Deploy SharePoint 2010 Feature Claims based Authorization using VS 2010

With Visual Studio 2010, you can have a provision to deploy multiple SharePoint 2010 features. VS2010 provides the following project templates for SharePoint 2010.

1. Empty SharePoint Project - To deploy Site collections, custom Web parts, etc.
2. Visual Web Part - Project to deploy individual Web part to the Site
3. Site Definition - To create site definition template with default themes, format, master page layouts, etc.
4. Import SharePoint Solution Package - This provides you the Sand Box solution to import WSP and publish it.
5. Sequential Workflow - To create and publish WWF custom workflow to SharePoint Workflow
6. Business Data Connectivity Model - For integration BDC (Business Data catalog) features. It will be used for integration with multiple systems.
7. Event Receiver - This project can be used for Alerts and notification.
8. List Definition - To create and publish SharePoint list
9. Many more…

Last but not the least, a very powerful feature is WSP builder.
With the SharePoint groups, we realize that one SharePoint group (Like “Contributor”) will have limitations to handle 15,000 + users. Transactions and access to the SharePoint sites will highly impact in terms of low performance for handling more users. Sometimes, it crashes. If we manage this using AD groups, this limitations can be avoided. However, still does it make sense to create so many roles in AD and provide transactions to the AD group? I am sure it does not.

With SharePoint, there are three ways to handle roles:

1. SharePoint Groups
2. AD Groups
3. Claim based authorization

SharePoint’s security boundaries are of four ways:

1. Individual User: From any system perspective, giving individual permissions is not feasible, considering the amount of users it has.
2. SharePoint Group
3. Active Directory (AD) Group
4. Claim based Authorization

Claim Based Authorization

This feature is really new and it is more flexible to use. In your organization, if roles are handled differently, then claims can be created for those roles and login user (Windows or form based) can get access to the sites, sources based on this claims. Further at the SharePoint items level, folder level, Web parts level permission can be assigned based on this role.

There, all real time business scenarios can be handled using Claim based authorization.

1. Providing role based access to different systems in an organization based on claims.
2. Providing role based access to the Services if you have SOA enabled architecture
3. Syncing between multiple ((like CRM, Task Management, PeopleSoft, SAP, etc.) role based system in an organization. In any system with different groups and hierarchy.

SharePoint 2010 Claims

SharePoint Claims can be created by writing custom claim provider to create claims for all roles defined in different system and provide access to the Site based on this claims. Existing restricted Roles can be migrated to Claims in SharePoint, i.e., only those roles which are really required by SharePoint UI.

Claims provider in SharePoint 2010 is can be used to do claims augmentation (adding more attributes to claims) and to provide name resolution.
Picture here:

Implementation Steps for Claims in SharePoint 2010

You need to perform the following implementation activities to provide claims in SharePoint.

1. Create Claim provider
2. Consumed services in claims (if claims are required to be fetched from different systems)
3. Populate claims inside SP People Picker
4. At Web application, given permissions depend on claims

Objective Create Provider Class for Generating Claims

Design

• Create custom class that inherits from SPClaimProvider class.
• To add claim in SharePoint for login user, you need to implement FillClaimsForEntity method. This method will consume the RHMS service and retrieve roles and this roles acts as claim in SharePoint.
• To populate all the claims in People picker, you need to implements FillSearch method. This method fetches all the roles from RHMS and shows in people picker depending on search criteria.
• To resolve all the claims in People picker, you need to implement FillResolve method. This method fetches all the roles from RHMS and shows in people picker depending on search criteria.
• Link for claim based implementation can be found at http://myspserver:8587/sites/CRM/Pages/HRWorkspace2.aspx.

Custom Claim Provider Class Diagram

Follow the below steps to create your own custom provider:

1. Create a new project as class library and add references of “Microsoft.Identitymodel”, “Microsoft.SharePoint” and “Microsoft.SharePoint.Security” DLLs.
2. Create custom class that inherits from SPClaimProvider class, and override all the required methods.
   C#

   [SharePointPermission(System.Security.Permissions.SecurityAction.Demand,ObjectModel=true)]
   [SharePointPermission(System.Security.Permissions.SecurityAction.LinkDemand,
                         ObjectModel=true)]
   public class CustomRoleClaimProvider : SPClaimProvider
   {
   }

   • Register DLL in GAC.
   • Create console application to deploy the custom claim provider on the SP farm. This application will use the below class to deploy custom claim provider:
     • SPClaimProviderManager and
     • SPClaimProviderDefinition
3. Then Create claim based application, and try to add permission from people picker. This will get all claim return from the custom claim provider. Example: Give permission for specific web part in web part gallery, add claim in the users using people picker, then this web part will be visible to only to those users having added claims.

Challenges: Converting exiting Classic mode Web App to the Claim based Web App
For sample code, refer to this post [^].