Thursday, October 9, 2014

Best practice to implement NextLabs policy to manage SharePoint entitlement

Our company is implementing SharePoint 2013 NextLabs entitlement management tool to restrict users access to certain site collections even they might have already granted permissions. This is implemented to configure NextLabs policy that will include the Portal Resource component that references the SharePoint site collections we would need to block.

While we add the following SharePoint site collection URLs like sharepoint://** to Portal Resource component, we found the policy applies to some sites. In our cases we have a “Deny” policy and defined users will be blocked to some sites but not all sites listed in the NextLabs Portal Resource component. After extensive debugging and we found one of major issues is that NextLabs picks up the site URLS differently based on the on the page the user is accessing that is causing this issue. Here are two scenarios.

Scenario #1 - If user accesses sites/test/sitepages/home.aspx, NextLabs SharePoint Enforcer component (SPE) considers the user is accessing the site instead of some content in the site, and thus pass in sites/test to the Policy Controller
Scenario #2 - If user accesses sites/test/sitepages/foo.aspx, NextLabs SharePoint Enforcer (SPE) component considers the user is accessing a page/content in the site, and thus pass in sites/test/ to the Policy Controller

As a result, if we configure sharepoint://** in the policy, it will only block the second scenario but not the first scenario. You might find that this configuration would likely to apply ALL SharePoint sites site created from SharePoint Publishing Portal or sites with portal publishing feature enabled. This configuration would NOT apply to team sites without portal publishing feature enabled. Now the mystery resolve, the sites that are blocked are all Publishing Portal sites and the sites that were not blocked are team sites w/o portal publishing feature enabled!

Now you should understand the best practice we could configure NextLabs Portal Resource component. If you plan to block the site like, you should add the following two entries into the NextLabs Portal Resource component to cover both scenarios discussed above. I would also recommend to add “**” at the end of the server domain since it will cover the port number passed by the SharePoint.

  • sharepoint://**/sites/test/**
  • sharepoint://**/sites/test


You should NOT use the following list

It will block all the site like  and any variations starts with

We will discuss how we could automate the policy later.

No comments:

Post a Comment