Chapter 3: Configuration and Operations

Published: February 28, 2008

 

This chapter describes the administrative tasks necessary to configure and manage the functional components of the External Collaboration Toolkit for SharePoint (ECTS).

Configure ECTS

The following actions must be performed to configure the ECTS:

  • Create SharePoint groups for administrative functions
  • Add the Configuration Utility Web Part
  • Use the Configuration Utility to configure ECTS
  • Create the ECTS Management page
  • Add management Web Parts to the ECTS Management page
  • Create the ECTS Home page

Create SharePoint Groups for Administrative Functions

The ECTS solution requires one new SharePoint group to control access to the User Management interface and, optionally, two additional groups that control access to User Creation Workflow and Site Creation Workflow approvals respectively.

To create SharePoint groups:

  1. From the root site level, for example https://collab, click People and Groups.
  2. Click the down arrow on the New button, and then click New Group.
  3. Type an appropriate name for each group, for example:
    • User Managers. This group would control who has access to the External User Manager Web Part.
    • User Approvers. This group would control who has access to the External User Approval Web Part.
    • Site Approvers. This group would control who has access to the Site Collection Approval Web Part.

The ECTS provides three different groups to control access so that larger organizations can delegate different operational tasks to different groups of people. For example, approval of external users might be controlled by a member of the partner management group, management of external users might be run by the help desk for password resets, and approvals for site creation could be managed by a system administrator who monitors the health and stability of the SharePoint components. In smaller organizations, it is likely that only a single small group of administrators will be responsible for all three operational tasks.

After the groups are created, users or groups from the organization’s Active Directory domain should be added as members to the appropriate SharePoint groups.

Add the Configuration Utility Web Part

The Configuration Utility Web Part can be added to any page of the SharePoint site, including, for example, the base URL of the collaboration Web application. If you followed the recommendation in the previous chapter, the base URL would be https://collab.

To add the Configuration Utility Web Part to a page:

  1. Browse to a page and then click Add a Web Part.
  2. Under All Web Parts, select the Configuration Utility check box, and then click Add.

If you have Full Control permission on the SharePoint site, you can now use the Configuration Utility to configure the ECTS.

Use the Configuration Utility to Configure the ECTS

The Configuration Utility Web Part allows you to set the following values that affect the behavior of the solution:

  • Management URL. This is the URL that is sent to administrators when an administrative action such as External User Approval or Site Collection Approval is required. If you have followed the examples in this chapter, the URL would be https://collab/Shared%20Documents/ECTSAdminPage.aspx.

    Note   The management URL must be within the base site collection for the solution. For example, if your internal URL is https://collab, the management URL must begin with https://collab. If this is not the case, the ECTS will not work as expected.

  • Enforce Password Expiration. Enter a value that represents the number of days that will pass before an external user’s password expires.

    Note   This setting is not supported in an environment in which the Active Directory Application Mode (ADAM) server is joined to an Active Directory domain. When joined to a domain, ADAM inherits Password Expiration policy from that domain.

  • User Account Creation Approver Group Name. Enter the name of a SharePoint group that contains the users who should be notified that a workflow approval action needs to be completed. To disable user account workflow, leave this field blank. When user account workflow is disabled, any authorized internal user will be able to request accounts for external users and these accounts will automatically be created.
  • Site Creation Workflow Approver Group Name. Enter the name of a SharePoint group that contains the users who should be notified that a workflow approval action needs to be completed. To disable site creation workflow, leave this field blank. When site creation workflow is disabled, any authorized internal user will be able to request sites for external collaboration and these sites will automatically be created.
  • Self-Service Password Reset. Enable this feature to provide self-service password reset functionality for external users. The logon page will prompt the user to provide an answer to a question that they configured on first logon. If the answer to the question is correct, a new password will be sent to the external user in e‑mail. The site will then ask the user to change their password the next time they log on. Enabling this option carries the risk that the new password e‑mail could be intercepted and read by someone other than the intended external user.
  • Email Source Address. The value entered in this field will display as the From: address for all e‑mail sent from the different components of the solution.
  • SMTP Host. This is the e‑mail server through which all e‑mail will be sent. Enter either the short computer name, for example, woodgrovemain, or the computer’s fully qualified domain name, for example, woodgrovemain.corp.woodgrove.com.
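The settings above can be reviewed against the constraints this chapter states. The following is an added example, not part of ECTS or the original guide: it audits a hand-transcribed copy of the Configuration Utility values and compares the management URL to the base URL by scheme, host and path rather than by raw string prefix. The dictionary key names and finding codes are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

def within_base(base_url, management_url):
    """True only if management_url shares scheme, host and port with base_url
    and its path lies under the base path. A plain string-prefix test would
    also accept a look-alike host such as https://collab.example.net."""
    b, m = urlsplit(base_url), urlsplit(management_url)
    if (b.scheme, b.hostname, b.port) != (m.scheme, m.hostname, m.port):
        return False
    base_path = b.path.rstrip("/") + "/"
    return (m.path.rstrip("/") + "/").startswith(base_path)

def audit_ects_settings(s, adam_domain_joined=False):
    """Return finding codes for a dict of Configuration Utility values.
    Key names are hypothetical; ECTS defines no such export format."""
    findings = []
    if not within_base(s["base_url"], s["management_url"]):
        # Management URL must be inside the base site collection.
        findings.append("management-url-outside-base")
    if not s.get("user_approver_group", "").strip():
        # Blank field: external accounts are created without approval.
        findings.append("user-workflow-disabled")
    if not s.get("site_approver_group", "").strip():
        # Blank field: collaboration sites are created without approval.
        findings.append("site-workflow-disabled")
    if s.get("self_service_password_reset"):
        # New passwords travel by e-mail and could be intercepted.
        findings.append("self-service-reset-enabled")
    if adam_domain_joined and s.get("password_expiration_days"):
        # Domain-joined ADAM inherits expiration policy from the domain.
        findings.append("password-expiration-unsupported")
    return findings

# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "base_url": "https://collab",
    "management_url": "https://collab/Shared%20Documents/ECTSAdminPage.aspx",
    "user_approver_group": "User Approvers",
    "site_approver_group": "",
    "self_service_password_reset": True,
    "password_expiration_days": 90,
}

if __name__ == "__main__":
    for code in audit_ects_settings(SAMPLE, adam_domain_joined=True):
        print(code)
```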

Create the ECTS Management Page

The three remaining administrative component Web Parts are typically installed on the same page, which becomes the Central Administration site for the ECTS solution. If, for example, you created a new collaboration site with the URL https://collab, you could create a new Web Part page by following these steps:

  1. Browse to https://collab.
  2. Click Site Actions, and then click Create.
  3. Under Web Pages, click Web Part Page.
  4. Under Name, type a descriptive name for the page, such as ECTSAdminPage. This page can be the same as the management URL you entered in the Configuration Utility Web Part.
  5. Under Choose a Layout Template, select a template. The Full Page, Vertical option works well for the ECTS Web Parts.
  6. Click Create.

Add Management Web Parts to the ECTS Management Page

Depending on the configuration of workflow for user and site creation, you will install the External User Approval and Site Collection Approval Web Parts using the same process as described for the Configuration Utility Web Part.

Although it is not strictly necessary for the proper functioning of the ECTS solution, the External User Manager Web Part should be installed to simplify the processes for managing external user accounts.

Create the ECTS Home Page

The ECTS solution provides useful tools to help internal users who lead collaboration projects with external users. These tools are provided as Web Parts that can be installed at any location on your site. A typical solution would be to create an ECTS Home page by following the same steps described to create the ECTS Management page. The major difference is that when you set permissions, you should grant permission to the Site Members group, and then all internal users who should be able to create and manage collaboration sites should be members of this group.

After you create this page, you should add the Create Site Collection and Site Collection Manager Web Parts. You should provide the base URL for this page, for example https://collab/ECTS, to users in your organization who will use the ECTS solution. From this location the internal users can request new collaboration sites, see the status of pending site requests, and manage sites that are already operational.

Administrative Operations

The following procedures describe the operational processes for site collection creation and user account creation and management.

Manage the Site Collection Creation Process

Internal users use the Create Site Collection Web Part to initiate site collection provisioning in the collaboration SharePoint site. For more information about this component and instructions for how to use it, see Chapter 4, “User Guide.” There are two basic configurations that control how this process works. If site collection workflow is configured, all site requests must be approved by an administrator as described above. If site creation workflow is not configured, the site creation process will take place as soon as the user clicks Create Site on the Create Site Collection Web Part.

Approve or Deny Site Collection Requests

When a site creation workflow process is initiated, the members of the Site Creation Workflow Approver group will be notified by e‑mail that a request needs to be approved or denied. The URL in the e‑mail message will be the Management URL that you set using the Configuration Utility.

When the administrator browses to the management URL, they will see a list of site requests waiting for approval in the Site Collection Approval Web Part. Information presented to the administrator includes the relative site URL, the name of the requester, and any business justification provided by the requester. Under Action, click Approve or Deny to approve or deny the site request. The requester will be notified by e‑mail whether the request was approved or denied.

Manage the External User Registration Process

Internal users use the Add External User link on the People and Groups page to initiate external user registration in the collaboration SharePoint site. There are two basic configurations that control how this process works. If user account creation workflow is configured, all user registration requests must be approved by an administrator as described above. If user account creation workflow is not configured, the user registration process will take place as soon as the user clicks "Click here to register the external user’s email address" on the Add External Users Web page.

Approve or Deny External User Registration Requests

When a user creation workflow process is initiated, the members of the User Account Creation Approver group will be notified by e‑mail that a request needs to be approved or denied. The URL in the e‑mail message will be the Management URL that you set using the Configuration Utility.

When the user account approver browses to the management URL, they will see a list of accounts waiting for approval in the External User Approval Web Part. Information presented to the administrator includes the external user e‑mail address and the name of the requester. Click Approve User or Deny User to approve or deny the request. The requester will be notified by e‑mail whether the request was approved or denied. If the request is approved, the user will also be instructed on how to communicate specifics such as the new account password without violating good security practices.

Manage External User Accounts

Common management operations for external user accounts are provided through the External User Manager Web Part.

Through this interface the following operations can be performed:

  • Delete User. This removes the user from the ADAM store, which makes it impossible for the user to log on. The user will also be removed from any site to which they were granted permissions.

    Note   Deleting a user from a SharePoint site does not affect the user account in ADAM. If there is any chance that the user will be given access to the same site or to a different site in the future, remove the account at the SharePoint level instead of deleting the account from ADAM.

  • Enable/Disable User. The option presented is relative to the current state of the user in ADAM. If the user is enabled, they could be disabled and vice versa. Disabling a user is a less permanent way to remove a user’s access to the collaboration Web sites to which they have been given permission. Toggling between disable and enable does not change the user’s permissions on any collaboration site.
  • Reset Password. If a user forgets their password and self-service password reset is not enabled, you can use this function to reset their password in ADAM. Click Reset Password to have a new password randomly generated and displayed on the page. The help desk personnel or other user administrators should have a standard secure process by which to relay the new password to the external user.
  • Modify Profile. Profile information stored for the external user includes the person’s full name, telephone number, and the external company with which they are affiliated. The Modify action allows the administrator to change these attributes of the user’s profile.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
