Within any organization, a user is more than just the account he or she uses to log in to the network and the unique ID (for example, CustomerID, VendorID, or EmployeeID) he or she is assigned. A user has a name, a phone number, an address, a title, and maybe even a photograph and food preferences. An organization usually maintains such information in disparate databases. For instance, HR would have information such as emergency contacts and mailing address, whereas payroll may have tax and salary information.
This valuable information usually is locked away in systems that do not talk very well with each other. If all this information could be stored in one system, specific content could be targeted to specific users. So, for example, a new law that applies only to offices in California would be viewed only by users whose PositionState field is CA.
Microsoft Office SharePoint Server 2007 (MOSS 2007), or simply SharePoint 2007, provides just such a solution by introducing the concept of User Profiles. User profiles allow you to associate metadata with every UserID. In MOSS 2007, this metadata can then be kept in sync with the other systems in the organization using the BDC, an Active Directory domain controller, or an LDAP server. Having such metadata from disparate systems aggregated and synchronized into one single system, MOSS 2007, presents a very valuable proposition to any organization.
It is quite reasonable to expect that a MOSS User Profile would be an amalgamation of information from various sources. Thus, MOSS provides you with the means to fine-tune such information and its import. This article examines the SharePoint 2007 User Profile feature, beginning with a discussion of what it takes to set up metadata.
User Profiles Setup
By default, SharePoint 2007 automatically detects the domain controller and imports the user information from the Active Directory service. It is worth noting that some subtle differences exist between Windows SharePoint Services (WSS) and MOSS (see the section at the end of the article). With the user information imported, instead of seeing "Welcome Domain\smalik" in the top left-hand corner of a SharePoint site, I would see "Welcome Sahil Malik" (see Figure 1).
Figure 1: Top Left-Hand Corner on a SharePoint Site
Clicking on the "My Settings" link in WSS shown in Figure 1 takes me to a page where I, the logged-in user, can maintain information about my own profile (see Figure 2).
Figure 2: Maintain Information About Your Own Profile
In MOSS, the end user can maintain this information in his or her "My Site" using the "Edit Profile" link.
Depending upon the specific network setup in your organization, you may not find all the information populated. You may want to add to the information shown in Figure 2. For instance, a "Mobile Phone" item would be nice for "Sales personnel". The Mobile Phone information may be sitting inside a SAP system accessible via a web service/business data catalog connection.
User Profiles are managed through the shared service provider for a site. Under Shared Services, you will find a section for "User Profiles and My Sites". You can manage User Profile information mainly using the first two links in that section as described in the following section.
User Profiles and Properties
Clicking on the "User profiles and properties" link takes you to a page where you can manage the Profile and Import settings, as well as the various properties you wish to maintain on user profiles.
In the first section on this page, Profile and Import settings, you can view existing profiles, set up import connections, add new profiles, and view current statuses and logs for the import process. You can configure the Shared Service provider to import user profile information from Active Directory, a business data catalog, or an LDAP server. To do so, you would first have to create a suitable import connection and then specify a full import schedule and an incremental import schedule.
In the second section, you can configure the various User profile properties. Imagine that you were setting up MOSS for an organization that was spread across the United States and the UK, and one of the bits of user profile information you wanted to track was zip codes. Americans call them zip codes, but Brits call them postal codes. By using this second section of profile properties, not only can you add new properties to a user profile, but you also can define a mapping between source and target. Thus, you can choose a common name (ZipCodes) to represent a piece of information that may have different names (ZipCodes vs. PostalCodes) in different systems. Not only that, but you can choose various other parameters of the property, such as its visibility, whether the end user can edit it, whether it is indexed for searches, and, if you are amalgamating user profile information from disparate sources, which data connection the specific property is populated from.
Profile Services Policies
The second link under the "User Profiles and My Sites" section of the shared service provider is the "Profile services policies" link. Under Profile Services Policies, you will see a section titled "User Profile Properties" where, as the name suggests, you can specify a policy for each profile property. For instance, if you were tracking "Manager" information for any specific user, you probably wouldn't want the user to be able to edit that. If you were tracking "Salary", you probably wouldn't want the user to edit that, nor would you want that information to be visible to the general public. However, a user's birthday is something you want to be both visible and end-user editable. You can specify such policies for each user profile property using this section (see Figure 3).
Figure 3: User Profile Properties Section
Migrating User Profiles
Any good software development environment has development machines, a QA server, a staging server, and a production server. Your environment may also have multiple production servers. For instance, you may have MOSS running both on the intranet and the extranet. For security reasons, the extranet server may be set up on a physically separate machine that may not be able to communicate directly with the domain controller that sits inside the firewall. Also, it is quite possible that the development machines may be under different network topologies than the various servers in your network.
Thus, you need a way to set up user profiles on a server, and be able to migrate them easily to another physical machine.
User Profiles cannot be migrated using the SharePoint UI. However, like many other things in SharePoint, you can manipulate the profiles easily by using the SharePoint API. Currently, two open source command line utilities are available with full source code that will help you achieve this task:
- ProfilePropertyMgr: ProfilePropertyMgr is a utility for importing/exporting profile properties. Once you set up the specific properties you want to track on a specific SharePoint installation, you can export them to an XML file and then import the XML file into another SharePoint installation.
- Profile Importer (PI): PI is a utility that allows you to import/export actual user profile data between SharePoint sites and XML. So, if your intranet server has access to the domain controller, you can schedule an export of user profile data from the intranet server to an XML file, and an import from the XML file to the extranet SharePoint server.
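The two sections above (Profile Services Policies and Migrating User Profiles) meet in the following added example, which is not code from the article or from the ProfilePropertyMgr/PI projects: a small console tool that walks user profiles through the MOSS 2007 object model and writes them to XML, but only exports properties whose default privacy policy is Public, so that a property such as Salary never lands in a file that is copied to an extranet server. It assumes a MOSS 2007 farm, references to Microsoft.SharePoint.dll and Microsoft.Office.Server.dll, and a site URL and output path passed on the command line.

```csharp
// Added example, not the article's or the PI/ProfilePropertyMgr code.
// Exports user profile data to XML, honouring the profile property
// privacy policy: anything not marked Public stays on the intranet.
// Assumed: MOSS 2007 object model, run on a farm server as an account
// with rights on the Shared Service Provider.
using System;
using System.Xml;
using Microsoft.SharePoint;
using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;

class PublicProfileExport
{
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: PublicProfileExport <site-url> <out.xml>");
            return 1;
        }
        using (SPSite site = new SPSite(args[0]))
        {
            ServerContext ctx = ServerContext.GetContext(site);
            UserProfileManager upm = new UserProfileManager(ctx);
            XmlWriterSettings settings = new XmlWriterSettings();
            settings.Indent = true;
            using (XmlWriter w = XmlWriter.Create(args[1], settings))
            {
                w.WriteStartElement("Profiles");
                foreach (UserProfile profile in upm)
                {
                    w.WriteStartElement("Profile");
                    w.WriteAttributeString("AccountName",
                        (string)profile[PropertyConstants.AccountName].Value);
                    foreach (Property prop in upm.Properties)
                    {
                        // Policy gate: Private/Manager/Organization/Contacts
                        // scoped properties (for example Salary) are skipped.
                        if (prop.DefaultPrivacy != Privacy.Public) continue;
                        object value = profile[prop.Name].Value; // first value only
                        if (value == null) continue;
                        w.WriteStartElement("Property");
                        w.WriteAttributeString("Name", prop.Name);
                        w.WriteString(value.ToString());
                        w.WriteEndElement();
                    }
                    w.WriteEndElement();
                }
                w.WriteEndElement();
            }
        }
        return 0;
    }
}
```

Multi-valued properties are exported with their first value only; extend the inner loop over the UserProfileValueCollection if you need every value.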