Friday, September 9, 2011

SharePoint 2010 and Granular security using Active Directory Groups

Recently, in one of our document center portals, we had a very specific requirement: secure each document based on the region it applied to. Example: contract ABC applies to North America - USA and Latin America - Mexico. In that situation the document should be visible only to people who belong to those specific countries.

Knowing SharePoint, there is no out-of-the-box (OOB) way to do this. We could have used audiences, but that requires an identifier attribute in Active Directory to be used for identifying the region, and secondly audiences only limit what is visible or presented to the end user. By that I mean that if the document was only hidden using Audience Targeting, it would not be shown in the view; but if someone knew the URL of the document they could very well view it, because audience targeting is not a permission check.

The solution we ended up taking is to use a workflow to identify the region a document belongs to (by looking at a mandatory metadata column) and, based on that, assign the Active Directory group for that region to the document. The solution works in theory, but the question now was how to model the AD groups.

AD groups can be created with three different scopes, but for them to work with SharePoint they should only be created as Domain Global security groups or Domain Universal security groups; Domain Local groups just don't work. Because we had two different forests to take care of, we ended up creating a regional group in each forest: one for forest ABC and the other for DEF.
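As an added example (not code from the original post), here is how the workflow step above can be expressed against the SharePoint 2010 server object model in PowerShell: read the Region column of each document, break inheritance, and grant the mapped AD security groups Read access at item level, so the restriction is a real permission check rather than audience targeting. The site URL, list and column names, the owners group, and the ABC/DEF group names are assumptions.

```powershell
# Added example, not from the original post: apply item-level permissions
# from a "Region" metadata column using the SharePoint 2010 server object model.
# Run in the SharePoint 2010 Management Shell on a farm server.
# Site URL, list name, column name and group names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Map each region value to its Domain Global / Universal security groups,
# one group per forest as in the post (ABC and DEF are placeholder forests).
$RegionGroups = @{
    "North America - USA"    = @("ABC\SP-Region-NA-USA",    "DEF\SP-Region-NA-USA")
    "Latin America - Mexico" = @("ABC\SP-Region-LA-Mexico", "DEF\SP-Region-LA-Mexico")
}

function Set-RegionPermissions {
    param(
        [Microsoft.SharePoint.SPListItem]$Item,
        [string]$RegionField = "Region",
        [string]$OwnersGroup = "Document Center Owners"   # keeps admins' access
    )
    $web = $Item.Web

    # Stop inheriting from the library so only the groups added below can read the item.
    $Item.BreakRoleInheritance($false)

    # A multi-choice column is stored as ";#"-delimited text; parse it into values.
    $raw     = [string]$Item[$RegionField]
    $regions = New-Object Microsoft.SharePoint.SPFieldMultiChoiceValue($raw)

    $readDef = $web.RoleDefinitions["Read"]
    $fullDef = $web.RoleDefinitions["Full Control"]

    # Always grant the owners group so the item is never left without an owner.
    $ownerRA = New-Object Microsoft.SharePoint.SPRoleAssignment($web.SiteGroups[$OwnersGroup])
    $ownerRA.RoleDefinitionBindings.Add($fullDef)
    $Item.RoleAssignments.Add($ownerRA)

    foreach ($region in $regions) {
        if (-not $RegionGroups.ContainsKey($region)) {
            Write-Warning "No AD group mapped for region '$region' on item $($Item.ID)"
            continue
        }
        foreach ($groupName in $RegionGroups[$region]) {
            # EnsureUser resolves the AD security group into the site's user list.
            $principal = $web.EnsureUser($groupName)
            $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
            $ra.RoleDefinitionBindings.Add($readDef)
            $Item.RoleAssignments.Add($ra)
        }
    }
}

# Example use: secure every document in the library (URL and list name assumed).
$web = Get-SPWeb "http://portal.example.com/sites/doccenter"
foreach ($item in $web.Lists["Contracts"].Items) { Set-RegionPermissions -Item $item }
$web.Dispose()
```

A region value with no mapped group is logged and skipped rather than silently granted, so an unmapped document ends up readable only by the owners group until the mapping is fixed.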

I wanted to write up the solution as it may help someone with similar needs; please don't hesitate to contact me if any further details are required. Lastly, I would like to credit Joel Oleson's blog, which helped in designing my solution.
