This white paper illustrates the extensive and powerful capabilities of SharePoint Server to manage multiple user roles and user-access permissions. This study is done in the context of a client project that was conducted by Inkriti.
PROJECT NEEDS
Inkriti's client is a large buying group made up of thousands of nationwide dealers who work under the branded franchise. The client wanted to build a national website that would be able to support a unique and distinct website for each individual dealer working within their franchise.
For example, the client site might have the URL (www.company.com), while each dealer might have an automatically created URL (dealer.company.com). This dealer.company.com subsite would be unique in its ability to have custom content and custom administrative rights, while working within the context of the overall national website.
Furthermore, each dealer would be able to purchase a "package" which would provide him with a certain set of functionality -- and naturally, the more premium packages would have more functionality, while costing more.

Such a hierarchical network of websites/microsites would need to be managed distinctly, with an extensive group of roles with associated permissions.

| Role | Functionalities |
| --- | --- |
| Super Admin | |
| Multiple Secondary Admin | |
| Dealer Admin | |
| Dealer | |
| Regional Manager | |
| Normal Users | |

The client wanted to build a backroom application that would provide the above-mentioned functionalities:
- Permission-based access to the application for the different user roles. The backroom would cater to multiple user roles managing information that they have access to.
- The backroom would provide document management against the different channels that the client subscribes to. The document management would be driven by the varied permissions for different user roles. For example, the secondary admin and regional manager could post articles against different channels. The super admin would then approve the documents for publishing. Once published, these documents against the channels would be available to all the users of the backroom, ranging from dealer managers to individual dealers.
- The backroom would provide additional functionalities to the users, like
  - managing content of various sections of the respective sites (national or dealer) based on permissions and packages.
  - managing their respective teams - again based on permissions, users can either manage their whole team or just manage their own details.
INKRITI SOLUTION
Inkriti built a SharePoint application for the backroom and extended SharePoint functionalities to achieve the varied requirements of the project.
Extending SharePoint's RBAC Functionality
- In SharePoint, 3 user groups are provided by default
  - Admin
  - Contributor
  - Normal users
- The roles for the application's users are mapped internally to the above SharePoint user groups. For example, Super Admin is mapped to SharePoint's Admin user group. All the remaining roles (except for normal users) are mapped to SharePoint's Contributor user group.
- Inkriti built a custom solution to provide region-based permissions for regional managers. These regional managers can manage information for all dealers that fall under the regions they have permission to. Again, these permissions could be different for different regions - like view/add/edit/delete dealer information etc.
Controlling Access to Webparts Dynamically
- The national and dealer website content is implemented using multiple webparts in each of the site pages.
- Based on the role, each user is assigned permissions to these webparts dynamically. For example, Super Admin has full rights to change the content of any webpart in any site (national or multiple subsites). All other remaining roles (except for normal user) can change the content of a webpart they have access to, through an approval process. Inkriti developed a custom solution to implement this functionality, in which the different roles request a change to a webpart.
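A small model of the layering described in the two sections above, added here as an illustration; it is not Inkriti's code and does not use the SharePoint API. It shows why the coarse group mapping alone cannot decide access: every regional manager is a Contributor, so the per-region grant and the webpart approval step must be checked separately, with deny as the default. Role keys, the dealer-to-region table and the function names are assumptions.

```python
from dataclasses import dataclass, field

# Application role -> SharePoint user group, following the mapping in the text.
BASE_GROUP = {
    "super_admin": "Admin",
    "secondary_admin": "Contributor",
    "dealer_admin": "Contributor",
    "dealer": "Contributor",
    "regional_manager": "Contributor",
    "normal_user": "Normal users",
}
ACTIONS = {"view", "add", "edit", "delete"}

# Constructed sample data: which region each dealer belongs to.
DEALER_REGION = {"dealer-001": "north", "dealer-002": "south"}

@dataclass
class User:
    name: str
    role: str
    # Region -> allowed actions; only meaningful for regional managers.
    region_grants: dict = field(default_factory=dict)

def regional_manager_allowed(user, action, dealer_id):
    """Default-deny check of a regional manager's per-region grant."""
    if user.role != "regional_manager" or action not in ACTIONS:
        return False  # stray grants on any other role are ignored
    region = DEALER_REGION.get(dealer_id)
    if region is None:
        return False  # unknown dealer: no region, so no grant applies
    return action in user.region_grants.get(region, set())

def webpart_change(user, has_webpart_access):
    """Outcome of a webpart content change: apply, pending_approval or deny."""
    group = BASE_GROUP.get(user.role)
    if group == "Admin":
        return "apply"  # Super Admin changes any webpart directly
    if group == "Contributor" and has_webpart_access:
        return "pending_approval"  # other roles go through approval
    return "deny"  # normal users, unknown roles, or no webpart access

if __name__ == "__main__":
    rm = User("rm-north", "regional_manager", {"north": {"view", "edit"}})
    for act, dealer in [("edit", "dealer-001"), ("delete", "dealer-001"),
                        ("view", "dealer-002")]:
        print(act, dealer, regional_manager_allowed(rm, act, dealer))
    print(webpart_change(rm, True), webpart_change(User("sa", "super_admin"), False))
```
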
Permissions to various content types
- PAGES: Permissions at page or form field level in the application are driven by the role of the user.
- FORM FIELDS: Permissions based on user roles are used to show/hide form fields.
- BLOGS: Permissions were also implemented for SharePoint blogs. A Super Admin can create blogs and map those to particular categories in the site.
- CHANNELS: Each of these roles has permissions for a particular set of channels. Based on these permissions, articles related to these channels are shown to these users. Also, permissions related to posting and approving articles for these channels are driven by the roles of the application users.


