Understanding SharePoint Security Scope

What is a Security Scope in SharePoint?
a) The number of times we break inheritance, or
b) each time you grant access to a new principal (user account or group), are we creating a new Security Scope?

Sonal
Security Scope is just a term used to describe a situation; it has no physical significance, meaning it is not a specific setting that you configure.
For example, if I create new security groups for a site and grant them some permission level (e.g., Contribute, Read, etc.), then I have effectively configured the "Security Scope" for that site. If I create a subsite off of this one, break its permissions inheritance, and configure new groups for it, I have effectively configured its "Security Scope". If I now create a list in this subsite, add some items, break the list's permissions inheritance from the subsite, and configure some users or groups for accessing this list, I have effectively configured the list's "Security Scope". Thus, "Security Scope" is a term that describes boundaries, so to speak.
The key thing here is how the "Scope" of a security configuration, such as granting a user or group some permission, narrows as you go from doing this for a site down to doing this for a list or even a list item. A user or group that is granted permission to read only a single item in a list can only see that one item in the list and cannot see anything else. Nor does that permission enable the user or group to read list items in other lists. Thus, the "Scope" of that security setting is very narrow.

Similar Messages

  • Domain Users AD group disappearing from SharePoint security

    After applying SharePoint 2010 SP2 and the September 2014 cumulative update (KB 2883103) to our SP2010 farm, we've discovered the system is automatically removing the 'Domain Users' Active Directory group from SharePoint security. It's not affecting any other AD groups or users, nor Domain Users when it is a member of a SharePoint group. Only when Domain Users has been explicitly added to a site, library, list or document.
    For example, we give Domain Users access to the root of most of our site collections and then break inheritance for certain libraries or lists that need more security. Now Domain Users has disappeared from every site. I can say with 100% confidence that this has not been done by anyone in the organization. Nothing else changed besides SP2 and the Sept 2014 CU.
    Yesterday we fixed a few sites by re-adding Domain Users. This morning those were missing again, so it must be a timer job or other cleanup process that is causing this. Again, this does not affect SharePoint groups/membership or any other AD object, only Domain Users.
    Has anyone run into this issue or have any suggestions on a resolution? We have enabled audit logging but have not seen any related logs yet.

    Sometime between noon and 1:00pm this afternoon we lost the Domain Users group again from all sites where we re-added it.  Audit logging is showing this for one particular site:
    {072c340a-42cb-4861-a182-38102b53bc52}
    {072c340a-42cb-4861-a182-38102b53bc52}
    Site
    System Account   <SHAREPOINT\system>
    2014-10-21T18:53:52
    Security Role Bind Update
    SharePoint
    <roleid>-1</roleid><principalid>DOMAIN\domain   users</principalid><scope>67A6138A-CBFA-42BD-87EF-86D558047D63</scope><operation>ensure   removed</operation>
    Does anyone know if any additional logging can be enabled to see WHY this is occurring?
    So far our solution has been to set up another AD security group and nest the Domain Users security group inside it. Not exactly a solution, but at least a workaround.
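Rather than watching the audit page, the removals described in this thread can be pulled out of the audit log programmatically and matched on the "ensure removed" operation shown above. This is an added example, not code from the thread; it assumes the SharePoint 2010 server object model on a farm server, the web application URL and principal name are placeholders, and audit logging must have been enabled before the removals happened.

```powershell
# Added example (not from the thread): list audit entries in which a given
# principal was removed from a permission scope, i.e. the
# "Security Role Bind Update" / "ensure removed" events shown above.
# Assumes the SharePoint 2010 server object model; URL and principal are placeholders.
param(
    [string]$WebAppUrl     = "http://intranet.example.local",  # placeholder
    [string]$Principal     = "DOMAIN\domain users",            # placeholder
    [int]   $LookbackHours = 24
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PrincipalRemovalAuditEntries {
    param(
        [Microsoft.SharePoint.SPSite]$Site,
        [string]$PrincipalName,
        [datetime]$Since
    )
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($Site)
    $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::SecurityRoleBindUpdate)
    $query.SetRangeStart($Since)

    foreach ($entry in $Site.Audit.GetEntries($query)) {
        # EventData is the fragment seen in the thread:
        # <roleid>..</roleid><principalid>..</principalid><scope>..</scope><operation>..</operation>
        # It has several top-level elements, so wrap it in a root before parsing.
        try { $data = [xml]("<e>" + $entry.EventData + "</e>") } catch { continue }
        # The logged name can carry repeated spaces ("domain   users"); normalise before comparing.
        $who = ([string]$data.e.principalid) -replace '\s+', ' '
        if ($data.e.operation -eq "ensure removed" -and $who -ieq $PrincipalName) {
            New-Object PSObject -Property @{
                SiteUrl  = $Site.Url
                Occurred = $entry.Occurred   # audit timestamps are UTC
                ItemType = $entry.ItemType
                ActorId  = $entry.UserId     # id in the site collection's user information list
                ScopeId  = [string]$data.e.scope
                RoleId   = [string]$data.e.roleid
            }
        }
    }
}

$since   = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours)
$results = foreach ($site in (Get-SPWebApplication $WebAppUrl).Sites) {
    try     { Get-PrincipalRemovalAuditEntries -Site $site -PrincipalName $Principal -Since $since }
    finally { $site.Dispose() }
}
$results | Sort-Object Occurred | Format-Table SiteUrl, Occurred, ItemType, ActorId, ScopeId -AutoSize
```

The ScopeId column is the GUID of the securable object whose role bindings changed, which lets you tie each removal back to the site, list or item that lost the group.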

  • Security Scopes: All instances of the objects that are related to the assigned security roles greyed out

    So the guy who built our SCCM server is no longer in the company and his AD account no longer exists. I noticed in SCCM, however, that for his account the "All instances of the objects that are related to the assigned security roles" option is selected; however, the option is greyed out for everyone else.
    This option is the one found under Administration/Security/Administrative Users: select the user, open Properties, then select the Security Scopes tab.
    Is there a way we can provide another user this same level of access when we can no longer access it through the original build account?
    Already looked into tombstone resurrection of his account; that's a no go.
    

    Hi,
    I recommend you rebuild SCCM or open a case with Microsoft.

  • Errors with SharePoint Security Token Service: "The revocation function was unable to check revocation for the certificate"

    I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root
    Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
    The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate"), reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in PowerShell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
    It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
    What I've tried so far:
    I've been all over the certificate settings, both in the server store and within the SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
    Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I've also verified that the service accounts reporting the error do have access to the configuration database.
    Re-provisioned the STS service to see if that might clear out any cached issues, and validated everything else according to this MS Tech note.
    So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
    Log Name:      Application
    Source:        Microsoft-SharePoint Products-SharePoint Foundation
    Date:          2/20/2015 11:19:41 AM
    Event ID:      8311
    Task Category: Topology
    Level:         Error
    Keywords:      
    User:          <SP SERVICE ACCOUNT>
    Computer:      <SHAREPOINTSERVER>
    Description:
    An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS
    CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
        <EventID>8311</EventID>
        <Version>14</Version>
        <Level>2</Level>
        <Task>13</Task>
        <Opcode>0</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
        <EventRecordID>1611121</EventRecordID>
        <Correlation />
        <Execution ProcessID="10212" ThreadID="10328" />
        <Channel>Application</Channel>
        <Computer><SHAREPOINTSERVER></Computer>
        <Security UserID="<SP SERVICE ACCOUNT>" />
      </System>
      <EventData>
        <Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
        <Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
        <Data Name="string2"><STS CERT THUMBPRINT></Data>
        <Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
    </Data>
      </EventData>
    </Event>

    Hi Darren,
    This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.
    In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
    After running the above commands, perform an IISReset on all servers in the farm.
    More information:
    http://support.microsoft.com/kb/2545744
    Best Regards,
    Wendy
    Forum Support
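Before adding a second trusted root authority it is worth confirming whether the farm root certificate (the issuer named in the event, CN=SharePoint Root Authority) is actually missing from the trusted roots. The script below is an added example, not part of the reply above; it assumes the SharePoint server object model and only runs the fix from the reply when the root is absent.

```powershell
# Added example (not from the thread): check whether the farm's own root
# certificate is registered as a trusted root authority, and register it
# with the commands from the reply above only if it is not.
# Assumes the SharePoint server object model on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-FarmRootTrusted {
    # The STS certificate in the event is issued by this root.
    $rootCert = (Get-SPCertificateAuthority).RootCertificate

    # Match on thumbprint, not on the arbitrary Name given at registration time.
    $match = Get-SPTrustedRootAuthority | Where-Object {
        $_.Certificate -ne $null -and $_.Certificate.Thumbprint -eq $rootCert.Thumbprint
    }

    New-Object PSObject -Property @{
        RootSubject    = $rootCert.Subject
        RootThumbprint = $rootCert.Thumbprint
        NotAfter       = $rootCert.NotAfter
        Trusted        = [bool]$match
        TrustedAs      = (($match | Select-Object -ExpandProperty Name) -join ", ")
    }
}

$status = Test-FarmRootTrusted
$status | Format-List RootSubject, RootThumbprint, NotAfter, Trusted, TrustedAs

if (-not $status.Trusted) {
    # Same fix as the reply; the name is arbitrary but must be unique in the farm.
    $rootCert = (Get-SPCertificateAuthority).RootCertificate
    New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert | Out-Null
    Write-Host "Registered the farm root certificate; run iisreset on every server in the farm."
} else {
    Write-Host "Farm root certificate is already trusted; the revocation error has another cause."
}
```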

  • If I create an security scope for a group of SCCM-admins should i remove the "Default Scope"?

    Hi,
    If I create a security scope for a group of SCCM admins, should I remove the "Default Scope"?
    /PS
    /SaiTech

    Yes, it's OK to not add the Default security scope to an administrative user. You can add any custom security scope to an administrative user, and it does not have to include the Default security scope.
    Just keep in mind that you should keep at least one administrative user that has the All and/or the Default security scope, so that you do not lock yourself out of the console.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Security scopes and reporting

    Hello,
    I'm trying to plan a ConfigMgr 2012 site that will be used by multiple groups who do not interact with one another. I'd like to divide this site into managerial groups using security scopes and RBAC, ideally so members of one group cannot view or manage collections, applications, and updates belonging to the other group. In a lab I've created groups A and B with access to security scopes A and B, with access to collections A and B. So far this has worked out nicely in almost every area except for reporting.
    As a full administrator I can view and run reports just fine; however, users A and B (who are not full administrators, but are members of the "ConfigMgr Report Users" role in my SSRS instance) cannot view any reports from the console. Additionally, when I click Create Report under the context of user A or B, I get the error "Could not find an installed Reporting Services point. Verify the site role is installed and accessible." To me it sounds like there is a permissions issue somewhere in SSRS or ConfigMgr, but I haven't figured out what yet.
    Aside from that, I would like it so that members of group A cannot report on objects that belong to security scope B. To my knowledge this won't be inherently possible because the SSRS security model is different from the ConfigMgr RBAC model. Has anybody been able to come up with any workarounds to scope down the reporting capabilities of limited ConfigMgr users? Any advice or direction in this realm would be greatly appreciated.
    Thanks,
    Nick

    Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?
    This has been solved in CM12 R2; you can see it in the blog/video.
    http://www.enhansoft.com/blog/role-based-administration-rba-reporting-feature-in-sccm-2012-r2
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • Sharing a PM's project with a TeamMember using SharePoint Security Mode

    When using SharePoint Security Mode, is it possible for a Project Manager to share his project plan with a particular Team Member? If so, what are the steps?
    I am asking because we want certain Team Members to be the Status Manager for certain assignments in the project plan.
    Thanks in advance,
    \Spiro Theopoulos PMP, MCITP. Montreal, QC (Canada)

    Hi Spiro,
    Have you tried assigning the particular Team member to the Owners group for that Project/Site so the team member can edit the project?
    Paul

  • How to calculate unique security scopes

    I've read http://technet.microsoft.com/en-us/library/cc262787.aspx and I have problems calculating the number of unique security scopes. For example:
    One list:
    Two items with broken permissions that can be seen by user a ---> 1 security scope
    Two items with broken permissions that can be seen by user b ---> 1 security scope
    Two items with broken permissions that can be seen by users a,b ---> 1 security scope
    Two items with broken permissions that can be seen by user a and modified by user b ---> 1 security scope
    Sum of items: 8, overall security scopes in the list: 4
    Am I correct?
    Thank you
    Christos

    XristosK,
    As per my knowledge:
    Two items with broken permissions that can be seen by user a ---> 2 security scopes (if you are not using a group)
    Two items with broken permissions that can be seen by user b ---> 2 security scopes (if you are not using a group)
    Two items with broken permissions that can be seen by users a,b ---> 2 security scopes (if you are not using a group)
    Two items with broken permissions that can be seen by user a and modified by user b ---> 2 security scopes (if you are not using a group)
    Sum of items: 8+, overall security scopes in the list: 8 + the list's own security inheritance <whatever>
    Read this great article: Scaling to 10,000 unique permissions – Part 1 – The Problem
    So what is a Security Scope then?
    To put it simply … each time you grant access to a new principal (user account or group) then you are creating a new Security Scope.
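Both Sonal's explanation at the top of the page and this thread come down to how many objects stop inheriting permissions. The script below is an added example, not code from either reply; it counts unique security scopes per list the way the reply above does, one scope for each list or item whose inheritance is broken, and also records how many principals are bound in each of those scopes. It assumes the SharePoint server object model, and the site URL is a placeholder.

```powershell
# Added example (not from the thread): count unique security scopes per list
# in a site collection, one scope per list or item with HasUniqueRoleAssignments.
# Assumes the SharePoint server object model; the URL is a placeholder.
param([string]$SiteUrl = "http://intranet.example.local/sites/team")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ListScopeCount {
    param([Microsoft.SharePoint.SPList]$List)

    # The list itself is a scope only when it stops inheriting from its web.
    $listScope  = if ($List.HasUniqueRoleAssignments) { 1 } else { 0 }
    $itemScopes = 0
    $principalsPerScope = @()

    # Page through items and folders instead of loading the whole list at once.
    # (SPQuery's "Scope" view attribute is about folder depth, not security.)
    $query = New-Object Microsoft.SharePoint.SPQuery
    $query.ViewAttributes = 'Scope="RecursiveAll"'
    $query.RowLimit = 2000
    do {
        $items = $List.GetItems($query)
        foreach ($item in $items) {
            if ($item.HasUniqueRoleAssignments) {
                $itemScopes++
                # Distinct users/groups bound in this item's scope (user a, users a+b, ...).
                $principalsPerScope += $item.RoleAssignments.Count
            }
        }
        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
    } while ($query.ListItemCollectionPosition -ne $null)

    $maxPrincipals = 0
    if ($principalsPerScope.Count -gt 0) {
        $maxPrincipals = ($principalsPerScope | Measure-Object -Maximum).Maximum
    }

    New-Object PSObject -Property @{
        Web           = $List.ParentWeb.Url
        List          = $List.Title
        ItemCount     = $List.ItemCount
        ListScope     = $listScope
        ItemScopes    = $itemScopes
        TotalScopes   = $listScope + $itemScopes
        MaxPrincipals = $maxPrincipals
    }
}

$site = Get-SPSite $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try     { foreach ($list in $web.Lists) { Get-ListScopeCount -List $list } }
        finally { $web.Dispose() }
    }
    $report | Sort-Object TotalScopes -Descending |
        Format-Table Web, List, ItemCount, ListScope, ItemScopes, TotalScopes, MaxPrincipals -AutoSize
} finally {
    $site.Dispose()
}
```

Applied to the thread's list, the eight items with broken inheritance give ItemScopes = 8, and the four distinct principal sets show up only through MaxPrincipals, not as fewer scopes.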

  • Security Scopes for Antimalware Policy

    A few others and myself have begun discussing our problems with security permissions on Antimalware Policies in a previous thread: http://social.technet.microsoft.com/Forums/en-US/ee5baed5-095b-4a02-8e60-cbe3e32b5b3c/security-scopes-and-antimalware-policies?forum=configmanagersecurity
    We require the ability to limit administrators' permissions "by policy". As it currently stands, the only option is to grant administrators Full permissions, which gives them the ability to modify every Antimalware Policy.
    This is a request to enable the ability to use Security Scopes for Antimalware Policies.
    Thank you.

    Judochunk: thanks for opening a new thread. Here are my thoughts (previously posted in the original thread).
    This is a serious problem for our site. We have 15 sub-organizations where each organization administers its own policies with its own admin personnel (a total of approximately 50 people). We have had incidents where an admin for one org accidentally modified the policy of another org; we need the ability to restrict access to the Antimalware policies as it was prior to SCCM 2012 SP1, or any equivalent mechanism that can be implemented.
    This has been an issue for over a year. Posts (March 5, 2013) in the previous thread indicated that a hotfix would be available, and later (July 15, 2013) indicated that the fix would be available in SCCM 2012 R2.
    Could someone from Microsoft provide a definitive answer as to whether/when this will be fixed?
    Thanks,
    Larry

  • SharePoint Security Bulletin: same downloads

    This SharePoint Security Bulletin has 4 downloads with the same name available on the site below... which one should we download?
    https://technet.microsoft.com/en-us/library/security/ms14-050.aspx

    There are versions for SharePoint Foundation, SharePoint Server, SharePoint Foundation SP1 and SharePoint Server SP1. Pick the option that best describes your environment.
    You shouldn't need to install both the Foundation and Server patch for MS14; just the Server package should suffice.

  • Sync Project Online Security Group to SharePoint Security Groups

    Hi,
    Is there any way to sync a Project Server security group (custom) into SharePoint Security Groups?
    My scenario is: I created a document library and I want to apply Project Server security on it, based on Project Server security groups. For that I currently created a custom group in SharePoint and manually added the users into that group. That doesn't look good, because if my Project Online group changes, then I have to manually change the SharePoint group too. So what I want is that the SharePoint group is automatically synced with the Project Online group.
    Or is there any other way to assign Project Online security in a document library?
    Thanks
    PSN

    No, there is no workaround other than creating a group on the Office 365 server.
    SharePoint Online lets you create security groups via the Admin Overview page:
    http://technet.microsoft.com/en-us/magazine/hh395478.aspx
    Just found a 3rd party. Check if it can help:
    http://en.share-gate.com/blog/migrate-to-office-365-configure-sharepoint-to-use-active-directory
    Active Directory Synchronization: Allows you to sync your Active Directory objects such as users and groups to your Office 365 account. This is a one-way synchronization, which means you continue to manage users on-premises, and your changes will appear on Office 365 SharePoint. However, authentication and passwords are still managed by Office 365. It will be required for Password Sync and Single Sign On (see below).

  • Security scopes and the Requirements tab on a Application Deployment Type

    I have used security scopes to isolate servers and workstations. My account is a Full Administrator that is a member of the Workstation security scope. When I create an application with my user account, the "Create requirement" window does not update the Condition field regardless of what I choose in the Category field. The Condition drop down menu is "activated", but there is nothing to choose from. Everything works if I put my user in all security scopes.
    Is this a bug?

    Ok, I found the issue.
    I did not initially realize that you have to set the security scopes for the Global Conditions that are created during install. Once I added the security scopes I created earlier, everything started working.

  • Latest SharePoint Security Bulletins installation will cover old one or not?

    For SharePoint Security Bulletins, will installing the latest one cover all old patches or not? Below, August 2014 is the latest one.
    August-> 
    https://technet.microsoft.com/en-us/library/security/ms14-050.aspx
    May->
    https://technet.microsoft.com/en-us/library/security/ms14-022.aspx

    Hello,
    I don't think that the security updates are cumulative, but according to this post from Stefan Gossner
    http://blogs.technet.com/b/stefan_gossner/archive/2014/07/10/common-question-on-hotfixes-security-updates-and-non-security-related-public-updates.aspx , it seems that the SharePoint cumulative update contains the security updates, so if you have the latest CU, you should have all the security fixes released before it.
    Best regards, Christopher.

  • Call a Non-SharePoint Secured RESTful API from a Workflow in a SharePoint Online Tenant

    I have a scenario where I need to be able to make calls to a secured web service from a SharePoint 2013 workflow that will be deployed in a SharePoint Online (Office 365) environment. It is a REST web service that is secured in a 2-legged OAuth-like manner (the service expects a hash of the data being sent that can then be validated on the service's end of the communication). The problem is, I can't figure out how I can hash the data, since I can't run any server-side code in the SharePoint Online environment.
    The way I figured this should work is: 1) the user creates an item in a List on the SharePoint site, which kicks off the workflow process. 2) The workflow process takes the user data and hashes it using a client secret assigned by the web service. 3) The workflow creates a web request to the web service, passing the data and the hashed values. 4) The web service processes the input and returns. 5) The workflow continues to the next step.
    I can't figure out how to implement step 2 in that process. I thought I could do a custom workflow activity that would accomplish it, but since it would pretty much have to be a code-based activity (i.e., not declarative), it can't be deployed in SharePoint Online, according to the documentation I've found. I could potentially add a third layer in the process and have an auto-hosted app that I could call to do the hashing of the data, but that seems to defeat the purpose somewhat from a security perspective.
    Has anyone else run into this kind of scenario? Doing this in an on-premises environment would be easy, but that's not really an option.
    Thanks!

    You should implement this by passing the values to a public (forms based auth) web method (secure over SSL) that does the hash for you and returns the value to your workflow so that it can pass it on to the other service.
    Chris Givens CEO, Architecting Connected Systems
    Blog Twitter

  • JSP/SERVLETS NOT UNDERSTANDING JAAS SECURITY CONTEXT

    Hi,
    Instead of using the default form action "j_security_check" for form based authentication, I have a custom JAAS login module which is a servlet that gets called when the user clicks on "OK" in the login form.
    Scenario 1:
    I have a servlet (unprotected) which calls an EJB (which is protected).
    Depending on who has privileges to execute methods on the EJB bean, the authentication happens correctly.
    Scenario 2:
    I have a PROTECTED servlet.
    When I execute the servlet in the browser, the login form comes up. Once I click on OK, what is happening is I call my custom login module servlet, which then calls the protected servlet.
    Now, from the custom login module servlet, when the request goes to the PROTECTED servlet, the login page comes up again. For some reason the servlets or JSPs don't understand that the security context has already been created.
    But if the currently protected servlet is made unprotected and is made to call a protected EJB, the EJB bean gets the security context.
    I am thinking that the security context is propagating, but for some reason the JSP/servlet domain does not seem to get the already created security context.
    Another thing I noticed was that the default approach of using form-auth with "j_security_check" does not seem to work with URL rewriting.
    Any hints are greatly appreciated.
    Thanx,
    krish.

    Hi,
    You may set a <servlet-mapping> in web.xml, or you may use
    <form action="/servlet/HelloWorldExample" method="post">
    instead of
    <form action="/HelloWorldExample" method="post">
    The <servlet-mapping> should be (the closing tags and the servlet-class element were missing from the original post; the class name is assumed):
    <web-app>
      <servlet>
        <servlet-name>HelloWorldExample</servlet-name>
        <servlet-class>HelloWorldExample</servlet-class> <!-- class name assumed -->
      </servlet>
      <servlet-mapping>
        <servlet-name>HelloWorldExample</servlet-name>
        <url-pattern>/helloWorld.html</url-pattern>
      </servlet-mapping>
    </web-app>
    After you add the servlet-mapping, you can access the servlet with the url-pattern, that is:
    <form action="/helloWorld.html" method="post">
    The internal operation of the first and second methods is different, and you should use the second one (use servlet-mapping). The <url-pattern> has many ways to use; if you want to learn more, see the servlet spec.
