Our company is implementing the NextLabs entitlement management tool for SharePoint 2013 to restrict users' access to certain site collections even when they have already been granted permissions. This is done by configuring a NextLabs policy that includes the Portal Resource component, which references the SharePoint site collections we need to block.
When we added SharePoint site collection URLs like sharepoint://sharepoint.mycompany.com/sites/test/** to the Portal Resource component, we found that the policy applied to only some sites. In our case we have a “Deny” policy, and the defined users were blocked from some sites but not all of the sites listed in the NextLabs Portal Resource component. After extensive debugging, we found that one of the major issues is that NextLabs picks up the site URL differently depending on the page the user is accessing. Here are two scenarios.
Scenario #1 - If the user accesses sites/test/sitepages/home.aspx, the NextLabs SharePoint Enforcer (SPE) component considers the user to be accessing the site itself rather than some content in the site, and thus passes sites/test to the Policy Controller.
Scenario #2 - If the user accesses sites/test/sitepages/foo.aspx, the NextLabs SharePoint Enforcer (SPE) component considers the user to be accessing a page/content in the site, and thus passes sites/test/ to the Policy Controller.
As a result, if we configure sharepoint://sharepoint.mycompany.com/sites/test/** in the policy, it will only block the second scenario but not the first. You might find that this configuration would likely apply to ALL SharePoint sites created from the SharePoint Publishing Portal or sites with the portal publishing feature enabled. This configuration would NOT apply to team sites without the portal publishing feature enabled. Now the mystery is resolved: the sites that were blocked are all Publishing Portal sites, and the sites that were not blocked are team sites without the portal publishing feature enabled!
Now you should understand the best practice for configuring the NextLabs Portal Resource component. If you plan to block a site like https://sharepoint.mycompany.com/sites/test, you should add the following two entries to the NextLabs Portal Resource component to cover both scenarios discussed above. I would also recommend adding “**” at the end of the server domain, since it will cover the port number passed by SharePoint.
- sharepoint://sharepoint.mycompany.com**/sites/test/**
- sharepoint://sharepoint.mycompany.com**/sites/test
You should NOT use the following entry:
- sharepoint://projectsdev.qualcomm.com**/sites/test**
It will block every site like https://sharepoint.mycompany.com/sites/test123 and any other variation that starts with https://sharepoint.mycompany.com/sites/test.
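
An added example (not from the original post and not NextLabs code): a small Python check that replays the resource strings from the two scenarios against candidate Portal Resource entries, to confirm that a deny list has no gaps and does not over-block before it is deployed. It assumes `**` matches any run of characters; the matcher, the `:443` port form and the sample resource strings are constructed for illustration, and every entry uses the post's sharepoint.mycompany.com host.

```python
import re

HOST = "sharepoint://sharepoint.mycompany.com"

# Candidate Portal Resource entries discussed in the post.
ORIGINAL = [HOST + "/sites/test/**"]
RECOMMENDED = [HOST + "**/sites/test/**", HOST + "**/sites/test"]
TOO_BROAD = [HOST + "**/sites/test**"]

# Constructed resource strings: (value passed to the Policy Controller, must be denied?)
CASES = [
    (HOST + "/sites/test", True),       # scenario 1: site itself, no trailing slash
    (HOST + "/sites/test/", True),      # scenario 2: content in the site
    (HOST + ":443/sites/test", True),   # assumed form when a port is passed
    (HOST + "/sites/test123", False),   # neighbouring site that must stay reachable
]


def entry_matches(entry, resource):
    """Assumption: '**' matches any run of characters; all else is literal."""
    literal_parts = [re.escape(part) for part in entry.split("**")]
    return re.fullmatch(".*".join(literal_parts), resource) is not None


def audit(entries, cases=CASES):
    """Return (gaps, overblocks) for a deny policy built from `entries`."""
    gaps, overblocks = [], []
    for resource, must_deny in cases:
        denied = any(entry_matches(e, resource) for e in entries)
        if must_deny and not denied:
            gaps.append(resource)        # user still gets in
        elif denied and not must_deny:
            overblocks.append(resource)  # unrelated site is blocked
    return gaps, overblocks


if __name__ == "__main__":
    for name, entries in [("original", ORIGINAL), ("recommended", RECOMMENDED),
                          ("too broad", TOO_BROAD)]:
        gaps, overblocks = audit(entries)
        print(f"{name}: gaps={gaps} overblocks={overblocks}")
```
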
We will discuss how we could automate the policy later.