Clayton's SharePoint Madness

All About SharePoint, InfoPath, and SharePoint Designer!

Archive for July, 2009

InfoPath – User Roles in Browser-Enabled Forms Using AD Groups

Posted by Clayton Cobb on July 19, 2009


MAJOR REVISION – Now using GetCommonMemberships web method to determine group memberships for users without needing to use contact lists or any other manual data source!

So, you need to restrict certain controls in your InfoPath form, but it’s browser-enabled, and you just found out that User Roles are not supported, huh?  You also see that SharePoint permissions do not help restrict specific areas within your form, so what do you do?  There are probably several methods, but here is the one I have come up with that uses all built-in functions of InfoPath and MOSS 2007 without any code and leverages Active Directory Security Groups.

Special thanks to a co-worker of mine – Irene Clark – who I taught to use the UserProfileService and subsequently figured out on her own that GetCommonMemberships could help with User Roles.  She showed it to me, and I immediately jumped on it to come up with what you see here.   Thank you very much, Irene!

Here is an outline of the steps with the assumption that you already have a working, browser-enabled form.  If anyone needs me to write up the basic steps of creating a browser-enabled form from scratch, let me know via the Blog Request Log:

  1. Add GetCommonMemberships data connection
  2. Add necessary fields to form template and configure them
  3. Add conditional formatting to applicable controls

User Profile Service – GetCommonMemberships Method

We must add this superb web service to our form template as a data connection.  Please use the first 8 steps of Itay’s writeup to get this done as I can only give him credit for my extensive knowledge of this web service.  Once you’ve added it successfully, we need to do a few things with it using the later steps in Itay’s blog.  Here are the steps.  They are only text with no screens, so I will just paste them here.  Remember that we are leveraging a different web method than Itay, but it’s the same web service:

  • With InfoPath opened go to Tools > Data Connections, and click ‘add…’ to add a new data connection to the form. This opens up the Data Connection Wizard.
  • We want to receive data from the WS about the current user, so choose ‘receive data’ and click next.
  • Our data source is a WS so choose ‘Web Service’ and next.
  • Now you will have to point the wizard to the WS. Type an address similar to this: http://ServerName/_vti_bin/UserProfileService.asmx  and click next.
  • Here you get a list of all methods for that WS, choose GetCommonMemberships and click next.
  • In this screen you can specify what parameters are sent to the method, we are relying on the method’s ability to return the current user name if no value is passed to it, so we will leave this as is (no value is passed to the method) and click next.
  • Click next and make sure ‘Automatically retrieve data when form is opened’ is checked.
  • Finish the wizard.

In this solution, the GetCommonMemberships (GCM) method of the UserProfileService will provide the values we need to check a user’s Active Directory (AD) Security Group (SG) and Distribution List (DL) membership.  This method also provides SharePoint (SP) Site membership, but that is not as useful as if it provided SP group membership, which it does not.  I will be focusing only on the AD group memberships for this write-up.  Here are some steps showing how to use and see what this method provides:

  • View this method’s node structure
  • Drag the whole repeating group to the canvas and preview to see the result
  • Reduce the table to the most useful fields and decide which ones you want to leverage
  • Filter to show only the AD groups
  • Create a dropdown control bound to an element in your main data source that will show a selectable list of groups for a given user
  • Use this information to apply conditional formatting on other controls

Notice that the node structure in the GCM method (Fig 1) is much more friendly than GetUserProfileByName.  You can clearly see the information that is available, and the nodes are self-explanatory for the most part.


Fig 1 – GCM Node Structure

Grab the MembershipData repeating group onto the canvas and choose Repeating Table when prompted.  This lays out the entire node structure nicely, although you will need to expand the table and the columns in order to clearly see the data (Fig 2).


Fig 2 – Full GCM Repeating Table Structure with Sample Data

In my opinion, certain fields are not useful to us due to either not having data or not having data that is useful for determining User Roles.  I will delete the columns named Group Type, Privacy, ID, Member Group ID, and Group (Fig 3).  Notice that Member Group ID does have some unique info, but I am not yet sure how to leverage that data.  You may also want to remove the SourceInternal field from the MemberGroup section, because it shows the same GUID each time (at least in my system).  As for the remaining fields, here are my notes so far:

  • Source: This shows whether or not the record is an AD group (noted as “DistributionList”) – or a SharePoint site membership (noted as “SharePointSite”).  Notice, these are not SharePoint groups, but rather site memberships and only where the user has been specifically added to that site with permissions as opposed to inheriting permissions through AD SG membership.  The AD groups include both SGs and DLs, which is important to know.
  • Member Group – Source Reference: This shows the Organizational Unit path in Active Directory of the DistributionLists and shows a GUID for SharePointSites.
  • Display name: This is the Display Name of the group as defined in AD.  In Outlook, this name can typically be used as an addressee for an email, and the name will resolve to the email address.  This name SHOULD be unique and will be what we use for our User Role matching later.  For SharePointSites, this is just the site name.
  • Mail NickName: This is the alias for that group in AD, and it also will resolve to the email address when used in Outlook.  However, I found in my system that there were _two_ separate contacts in the GAL with the same alias.  That should not happen, and I will be notifying the AD admins, but the fact that it did happen with a common SG I use means it is not a guarantee, so be wary of that.  The same could potentially happen for Display Name, but that is a much longer and more specific name while aliases are sometimes just a few letters.  There is no nickname for SharePointSites.
  • URL: This is the direct email address for the group in the form of mailto:name@domain.com.  This also could be a very good source for matching groups and/or for sending emails.  Again, the email address SHOULD be unique, but that all depends on how well your AD is maintained.  For SharePointSites, it shows the URL to the site.


Fig 3 – Partial GCM Table with Relevant Columns Only

If you ever plan to use this method for displaying a user’s list of group memberships, you may want to only show the DistributionList records.  To do so, simply right click on the repeating table itself and create a conditional formatting rule that hides the control if the Source node is equal to “SharePointSite” in it (Fig 4).  Interestingly, when going through the wizard to set this condition, the wizard automatically detected the available options for that node.  I am used to seeing that with my main data source, but it does not always happen when referencing a secondary data source node.  In this case, it helps to quickly choose the right selection without the potential for a syntax error.  The result will be that you only see DistributionList records in the repeating table, which is the information that would be useful.


 Fig 4 – Set Filter on GCM Table to Only Show AD groups

You may also at some point wish to show a user’s group memberships in a pulldown and then use a particular selection to trigger a rule or match some other condition elsewhere in the form.  You may even use it to see another user’s memberships (other than the current user) and then select a group to then invoke the UserGroup web service (or possibly other available web services/methods similar to this) to enumerate the users in the group.  That is outside the scope of this write-up, but it’s something to consider.  To set up the dropdown, follow these steps:

  • Create a text data element in your main data source with whatever name you prefer
  • Drag that field to the canvas, which makes a text box
  • Right-click that box and change it to a Drop-down List Box
  • Double-click the dropdown to get to its properties (Fig 5)
    • Select the radio button that says, “Look up values from an external data source”
    • For the Data Source, choose GetCommonMemberships
    • For Entries, click the button, drill down through the groups, and select the MembershipData repeating group
    • For Value, choose whatever node you prefer as your primary key (unique value).  DisplayName, Nickname, and URL are all suitable.
    • For Display Name, choose the DisplayName node
  • Click OK until done and preview the form.  You should see the friendly names of your groups all listed in the dropdown.  Since this is a browser form, we cannot filter the dropdown (at least until we get SharePoint 2010!), so you will see the SharePointSites, too. 


Fig 5 – Dropdown Bound to Main Data Source and Showing GCM Group Data

Add Necessary Fields to Form Template, Create Layout, and Configure Default Values

First, manually create all the fields and groups you see below (Fig 6).  Notice that strAdmin and strFinance have default values.  Do not mimic these in your real form, because they will depend on your group names, which we’ll get to shortly.


Fig 6 – Data Structure

Next, we need to create our layout on the canvas (Fig 7).  For this example, I just simply have two sections that are bound to grpAdmin and grpFinance (do not include their child fields), respectively, along with some text and a color for differentiation.  I also have a repeating table bound to the MembershipData repeating group of the GetCommonMemberships method that is only showing the DisplayName element.  This is only on the form for now to show what is happening, but it would not be on the form when using this concept unless you have some reason for showing the current user’s groups.  You get this on the canvas by following the steps shown in Figures 2-4.


Fig 7 – Form Layout

After that, we need to assign our initial values that will play a part in the security of our form.  For this exercise, we will use two Group Check Fields. This part is important, because this is what defines the group memberships in your form that will be leveraged for User Roles.  I am using “Sharepoint Admins” and “Finance,” because those are the _exact_ words that show up in the DisplayName field of GetCommonMemberships (refer to Fig 2).  In your case, you’ll want to add a field for each group that you want to define for your User Roles and set its default value accordingly:

  • strAdmin – Set the default value to the text “Sharepoint Admins” (no function used)
  • strFinance – Set the default value to the text “Finance”
  • Remember, please use proper values for your environment based off what you see in your equivalent of Figure 2 above

Add Conditional Formatting to Sections

  • Administrators Section – We are going to set conditional formatting on this control (Fig 8) so that if the user is not in the Sharepoint Admins security group, then this control will be hidden:
    • Double-click the Administrators section on the canvas to get to its Properties, click the Display tab, then click Conditional Formatting and click Add
    • In the first field, click Select a field or group
      • In the Data Source pulldown, select the GetCommonMemberships secondary data source
      • Drill down the dataFields path until you get to DisplayName, which you should single-click
      • At the bottom of this box where it says Select, choose the phrase All occurrences of DisplayName, then click OK
    • For the Operand, choose are not equal to
    • In the last box, click the pulldown and choose Select a field or group, then choose strAdmin from the main data source
    • Lastly, in the Formatting area, check the box for Hide this control


Fig 8 – Conditional formatting to hide sections from unintended users

  • Finance Section – Do the same thing as with the Administrators Section except in the last box of the conditional formatting setup, choose strFinance.  This will compare the current user’s list of group memberships with the exact name of the Finance security group, which is what we set the value of strFinance to be.
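The role check configured above, worked through in Python as an added example (not part of the original post): it evaluates the “All occurrences of DisplayName are not equal to” rule against a constructed, simplified membership result, contrasts it with an any-occurrence comparison, and adds a variant that counts only DistributionList records. The sample XML, the addresses in it, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for a GetCommonMemberships result. The real
# response is SOAP-wrapped; only fields the post keeps in its table appear here.
SAMPLE = """
<GetCommonMembershipsResult>
  <MembershipData>
    <Source>DistributionList</Source>
    <DisplayName>Sharepoint Admins</DisplayName>
    <Url>mailto:spadmins@example.com</Url>
  </MembershipData>
  <MembershipData>
    <Source>DistributionList</Source>
    <DisplayName>All Staff</DisplayName>
    <Url>mailto:allstaff@example.com</Url>
  </MembershipData>
  <MembershipData>
    <Source>SharePointSite</Source>
    <DisplayName>Finance</DisplayName>
    <Url>http://ServerName/sites/finance</Url>
  </MembershipData>
</GetCommonMembershipsResult>
"""


def memberships(xml_text):
    """Return (Source, DisplayName) pairs for every MembershipData record."""
    root = ET.fromstring(xml_text)
    return [(m.findtext("Source", ""), m.findtext("DisplayName", ""))
            for m in root.iter("MembershipData")]


def hide_all_occurrences(records, role_value):
    """'All occurrences of DisplayName are not equal to X': hide only when no
    record carries the role name. This is the rule the post configures."""
    return all(name != role_value for _, name in records)


def hide_any_occurrence(records, role_value):
    """An any-occurrence comparison: hides as soon as one record differs,
    which is true for nearly every user with two or more memberships."""
    return any(name != role_value for _, name in records)


def hide_ad_groups_only(records, role_value):
    """The post's rule restricted to DistributionList records (AD security
    groups and distribution lists), so a site name cannot satisfy it."""
    return all(name != role_value
               for source, name in records if source == "DistributionList")


if __name__ == "__main__":
    recs = memberships(SAMPLE)
    for role in ("Sharepoint Admins", "Finance"):
        print(role,
              "all:", hide_all_occurrences(recs, role),
              "any:", hide_any_occurrence(recs, role),
              "AD only:", hide_ad_groups_only(recs, role))
```

Conditional formatting only hides the section in the rendered view; the field values are still stored in the form's XML, so who can read a saved form remains a matter of SharePoint permissions on the library.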

Now, it’s time to show it in action.  In my scenario, I have two user accounts:

  • Clayton Cobb – I am in the Sharepoint Admins SG but not in Finance
  • SharePoint Tester – He is in the Finance SG but not in SharePoint Admins

I’ll start with SharePoint Tester being logged in (Fig 9) who will open a new browser form (Fig 10).


Fig 9 – SharePoint Tester logged in


Fig 10 – SharePoint Tester only sees the Finance section

After saving the file as the SharePoint Tester, I will now log in as myself (Fig 11) and open the existing form (Fig 12). 


Fig 11 – Clayton Cobb logged in


Fig 12 – My account only sees the Administrators section

**After it is all working, be sure to remove the repeating table from your form, or if you decide to show it for some reason, you may want to make that field read-only so that users can’t manually change it.

That’s all there is to it!  You can now leverage Active Directory distribution lists and security groups for providing a mock User Roles functionality in Browser Forms without writing any code and while maintaining Domain Trust. The key here is that when looking at the same form, two separate users will see different information that is available based on their group memberships in Active Directory.  Imagine the other ways you could leverage this by restricting individual controls, whole sections, or even entire views, which is very powerful!


Posted in InfoPath 2007, MOSS 2007 | 187 Comments

InfoPath 2010 Rules!

Posted by Clayton Cobb on July 16, 2009


I am EXTREMELY excited by some of the new features.  The Infopath Team just announced some new features on their blog as you can see here:

What’s New in InfoPath 2010?

I do 95% of my InfoPath work with SharePoint, so I am big-time stoked about the new SP integration features.  Look at some of these things that we will be able to do that plagued us previously:

  • Modify list and library forms (new, edit, display) from IP instead of having to use the cumbersome SPD interface!! I’ve done this already for both regular list forms AND for InfoPath 2010 – Designing External List Forms
  • Rules manager for copying and pasting rules.  You can actually re-use your rules, and you can use the same conditions for a data validation, conditional formatting, or rule all on one field at the same time (not separate buttons to push anymore). You can also copy/paste entire rule sets at once. A bonus point for everyone here is that you can use the InfoPath 2010 Designer to design your 2003 and 2007 forms!!  I’m doing this exclusively now, because the interface improvements make it much faster to build forms.
  • We will now be able to use these previously-missing features in our browser forms: FILTERING!!!!, Multi-select list box, combo box, choice groups/sections.  Sweet!!  I’ve already built a browser form with cascading dropdowns (filtering) and will have a blog entry posted on the topic soon.
  • The contact Selector is now included by default in the Controls gallery (nice!).  This is nice, but be sure NOT to use it if you’re developing a 2003 or 2007 form.  The new Contact Selector does not use ActiveX, and the one in 2007 does.  If you add the 2010 Contact Selector to your 2007 canvas, it will not work.
  • There is now an InfoPath form web part so we don’t have to use page viewers nor the XMLFormView add-on that required some customization.  It also can be connected to other web parts – awesome!  This feature was a part of almost every demo/session done by the InfoPath product team at SharePoint Conference 2009.  It will be a major player in how we use InfoPath to visually display data right within web part pages along with several other connected web parts.  Also, I have learned that when you modify the list forms of a list/library, the new/edit/display pages all get auto-generated, and they each include an InfoPath form web part.  That’s how it works!

I’ve already started testing IP10, and it is freakin BAD!!!  The good “bad,” of course.  Here are some observations so far:

  • With my existing IP07 forms, the experience is seamless.  There is no upgrading that must be performed, and IP10 immediately knows to keep my IP07 browser-compatible form from getting messed up with unsupported functions.  It also auto-defaults to being saved as an IP07 form.  Everything works the same, yet I get the ease of using the new interface
  • Learning a lot so far, and I love it. It’s difficult finding everything, but I know that once I get it memorized, the ribbon will make it way better than before. It’s similar to when I first moved to Office 2007 and struggled with Word/Excel, but now I won’t even touch 2003.
  • The install gives you both a designer and editor. My presumption is that the editor may behave like Adobe Reader? I hope that it can become a free download for anyone so that only form designers/developers need the full version (licensed) while regular users would get just the Editor. If MS were to do it this way, it would have seriously positive ramifications on clients, because I am _always_ having to explain how either everyone needs IP07, or we have to do limited browser forms. I foresee great strides in the market if Editor is made free.  The IP team has not confirmed nor denied my commentary, but for now it doesn’t appear to be what I was hoping.
  • One-click publish is nice!! However, you still have to find the regular publish so that you can promote properties and such. It took me a while, but I found it, and that led me to being able to configure my Quick Access buttons. Once my publish is setup nicely, it’s very convenient to be able to just do the one-click publish for constant editing for a form template.
  • I have all my favorite buttons in the quick access at the top (save, publish, preview, rules, form load, design mode).  Putting them there makes everything very fast and easy as you get used to the interface.
  • Speaking of Form Load, it was a pain to find, since it’s no longer in the Advanced Form Options under the Open and Save tab. That menu is changed to just Save, and there is a Form Load button in the Data ribbon. I moved that to my quick access toolbar…
  • The rules management is a huge breath of fresh air. Not only can you copy and paste rules, but you can set conditions in one place to then be used by data validation, conditional formatting, and actions all in one place instead of having to always re-do conditions for each of those separately
  • In terms of Editor, I noticed a toggle option in view properties saying, “Design view for the InfoPath Editor only.” Hmmm, must find out what that’s all about.  I found out that this is just the same option that was in IP07, but it has been re-labeled to something more obscure.  Basically, if you click this box, it means that view will be allowed to have browser INCOMPATIBLE features and will thus not show up in a browser form.  Handy if you want a form to be dual-use, but not what I was hoping it meant.

Bugs:

  • I get this message every time I open IP Designer, “Some of the custom controls cannot be used: You can continue working without these custom controls, or you can modify them. Details: The following ID for the custom control is already being used by another control: {61e40d31-993d-4777-8fa0-9ca59b6d0bb}. All controls must have a unique ID.” I found out from the IP team that this is a known bug that wasn’t fixed before Technical Preview, but that means it should be taken care of before the release.

So, I’ve already created a client form (prototype) using IP 2010 as of tonight. It was previously a 2007 form, but 2010 preserved everything about it and automatically saved it as a 2007 template when I first saved. I published it to MOSS Enterprise, and it renders in the browser as expected.

Posted in InfoPath 2010, Office 2010, SPD 2010 | 74 Comments