SharePoint Zip: A Black Blade Associates blog. Struggling with SharePoint? We can help.


Blog moved: This blog has moved to http://thingsthatshouldbeeasy.wordpress.com. Go there now to see the new posts.


Tuesday, January 26, 2010

SharePoint Folders vs. Metadata

There are many posts out there extolling the virtues of using metadata over folders for organizing information in SharePoint 2007. I certainly believe that metadata is a great tool for classifying information, but it is incorrect to ask whether to use folders or metadata to organize information. Rather, it is more appropriate to ask when to use folders and when to use metadata. This post is not intended to be an in-depth discussion of information architecture. Instead, I wanted to provide a few pointers on when to use folders and when to use metadata. The following is a brief comparison between folder and metadata capabilities in the SharePoint platform. The context of the comparison is only out-of-the-box (OOTB) capabilities. With enough custom code, folders and metadata could be made equivalent.

Capability: Folders vs. Metadata

Security
  Folders: Folders can be used to propagate permissions and control access to the resources the folders contain.
  Metadata: None.

Content Type Order
  Folders: Folders can control which content types users can create using the New menu on the list toolbar. Folders can also control the order in which the content types appear in the menu.
  Metadata: None.

Navigation
  Folders: Folders are intrinsically part of the navigational infrastructure in the SharePoint platform.
  Metadata: Metadata can be used to control navigation, but this requires creative approaches. List View web parts showing filtered list views can provide metadata-based navigational capabilities. While this requires no custom code, it can be labor intensive to add the web parts to a large number of pages. Additional metadata-based navigation can be accomplished through custom code.

Url
  Folders: Folder names form portions of the Urls of the SharePoint resources the folders contain.
  Metadata: None.

Tools Support
  Folders: Most Microsoft and 3rd party tools inherently know how to work with folders in the SharePoint platform.
  Metadata: Metadata support in 3rd party tools is spotty. While a tool from one vendor will generally understand how to handle its own metadata, the tool will generally not understand how to handle the metadata from another vendor’s tool. This can make it challenging to incorporate metadata from multiple vendors’ tools into a single SharePoint information architecture.

Search
  Folders: None.
  Metadata: Metadata is indexed by SharePoint search and will return results based on keyword searches. MOSS 2007 also supports promoting selected metadata to searchable properties.

Sort
  Folders: None.
  Metadata: Metadata can be used to control the order in which items are displayed in list views.

Filter
  Folders: List views can be configured to show only the list items contained within a folder and its sub folders.
  Metadata: Metadata can be used to control which items are displayed in list views.

Group
  Folders: None.
  Metadata: Metadata can be used to group list items together in list views. List views limit grouping to two hierarchical levels.


As you can see, folders and metadata each have their own capabilities and effects on a SharePoint information architecture. A proper SharePoint information architecture will contain the judicious use of both folders and metadata.


Thursday, January 07, 2010

Free Blog Importer: Blogger to SharePoint blog


Black Blade Associates (my company) has released a free tool that will let you import your Blogger blog into a SharePoint blog site. This is the tool I used to import this blog to the company SharePoint blog site. Here’s some info about the tool from the Black Blade site:

  • Simple wizard-driven interface
  • Supports importing from Google Blogger
  • Import all or only selected posts
  • Map blog authors to SharePoint users
  • Imports categories
  • Re-targets links to posts to target blog site
  • Re-running the import won't duplicate posts
  • Supports standard SharePoint blog sites or CKS EBE-enhanced blog sites

Go to the Black Blade Blog Importer site to read more, view screenshots, and download the tool and source code.


Identity and Access Management Simplified, Part 1

I’ve talked to many customers who were looking to make the various applications in their organizations behave as a single system to their end users. This is a great goal as it leads to many benefits from higher user productivity to lower training costs. However, the discussion invariably comes around to the question of how users will interact with the various applications. Because the login is the first part of a user’s interaction with a system, the discussion begins to focus on identity and access management (IdM or IdAM).

I’ve found that the discussion quickly becomes very confused and muddied. In retrospect, most of the confusion seems to stem from a lack of understanding of all of the moving parts involved in identifying a user or in giving that user access to a resource. I find that rather than talking about IdM as a whole first and drilling down into greater detail later, it is better to start with a clearly defined list of the components involved in IdM and then see how they fit together.

This post is not intended to go into great detail about IdM. There are many other online resources that go into very great detail about each aspect of IdM. Instead, the goal of this post is to provide an overview of the components involved in IdM and to provide an example of how these components work together to provide users with access to a system. Ideally, a semi-technical person would be able to read this post and get the big picture about IdM.


System

A system is a collection of 1 or more computing devices that have a consistent notion of user identity. The more computers and devices that we can include in this collection, the better the experience will be for the user when accessing those computing devices.

