Wednesday, July 25, 2012

Setting Site Permissions during the Site Provisioning


Setting custom permissions during site provisioning can be a confusing affair. With some investigation, I was able to get the concepts clear. 
Below is the design we used for Groups and permissions in one of our projects during the site provisioning. Hope it helps you in your projects as well.

Note: All groups are created at the Site Collection level. They will be visible in all the webs created under it.

SiteCollection Feature Activation
1. Create custom RoleDefinitions (Permission Sets) {ViewEditRD, ViewAddEditRD} at the Site Collection level. These are inherited by all the webs. Don’t confuse this with the breaking of permission inheritance at the Web level.
2. Create an Admin group (SiteAdmins) in the SiteGroups collection. This will be used to carry out admin activities on the Sub webs or Lists that will undergo inheritance breaking.

New Project Provisioning
1. Create the Project with permission inheritance broken.
2. Create the Custom Groups {PMGroup, TeamMembersGroup} for every Web created.
3. Associate the Custom Groups created at the Site Collection with Read permissions.
4. Associate the Custom Groups created at the Web Level with appropriate RoleDefinitions {ViewEditRD/ViewAddEditRD}. SPRoleDefinition defines the set of permissions permitted on SharePoint objects. 
5. Associate the SiteAdmins group with the Administrator role at the Web level.
6. Break the Permissions at the List level and apply the Required RoleAssignments based on the RoleDefinition and Groups. SPRoleAssignment class is used to bind together a Group and RoleDefinition with a SharePoint Object (web, list or a document library). 


Monday, July 9, 2012

Working with SharePoint Online using NodeJS




SharePoint Online (SPO) data can be accessed using the Server Object Model (a restricted API set, as it is for Sandboxed solutions), but only when the application is hosted within the SPO site collection. For the rest of the scenarios you will need to use the Client Side Object Model (CSOM).


There are three approaches to accessing SharePoint/SPO data from client applications: 
CSOM (JavaScript, Silverlight, .Net Managed)  
Web Services
REST Interfaces



Accessing remote SPO data from hosted applications using Silverlight/JavaScript is not possible, as the browser rejects such cross-domain requests (the same-origin policy, a defence usually mentioned alongside cross-site scripting, also known as XSS). The only way to access such data is to either use desktop-based applications or write server-side code on your web server using .Net Managed, Web Services or REST interfaces. Before you can access the data you need to authenticate remotely to the SPO site.

The flow to authenticate remotely is:
1. Send the credentials using SAML 1.1 (over https) to the SPO STS endpoint https://login.microsoftonline.com/extSTS.srf. If the request is successful, the STS returns a token.
2. Pass this token to SPO and fetch two cookies (called FedAuth and rtFa).
3. Pass these two cookies on every request made to SPO.


Note: FedAuth cookies are written with the HTTPOnly flag. This instructs client-side browsers not to allow any scripts to read the cookies, thereby preventing a cross-site scripting (XSS) attack from stealing them.
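
Steps 2 and 3 of the flow and the HTTPOnly note above, as an added example that is not part of the original post or of the node-sharepoint library: it picks FedAuth and rtFa out of Set-Cookie headers, builds the Cookie header for later requests, and reports cookies that lack the HttpOnly or Secure flag. The header lines are constructed sample data and every function name is hypothetical.

```javascript
// Constructed sample Set-Cookie lines (not captured from a real SPO response).
const SAMPLE_SET_COOKIE = [
  'rtFa=AAAA+bbbb==; domain=sharepoint.com; path=/; HttpOnly',
  'FedAuth=CCCC/dddd=; path=/; HttpOnly',
  'tracking=1; path=/',
];
const SPO_COOKIES = ['FedAuth', 'rtFa'];

// Parse one Set-Cookie line into name, value and the two flags of interest.
function parseSetCookie(line) {
  const parts = line.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the line
  const attrs = parts.slice(1).map((a) => a.split('=')[0].toLowerCase());
  return {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1), // base64-style values may contain '='
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
  };
}

// Step 2: keep only the two SPO cookies and fail loudly if one is missing.
function collectSpoCookies(setCookieLines) {
  const jar = {};
  for (const line of setCookieLines) {
    const c = parseSetCookie(line);
    if (c && SPO_COOKIES.includes(c.name)) jar[c.name] = c;
  }
  const missing = SPO_COOKIES.filter((n) => !jar[n]);
  if (missing.length) throw new Error('sign-in did not set: ' + missing.join(', '));
  return jar;
}

// Step 3: the Cookie header value to send on every request to SPO.
function cookieHeader(jar) {
  return SPO_COOKIES.map((n) => n + '=' + jar[n].value).join('; ');
}

// Without HttpOnly a script can read the cookie; without Secure it may be sent over http.
function flagWarnings(jar) {
  const out = [];
  for (const n of SPO_COOKIES) {
    if (!jar[n].httpOnly) out.push(n + ': missing HttpOnly');
    if (!jar[n].secure) out.push(n + ': missing Secure');
  }
  return out;
}
console.log(cookieHeader(collectSpoCookies(SAMPLE_SET_COOKIE)));
```

On the sample lines the unrelated cookie is dropped and both session cookies are reported as lacking Secure, which matters when the site is reached over plain http.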


Demonstrating with an example, I will use REST interfaces and for the sake of learning some new platform, I have chosen NodeJS (A platform built on Chrome's JavaScript runtime for easily building fast, scalable network/web applications.) as the server technology.


Steps: 
1. Create an Office 365 free trial using http://www.microsoft.com/en-us/office365/free-office365-trial.aspx?WT.z_O365_ca=Try_free-office365-trial_header_en-us . Say, your domain is mydomain.sharepoint.com
2. Navigate to the newly created SPO site http://mydomain.sharepoint.com (http is for P-plans and https is for E-plans).
3. Create a Custom List 'Contacts' and add a couple of list items.
4. Install NodeJS from http://nodejs.org/#download
5. Copy the contents of https://github.com/lstak/node-sharepoint.git into a folder.
6. Through a console, navigate to the folder and execute the command: $ npm install sharepoint. If that doesn’t work, then try the following: $ npm install sharepoint@0.0.5
7. Create a new file under the same directory, name it spo.js and put the code snippet provided below in it.
8. Execute the command: $ node spo.js
9. While the server is waiting for requests, make a request to http://127.0.0.1:1337/


Output: You will see 'Hello World' in the browser, but behind the scenes the server has made a request to your SPO team site and fetched the data. Verify this by checking the logged information on the server console.


var http = require('http');
var SP = require('./sharepoint');

http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});

  // Use the domain name which you have access to.
  var spo = new SP.RestService("http://mydomain.sharepoint.com/teamsite/");
  // Placeholder credentials; replace with your own account.
  spo.signin('prashanthkn@mydomain.onmicrosoft.com', 'password', function (err, data) {
    // Check for errors during login, e.g. invalid credentials, and handle accordingly.
    if (err) {
      console.log("Error found: ", err);
      return;
    }

    // Start to do authenticated requests here....
    var oList = spo.list('Contacts');

    oList.get(function (err, data) {
      // Check for errors on the list request before touching the results.
      if (err) {
        console.log("Error found: ", err);
        return;
      }
      data.results.forEach(function (item) {
        console.log(item.Id);
        console.log(item.Title);
      });
    });
  });

  // The response does not wait for the SPO calls; their results go to the server console.
  res.end('Hello World\n');
}).listen(1337, '127.0.0.1');

console.log('Server running at http://127.0.0.1:1337/');


Once you have the data, you can decide how you would want to share it with your clients.

Go through the NPM (Node Package Manager) documentation at http://npmjs.org/doc/install.html
A good read about SPO authentication under the hood: http://www.wictorwilen.se/Post/How-to-do-active-authentication-to-Office-365-and-SharePoint-Online.aspx


Hopefully, this gets you started on evaluating NodeJS and SharePoint Online integration.