letting the a group of users to be owner of SiteCollection....? - sharepoint-2007

Is the quoted question below is possible in sharepoint, if yes, please suggest some solution too. I will be grateful.
"Can we let a group of users to make their own site collections, and then to make them the owners of their own site collections. Mind you, other users in a group should not be able to access each others site collections. Unless, they are given permission by the sitecollection owner."
Thank you.

To do this for sites (not site collections)
create a custom group with the create
site permissions
Add the users to the
group
when they create a site, they
will be the owner of the site and can
assign permissions to that site (only
if they check the "Use Unique
Permissions") when creating the site
collection.
I am pretty sure you can do the same for site collections, however you would do that through central admin rather than the top level site itself.

Related

Microsoft Groups/Teams: Can't create plans for Planner App

I created a Group using
https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http
and then used
https://learn.microsoft.com/en-us/graph/api/team-put-teams?view=graph-rest-1.0&tabs=http
to create a Team. Now I am facing issue when adding a plan using a Planner app
"Failed to create the plan."
How I can fix this issue?
In my investigations, I found that the other team members are able to create plans. As an owner of the team, I am not able to create them. if I am trying graph API I'm getting an error:
You do not have the required permissions to access this item, or the item may not exist.
I'm glad you came right and that I was able to help. I'm updating the answer so that it's more clear on a few points:
Technically, this actually has nothing to do with Teams at all, it relates to Office 365 Groups, which forms the core underneath Teams, Planner, and more. You actually link in your question to the Groups docs, incidentally. I've updated the question title to reflect this.
I haven't tested this exactly, but I doubt that it needs your account exactly in the Owners and Members - I suspect the main constraint is that there needs to be at least one person in each of those roles (that means there has to be at least one Owner and at least one Member). Arguably, this is actually a bug in Planner, but it was maybe never detected by Microsoft because if you create a Group from the web interface, it automatically puts your user in as Owner and Member.
If you do put your own account into both positions, but that's not what you want long term, you could probably just take them out after creating the Planner plan.
Just a reminder that best practice is to have more than one owner of a Group, in case/when the original Owner is not/no longer available.
It's fixed after adding the creator of teams as a member too. So I had to add the user who is creating Teams in Team members too.
I made sure that there was another owner on the Team, demoted and removed the owner and the re-added them to the team. This resolved the issue that I had with multiple teams

azure active directory user group identification for asp.net mvc website

I'm actually making a website, in asp.net MVC, witch is accessible with azure active directory account sign-in. This part works great. But now, I want to make roles based on who is signed-in so they can access to different content.
I made a group in my azure active directory for admins and I tried this solution but it's not really working well :
if (principal.Claims.Any(x => x.Type == "groups" && x.Value == "id of the admin group")){ give admin rights}
Did someone knows a better solution or what's wrong with mine ?
Thanks in advance.
I'm assuming you've created an Azure AD "Application" that you're using.
The trick is that you need to modify the "Manifest" for the application to allow you to query for groups.
There isn't a UI for this in the portal, you have to just download the manifest, make the change, then upload it. Clunky at best.
You want to find the key "GroupMembershipClaims" and set it to "SecurityGroup". If you set it to all then you'll get email groups as well. The problem here is that you get a list of all the users groups and all the groups those groups belong to. In a large company, that could be a lot!
You next have to call back to get the group info which means getting a token.
If you generated the MVC app in Visual Studio and told it you wanted to use Azure AD it sticks in much of the plumbing, but there is a bug in the template. When it tries to persist the tokens, it will always retrieve the first token in the list, not the most recent. That means your demo works today, but fails tomorrow...
You can search for info on the ADAL library for more info. I recommend reading Modern Authentication with Azure Active Directory for Web Applications by Vittorio Bertocci for real insights into how it all works.
You could refer to some tutorials https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure , https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-powershell/, help you to manage access.
Assign role to user/group/app...
Keep contact if you have any questions.

SharePoint Web Part Access Denied error

I have a list in my sharepoint site.The users who have contribute access is able to add items on the list.But recently some users who have contribute access was not able to add new item.The normal work around we do is we will add them to the owners group and ask them to login .Then we ask them to logout and remove them from the owners group and issue will be resolved.But the proper way shouldn't be like that.Please give the proper way to solve this issue.
The users whom you talk about, Were they added to the contribute group recently? May be the list is not inherting permission(?)
You can use this WebPart (http://accesschecker.codeplex.com/) to check individual acces to every list, lib etc in your SharePoint site.

SharePoint Permissions - User w/ Full Control cannot create page

I have two users who have Full Control permissions to their department sub-site on SharePoint. They also have Full Control to the Pages document library. The Pages doc library has distinct permission from the site itself, but those two users have Full Control on both as mentioned.
When they try to create a New Page it gives them an "Access Denied" error. I can duplicate this problem with my non-admin account as well.
What am I missing to give these users the ability to create new pages on their site?
Assuming that the user has been granted enough rights to create pages at site level in the first place but is still unable to do so even with Full Control, then there is a high possibility that the user DOES NOT have READ access to the Master Pages and page layouts library. Check the library permissions at the root site collection and grant them the specified permission level accordingly.
Hope that helps.
This is a applicable to SP10 and SP13
Thanks
Ismail
It could also be TaxonomyHiddenList.
You must paste it into your browser - you cannot navigate to it and it is at the site collection level..
http://yoursite/yoursitecollection/Lists/TaxonomyHiddenList
List Menu -> List Settings -> Permissions for this list -> Grant Permissions
Maybe it is possibly to do with the Web Feature called "Content Organiser" which is enabled and not used. If it is activated, de-activate it and test again. This feature will affect document libraries, not lists.

Securing web application on the data access level

Please consider the following setup:
Multi-tenant webapp.
Tenants create company accounts and company accounts have user accounts under them.
Users have roles, there's a special role "Owner" (the user who created the company account).
I'd like to have users to edit other user accounts (some admin tasks), but two conditions must be met:
Noone may edit owner's data (except for owner, when he's editing his own profile, and own profile editing is the same user editing).
Users may access user data and edit users only within their company account.
The app uses MVC architecture. Currently I check for those two conditions in the web layer and it works for me, but I have some concerns. If I go with some sort of API or some other type of data consumer, I may "forget" to re-inforce these conditions. Also, there will be other objects in the app with similar functionality requirements and which will have similar restrictions on them, so it's better for me to come up with some sort of pattern which will enforce my restrictions on data access level.
Could anyone recommend some approach worth looking into?
Thanks!
I beleive aspects or interceptors should be able to help you. If you work with objects you should be able to intercept requests containing your business data and check wether your user is allowed to work on it. The interceptor could then stop or proceed the execution.

Resources