
SharePoint Server

Bravura Security Fabric can list regular users who have permissions to access a site, as well as SharePoint managed accounts, service accounts and servers in farm for Microsoft Office SharePoint Server systems.

Connector name

agtshrpt

Connector type

Executable

Type (UI field value)

SharePoint Server

Connector status / support

Customer-Verified

Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system.

The following Bravura Security Fabric operations are supported by the agent for Microsoft Office SharePoint Server (agtshrpt):

  • create account

  • delete account

  • update attributes

  • list account attributes

  • add user to group

  • delete user from group

  • create group

  • delete group

  • add owner(user) to group

  • remove owner(user) from group

  • add owner(group) to group

  • remove owner(group) from group

  • List:

    • accounts

    • groups

    • members

    • attributes

    • SharePoint managed accounts

    • service accounts

    • servers in farm

When the Managed group/Network resource target system type is set to "SharePoint Resource" the connector will use the nrshrpt program to:

  • List network resources

  • List permissions for each network resource

  • List the owners of a network resource

  • Add or delete owners for a network resource

For a full list and explanation of each connector operation, see Connector operations.

The connector is called by the Transaction Monitor Service (idtm). When Bravura Identity is installed, the connector is run by the View and update profile (IDR) module whenever users view resource details or manage group owners.

The following sections show you how to:

  • Prepare for SharePoint integration

  • Target the SharePoint server

  • Create template accounts for SharePoint target systems

  • Set up SharePoint network resources for management via Bravura Identity

  • Set up access to SharePoint Management Shell

This chapter also describes:

  • How Bravura Privilege lists SharePoint managed accounts, service accounts and servers in farm.

  • How Bravura Identity handles special attributes, which are used when creating or modifying accounts on the SharePoint target.

Overview

SharePoint is a web application that relies on Microsoft Active Directory, and Bravura Security Fabric integrates with it through that dependency. Active Directory must be integrated with Bravura Security Fabric before SharePoint can be fully integrated.

Active Directory holds all of the password information, and many SharePoint attributes are actually Active Directory attributes. SharePoint adds only a few attributes of its own on top of what Active Directory already provides.

Integrating SharePoint allows Bravura Security Fabric to manage groups on sites and webs, as well as groups on libraries. This is made possible by a plugin named nrshrpt. You can enable nrshrpt from the Target system information page by setting the Managed group/Network resource target system type to "SharePoint Resource".

In SharePoint, updating a managed account's password requires resetting the account's password in Active Directory and then updating that password on every service associated with the account, on every server in the farm. Bravura Privilege can manage SharePoint managed account passwords, which removes the manual password update work that would otherwise span multiple accounts, services, web applications and servers.

Note

Bravura Privilege only manages the passwords of SharePoint managed accounts, not those of regular users on a SharePoint Server target system. Regular users' passwords should be managed by the Active Directory connector.

Preparation

Before Bravura Security Fabric can list regular users, managed accounts, service accounts and servers in farm, you must:

  1. Know the name of SharePoint site where Bravura Security Fabric lists users, managed accounts, service accounts and servers in farm.

  2. Create at least one template account.

  3. Configure a target system administrator.

  4. Provide access to the SharePoint Management Shell.

  5. Target the SharePoint server.

Creating a template account

The following steps are used in SharePoint 2013. The steps may vary in other versions.

In order to create a template account for SharePoint, you must create an account in Active Directory and then import it into SharePoint.

Note

When creating a template account, ensure that the User logon name and User logon name (pre-Windows 2000) fields match; otherwise new accounts created from this template may be created with an incorrect value.

If you wish to use different Active Directory and pre-Windows 2000 logon names, you must modify the configured action for the corresponding attributes in Bravura Security Fabric.

To import the Active Directory template user into SharePoint, navigate to the central administration page for your site, then:

  1. Click Site Actions > Site Settings.

  2. Click People and Groups.

  3. Choose the group you want the template user to be a member of. The template user will receive their permissions based on that group.

  4. Click New > Add Users.

  5. Enter the name of the template user you created in Active Directory, then click Check Names.

  6. Click OK.

Configuring a target system administrator

Bravura Security Fabric uses a designated account (for example, psadmin) on the SharePoint target system to list users and manage accounts. Because this account is highly privileged, its credential should be vaulted and used only by the connector.

The target system administrator must be a member of the Domain Admins group to list users, and should have the following permissions for password and account operations:

  • Read All Properties

  • Write All Properties

  • Modify Permissions

  • All Extended Rights

Setting up access to SharePoint Management Shell

When listing SharePoint managed accounts, service accounts and servers in a SharePoint farm, access to SharePoint Management Shell is required. The following steps describe how to set up access to SharePoint Management Shell.

On the SharePoint server:

  1. Add the SharePoint target system administrator into following local user groups by using server manager:

    • Remote Desktop Users

    • WinRMRemoteWMIUsers__

    • WSS_ADMIN_WPG

    Note

    The local group WinRMRemoteWMIUsers__ is not present by default on later Windows versions, such as Windows Server 2016. Create it with the following command:

    net localgroup WinRMRemoteWMIUsers__ /add

  2. Launch the SharePoint Management Shell as an Administrator

  3. Execute the following command to enable Windows Remote Management (WinRM):

    Enable-PSRemoting -Force

  4. Execute the following command to enable Credential Security Support Provider (CredSSP) authentication on the SharePoint server. CredSSP hands the connecting user's credentials to the SharePoint server, so enable it only on the servers the connector must reach:

    Enable-WSManCredSSP -Role Server

  5. Execute the following command to grant the target system administrator the SharePoint_Shell_Access role:

    Add-SPShellAdmin -UserName Domain\Username

    Replace the Domain\Username with the target system administrator.

  6. Execute the following commands to grant the target system administrator access to SharePoint web application:

    $webApp = Get-SPWebApplication -Identity "SharePoint site URL"

    $webApp.GrantAccessToProcessIdentity("Domain\Username")

    • Replace "SharePoint site URL" with your site’s URL.

    • Replace the Domain\Username with the target system administrator.
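The six server-side steps above, collected into one idempotent script. This is an added example and is not part of the original page or of the Bravura product; the administrator account CORP\psadmin, the web application URL https://sharepoint1.corp.example and the use of the LocalAccounts cmdlets (Windows Server 2016 or later with PowerShell 5.1) are assumptions. Run it from an elevated SharePoint Management Shell on a farm server; it skips any step that is already done, creates WinRMRemoteWMIUsers__ when the group is missing, and ends by showing the state you should see before configuring the connector side.

```powershell
# Added example (not from the original page or the Bravura product).
# Assumed values: CORP\psadmin, https://sharepoint1.corp.example, PowerShell 5.1.
param(
    [string]$Admin  = 'CORP\psadmin',
    [string]$WebUrl = 'https://sharepoint1.corp.example'
)
$ErrorActionPreference = 'Stop'

# Step 1: local group membership. WinRMRemoteWMIUsers__ is absent on newer
# Windows Server builds, so create it when it is missing.
foreach ($group in 'Remote Desktop Users', 'WinRMRemoteWMIUsers__', 'WSS_ADMIN_WPG') {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group | Out-Null
        Write-Host "Created local group $group"
    }
    $member = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -eq $Admin }
    if (-not $member) {
        Add-LocalGroupMember -Group $group -Member $Admin
        Write-Host "Added $Admin to $group"
    }
}

# Steps 3-4: WinRM listener and the CredSSP server role. CredSSP receives the
# caller's delegated credential, so keep this to servers the connector needs.
Enable-PSRemoting -Force
Enable-WSManCredSSP -Role Server -Force | Out-Null

# Step 5: SharePoint_Shell_Access. This is a powerful role on the configuration
# database, so check membership rather than adding blindly.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
if (-not (Get-SPShellAdmin | Where-Object { $_.UserName -eq $Admin })) {
    Add-SPShellAdmin -UserName $Admin
}

# Step 6: let the account act on the web application. Re-running is harmless.
$webApp = Get-SPWebApplication -Identity $WebUrl
$webApp.GrantAccessToProcessIdentity($Admin)

# Final check: the account must appear as a shell admin and CredSSP must report
# that the server accepts delegated credentials.
Get-SPShellAdmin | Where-Object { $_.UserName -eq $Admin }
Get-WSManCredSSP
```

If the last two commands do not list the administrator and do not report that the server is configured to receive credentials from a remote client, stop here; the client-side steps below will fail until both are true.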

The following steps describe how to configure the client computer where the connector (agtshrpt) is installed.

  • If the connector (agtshrpt) is installed on the Bravura Security Fabric server:

  1. Launch Windows PowerShell as an Administrator.

  2. Execute the following command to enable Credential Security Support Provider (CredSSP) authentication. Use the SharePoint server's FQDN rather than a wildcard, so that the administrator's credentials can only be delegated to that server:

    Enable-WSManCredSSP -Role Client -DelegateComputer "<SharePointServerName>"

  • If the connector (agtshrpt) is installed on the SharePoint server:

  1. Install the Proxy Service (psproxy) on the SharePoint server, using a domain administrator account as the proxy service account.

  2. Install the Connector Pack, which must match the Connector Pack installed on the Bravura Security Fabric server.

  3. Launch the SharePoint Management Shell.

  4. Execute the following command to grant the proxy service account the SharePoint_Shell_Access role:

    Add-SPShellAdmin -UserName "proxy service account"

Targeting the SharePoint server

For each Microsoft Office SharePoint Server domain, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):

  • Type is SharePoint Server.

  • Address uses the following options

    URL The main URL of the site.

    The URL specified in the target address must only contain the root of the site. For example, the web browser might display http://sharepoint1/site1/Pages/site-home.aspx but the target address can only contain http://sharepoint1/site1/.

    Add the port number to the site URL if you are not using the default port. For example:

    http://sharepoint1:4589/site1/

    (key: url)

    Authentication type The authentication type being used for the site; claims-based or classic. The default is claims-based authentication.

    Ensure the authentication type matches the actual authentication type being used in the site to allow the agent to discover the actual accounts you wish to list.

    (key: auth)

    Server The SharePoint server name

    (key: svr)

    Server is required when targeting a SharePoint site without using proxy service and it should be the fully qualified domain name (FQDN) of the SharePoint server.

    Account type Select Regular users or Managed accounts.

    • Regular users The agent lists all users who have permissions to access a SharePoint site.

    • Managed accounts Lists SharePoint managed accounts.

      (key: accttype)

    Since Bravura Privilege manages the passwords of SharePoint managed accounts only, not those of regular users, it is recommended to select Managed accounts on one target system to list managed accounts from the SharePoint farm, and to create a separate target system to list regular users from SharePoint sites.

    The address is entered in KVGroup syntax:

    {url=http://sharepoint1:2427/site1/site2/;auth=claim|classic;+[+svr=<server>;+]+accttype=managed|regular;}

  • Set Managed Group/Network resource target system type to SharePoint Resource if you want to use the nrshrpt plugin (recommended).

  • The Administrator ID is the domain name, followed by a backslash, then the SharePoint administrator name, for example:

    domain-name\administrator

The full list of target system parameters is explained in Target System Options .

Users can be listed without Active Directory, but you cannot create SharePoint users with Bravura Security Fabric until Active Directory has been setup.

When listing managed accounts, ensure the target system administrator has sufficient permissions to access the SharePoint farm. If the connector contacts the SharePoint server remotely, also enable PowerShell remote access for SharePoint management on that server.

Setting up network resources

This section shows you how to set up network resources for management via Bravura Identity.

All shared resources to which users are going to request access must be correctly configured in SharePoint. Bravura Group’s ability to successfully control access to the resources depends heavily on how the resources are configured in SharePoint.

Some thought must be given to planning how many groups need to be created and what resources they will have permission to access, so that adding/removing a user’s membership in a group provides them with the exact access to network resources that they need.

In general, you must do the following:

  • Ensure that each SharePoint group has an owner (recommended).

    Bravura Identity can use group owners as authorizers for requests to join the group.

  • Ensure that all resources to be managed have the correct groups assigned to them.

  • Ensure users have a SharePoint account. The easiest way to do this is to add an Active Directory group to the SharePoint Visitors group. All users in the Active Directory group will have visitor access and can then request access to SharePoint network resources.

The following SharePoint operations are supported by nrshrpt, shipped with Connector Pack in the agent directory:

Table 1. nrshrpt plugin operations

Supported operation    Description

ShowSubSites           Show site sub-resources
ShowLibraries          Show document libraries
ShowPermissions        Show the group permissions for a site or document library
ShowOwners             Show the owners of a managed group
ShowMembers            Show the members of a managed group

Documents

A document must be added for each SharePoint site before you can access the document libraries of that site. Adding a document in Bravura Identity grants access to all SharePoint document libraries on that particular site.

To add a document:

  1. From the Manage the system (PSA) module, click Resources > Network resources > Documents.

  2. Complete the:

    ID a unique ID for this document

    Description a brief description of this document

    URL of the resource the location of the SharePoint site.

    Target system of the resource the SharePoint target system created for the SharePoint site.

  3. Click Add.

Discover service accounts and servers in farm

The SharePoint connector (agtshrpt) can list service accounts and servers in the SharePoint farm when the discovery options are enabled. To enable them:

  1. Open the target system configuration page

  2. Select the Discovery options tab:

    • Select Load computer server objects to list servers in farm

    • Select Load sharepoint service accounts to list service accounts.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select SharePoint Server from the Manage the system > Resources > Account attributes > Target system type menu.

For information about the native SharePoint attributes managed by Bravura Security Fabric, consult your SharePoint documentation.

Bravura Security Fabric explicitly handles the following attributes when creating or modifying recipient accounts for SharePoint targets:

  • Email This attribute maps directly to the Email attribute in SharePoint. This is pre-configured.

  • Name This attribute value is assembled using a PSLang expression. Bravura Security Fabric separates first name and last name, so the PSLang expression joins them together into one field for SharePoint. This is pre-configured.

  • Notes This value is not pre-configured by default, but is configurable.

  • domain This value is not pre-configured by default, but can be overridden either by setting it directly or by mapping it to a profile and/or a request attribute to deal with SharePoint accounts from different domains.

  • groups This is not an attribute on the target system, but rather a list of groups that have been harvested from the target system. This is used primarily during user creation or updates. For example – these values can be defined in a template, which can be used to create a new user.

  • AutomaticChange A Boolean attribute that states whether the SharePoint managed account has automatic password change enabled on the target system.

  • UserType This attribute states whether the account is a SharePoint managed account or a regular user.

Troubleshooting

Regular users not being listed

SharePoint regular users can only be listed by domain. If you have multiple SharePoint domains, you must set up a separate target system in Bravura Security Fabric for each of your SharePoint domains.

SharePoint managed accounts, service accounts or servers in farm not being listed

If you experience any issues in listing SharePoint managed accounts, service accounts or servers in farm, verify that:

  • The target system administrator has permission to access SharePoint farm.

  • PowerShell remote access for SharePoint management is configured properly on the computer if the connector contacts SharePoint server remotely.
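A script that exercises both checks from the computer that runs agtshrpt, reusing the client-side CredSSP setup from "Setting up access to SharePoint Management Shell". This is an added example, not part of the original page or the Bravura product; the server name sharepoint1.corp.example and the administrator CORP\psadmin are assumptions. It confirms that CredSSP delegation is enabled for this specific server, that WinRM negotiates with CredSSP, and that inside the remote session the administrator holds SharePoint_Shell_Access and can enumerate the managed accounts and farm servers the connector lists. As a practical caveat it also flags managed accounts whose AutomaticChange attribute is set, since SharePoint rotates those itself and a password randomized by Bravura Privilege would go stale.

```powershell
# Added example (not from the original page or the Bravura product).
# Assumed values: sharepoint1.corp.example, CORP\psadmin.
param(
    [string]$Server = 'sharepoint1.corp.example',
    [string]$Admin  = 'CORP\psadmin'
)
$ErrorActionPreference = 'Stop'

# 1. Client-side CredSSP must delegate to this exact server. Check for the
#    server's entry, not just that CredSSP is switched on, because a wildcard
#    entry would hand the administrator's credential to any host.
$state = Get-WSManCredSSP
if (-not ($state -match [regex]::Escape($Server))) {
    throw "CredSSP delegation is not enabled for $Server. Run: Enable-WSManCredSSP -Role Client -DelegateComputer '$Server'"
}

# 2. The listener is reachable and CredSSP authentication succeeds.
$cred = Get-Credential -UserName $Admin -Message 'Target system administrator'
Test-WSMan -ComputerName $Server -Authentication Credssp -Credential $cred | Out-Null

# 3. Inside the remote session, do what the connector does: load the SharePoint
#    snap-in, confirm shell-admin rights, list managed accounts and farm servers.
$result = Invoke-Command -ComputerName $Server -Authentication Credssp -Credential $cred -ScriptBlock {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
    $me = "$env:USERDOMAIN\$env:USERNAME"
    [pscustomobject]@{
        IsShellAdmin    = [bool](Get-SPShellAdmin | Where-Object { $_.UserName -eq $me })
        ManagedAccounts = @(Get-SPManagedAccount | Select-Object UserName, AutomaticChange)
        FarmServers     = @(Get-SPServer | Select-Object Address, Role)
    }
}

if (-not $result.IsShellAdmin) {
    throw "$Admin lacks SharePoint_Shell_Access on $Server; run Add-SPShellAdmin there."
}
$result.FarmServers     | Format-Table -AutoSize
$result.ManagedAccounts | Format-Table -AutoSize

# Managed accounts rotated by SharePoint itself will fight with any external
# randomization schedule; flag them for review.
$result.ManagedAccounts | Where-Object { $_.AutomaticChange } | ForEach-Object {
    Write-Warning "$($_.UserName) has SharePoint automatic password change enabled"
}
```

If step 1 throws, fix the client; if step 2 fails, the server-side WinRM or CredSSP configuration is incomplete; if step 3 reports that the account is not a shell admin, Add-SPShellAdmin was not run on that farm. Each failure maps to exactly one of the two bullets above.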

Randomizing managed accounts failure

If you experience issues randomizing managed account passwords in Bravura Security Fabric, verify that the generated password complies with the password policy of the SharePoint account's Active Directory domain, since the managed account is an Active Directory account and the reset happens there first.