
Monday, 5 March 2012

SharePoint Rockstar - a Nickelback Parody

This was inspired by a short twitter conversation with @cimares, @ToddKlindt and @usher about the #SharePoint #Rockstar and the potential for a rip off parody of the Nickelback song "Rockstar"..

Basically I felt like finishing the song off .. so without further ado .. to the tune of Nickelback's "Rockstar" I give you ..

SharePoint Rockstar..

I’m through with coding in line
And unghosting everything
I’m using SharePoint Designer
And I’m never gonna win
The solution didn’t turn out
Quite the way I want it to be
(Tell me what you want)

I want a brand new blog,
with the comments all filled
And a server room I can play baseball in
And a laptop full of software that
I got for free
(So what you need?)

I’ll need a Skype account that’s got no limit
A huge laptop with an SSD in it
Gonna get my own
parking space at TVP
(Been there, done that)

I want to get an invite to a conference pass
My own seat up in Business Class,
Somewhere between Spence and
Steve Smith is fine for me
(So how you gonna do it?)

I’m gonna tweet like mad, adopt SharePoint zen
I’ll use the hashtag  #SP2010

[Chorus:]
‘Cause we all just wanna be big rockstars
Fixing errors in the logs that are just bizarre
I code so much I got RSI, but my User Profile Service gonna start first time!
And we’ll hang out in the SharePint bar
In the VIP with the SharePoint stars
Every ITPro and coders
gonna wind up there
With our free vendor shirts
That we just won’t wear
Hey I wanna be a SharePoint rockstar
Hey I wanna be a SharePoint rockstar

Wanna be great like Eric Schupps but without the hat
Pass every single exam I’ve sat
Talk at the User Group
So I can get my drinks for free
(I’ll have a SharePint on the house!)

I’m gonna get the latest version
Setup on my VM
Get a free Ultimate key to MSDN
Gonna date a designer
who builds all my sites for free
(so how you gonna do it?)

I’m gonna tweet like mad, adopt SharePoint zen
I’ll use the hashtag  #SP2010

[Chorus:]
‘Cause we all just wanna be big rockstars
Fixing errors in the logs that are just bizarre
I code so much I got RSI, but my User Profile Service gonna start first time!
And we’ll hang out in the SharePint bar
In the VIP with the SharePoint stars
Every ITPro and coders
gonna wind up there
With our free vendor shirts
That we just won’t wear

And we’ll hang out in the speaker rooms
With all the MVPs and whoever is cool
I’ll build you anything with cascading styles
Everybody’s got a contractor on speed dial

Hey I wanna be a SharePoint rockstar

I’ll annoy QA by writing messy code
I’ll deploy my solutions in debug mode

I’ll get an off-shore team to write all night long
Then I’ll code it again because they’ll get it all wrong ..

[Chorus:]
‘Cause we all just wanna be big rockstars
Fixing errors in the logs that are just bizarre
I code so much I got RSI, but my User Profile Service gonna start first time!
And we’ll hang out in the SharePint bar
In the VIP with the SharePoint stars
Every ITPro and coders
gonna wind up there
With our free vendor shirts
That we just won’t wear

And we’ll hang out in the speaker rooms
With all the MVPs and whoever is cool
I’ll build you anything with cascading styles
Everybody’s got a contractor on speed dial

Hey I wanna be a SharePoint rockstar
Hey I wanna be a SharePoint rockstar

Monday, 20 February 2012

Hey check out my new brick .. it looks just like a Nokia Lumia 800!

Today has not been a good day as I am now holding a completely useless "bricked" Lumia 800 .. but first let us wind back 3 weeks when my wife and I became proud owners of brand spanking new Nokia Lumia 800 phones running Windows Phone 7.5 ("Mango").

The new Nokia Lumia 800, running Windows Phone 7.5
Yep .. that's right .. we both got the same phone (she got the blue / cyan one .. I got the black one). You might think this a little sad (his and hers?) but honestly I find providing "tech support" far easier when we both have the same handset ;)

Anyway .. so we left the store, brand new phones in hand. They were very shiny, they looked slick, they started up quickly and seemed like honestly damned good phones.

We both got our email setup quickly (both Hotmail and Exchange accounts) and while my better half was merrily catching up on Facebook, I was very impressed with the SharePoint integration and how it automatically configured the Office Hub when it realised my email account was on Office 365! Very slick...

What Battery Problems?
Now I had heard that there were battery problems, but a recent software fix seemed to sort this out. One of the very first things I did (with both phones) was plug them into Zune, get them synced up and install the latest software fix (so my phone is currently fully patched and running the latest version!).

My wife's phone was having an issue with battery life before the update (it dying after 12-15 hours) but this was well documented, and after we updated the phone everything seemed to be fine ..

in short .. life in the Hatch household's mobile world was good ..

so now let's wind on to last week ..

What do you mean you can't turn it on ??
The first sign of problems was actually on my wife's phone (the blue/cyan one for those of you paying attention!). She was coming to meet me in London after work and the usual agreement of "I'll send you a text message when I'm outside your office" .. now the work day came, went and started slipping when I finally got a phone call from a pay-phone ... my wife was frantic as her phone had turned itself off despite still having over 20% battery life remaining! and it would not turn on!

Eventually I managed to meet up (strangely difficult without constant-on communication .. how on earth did I manage before I had a mobile phone?) and I looked at the handset itself... I tried 6 times in a row to turn the phone on and kept trying periodically for another 10-15 minutes ... I tried it again one final time and it worked, buzzing into life like a defibrillator had just kicked it into life. I quickly logged in, went to the Settings and checked the "Battery Saver" and it said it had 23% battery with approximately 15 hours remaining .... how bizarre ...We didn't see the problem happen since (and we both use our phones quite a lot every single day) so I put it behind me and we kind of forgot about it ..

now let's wind on to today (or more accurately last night)

Congratulations! It's a Brick!
I was heading over to a friend's house .. now this particular friend has been having problems with his Android phone and was quite keen on looking at the latest flagship Windows Phone .. so I took mine out of my pocket and tried to unlock it ... nothing .. dead as a doornail.

I tried to turn it on .. nothing ... held down the power button for up to 30 seconds ... tried again .. still nothing. So then I thought .. "maybe the battery is dead??". So I borrowed his micro-USB charger and left it to charge for 20 minutes. I then came back .. still won't power on.

So now I am panicking .. I took my precious new phone home and left it on charge for 9 hours overnight but this morning? Nothing .. no life .. completely dead.

Now I have since attempted various tricks on the internet from various forums:
  • Some people said it can't recharge if the battery hits 0% so heat the phone up and THEN try plugging it in .. this didn't work!
  • Tried holding down the power button for 8 seconds (apparently this resets the power-cycle) .. that didn't work
  • Tried unplugging and re-plugging the charging cable several times in a row while either holding down or randomly trying the power button ... didn't work
  • Tried a "hardware reset" by holding down the Volume Down, Camera and Power buttons ... that didn't work either!
So what now? My new shiny Lumia 800 is officially bricked!

I will be taking this back to the Orange store that I got it from ASAP .. I expect them to replace it .. but I have already seen evidence of this strange issue on my wife's phone last week .. so will this keep happening?

I really hope this is a software bug (so they can release an update) .. or perhaps a really rare glitch in hardware that just HAPPENS to have struck both me and my other half at the same time.

If any of you have experienced the same problem please let me know in the comments... Otherwise I'll see what happens when I get mine replaced / repaired and let you all know!

Thursday, 16 February 2012

21 Things I would do if I was an evil SharePoint overlord!

  1. All site collections will be deployed with site collection quotas allowing only 1 sandbox resource point
  2. The Site collection storage limit warning will be set at 1mb for My Sites with the entire company set as the warning email address
  3. I will insist that all site collections are created with their own host name URL. This will force any BI tools to require new SPNs for Kerberos configuration
  4. Ideally, each of these sites will have their own Web Application, and their own application pool, which will force them to buy new servers so keeping within the "10 application pools per server" guidelines which I will give them
  5. Every web application will have a custom service connection proxy group, so every time a new service application is created they will have to manually add it to each web application's custom proxy group
  6. All databases will be created through Powershell by concatenating random GUIDS (in addition to the ones SharePoint creates automatically)
  7. While developing, all of my API classes will be public with internal constructors
  8. All default site content will be deployed using HTML encoded XML, with multiple unnecessary nested divs and empty spans.
  9. Feature Stapling will be banned .. as will Content Types
  10. I will configure all Diagnostics Log categories to "Verbose", disable flood protection and only keep log files for 1 day, making it a painful and arduous task to troubleshoot issues.
  11. Each SharePoint server will install to a non-default directory. This will be different for each server to keep the admin team on their toes.
  12. I will include a script which adds expiration policies to the "Document" content type in each site collection .. this will bombard the author with emails if they don't update their documents every 2 weeks, therefore keeping the content fresh
  13. SharePoint Designer will be unblocked, and its usage will be encouraged!
  14. The User Profile database will be configured to crawl every 2 minutes .. keeping the process continually running so no-one can modify the connections
  15. For contrast, the default Search content source will only index User Profile content every 56 hours .. so no-one can be exactly sure when it will be updated
  16. Each web application will be given different URLs for each department. IIS bindings will be put in place, but no alternate access mappings so they cannot share links or embedded urls with each other.
  17. The default zone will be set as Read Only via a policy so that items found in search results cannot be edited. There will be an alternate URL, but access mappings won't exist so users will have to swap it out manually
  18. The reply-to email address for all notifications will be set as the company switchboard.
  19. All custom web parts will, where possible, be deployed as Farm Features .. so that everyone can see them, but will only be configured to work on specific sites.
  20. We will not have specific servers .. all farm servers will run all of the services. I will convince the IT team that this makes their lives easier as they only need 1 server spec when buying new machines.
  21. I will set the quota of the my site host to 10MB so that only the first few users will be able to upload their profile picture.

Suggestions are welcome in the comments :)

Monday, 6 February 2012

I'm speaking at the International SharePoint Conference

Yep, it's that time again and one of the biggest, most innovative and best SharePoint conferences is back for another year.

This conference has been through a few iterations in its time going by the names "SharePoint Best Practice Conference" and "SharePoint Evolution Conference" but they have now dropped those for a more simplified "International SharePoint Conference".

The conference is held in London, Westminster (April 23rd - 25th) and this year promises to be an absolute cracker! The best thing about this year's conference is that they are doing "Solution" tracks, following a single thread from concept all the way through. This will involve all angles from IT Pro, Developer, Information Worker .. and really helps to tie together all those pieces that make up a single complex problem. For the first time you won't have a session saying "well .. this next bit is really important but we don't have time .." at this conference they will make the time, whether they need 3, 4 or even 6 sessions to get through the whole problem.

One of the best quotes comes from the organiser, Steve Smith (@SteveSmithCK):
As you can see it is very exciting and different unlike any other agenda attempted by a SharePoint conference.

For example: A total of 10 solutions over the three Information Worker tracks based on different real world scenarios with one solution alone covering 7 sessions to completion and speakers working together over the sessions to build the solution.

A lot of people have asked me how I have been able to build such an agenda. The answer is pretty straightforward. Unlike most SharePoint conferences, which are run by conference events companies, Combined Knowledge actually understands SharePoint and we know the people out there who are specialists in those subject areas to come and talk on it. We have been working with SharePoint for 10 years and over those years I have had the privilege to meet some very smart people in the SharePoint world, and therefore I personally build the agenda and, along with some specialists from each track, we are working with the speakers to make it happen.

I also look at the current maturity model of the product and what type of content people are searching for and then finding the best way to deliver that content in a format that people will enjoy watching and listening to as well as learn from it. In my opinion that is the only way you can truly deliver a conference that provides the attendees with the knowledge needed to take away and use in the real world.
The Agenda and Speaker List looks amazing .. if you haven't bought a ticket yet then you are most definitely missing out!

I'm speaking too ...

And this year I have my own slot talking about Real World: Building a global Business Intelligence Extranet, from End Users to Support and Operations.
(CS701).

This is basically a combination of technical and logistical problem solving involved at my main project over the past 12 months delivering a global Business Intelligence extranet in SharePoint 2010.

The main thing here is that we are not just talking about the technical problems (like multiple languages and scalability) but more about the operations and admin side of things, like how do you track and manage security for thousands of databases and thousands of users at the same time?

There is also the problem of processing and updating tens of thousands of OLAP cubes every month, and add to this other third party BI tools (which sit alongside Excel Services, PerformancePoint Services and Reporting Services) and you have a big challenge on your hands.

Well, I certainly hope to see you there. Even if you don't make it to my session (there are loads of great session tracks on all three days) then grab me during one of the breaks, or one of the SharePints afterwards and I'll be happy to chat.

Friday, 3 February 2012

DNS Records required to use Lync Online (Office 365) with a Vanity Domain

Note - this only applies if you have your own "vanity domain" such as companyname.com. This does not apply if you are using the Microsoft Online domains "onmicrosoft.com"

I've seen quite a few people asking for help with this, and struggled a little bit when I first set this up myself, so I thought I would post the DNS entries that are required to get Lync Online working.

These are generic DNS records, so it doesn't matter what server / service you have.

Now, first off you will need to get yourself a relatively advanced DNS Management Service. I personally use the most excellent Zone Edit (www.zoneedit.com). This is completely free and allows you a very high level of control over what records you can create. I have found with some of the other DNS management sites that sometimes you cannot create some of the required records (such as SRV records).
DNS Records described by Office 365 Portal

You need to create 1 SRV record and 2 CNAME records.

You can find these in your Office 365 Portal under "Domains" and "verify DNS Settings". Below is the screenshot from my own Portal Site for my domain "hatchsolutions.co.uk".


The thing to note is that it gives you the full host-name entry for each of the records you need to create. When you actually create these (depending on your DNS management tool) you will probably only need the prefix for the host name.

So the three records you need to create are:

  • _sipfederationtls
    • Type: SRV
    • Port: 5061
    • Weight: 1
    • Priority: 100
    • TTL: 3600 (seconds)
    • Target: sipfed.online.lync.com
  • sip
    • Type: CNAME
    • TTL: 3600 (seconds)
    • Host-Name: sipdir.online.lync.com
  • lyncdiscover
    • Type: CNAME
    • TTL: 3600 (seconds)
    • Host-Name: webdir.online.lync.com
So you can see above, I have only used the initial part of the full hostname. Having a CNAME record called "sip" in my managed domain "hatchsolutions.co.uk" gives me the fully-qualified address "sip.hatchsolutions.co.uk".

But ... that's not all ...

I also found in my environment that one more SRV record was required, which for some reason was missing from the official instructions. I honestly can't remember where I found this (credit goes to some wonderful person on the blogosphere somewhere) but the details are below:
  • _sip._tls
    • Type: SRV
    • Port: 443
    • Weight: 1
    • Priority: 100
    • TTL: 3600 (seconds)
    • Target: sipdir.online.lync.com
I found that once that is also in place, everything started working. You may need to wait for 24 hours (for this to propagate round the world's DNS servers) and you should be good to go! (I think I had to wait a good few hours before mine started working .. so please be patient!)
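To check a zone before you start waiting on propagation, here is an added example (not from the original post) in Python: a small parser for BIND-style zone records and a check for the four records listed above, run against two constructed fragments for the fictional domain example.co.uk. One fragment is complete; the other has only what the portal listed, with the "_sip._tls" record absent and an external CNAME target written without its trailing dot, so it also shows why that dot matters in a raw zone file. The federation SRV is spelled in its published form, "_sipfederationtls._tcp", which the list above shortens to "_sipfederationtls"; the priority, weight, port and target values are the ones given in the post.

```python
"""Sanity-check a vanity-domain zone fragment for the Lync Online records.

Constructed example for the post above; not code from the original post.
The zone text uses the fictional domain example.co.uk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str      # owner name, fully qualified, without trailing dot
    rtype: str     # SRV, CNAME, ...
    ttl: int
    rdata: tuple   # type-specific fields as strings; SRV = (priority, weight, port, target)


def _qualify(name: str, origin: str) -> str:
    """Resolve a zone-file name against $ORIGIN (the 'only the prefix' rule from the post)."""
    zone = origin.rstrip(".")
    if name == "@":
        return zone
    if name.endswith("."):          # already absolute
        return name.rstrip(".")
    return f"{name}.{zone}"


def parse_zone(text: str, default_ttl: int = 3600) -> list:
    """Parse a BIND-style zone fragment: $ORIGIN/$TTL directives plus single-line records."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        name, rest = tokens[0], tokens[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():        # optional explicit TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("SRV", "CNAME") and rdata:
            # the target is a domain name too: a missing trailing dot makes it
            # relative to the zone, which is exactly the mistake this catches
            rdata[-1] = _qualify(rdata[-1], origin)
        records.append(Record(_qualify(name, origin), rtype, ttl, tuple(rdata)))
    return records


# The records the post lists (priority, weight, port and target verbatim). The
# federation SRV is written in its published form with "._tcp"; the post
# abbreviates it to "_sipfederationtls".
REQUIRED = {
    ("_sipfederationtls._tcp", "SRV"): ("100", "1", "5061", "sipfed.online.lync.com"),
    ("_sip._tls", "SRV"):              ("100", "1", "443", "sipdir.online.lync.com"),
    ("sip", "CNAME"):                  ("sipdir.online.lync.com",),
    ("lyncdiscover", "CNAME"):         ("webdir.online.lync.com",),
}


def check_lync_records(zone_text: str, domain: str) -> list:
    """Return the problems found; an empty list means all four records are present and correct."""
    found = {(r.name, r.rtype): r for r in parse_zone(zone_text)}
    problems = []
    for (prefix, rtype), want in REQUIRED.items():
        fqdn = f"{prefix}.{domain}"
        rec = found.get((fqdn, rtype))
        if rec is None:
            problems.append(f"missing {rtype} record {fqdn}")
        elif rec.rdata != want:
            problems.append(f"{rtype} {fqdn}: have {' '.join(rec.rdata)}, want {' '.join(want)}")
    return problems


# Constructed zone fragment with all four records (names relative to $ORIGIN,
# except lyncdiscover, written absolute to show both forms resolve the same way).
GOOD_ZONE = """\
$ORIGIN example.co.uk.
$TTL 3600
_sipfederationtls._tcp      IN SRV   100 1 5061 sipfed.online.lync.com.
_sip._tls                   IN SRV   100 1 443  sipdir.online.lync.com.
sip                         IN CNAME sipdir.online.lync.com.
lyncdiscover.example.co.uk. IN CNAME webdir.online.lync.com.
"""

# Constructed fragment with only what the portal listed (no _sip._tls) and an
# external CNAME target missing its trailing dot.
PORTAL_ONLY_ZONE = """\
$ORIGIN example.co.uk.
_sipfederationtls._tcp 3600 IN SRV 100 1 5061 sipfed.online.lync.com.
sip 3600 IN CNAME sipdir.online.lync.com
lyncdiscover 3600 IN CNAME webdir.online.lync.com.
"""

if __name__ == "__main__":
    for label, zone in (("complete", GOOD_ZONE), ("portal only", PORTAL_ONLY_ZONE)):
        print(label, check_lync_records(zone, "example.co.uk") or "OK")
```

Once the records are live, the same four can be confirmed from a shell with dig, for example "dig _sip._tls.example.co.uk SRV", substituting your own domain.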



Tuesday, 15 November 2011

My top missing features in Windows Phone 7 - SharePoint Contacts, Tasks and Calendars

I have been an advocate of Windows Phone 7 (WP7) for quite some time now, especially having owned and used a WP7 device for over 9 months now. However, there are some things that I really do find lacking.

Microsoft have been pushing the SharePoint integration with WP7 quite hard, especially with the recent announcements for SharePoint Online to support BCS (which basically opens up the door to have WCF calls made from your Office 365 SharePoint Online site, so you could do two-way WP7 applications which integrate tightly with your SharePoint applications!).

However, there are some features which I think would really cement this device for small businesses as THE device to have.

Let me give you two example quotes from small businesses who were looking to implement Office 365 / SharePoint Online with a Windows Phone 7;

"Plumbing Business - We would like to use SharePoint task lists to document jobs and push those tasks to our plumbers using their phone.
Our problem is that when the plumber updates the task, we want it to write back to SharePoint.."
"Pub Landlords - We want to use SharePoint Online to track and store all of our suppliers and contacts that we use, but how do I get those contacts onto my phone? If one of my suppliers calls, how do I know who they are?"
These are just examples of some of the reasons why I think WP7 is missing a trick.

Missing Feature 1 - Use SharePoint Contacts as Phone Book
At the moment there is no way for my WP7 device to use a SharePoint contact list as a phone book. This is a MAJOR piece of functionality I have been asked about by the last 3 clients who were implementing SharePoint Online.

They have all of their contacts centralised and through the web. They can bring them into the desktop Outlook application (with even two-way synchronisation!) but they can't even get them read-only on their phone.

You really should be allowed to "link" one or more SP contact lists with your phone book, so that when someone in your sales team gets a phone call the contact details pop up.

Missing Feature 2 - WP7 overlay with SharePoint Calendar
Pretty similar story here for the calendar. Person is out on site and wants to engage with their {Supplier | Customer | Partner}. They get asked simple requests like "can you book a meeting room for us next week?"

How awesome would it be to be able to bring up a SharePoint Calendar being used for resource bookings, central meetings or events, and overlay it with your own personal calendars (so that you get notifications and can view everything in one calendar).

They already do this with Hotmail / Live accounts, so why not SharePoint? This really is a must .. the ability to invite / write to that Calendar from the standard Calendar interface would be a bonus!

Missing Feature 3 - Working with SharePoint Tasks
This is a standard one here .. and really works on so many different levels;
  • I want to see my tasks in a SharePoint List in my WP7 calendar
  • I want to get notifications on my WP7 when a SharePoint task is overdue
  • I want to be able to update the details of a SharePoint task while I am roaming, and people in the office to see those details straight away
If you can wire in the SharePoint workflow / events to the Task list this suddenly becomes very very powerful! You could build entire business centric applications using nothing other than some centrally controlled Task Lists, some Workflow (which you knocked up in SharePoint Designer in a couple of days) and an off-the-shelf WP7 device!

.....

This really is the tip of the iceberg, I could go on and on, but I really think that until this gets fixed the WP7 will continue to be nothing more than a decent consumer device, with little to offer to businesses beyond what other handsets are doing.

Any Android / iPhone / Blackberry (or lets face it .. 10 year old Nokia) can synchronise your Exchange Mailbox ... it is the SharePoint (and other LOB) integration that will make WP7 an "Enterprise" device!!

Monday, 14 November 2011

Summary of SharePoint Saturday UK 2011

Well, this was actually my first SharePoint Saturday experience and I have to say I was massively impressed! The whole day was very well organised and felt like other SharePoint conferences I have been to in the past (with a great variety of the sessions available and excellent quality and depth of the content being presented).

I actually brought a friend with me to SPSUK and he is mostly looking at Office 365 and Windows Phone technologies so that ended up being one of my main focuses as well. I also spent some time prepping (and packing away) from my session, as well as some time in the "Ask the Experts" room (where I met @MossLover and @SharePointBuzz for the first time :)) so I didn't get round to as many sessions as I would have otherwise liked.

Configuring Kerberos in a SharePoint 2010 Farm (#SPSUK06)
I was up first presenting this session and I was very pleased with how it went. We had a great turnout, some really good questions and (to my relief) all of the demos worked really well first time! :) This was a re-run of my SUGUK session in August on the same subject and I'm quite pleased with how the session shaped up.

It was very nice getting people coming up to me during the breaks, in the Ask the Experts session or even on twitter and email afterwards (asking questions, or just telling me how much they enjoyed the session) .. these kind of touch points really make the whole thing worthwhile :)

If you are looking for my slide decks then you can find them here:
They are branded for SUGUK but the content is the same so you should find everything you need :)


  • Download PowerPoint Slide Deck (PPTX) (zip)
  • View online using PowerPoint Web App

  • (PS - The PowerPoint Web App is powered by Office 365, so hope it works well for you. Feedback welcome!)

    Extending SharePoint 2010 LOB Apps to Windows Phone 7 (#SPSUK23)
    This was a good presentation by Chris Forbes (@chris_e_forbes) on Windows Phone 7 development and SharePoint 2010 integration. This is an area I am getting very interested in for two major reasons:
    1. Office 365 now supports BCS in SharePoint Online, so you can write "no-code" methods of calling WCF web services (which potentially allows the Windows Phone 7 "push notification" services which Microsoft host)
    2. The new "Mango" (Windows Phone 7.5) release includes back-ground tasks, which may allow a background application to respond to push notifications and execute custom code.
    This really opens up the doors in terms of having a very powerful zero-infrastructure solution leveraging both Office 365 and Windows Phone 7!

    Sort your processes with easy, effective InfoPath Forms and SharePoint Workflows (#SPSUK15)
    My final session of the day was with Ian Woodgate (@ianwoodgate) and ran through some cool InfoPath techniques (easy cascading drop-downs) and especially the InfoPath "Approval" mechanism which is being championed by Laura Rogers (@WonderLaura).

    Every time I look at InfoPath I get more and more impressed, and with Office 365 it really does open up a lot of doors in terms of process automation, workflow and external communications without having to write any custom code (which is ideal when, in SharePoint Online, your development is limited to the SharePoint 2010 Sandbox which restricts a lot of methods).

    Steve Fox - “SharePoint and the Cloud: Crash or Convergence?”
    The end of the day was spent with Steve Fox (@redmondhockey) from Microsoft giving us some live demos of the new Windows Azure platform and some SharePoint 2010 integration (both on-premise and using SharePoint Online) as well as Windows Phone 7.

    Wrap Up
    This was a really good day. I was quite surprised at the number of people there (for a free event, all day on a Saturday) and everyone had a very relaxed non-commercial attitude to the day which was refreshing for a "conference" type event.

    I will definitely be going to the next one .. and I seriously recommend that you do too!

    To sum up the day I'll quote from my friend (@Denyerec)

    Back from , or by its other name . Very worthwhile day out.


    Tuesday, 4 October 2011

    Scaling to 10,000 unique permissions - Part 2 - The Solution

    This follows on from my previous post; Part 1 - The Problem

    The main requirement was:

    • One SharePoint 2010 site
    • 10,000+ uniquely permissioned objects each with a different user account

    In this post we will be discussing the solution which involves programmatically creating unique permissions in a way which will scale for (what should be) well over 10,000 uniquely permissioned items...

    Introducing yet another little known SharePoint API call ...

    This is only possible because of one of the new SharePoint 2010 API calls;

    SPRoleAssignmentCollection.AddToCurrentScopeOnly()

    http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.sproleassignmentcollection.addtocurrentscopeonly.aspx

    This basically adds the specified SPRoleAssignment but does not create any of the Limited Access scopes on the parent objects.

    This is pretty straightforward and works in exactly the same way as normal Role Assignments in SharePoint 2010; we simply use the AddToCurrentScopeOnly() method instead of the Add() method, for example:

     

        // requires: using Microsoft.SharePoint;
        //
        // 'web' is the SPWeb that owns the item and 'item' is the SPListItem
        // being uniquely permissioned; the item must already have had
        // item.BreakRoleInheritance(false) called so that it holds its own
        // role assignments

        // fetch the Principal object which we are granting access to
        SPUser user = web.EnsureUser("Domain\\UserAccount");

        // create a Role Assignment binding
        SPRoleAssignment roleAssignment = new SPRoleAssignment(user);

        // apply contribute permissions
        roleAssignment.RoleDefinitionBindings.Add(
            web.RoleDefinitions["Contribute"]);

        // grant permissions to the list item using the CURRENT SCOPE ONLY
        // this ensures that Limited Access scopes are NOT created
        // for parent objects (we're going to have to do that bit ourselves!)
        item.RoleAssignments.AddToCurrentScopeOnly(roleAssignment);

     

    It is very important to understand that you still need to grant "Limited Access" (it wasn't put in just for laughs, it does have a purpose). Granting "Limited Access" means that the object has access to core information on parent objects to enable construction of things like the breadcrumb, and retrieval of core files needed to render the interface.

    This then means it is up to us (the developers) to go back and create each of those in a more efficient way. The problem is .. you can't assign "Limited Access" programmatically...

    What do you mean .. I can't assign Limited Access??

    Well, I don't really know why they did this, but if you try and assign it programmatically (Limited Access is actually a "Permission Level" in SharePoint) you will get errors (admittedly you can't do this through the user interface either!).

    So, the workaround (again) is to create your own permission level which includes exactly the same permissions that "Limited Access" would have granted. This is:


    • View Application Pages
    • Browse User Information
    • Use Remote Interfaces
    • Use Client Integration Features
    • Open

    You can call this anything you like (I called mine "SP Limited Access") as long as you know what it means.

    The code to do this is as follows:

     


        internal SPRoleDefinition GetLimitedAccessRole(SPWeb web)
        {
            string strRoleDefinition = "SP Limited Access";

            // role definitions only exist in webs with unique role definitions
            if (web.HasUniqueRoleDefinitions)
            {
                try
                {
                    // try to retrieve the role definition
                    return web.RoleDefinitions[strRoleDefinition];
                }
                catch (SPException)
                {
                    // SPException means it does not exist yet

                    // create our custom limited access role
                    SPRoleDefinition roleDef = new SPRoleDefinition();

                    // give it a name and description
                    roleDef.Name = strRoleDefinition;
                    roleDef.Description = "Identical to standard " +
                        "Limited Access rights. " +
                        "Used to provide access to parent objects of " +
                        "uniquely permissioned content";

                    // apply the base permissions required
                    roleDef.BasePermissions = SPBasePermissions.ViewFormPages
                        | SPBasePermissions.Open
                        | SPBasePermissions.BrowseUserInfo
                        | SPBasePermissions.UseClientIntegration
                        | SPBasePermissions.UseRemoteAPIs;

                    // add it to the web
                    web.RoleDefinitions.Add(roleDef);
                }

                return web.RoleDefinitions[strRoleDefinition];
            }
            else
            {
                // this web inherits its role definitions, so look in the parent
                // (the root web of a site collection always has its own)
                return GetLimitedAccessRole(web.ParentWeb);
            }
        }

    I've created my new Limited Access Permission Level .. now what?

    One thing does need to be made clear: there is absolutely no point in simply creating yourself all of the Security Scopes that SharePoint would have created (you'll end up with the same mess we were trying to avoid in the first place).

    The solution is to create a group for all of the "Limited Access" users for that List or Web. It really is up to you whether you use Active Directory Security Groups or SharePoint Groups. I decided to use AD security groups, mainly because I didn't want to clog up the Site Collection "groups" functionality, and didn't want idiot Site Collection admins removing the group members (or worse .. the groups themselves!) and breaking the site collection.


    Note - I haven't included the code to create and modify Active Directory Security Groups here, if nothing else because there are thousands of resources out there showing you how to modify AD groups programmatically, and Code Project has a particularly good reference: Howto: (Almost) Everything In Active Directory via C#


    You will need to create a group for each parent object which has unique permissions, although in my example it is really only the SPWeb (web site) that we are worried about, as the libraries and folders are well within the security scope threshold.

    So in our example, with our 20 libraries and our root web site, we would have to create 21 different AD security groups:


    • One group to store all Limited Access users for the root web site

    • 20 groups to store all Limited Access for the libraries (one for each library)

    Then, following this example, you can use the following code to grant “Limited Access” to one of the libraries (and just rinse and repeat for the other libraries and the root web site):

    // fetch the "SP Limited Access" role definition
    SPRoleDefinition limitedAccessRole = GetLimitedAccessRole(web);

    // get the SPPrincipal object for the AD Group we created
    // (EnsureUser takes the group's login name, e.g. DOMAIN\GroupName)
    SPUser adGroup = web.EnsureUser("My Custom AD Group Name");

    // set the role assignments for this group
    SPRoleAssignment roleAssignment = new SPRoleAssignment(adGroup);
    roleAssignment.RoleDefinitionBindings.Add(limitedAccessRole);

    // grant "Limited Access" to the AD Group for this list ('list' is the
    // SPList for the library). We only have to do this once! After this we
    // simply need to add members to this AD Group every time we add users
    // to one of the parent objects!
    list.RoleAssignments.AddToCurrentScopeOnly(roleAssignment);

    So having done this for all of the parent objects we now have our 21 custom Active Directory groups, each one of which has been granted “Limited Access” to one of the required “parent” objects for our folders.

    From here on in it should be smooth sailing. You simply need to make sure that every time you programmatically add a new user to one of the folders you also make sure they get added to the relevant AD Groups (so that the “Limited Access” chain is not broken).
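    The per-user step described above, as an added example (not code from the post): it grants a user a real permission level on one folder while keeping the "Limited Access" chain intact through the per-object AD groups. It assumes the groups already exist and were granted "SP Limited Access" on the list and web with the code above, the naming convention SPLA-List-/SPLA-Web- plus the object's ID (my convention, not the post's), Windows login names of the form DOMAIN\sam, and System.DirectoryServices.AccountManagement for the AD membership change.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using Microsoft.SharePoint;

public static class FolderPermissionGranter
{
    // Assumed naming convention (not from the post) for the per-object AD groups;
    // each of these groups already holds "SP Limited Access" on its list or web.
    static string ListGroup(SPList list) { return "SPLA-List-" + list.ID.ToString("N"); }
    static string WebGroup(SPWeb web) { return "SPLA-Web-" + web.ID.ToString("N"); }

    // Grants roleType on one folder for one user ("DOMAIN\sam") without adding a
    // new "Limited Access" scope on the parent list or the parent web.
    public static void GrantFolderAccess(SPFolder folder, string loginName, SPRoleType roleType)
    {
        SPListItem item = folder.Item;
        SPList list = item.ParentList;
        SPWeb web = list.ParentWeb;
        // 1. Keep the "Limited Access" chain intact through the existing AD groups.
        AddToAdGroup(ListGroup(list), loginName);
        AddToAdGroup(WebGroup(web), loginName);

        // 2. One scope per folder: break inheritance without copying the parent's
        //    assignments, which would otherwise be duplicated as principals here.
        if (!item.HasUniqueRoleAssignments)
            item.BreakRoleInheritance(false);

        // 3. AddToCurrentScopeOnly stops SharePoint from auto-creating
        //    "Limited Access" for this user on the list and the web.
        SPRoleAssignment assignment = new SPRoleAssignment(web.EnsureUser(loginName));
        assignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(roleType));
        item.RoleAssignments.AddToCurrentScopeOnly(assignment);
    }
    // Adds the user to an AD group (idempotent); throws if group or user is missing.
    static void AddToAdGroup(string groupSam, string loginName)
    {
        string sam = loginName.Substring(loginName.LastIndexOf('\\') + 1);
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSam))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (group == null || user == null)
                throw new InvalidOperationException("AD group or user not found: " + groupSam + " / " + sam);
            if (group.Members.Contains(user)) return;
            group.Members.Add(user);
            group.Save();
        }
    }
}
```

    One caveat: SharePoint evaluates AD group membership from the user's cached security token, so a freshly added member may not be able to traverse the list or web until that token is refreshed (or they log on again).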

    The following diagram really explains what we have done:

    [Diagram: Folders_New]

    I have tested this model for over 16,000 unique AD accounts across hundreds of folders in hundreds of document libraries and I cannot notice any discernible drop off in performance (nothing that can’t be explained by simply having a really large number of libraries and folders anyway!) so initial tests show that this is working very well indeed :)

    What I also ended up doing (to make this slightly more robust) is to build my own application page which users can use to Grant Permissions through the UI (so we don’t need to write custom code every time a new “Limited Access” scope is needed).

    I then wrote an HttpModule to auto-redirect any requests to the out-of-the-box page (_layouts/AclInv.aspx) to the custom page so that if anyone tried to use the native user interface it would ALWAYS be executing my own custom code (which creates all of the AD Groups and SP Limited Access scopes programmatically, without the user having to worry about it!)

    The great thing about this solution is that it doesn't matter how many users or groups you are adding to your SharePoint site .. you only ever have 1 Limited Access security scope for each List / Web!



    Thanks for sticking with me through these two posts .. if you made it this far then thanks for reading and I would love to hear your comments! :)



    Scaling to 10,000 unique permissions - Part 1 - The Problem

    This post was borne out of a client requirement which popped up on my radar. I'm currently working for a leading global Business Intelligence provider in London, and they were looking to implement a particular third party piece of software. This software relies on SharePoint for file storage and my client wanted to roll this out to their customers "extranet" style with each customer having uniquely secured content (files and folders).

    Now .. first off their customers include in excess of 10,000 different companies (i.e. > 10,000 users) so early warning bells immediately started ringing in terms of scalability.

    Secondly, to make this worse, the software required all content to be stored in a single SharePoint site .. so now my early warning system had gone into full meltdown and a state of high alert was reached.
    So to boil this down ...
    • One SharePoint 2010 site
    • 10,000+ uniquely permissioned objects each with a different user account
    A Library with 10,000 uniquely permissioned folders?? Possible? My first instincts said no... so it was time to get my problem solving hat on and do some digging ..

    Investigating the Limits of SharePoint 2010

    I would like to think that any SharePoint {Consultant | Developer | Architect | <insert profession>} worth their salt would have read the Software and Capacity Planning guidelines (or at least be aware of it!) .. so that was my first pit-stop.

    Note - I also stumbled across a great blog post by SharePoint infrastructure veteran Joel Oleson and his Best Practices for Enterprise User Scalability in SharePoint. This goes into detail about the specific size of an ACL (and the reason why this is limited, specifically in Windows) which although a good read wasn't really relevant to my problem.
    The Microsoft TechNet article SharePoint Server 2010 capacity management: Software boundaries and limits (http://technet.microsoft.com/en-us/library/cc262787.aspx) is a great resource and contains one absolutely key entry:
    Security Scope - 1,000 per list (threshold)
    The maximum number of unique security scopes set for a list should not exceed 1,000. 
    A scope is the security boundary for a securable object and any of its children that do not have a separate security boundary defined.  
    A scope contains an Access Control List (ACL), but unlike NTFS ACLs, a scope can include security principals that are specific to SharePoint Server. The members of an ACL for a scope can include Windows users, user accounts other than Windows users (such as forms-based accounts), Active Directory groups, or SharePoint groups.
    So what is a Security Scope then? Ok I admit it does tend to get a bit bogged down in terminology.
    To put it simply ... each time you grant access to a new principal (user account or group) then you are creating a new Security Scope.

    The other thing to pick up on is that this is not just limited to lists! Any list that inherits permissions will pick up its permissions from the parent web (site), so you also need to adhere to this at the web level too!

    This means that you should not have more than 1000 security scopes at EITHER the Site or List level.
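    An added check (example code, not from the post) for the threshold just described: it counts the scopes in each list the way TechNet defines them (the list plus every folder or item with unique role assignments) and, at the web level, the principals granted directly on the web, separating out those that hold nothing but "Limited Access" (SPRoleType.Guest, the role type behind that permission level). The 50% warning level is my choice, not a documented limit.

```csharp
using System;
using Microsoft.SharePoint;

public static class ScopeAudit
{
    public const int Threshold = 1000;   // documented per-list / per-web threshold
    // One scope for the list itself if it has unique permissions, plus one per uniquely permissioned folder or item.
    public static int CountListScopes(SPList list)
    {
        int scopes = list.HasUniqueRoleAssignments ? 1 : 0;
        SPQuery query = new SPQuery();
        query.ViewAttributes = "Scope=\"RecursiveAll\"";   // items and folders, all levels
        query.ViewFields = "<FieldRef Name='ID'/>";
        query.RowLimit = 2000;                             // page through large lists
        do
        {
            SPListItemCollection page = list.GetItems(query);
            foreach (SPListItem item in page)
                if (item.HasUniqueRoleAssignments) scopes++;
            query.ListItemCollectionPosition = page.ListItemCollectionPosition;
        } while (query.ListItemCollectionPosition != null);
        return scopes;
    }
    // Principals on the web whose only binding is "Limited Access" (SPRoleType.Guest), i.e. created on the web's behalf.
    public static int CountLimitedAccessOnly(SPWeb web)
    {
        int limitedOnly = 0;
        foreach (SPRoleAssignment ra in web.RoleAssignments)
        {
            bool onlyLimited = ra.RoleDefinitionBindings.Count > 0;
            foreach (SPRoleDefinition def in ra.RoleDefinitionBindings)
                if (def.Type != SPRoleType.Guest) { onlyLimited = false; break; }
            if (onlyLimited) limitedOnly++;
        }
        return limitedOnly;
    }

    public static void Report(SPWeb web)
    {
        int principals = web.RoleAssignments.Count;   // the post's measure of web-level scopes
        Console.WriteLine("Web {0}: {1} principals ({2} Limited Access only){3}", web.Url,
            principals, CountLimitedAccessOnly(web), principals > Threshold ? " OVER THRESHOLD" : "");
        foreach (SPList list in web.Lists)
        {
            int scopes = CountListScopes(list);
            if (scopes > Threshold / 2)   // warn well before the hard limit
                Console.WriteLine("  {0}: {1} scopes", list.Title, scopes);
        }
    }
}
```

    Run it from a farm account (for example a console tool or a timer job) rather than in a page request, since it touches every item in every list of the web.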

    Ignoring this limit can do real damage to your farm ...

    There is even a Microsoft Knowledge Base article explaining why: SharePoint performance degradation with a large number of unique security scopes in lists (http://support.microsoft.com/kb/2420771)

    This is really explained in far more detail in two most excellent blog posts:

    The first post describes the problem of trying to create more than 1000 security scopes, and what happens when you do this: http://wbblog.datapolis.com/2011/03/setting-item-permissions-with-workflow.html

    The second post is by James Love (a.k.a. @jimmywim) and goes into real "deep dive" detail looking into the root cause of the problem (SQL Server and ACL GUIDs) and how this problem can actually bring down your ENTIRE FARM and not just the list / site you are working on!
    http://e-junkie-chronicles.blogspot.com/2011/03/sharepoint-2010-performance-with-item_23.html

    A quote from the second post is as follows:
    "When you load up a huge list with lots of item level permissions, a single operation gets every single GUID associated with the ACL for that item and passes that back to the data access layer of SharePoint. When the database retrieves the actual list item data, it will pass in all of the ACL Guids back in as one long string, all concatenated together. The query to get the data creates a table variable re-assembles the item level ACL Guid associated with each item. How the rest of the query deals with this is anyone's guess at the moment - this table variable might just be passed back to the calling COM object (though I thought they couldn't be used this way....) for the COM object to then sort out which item should be visible to which "scope" (or ACL).

    So, what can we take away from this? Passing 640k of data about the place, for a SQL Query to do some substring math and converting to Guids will soon bring your database server to its knees. This is one request and it takes 2000ms to work. Imagine if you have 5 requests per second or more hitting this list!"
    Both are excellent addenda to this post and well worth looking at for another angle and a bit more detail!

    Why does this become my problem?

    Now .. looking back to my original problem some of you may be thinking, OK no problem; you can just create yourself 20 different lists / libraries .. and have 500 unique permissions in each list??

    Well .. so you might think .. and here I introduce the juggernaut that is Limited Access Scopes!

    Anyone who has spent any time around SharePoint security will have noticed the odd "Limited Access" permission popping up in their site from time to time. "Limited Access" is automatically allocated to a parent Folder, List or Web whenever a child object has a unique permission allocated to it.

    You can easily see these being created if you break permission inheritance on a list and just add a few accounts to that list. The parent Web will now have a "Limited Access" scope created for each user account you have added.


    Now hopefully the bright among you will already have spotted the problem .. it doesn't matter how many lists or libraries you create .. every single user or group that you add will end up in the parent Web site with "Limited Access" (and in every single Parent Web heading upwards).

    The following diagram explains why.


    You simply cannot get away from this fact. If you are adding 10,000 unique permissions with different user accounts then you will end up with 10,000 security scopes at the root web!
    Note - the number of "Limited Access" scopes created is limited to the number of Security Principals you are adding.
    If you are adding from a pool of 50 users then you will only ever be adding a maximum of 50 new "Limited Access" scopes (one for each user account).

    For this reason it is a good idea to use Groups when adding permissions as this limits the number of "Limited Access" scopes which are created .. but this won't solve your problem if you have over 1000 different security principals!
    So that was the crux of my problem .. on investigation this does look to be a major major problem (and an "impossible fix") but it would seem not! There IS a workaround (one which I have tested to over 15,000 unique user accounts and works very very well indeed)...

    The solution, workaround, and code samples are all included in Part 2 ...

    Friday, 2 September 2011

    Update - Publishing Features "not supported" on Office 365 Public Websites

    This has been a bit of an on-running saga for many of you in the community and I have to admit I've found it as confusing (and sometimes frustrating) as the next person.

    I have had an Office 365 Community forum thread running for a while now which originally stated that this was allowed:
    "If there's a feature in your site that's able to be activated, you're still within the terms of your agreement if you activate it"
    This was initially great news, although the euphoria was short lived as I finally got in touch with Mark Kashman (Senior Product Manager on the SharePoint Team at Microsoft, specialising in Office 365 and SharePoint Online).

    We had a bit of an email dialog and the crux of it has been updated in the community thread linked at the beginning of this post. The details have been included below:
    "The SharePoint Online public-facing website does not grant use rights to leverage the publishing portal components in Office 365. These features are only supported for intranet sites within the private site collections you create from the SharePoint Online Administration Center. For now, the public-facing site is configurable by use of the Site Designer ribbon tool. Microsoft only supports what Site Designer enables."
    As disappointing as this is I have to admit I'm not entirely surprised, and hopefully this will be addressed at some point in the future. In fact Mark goes on to say:
    "The feedback from this thread, and companion posts in and outside of the Office 365 Community site, are important in helping guide planning for how Microsoft may offer web content management (WCM) driven public websites that can leverage SharePoint's powerful publishing infrastructure components and are licensed appropriately. I, too, will take the action item to add additional clarity on this same point within the next update to the SharePoint Online service description here: go.microsoft.com/fwlink"
    Now, I have asked the question .. does this mean we are not allowed to activate these features, or Microsoft simply won't support our environments if we do this?

    I am hoping for a response soon, and will update you when I know more! Watch this space...