Examples:

  • A desktop computer
  • A server
  • A video game console
  • A smart phone
  • A group of servers and desktops tied to an organization’s user directory
  • All computers and devices on the Internet
  • All computers and devices in the world


Credential

A credential is a piece of information that a user supplies to a system to prove the user is who he/she claims to be. This information is often composed of a publicly known component, such as a username, and a private component, such as a password. A single credential (such as a client certificate) may be associated with multiple user accounts in multiple systems. This principle is often used by systems implementers in adding user single sign-on capabilities across multiple systems.

Examples:

  • Username and password
  • Client certificate
  • Smart card and pin
  • Biometrics


Authentication Token

An authentication token is a passkey (usually temporary) to one or more systems that is independent of the credentials and authentication mechanism. Depending on the system and the form of the authentication token, the authentication token may be encoded, digitally signed, and encrypted. One of the most important characteristics of an authentication token for suitability with single sign-on (SSO) is the transportability of the token. Many types of tokens are not transportable from the computing device to which they were issued, leading to what is referred to as “the double hop issue.”

Examples:

  • Windows logon token
  • Kerberos ticket
  • SSO cookie
  • Session ID


Authentication Mechanism

The authentication mechanism is the protocol that a client uses to transmit credentials to a service and the service uses to transmit an authentication token back to the client. Different authentication mechanisms have differing characteristics, such as their encryption strength and network protocol requirements.

Examples:

  • NTLM
  • Kerberos
  • HTTP Basic
  • HTTP Digest
  • OpenID
  • Windows Live ID


Security Principal

A security principal is an entity that is able to have permissions within a system. It is important to note that while many systems have a one-to-one correlation between user accounts and security principals, systems are not required to treat user accounts as security principals. In fact, some systems make explicit distinctions between user accounts and security principals. Users of these systems must explicitly select a security principal in whose context they will use the system after login, and can often switch their security principal context as they use a system.

Examples:

  • User account
  • Group
  • Role


User Account

A user account is an entity within a system through which the user interacts with the system and to which the system can link one or more credentials, security principals, and authentication tokens. All other user properties not used to enable user logon are part of the user profile.

Examples:

  • User account
  • Service account
  • Computer account


User Profile

A collection of properties representing a person within a system. A user profile may have 0, 1, or more user accounts associated with the profile. Most systems, however, associate a single user profile with each user account. The user account and user profile information may be stored in the same physical store or in different physical stores. Systems generally use user profiles to provide users with a more personalized usage experience. User profile information is generally not used to log users into a system.

Examples:

  • Name
  • Street address
  • Email address
  • Tax identification number


Securable Object

Any resource to which the system can restrict access using access control lists.

Examples:

  • Network file share, folder, or file
  • Document
  • Site, page
  • Mailbox


Permission

The right to perform a particular action on a securable object. The types of available permissions will vary depending on the type of the securable object.

Examples:

  • Create
  • Read
  • Update
  • Delete
  • Delegate
  • Take ownership


Access Control List (ACL)

A list of three-tuples in the form of [securable object, permission, security principal]. Most systems store and retrieve ACLs using the securable object as the key value for storage and retrieval. This allows the systems to easily answer questions like, “Who has what type of access to this securable object?” However, it makes it much more difficult for the systems to answer the questions like, “What are all of the securable objects to which this security principal has access,” or “What are all the security principals that have this permission to any securable object within the system?”

Examples:

  • Access permissions for a security principal on a network file share, folder, or file
  • Access permissions for a security principal on a site or page
  • Access permissions for a security principal on a mailbox


User Identity

All of the knowledge that a system has about a real person across all actions the user takes within the system. User identity is not the same as a user account. Just as a person (a user identity) may have multiple bank accounts, a person may also have multiple user accounts. Unfortunately, most systems do not support associating multiple user accounts with a single user identity.

Examples:

  • Eugene Rosenfeld
    • List of user accounts
    • List of user profiles
    • List of security principals
    • List of access control lists
  • Outlook associates multiple email addresses and instant messaging addresses with a single contact (user identity)
  • Palm Web OS associates multiple user accounts with a single contact (user identity) in its contact application
  • Trillian instant messaging client associates multiple instant messaging service accounts (MSN, Yahoo, AIM, ICQ, etc…) with a single instant messaging contact (user identity)


Single Sign-On (SSO)

There are many definitions for single sign-on (SSO). SSO is not really a core component of identity and access management. Rather, SSO is the very desirable goal of a system’s IdM implementation that a user has to provide only one set of credentials to gain access to all system resources and all systems to which the user has access. SSO does not necessarily ensure that the user has a single identity across all systems, only that the user has to provide only one set of credentials to access the systems. SSO typically does not control permissions. SSO is there to ensure that a user can get to another application within a system or to another system. Once at the other application or system, it is up to that application or system to determine what privileges the user has, and to which resources the user has access, if any.

