FedAuth) cookie back to the client computer
  10. The FedAuth cookie holds an encrypted key or index to the security token
  11. The client computer uses this FedAuth cookie for subsequent requests

A video walkthrough of this authentication flow is part of the Authentication overview for SharePoint 2013 article located at https://technet.microsoft.com/en-us/library/jj219571.aspx

For more information on SharePoint Claims check out more articles at http://social.technet.microsoft.com/wiki/contents/articles/14214.sharepoint-2013-claims-based-authentication.aspx

SharePoint 2013 Authentication – Forms Based

The following is the interaction between

  1. Client Computer
  2. SharePoint Server
  3. ASP.NET Membership provider

The Form Based Claims Authentication Process

  1. The user makes an anonymous request to a secured SharePoint web page
  2. SharePoint responds with the forms based login page
  3. The user types in the credentials, which the client computer sends back
  4. The SharePoint server validates the credentials with the membership provider
  5. The SharePoint server then queries the role provider for the user’s associated roles
  6. These become the role claims for the user’s account
  7. SharePoint creates a claims based security token using the Security Token Service
  8. SharePoint stores this security token in the Distributed Cache Service on the farm
  9. The SharePoint server generates and sends the federated auth (FedAuth) cookie back to the client computer
  10. The FedAuth cookie holds an encrypted key or index to the security token
  11. The client computer uses this FedAuth cookie for subsequent requests

A video explaining forms based authentication in SharePoint 2013 is part of the Authentication overview for SharePoint 2013 article located at https://technet.microsoft.com/en-us/library/jj219571.aspx

For more information on SharePoint Claims check out more articles at http://social.technet.microsoft.com/wiki/contents/articles/14214.sharepoint-2013-claims-based-authentication.aspx

SharePoint 2013 Authentication – Windows Claims

SharePoint 2013 – Windows Claims Authentication

The following is the interaction between

  1. Client Computer
  2. SharePoint Server
  3. Active Directory Domain Service

The Windows Claims Authentication Process

  1. The user makes an anonymous request to a secured SharePoint web page
  2. SharePoint requests Windows credentials (NTLM, Kerberos or Basic)
  3. If the site is in the browser’s intranet zone, the browser sends the logged-in user’s credentials to SharePoint; otherwise the user is prompted for credentials
  4. In both cases the browser sends the credentials back to SharePoint
  5. SharePoint validates these credentials with Active Directory Domain Services (AD DS)
  6. AD DS responds to SharePoint with a Windows security token
  7. SharePoint then checks which AD DS security groups the user belongs to
  8. SharePoint creates a claims based security token using the Security Token Service
  9. SharePoint stores this security token in the Distributed Cache Service on the farm
  10. The IIS server on the SharePoint server then sends the auth code to the user’s computer
  11. The client computer uses this auth code for subsequent requests

A video explaining Windows claims authentication in SharePoint 2013 is part of the Authentication overview for SharePoint 2013 article located at https://technet.microsoft.com/en-us/library/jj219571.aspx

For more information on SharePoint Claims check out more articles at http://social.technet.microsoft.com/wiki/contents/articles/14214.sharepoint-2013-claims-based-authentication.aspx

Setting up Provider Hosted App

There are many articles which explain how to set up the Remote Web and SharePoint on-prem. The following articles explain everything end to end.
http://blogs.msdn.com/b/russmax/archive/2014/06/23/part-1-intro-to-provider-hosted-apps-setup-the-infrastructure.aspx
http://blogs.msdn.com/b/russmax/archive/2014/06/26/part-2-intro-to-provider-hosted-apps-develop-package-and-deploy.aspx

Error: The root of the certificate chain is not a trusted root authority – Register-SPWorkflowService – SharePoint 2013

When I was trying to register the Workflow Service with the SharePoint 2013 server, I was getting the error “The root of the certificate chain is not a trusted root authority”.

The reason for this error: while registering the service we point to the workflow site over https, as shown below, and this site presents a certificate which the SharePoint server doesn’t trust.

Register-SPWorkflowService -SPSite "http://spapp/sites/dev/" -WorkflowHostUri "https://wfserver:12290/" -AllowOAuthHttp

There are two things to check.

