Checking for User Permissions and Getting UnauthorizedAccessException

In a recent project I have been writing code to check if an arbitrary user can create new documents in certain document libraries. In order to do the check, I used the good old DoesUserHavePermissions method, which is present in SPWeb, SPList and SPListItem objects (securable objects).

SYMPTOMS

When using DoesUserHavePermissions() method on a securable object, you get UnauthorizedAccessException.

CAUSES

There are multiple causes for this behavior.

First, the current user context may be such that the current user has no rights to enumerate permissions on the SPWeb/SPList/SPListItem object. If so, the exception will be raised.

So, your first inclination is to use RunWithElevatedPrivileges to check the permissions. However, it also throws the same exception. The cause is a token check that the DoesUserHavePermissions method includes in its code (as explained by Phil Harding). The user token is compared against the current user. Somehow, the user token for the elevated object is not the same as the current user in the context, and the exception is thrown.

SOLUTION

I managed to solve this issue by explicitly opening the securable object with a System Account token, instead of using RunWithElevatedPrivileges.
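A sketch of that approach, added here as an illustration and not taken from the original project: the class and method names are hypothetical, and the code assumes it runs inside a SharePoint request where SPContext is available.

```csharp
using System;
using Microsoft.SharePoint;

public static class PermissionProbe
{
    // Hypothetical helper: returns true when the account identified by
    // loginName may add items to the given document library.
    public static bool UserCanAddDocuments(Guid siteId, Guid webId,
                                           Guid listId, string loginName)
    {
        // Assumption: we are inside a SharePoint request, so the System
        // Account token can be read from the context site.
        SPUserToken systemToken =
            SPContext.Current.Site.SystemAccount.UserToken;

        // Open the securable object explicitly with the System Account
        // token instead of wrapping the call in RunWithElevatedPrivileges.
        using (SPSite systemSite = new SPSite(siteId, systemToken))
        using (SPWeb web = systemSite.OpenWeb(webId))
        {
            SPList library = web.Lists[listId];

            // EnsureUser adds the account to the site's user list if it is
            // not there yet, so call this where updates are allowed.
            SPUser user = web.EnsureUser(loginName);

            // Only the boolean answer leaves this method; the elevated
            // SPSite/SPWeb objects are disposed and never handed back.
            return library.DoesUserHavePermissions(
                user, SPBasePermissions.AddListItems);
        }
    }
}
```

Keeping the System Account objects inside the method limits the elevated context to the read-only permission check.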

Access Denied with RunWithElevatedPrivileges

A strange situation happened to me a few days ago, when checking a portion of SharePoint 2013 server-side code on a custom form. Basically, it uses RunWithElevatedPrivileges to check that the current user has access to a certain site and certain libraries, before uploading the file to a content organizer enabled library.

The Symptoms

The code that runs with elevated privileges on a POST event triggered "Access Denied" errors when trying to access SPWeb and SPList objects. The objects were declared under the elevated privilege code block but the ULS logs still show the "access denied" errors.

The Cause

According to an MSDN blog post, code that runs with elevated permissions has to validate the form digest before entering the elevated permissions code block. If it does not, it might give "Access Denied" errors.

The Solution

Just add SPUtility.ValidateFormDigest(); before the elevated permissions block and the "Access Denied" errors disappear.
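The placement in a POST handler, as an added example that is not the original form's code: the page class, the handler name and the "Drop Off Library" title are assumptions made for illustration.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public class UploadForm : System.Web.UI.Page
{
    // Constructed value for this example.
    private const string DropOffTitle = "Drop Off Library";

    // Server-relative URL of the library resolved under elevation.
    protected string DropOffUrl { get; private set; }

    // Hypothetical click handler for the form's submit button (POST).
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Validate the form digest first, before any elevated code runs.
        // Stop processing if the digest is missing, invalid or expired.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("Invalid or expired form digest.");
        }

        // Capture plain identifiers from the request context.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        string resolvedUrl = null;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Create the SPSite/SPWeb inside the block; objects taken
            // from SPContext keep the identity of the posting user.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPList dropOff = web.Lists.TryGetList(DropOffTitle);
                if (dropOff != null)
                {
                    resolvedUrl = dropOff.RootFolder.ServerRelativeUrl;
                }
            }
        });

        if (resolvedUrl == null)
        {
            throw new SPException("Drop-off library not found.");
        }
        DropOffUrl = resolvedUrl;
    }
}
```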

Speaking at the European SharePoint Conference in a Week

The European SharePoint Conference is less than three weeks away and I’m delighted to be part of such an exceptional line up. The conference will take place in Barcelona, Spain from the 5-8th May 2014 and is Europe’s largest SharePoint event bringing you great sessions and the latest innovations from Las Vegas.

Browse through the superb conference programme including 110 sessions, keynotes, and tutorials, including topics covering the latest news from SPC14 including what’s new with

  • SharePoint 2013 SP1
  • Office Graph/Oslo
  • new Office 365 REST APIs
  • Access Apps
  • Cloud Business Apps

I will be conducting a session called “Social Business Value Demystified: Real-World Experiences” aimed at Business Decision Makers and End Users.

In this session I will outline why social technologies are useful for the business and how to align them with the business value. I will focus not on the technology but the reason why we use it. The rationale for this session topic is sharing what we have learned from the customers that use our best-of-the-breed social network for SharePoint on premises: Beezy.

Get a free whitepaper about the 4 Enablers of a Social Intranet.

The European SharePoint Conference will be run over four days, and with over 1000 SharePoint attendees already signed up, don’t miss this fantastic opportunity to mingle with the European SharePoint Community.

If you want to deepen your SharePoint expertise, to understand the trend of the SharePoint market, and to learn how to leverage Microsoft Office 365 for your business, including the revolutionary Enterprise Social wave, the European SharePoint Conference is the best place to be in 2014!

Prices start from €1150! There are also special group discounts for bookings of 3 or more people.

Book Now and I’ll see you in Barcelona in May

SharePoint Conference 2014 and Scalable App Architecture Talk

Tomorrow I will be flying to Las Vegas, for my third SharePoint Conference there (you can see my impressions from 2009 and 2012). This time, I’m honoured to be a speaker.

By the way, I can’t believe that it has been 5 years since my first SharePoint Conference in Vegas. Time really flies.

Beezy at SPC14

My colleagues from Beezy will also be present at the conference, showcasing our best-of-the-breed enterprise social network for SharePoint. Please visit them at the booth #1140. You’ll find out what Beezy is and how it can help you embrace social computing at work.

The idea for my talk came out of Beezy development. We had to design Beezy for high scalability, as it was going to be used in companies with tens of thousands of users. I have envisioned a talk that summarizes the key tenets and practices for scalable applications, especially at the back-end (API end). It’s a topic that hasn’t really entered the mainstream programming in SharePoint, but with the app model that exposes your app to potentially millions of users, it should be gaining wider audience.

7 Tenets for Highly Scalable Apps for SharePoint 2013

My session is about highly scalable apps for SharePoint 2013 and how to architect the solutions for scalability. There are several techniques that can be used to achieve scalability, such as aggressive and distributed caching, queuing, using non-relational storage, using non-blocking async calls and so on. I will try to give a glimpse of those techniques and to enable you as a developer to use those new tools in your toolbelt.

Are you attending SPC14? Join the conversation at Yammer about my session! Ask questions and post comments to help me make the session live up to your expectations.

Ongoing Sample App Code

I have also started an ongoing scalable app demo (https://bitbucket.org/ekapic/scalable-app) that I intend to evolve to a complete example app built with the core messages of my session. Right now I have the source code that I’ll use in my demos, but I will keep adding the app code in the next months. You can find the ongoing demo app code hosted at BitBucket. Feel free to fork it as you wish.

See you all in Vegas!

Failed to create a custom control ‘PublishingSiteActionsMenuCustomizer’

A very weird and hard to pinpoint SharePoint error has haunted me these last days.

The Symptoms

You have a SharePoint site collection that uses Publishing features. Suddenly, the users can’t access your site. All user accounts, including site collection administrators, get the dreaded "Access Denied" error. In my case, it was SharePoint 2010 with a custom site template with publishing features included in it.

The SharePoint log files mention this:

The Cause

It is really strange that SharePoint can’t load its own components. But the real cause is that the web application that the culprit site collection is running on is missing its "superuser" settings. The SuperUsers are the users configured for the Publishing infrastructure to read and write the publishing cache. It seems that if the users are not correctly configured, the publishing infrastructure fails badly and SharePoint interprets it as "Access Denied".

Two blog posts were of great help: Khashish Sukhija and Nico Marten’s. Thank you guys! I checked the web application properties from PowerShell and the super user entries were empty for the web application that was behaving strangely.

The Fix

Execute the script found on Nico’s post (reproduced here for convenience, all credit is his) and IISRESET.

Come see me at the European SharePoint Conference 2014!

In case you missed it, the European SharePoint Conference 2014 programme is now available and I’m delighted to announce that I am speaking at Europe’s largest SharePoint event in Barcelona, Spain from the 5-8th May 2014. For me it’s double satisfaction: to be speaking again at the ESPC and to see SharePoint circus coming to my home city. (It’s easier to play at home)

I will be conducting a session on Social Business Value Demystified: Real-World Experiences aimed at Business Decision Makers and End Users. In this session you will learn how to connect business value and social features of SharePoint in order to support the organizational activities, how to organize communities of knowledge and how to integrate search and metadata into your overall social enterprise strategy.

The European SharePoint Conference will be run over four days and will feature over 100 informative SharePoint sessions and 6 preconference tutorials providing you with a fantastic opportunity for learning and building your SharePoint skills. Check out the full Conference Programme to see all sessions and topics that are being covered by me and other renowned SharePoint experts from Europe and all over the world.

If you want to deepen your SharePoint expertise, to understand the trend of the SharePoint market, and to learn how to leverage SharePoint for your business, including the revolutionary Enterprise Social wave, the European SharePoint Conference is the best place to be in 2014!

Prices start as low as €995! There are also special group discounts for bookings of 3 or more people. Book Now and I’ll see you in Barcelona in May!

My Talk at SharePoint Summit Vancouver 2013

Last month I attended SharePoint Summit 2013 in Vancouver as a speaker. I was really looking forward to it, being my first time in Canada.

First I did a tour of Vancouver, strolling around and getting to know the neighbourhood. The city downtown is very compact and can be explored by simply walking around. I even tried the famous Japadog from the stand on Burrard St. Delicious!

My first talk was about the hype of enterprise social networks and how to get the real business value out of them. Several very interesting questions were raised during the session. Here are the slides:

My second talk, the day after, was about how to build a highly scalable app on the cloud, leveraging Windows Azure. I explained concepts such as queuing, distributed caching and async requests (with a short and eye-opening demo). It was also received very well and sparked a debate.

The organization of the event was done very professionally. The venue (Fairmont Hotel Vancouver) was a perfect place, very central and friendly to the business attendees. Not to mention Mavis and Beau, two sweet dogs that are the official dog ambassadors of the hotel.

On the downside, the scheduling of the sessions could be improved, as several sessions with similar audiences were scheduled at the same time, and the "keynote" presentations were also scheduled at the same time as some of the breakout sessions, to the detriment of attendance. The organizing team should take note of that for future editions.

The best thing about the summit was the opportunity I had to connect to speakers and attendees and exchange many ideas about the use of our favourite platform. Thank you all for a very good time in Vancouver!

Building a Document Routing Hierarchy with SharePoint Subsites and Content Organizer

On this occasion I have been exploring the possibility of an auto-organizing document hierarchy in SharePoint 2010, made with Content Organizer functionality. As you may recall, the Content Organizer allows the documents to be routed according to rules that use metadata to decide where the document should go. This greatly enhances the usability of a document repository in SharePoint, as the end users don’t have to know exactly where the document should be uploaded. By leveraging the content organizer rules, we automate the exact logistic organization of the documents and significantly lower the possibility of incorrect classification.

Content Organizer out-of-the-box

The straightforward Content Organizer works great when you cope with different document libraries on a single site. You get one “Drop Off Library” where you should upload the documents to. Once uploaded there, the documents will be routed to the right document library and optionally inside a specific folder.

The user interface for dropping a document in Content Organizer notifies you that the document will be routed:

As you can see in the Content Organizer Rule editor, we only get local site lists and libraries as the destination option:

What happens when you have a hierarchy that spans multiple subsites that all share the same base content type but are strictly separated in different subsites for security reasons? Well, in this case you have to tweak the Content Organizer a bit to accommodate the subsites.

Routing Documents to a different site

In order to allow a content organizer to route a document to a different site, you have to create a “Send To” connection in the Central Administration. Go to “General Application Settings”, then choose “Configure send to connections” in “External Service Connection” section. In this page you will have to add the absolute path of the content organizer service of the site that you wish to route the document to. The URL is always the same:

  •  Site URL followed by /_vti_bin/officialfile.asmx

In this example, there is a subsite called “Global”, and a “Send To” connection called Global is created. Please remember that the Send To Connections configuration is stored for each web application, so make sure that you are changing it for the right web application.

Once you have the Send To connection registered in Central Administration, you have to change two things in the site that you wish to be the entry point to the system. Go to “Site Settings”, “Content Organizer Settings” and make sure that the checkbox “Sending to Another Site” is set.

Now you can go to “Site Settings”, “Content Organizer Rules” of the site and create a rule that can target another site.

There is one limitation to this approach: you can target a different site but you can’t target a specific document library on that site. The document will be routed to the Content Organizer on that site and its rules will be enforced. So, in order to overcome this limitation you have to add a rule on the destination site that will route the document into a specific document library.

As it begins to become a little tricky to explain in words, I’ll draw a quick diagram to explain how my system works:

I add the routing rules to the Root Site that will send the newly uploaded document to the correct site, according to a Type column (in my case it’s a Managed Metadata column but it could be any type of column that can be compared to). When the document arrives to the Content Organizer on the destination site, I put two simple rules there:

  • If the Type of the document is the correct one, I move the document to the corresponding document library
  • If the Type of the document is not the correct one, I route the document again to the Root Site

The purpose of this loop is to minimize the number of rules for the correct classification. If the user uploads a Sales document on a HR site, I’d have to write the rule that moves it to the Sales site. By keeping all the routing logic for the different site at the Root Site level, I just have to send the document to the root site in order to get classified correctly.

Note: this setup can cause an infinite loop if you mess with the rules and conditions, so please double-check them.

PowerShell to the Rescue

So, we have seen how to organize a multiple-site hierarchy with the Content Organizer feature. I admit that the only boring thing in the whole process is the act of building the “Send To” connections by hand. I have created a tiny PowerShell script that will do that for you. It will parse the given web application URL, iterate over all the sites in the site collections and then will add the sites with active Content Organizer to the “Send To” connections.

Congratulations Microsoft MVP 2013!

This is the subject of the email I received on the Fool’s Day. Luckily it was not a joke, it was the confirmation of my nomination as SharePoint MVP. I still don’t believe it fully, but I slowly begin to adapt to it.

In the Catalonian SharePoint User Group event SharePoint 2013 Novedades y más allá we expressed our long-term view in which Barcelona should become the “SharePoint City”. Now we have 2 SharePoint MVPs here who are keen to keep the things in motion. We want to host the European SharePoint Conference 2014 in Barcelona, please!

What is MVP?

MVP, or Most Valuable Professional, is an award bestowed by Microsoft upon the professionals that excel in the contribution to the technical community, within the scope of a Microsoft product. Microsoft's official MVP page explains it in depth.

And now, what?

Well, the idea is to keep sharing the little I know with the people who find it interesting and to keep helping the community with humility and a spirit of service. In a nutshell, what I have been doing for the last few years. In a couple of months I’ll find a way to merge this blog and my Spanish language blog and give a new visual identity to the new, unified blog. Ideas are welcome!

To all of you who have kept encouraging me to contribute to the community in all these years, a big thank you!