Feature suggestion - "security access API" or something like that

Sep 13, 2013 at 2:55 AM
Hello team,

Just want to share some ideas regarding potential improvements of SPSD framework/API.

WE do lots of custom things within custom target which might include:
  • search service provision (properties, scopes)
  • managed metadata service provision (content type hub)
  • user profile service provision (properties)
  • site collection operation (search setting adjustment and so on)
  • web application adjustments (feature activation so on)
  • sandbox solutions provision
Well, "it works well on developer machine", but real production SharePoint env has very different security model and security granularity. Hence, you cannot run one script under one account - you need either adjust security setting for every service application, or rerun script under different accounts.

So, we are thinking about addigin sort of "security assertions" API. Set of the powershell function which would help us to understand the security access and provide relevant feedback.

Something like
  • IsCurrentUserSearchServiceAdministrator
  • IsCurrentUserManagedMetadataServiceAdministrator
  • IsCurrentUserXXXXXServiceAdministrator
So these function would help to make a good if-else flow with a good feedback to the end user/administrators.

Something like "Hey, you have to have access to the user profile service in order to create new properties." instead of "Ujknown exception has been found" :)

I do understand that this is quite a big stuff to be done and implemented as well as tricky to test. But this is just an idea worth to be shared.

Let me know how it sounds to you and if there is anything I may help you with.
Sep 13, 2013 at 6:49 AM
Intersting thought.
Need to think about it.

For one I don't want to extend the scope of "solution deployment" too much. SPSD is not AutoSPInstaller or any other script to set up the whole farm.

The original purpose of SPSD was to start there where AutoSPInstaller stops.
Which would mean first the creation of content like site collections, sites, lists, activate features etc.

Anyhow, having these checks as helper functions would be so hard to integrate, the question is rather how to make them easily accessible like having a kind of "configuration" for a function which states the required permissions.

BTW, I am currently also working on a kind-of plugin infrastructure which allows you to create re-usable plugins which you just drop into SPSD and execute them from an event. There I could think of having such security assertions.

One of these plugins will be for example to create/remove a content type hub like I did here http://gallery.technet.microsoft.com/Create-and-remove-e2825aee
Sep 13, 2013 at 6:53 AM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.