  1. Check whether the WorkflowHostUri uses a fully qualified domain name (FQDN) instead of the machine name.
  2. Check whether the SharePoint server trusts the workflow site’s certificate

1. Use the FQDN. Instead of the machine name in WorkflowHostUri, use the full domain name, e.g. https://wfserver.domain.com:12290/
2. Make sure the SharePoint server trusts the certificate of the workflow site. For that, do the following

  1. On the server, browse to https://wfserver.domain.com:12290/ and check whether you get a certificate trust error; if so, proceed to the next point
  2. Start the Management PowerShell as Administrator on the workflow server and run the following two commands
  3. $rootCert = (Get-SPCertificateAuthority).RootCertificate
  4. $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
  5. Go to the SharePoint server, open Run or a command prompt, type MMC and hit Enter. This opens Console1.
  6. In Console1, open the File menu and select “Add/Remove snap-in”
  7. Add “Certificates” to the right hand side and click “OK”. You will be prompted by the Certificates snap-in. I selected “Computer account” > Next > Local computer > Finish > OK
  8. Import the certificate C:\SharePointRootAuthority.cer into the “Trusted Root Certification Authorities” store. You can do this by right-clicking “Trusted Root Certification Authorities” and selecting All Tasks > Import

Source:
Microsoft MSDN Forum, EPM Partners

SharePoint 2013 Service Applications

The following table lists SharePoint 2013 Service Applications which can help in deciding which edition of SharePoint 2013 can be purchased based on the solution design and scenario.

SharePoint 2013 Service Application | Foundation | Standard | Enterprise | Office 365
Access Services
Access Services 2010
App Management Service
Business Data Connectivity Service
Excel Services Application
Machine Translation Service
PerformancePoint Service Application
PowerPoint Automation Services
Managed Metadata Service Application
Search Service Application
Secure Store Service
Site Subscription Settings Service
State Service
User and Health Data Collection Service
User Profile Service Application
Visio Graphics Service
Word Automation Services
Work Management Service Application
Workflow Service Application

SharePoint 2013 New Features & Changes

Following is the list of new features and changes in SharePoint 2013 which I have gathered from glances through various sites and books.

Shredded Storage

  1. Reduces the size of the content database when storing file versions
  2. The reduced content database size shortens backup times
  3. Shredded storage optimizes network traffic between the web server and SQL Server by reducing the need to transfer the entire document
  4. Since only changes are sent back and forth between client and server, a document is available in the Office Document Cache (ODC, a feature introduced in Office 2010) even when the SharePoint server is offline
  5. Users can start working on a document while it is still downloading
  6. MS-FSSHTTP (File Sync via SOAP over HTTP) enables optimized, faster document transfers between the MS Office client and SharePoint, which improves the usability of Office applications when a user saves a version and continues editing while the saved version is being uploaded to SharePoint (Note: this was already available in Office 2010/SharePoint 2010 and has now been improved)
  7. SharePoint 2013 now uses MS-FSSHTTP for document transfer not only between the client and the SharePoint server but also between SharePoint and SQL Server.

SQL Improvements

  1. All databases now conform to the SQL Azure compliance criteria
  2. Redundant, unused tables and track-links indices are removed
  3. I/O operations while browsing document libraries have been optimized
  4. Use of sparse columns (a feature introduced in SQL Server 2008) for wide lists (using extra rows for column data when the maximum number of columns in a SQL row is reached) has been reduced
  5. Improvements in handling dependencies on large lists

Request Management

  1. Route HTTP requests to different servers based on specific workloads
  2. Recognize incoming requests by inspecting headers, the request IP address or subnet
  3. Based on the incoming request, prioritize it, redirect it to another server, or block it
  4. Request Management rules route specific sets of incoming requests to specific sets of servers. For example, a rule might route a request that needs more processing to a server with a high static weight (identifies a server as powerful or weak) and health weight (the dynamic health of the server)
  5. If no catch-all (*) rule is implemented, SharePoint routes the request to the server it considers healthy

Workflow

  1. A dedicated Workflow Manager farm (not installed by default, and used only by SharePoint 2013 workflows, not by SharePoint 2010/legacy workflows) can offload workflow processing from the SharePoint server, improving SharePoint’s performance
    Note: SharePoint 2013 workflow templates are not available by default, as SharePoint 2013 still uses only the 2010 templates. Hence, to utilize the Workflow Manager farm, 2013 templates need to be created