Examples:

  • Multiple web sites using OpenID or Windows Live ID (formerly Microsoft Passport) to authenticate a user. In this case the user has one set of credentials (the OpenID or Windows Live ID) but multiple identities, one per web site. The sites do not communicate with each other so there is no cohesive system.
  • Multiple web sites using OpenID to authenticate a user and correlate the user’s activities across the web sites. In this case the user has one set of credentials and one identity. The sites share information about the user’s activities on the other sites and act as one system. The user may have multiple user accounts (to which the single credential is mapped) and multiple user profiles, one per site.


Stay tuned for part 2

In part 2 I will provide an example or two of how a system would combine the various components described in this post to authenticate and authorize users, and to establish their identities within the system.

This is my first crack at this type of post. I welcome constructive comments and corrections.



Tuesday, January 05, 2010

HOW TO: Add web parts to SharePoint Item pages

I was thrilled when I first started working with WSS V3 and saw that the list item pages for creating, viewing, and editing list items were actual web part pages. This opened up a way to customize these pages for various lists in a way that was very difficult to do in WSS V2. But then I was shocked to find that the pages lacked an option to place them into edit mode. I knew these were web part pages because I could open them using SharePoint Designer 2007 and add web parts that way, but that was not always an option, especially when working on a client’s computer.


I examined what happened on other pages when a user placed them into edit mode. It turns out to be fairly simple. All the web user interface needs to do is call the “MSOLayout_ChangeLayoutMode(false)” JavaScript method. Thankfully, Internet Explorer 8 has a very handy way to do this using the IE 8 Developer Tools Script Console. Here’s what you do:

  1. Navigate to the list’s Item page that you want to edit in Internet Explorer 8

    New Item  - <list_url>/NewForm.aspx
    View Item - <list_url>/DispForm.aspx
    Edit Item - <list_url>/EditForm.aspx

  2. Open the developer tools from the Tools menu or use the “F12” key

  3. Switch to the Script tab

  4. Execute the following JavaScript in the Run Script text box:
    window.location = 'javascript:MSOLayout_ChangeLayoutMode(false);';


Presto! The page is now in edit mode and you have the familiar tools to edit and remove web parts. Just be careful: do not remove the New Item form from the page or you will need SharePoint Designer to add it back. The interesting thing is that once you’ve done this for a list form, that form will then have the Edit Page menu item back on the Site Actions menu.


Monday, January 04, 2010

Blog Exported to my Company’s SharePoint Site


Update

Black Blade has released the Blog Importer tool, the one I used to export my blog. Download the tool today.


I’ve exported the posts in this blog to my company’s SharePoint blog site: Black Blade Associates Blogs.



Why?



I had a few reasons for exporting the posts. First, I wanted to generate more direct traffic to my company’s site from the search engines. The best way to do that is to have content on the site for which people are searching. Since many of my posts are related to SharePoint or other Microsoft products and technologies, the people reading the posts are exactly the people I want to see Black Blade’s site.

How?



Ok, when I started the process, I thought it would be a no-brainer. I thought there must be a tool out there to import a public blog into a SharePoint blog site. If there is, I could not find one. So I wrote my own. I have to say that it came out pretty good. The tool is a wizard-driven Windows Forms application that accepts a Blogger export file and a SharePoint blog site Url as inputs. You can tell the tool which posts to import, how blog authors will map to SharePoint users, and whether to rewrite the links that point to posts to use the SharePoint Url rather than the public blog Url.

One odd item I ran into was that while the tool worked great when importing to a default SharePoint blog site, the posts did not appear if the blog site had the Community Kit for SharePoint Enhanced Blog Edition (CKS EBE) applied. There were no import errors, but the posts just did not show up. Since we use CKS EBE on the Black Blade blogs site, this was obviously an issue I had to fix. After a bit of tinkering, everything worked well.

“How do I get this tool,” you ask? We will be releasing the tool and source code for FREE to the SharePoint community soon.

What’s Next?



Now that my posts have been imported to my company’s blog, I will post new articles to both sites. How? I plan to use Windows Live Writer with the xPollinate (as in Cross Pollinate or cross post) plug-in. I’ve been a fan of Windows Live Writer for a while. I’m even more pleased that I can continue to use the tool now that I have multiple blogs to which I need to post. Here’s a great article that describes using xPollinate and Windows Live Writer to post to multiple blogs. One nice thing about xPollinate is that it lets you decide on a post-by-post basis to which blogs it should be published.

Check back soon for news on the SharePoint Blog Import tool. Happy blogging.