Caching

  1. SharePoint 2013 now uses distributed cache, hence each server in farm doesn’t need to fetch same content from DB for similar requests going to specific server. Instead they share that content across servers and hence roundtrip to content db from each server for same request is reduced
  2. Feeds, Search (Content Search Web Part) & Logon Tokens utilize distributed cache

UI

  1. Minimal Download Strategy (MDS) now loads only the part of the page that changed instead of the whole page
    Note: MDS is not enabled for publishing sites or for custom controls migrated from 2010 to 2013 (custom controls need to be edited with the MdsCompliantAttribute set and recompiled)
  2. SharePoint 2013 now uses HTML5 for themes.
    Note: Since HTML5 is used for themes, creating themes with Office applications is limited
  3. SharePoint 2013 has improvements in rendering content on mobile devices
  4. The new geolocation field helps maintain location data in a list column
  5. The contemporary view is used if the mobile browser supports HTML5; otherwise the classic view is downloaded

Service Applications

  1. The new Machine Translation Service uses Bing to translate sites, files, pages and term sets
  2. The new Work Management Service aggregates tasks from MS Exchange 2013, MS Project Server 2013 and MS SharePoint 2013 into the user’s My Site, with two-way sync between them
  3. The new App Management Service helps manage the new SharePoint Apps
  4. The Search Service Application has been totally re-engineered, combining SharePoint 2010 Enterprise Search and FAST Search; hence FAST Search is no longer available
  5. All flavours of SharePoint 2013 (Foundation, Standard and Enterprise) use the same search object model
  6. The Managed Metadata Service now has properties for tags, and tags can be pinned to avoid duplication
  7. The Search Service Application now has built-in web analytics, and Web Analytics is no longer a separate service application

Office Web Apps

  1. This is now a separate product with a separate license
  2. It is installed on its own server in a farm, hence managing and scaling either it or SharePoint is far easier
    Note: Viewing Office documents in SharePoint 2013 doesn’t require Office Web Apps and its license, but if editing is required then both are required
  3. Documents can now be viewed in full screen mode
  4. PowerPoint and Word now support co-authoring
  5. Search results in SharePoint can show a preview of Office documents when Office Web Apps is available and the user hovers over the link in the search result

Business Connectivity Service

  1. BCS now has an additional connection protocol, OData
  2. Event receivers for external data changes are a new feature
  3. External Content Types can be scoped to SharePoint Apps, as opposed to the service application level in SharePoint 2010

Access Service

  1. Access Services has been completely rebuilt
  2. Access Services 2010 is for sites built from an Access web database definition
  3. Access Services now stores data in SQL Server 2012, and developers and advanced users can interact directly with SQL Server for more advanced reporting

Authentication

  1. SharePoint 2013 has extended claims based authentication, utilizing OAuth 2.0 and a dedicated server for STS authentication
  2. Because of this extended authentication, new scenarios are possible with MS Exchange 2013, MS Lync 2013, the SharePoint App Store/App Catalogue and any other service supporting a server-to-server auth protocol
  3. Claims mode is now recommended over classic mode; the claims implementation in SharePoint 2010, which didn’t work with People Picker and SSRS (2008 R2), has been improved
  4. Classic mode web applications can now only be created using PowerShell
  5. Additional logging has been added to troubleshoot authentication issues

Web Applications

  1. Host-named site collections are now recommended instead of path-based site collections, but this needs to be analysed before implementing, as some scenarios, such as extended web applications and hosting in multiple web applications, are not supported
  2. The Document Workspace, all Meeting Workspace templates, and the Group Work and Personalization site templates have been removed, but migration from 2010 to 2013 is allowed and they will work in 2013

Development

  1. Everything is now an app, be it a list, a library, a custom solution, etc.
  2. Apps now run isolated from the SharePoint server but integrated with it
  3. In addition to farm and sandboxed solutions, the extended client object model is new and lets code run in external applications
  4. Apps can be published and made available in on-premises or cloud based marketplaces
  5. SharePoint Apps are now preferred over sandboxed solutions