Daniel Larson’s Best Practices for Elevated Privilege in SharePoint

[via Daniel Larson]

Daniel Larson, a MOSS MVP, has been ranting over the past few days about the use of the SPSecurity.RunWithElevatedPrivileges method. While I have been amused with his rants, I share his concerns and frustrations as a result of using the method in my SharePoint development experience and seeing the method abused and missused in many code reviews. Today, he posted a list of his best practices for gaining “elevated privileges” SharePoint.

Daniel Larson’s list of best practives for elevated privileges in SharePoint:

  • Avoid using SPSecurity.RunwithElevatedPrivilege to access the SharePoint object model. Instead, use the SPUserToken to impersonate with SPSite.
  • If you do use SPSecurity.RunwithElevatedPrivilege, dispose of all objects in the delegate. Do not pass SharePoint objects out of the RunwithElevatedPrivilege  method.
  • Only use SPSecurity.RunwithElevatedPrivilege to make network calls under the application pool identity. Don’t use it for elevation of privilege of SharePoint objects.
  • Always use the SPSite constructor with an SPUserToken to create an elevated privilege security context in SharePoint. To impersonate the system, use the SystemAccount.UserToken property of the current SPSite context, such as:
    var site = new SPSite(SPContext.Current.Site.ID,  SPContext.Current.Site.SystemAccount.UserToken);
  • Avoid passing SharePoint objects between different security contexts (SPSite instances), with the exception of the SPUserToken used in the SPSite ctor. An SPUser object created from SPSite A cannot (reliably) be passed to SPSite B. This can be the source of obscure bugs in production that are difficult to reproduce in development. For example, an SPUser reference created from SPContext.Current.Site cannot reliably be used in an elevated site context, as the user reference may take on a different meaning in the alternate context.
  • Never use elevated privilege to bypass security– always use it to work with security.
  • Restrict what assemblies can use elevated privilege by running in minimal trust, avoiding the GAC, and auditing any CAS policies deployed with vendor solutions.

Upcoming Conferences

Two conferences were announced last week that I want to share with you:

PDC2008 [via Andrew Connell] – Regristration for the Microsoft Professional Developers Conference 2008 is now open and is scheduled to take place in Los Angeles on October 27-30 at the Los Angeles Convention Center.

SharePoint Best Practices and Governance Conference [via Bill English] – The conference has been announced and will be taking place in Washington DC on September 15-17.

I would like to attend both of these, but I am not sure if I will be able to.

Setting up a SharePoint Development Environment to Support Silverlight Development

[via Andrew Connell]

This morning Andrew Connell held a webcast introducing ASP.NET developers to Silverlight development for SharePoint. The webcast is the third in a series of webcasts to help ASP.NET developers get primed for SharePoint development. After the webcast Andrew was kind enough to post the steps he took in preparing his SharePoint development environment for Silverlight development.

I wonder if it is possible to create a solution file to deploy the Silverlight 2 Beta 1 DLL and make the necessry configuration changes to the web.config file to make the set up of the environment easier? I might have to try that.

SharePoint Utilities and Tools

Here are some updates and announcements regarding tools and utilities for SharePoint:

Thoughts on Robert Bogue’s Post: How Best Are Your Best Practices

Robert Bogue raises some challenging questions and makes some powerful statements in his post, How Best are Your Best Practices, regarding his experiences and struggles with reaching consensus on what a best practice is and applying it. I was in the middle of posting a comment to his post when I realized my thoughts on the post were quite a bit more than a couple of lines in a comment box. And without further adeu, here are my thoughts…

Doing what we know we should do

In his post, Robert asks, “when are we going to do what we say?” This question was in context of his findings that there are very few professionals out there that actually use the best practices they know. From a consulting professional perspective, I feel that failing to do what we know we should do is ethically wrong. Clients and customers pay for our expertise and deserve to get it. While I agree that the SharePoint space is so large that even experienced professionals are learning something new about SharePoint on a daily basis, we need to ensure that make use of the best practices that we do know in every project that we undergo regardless of its size and complexity. This is our duty as professionals.

On defining best practices

I agree with Robert when he states that the definition of best practices has been a problem space in software development that has yet to be resolved. There are many reasons for this. But let me list a couple:

  • Academically, software engineering methodologies regarding the definition of development practices are still in their infancy. While a lot of progress has been made in this area in the last few decades, software development is not a hard science. Some of us consider it more of an art than a science.
  • While progress has been made academically in this problem space, there is a large disconnect between academic approaches to the problem and practical approaches used in the industry. I think some of this has to do with the cost of trying different frameworks that generate process and procedures that still end in leading a good number IT and software projects to failure.

So what can we do to help reach consensus on best practices? Honestly, I don’t have a good answer to this question right now. What I can tell you is that what ever practice we do try to use, whether a best practice or not, we should make the effort to take review how the practice helped or hindered us, learn from the experience, and share it so that we may continue to define new best practices and debunk those practices that are not so best anymore (assuming they really were a best practice at one time).

SharePoint Reading List

A colleague recently asked me for tips on how to prepare for the 70-630 exam (TS: Microsoft Office SharePoint Server 2007, Configuration) and asked me to look at some sites with sample questions. Frankly sample questions are great to prepare you for an exam, but they only really help if you have already studied necessary material first. I highly recommend and enjoy getting solid hands on instructor lead classroom based training (for example check out the courses offered by the Ted Pattison Group that are actually taught by SharePoint MVPs). I also highly recommend to read, read, and read (yes that includes reading authoritative material on the Internet, however, there is something about reading an old fashioned paper and ink book that I enjoy so much more). With that said, I want to share my existing SharePoint library as well as books on my shopping list.

  1. Inside Microsoft Windows SharePoint Services 3.0 by Ted Pattison and Daniel Larson – This is a must read for all SharePoint developers. If you are working with WSS 3.0 and/or MOSS 2007, then you have to read this book. Personally, I have read it cover to cover three times and refer to it on a regular basis. The book is organized very well and cover the fundamental topics for developing anything SharePoint. It also includes download-able examples that are easy use and help to expose you to best development practices and the object model rapidly without overwhelming you. Highly recommended for developers.
  2. Inside Microsoft Office SharePoint Server 2007 by Patrick Tisseghem – Another solid read. This book covers development with the added value features of MOSS 2007 that were not covered in the Pattison/Larson book (look at #1 above). I don’t use this book as much as I use the Pattison/Larson book since I find that most of my projects really only require use of the WSS 3.0 framework, but when I do need to develop against the BDC and Search (or other MOSS 2007 features) this is my reference of choice. Recommended for developers.
  3. Microsoft Office SharePoint Server 2007 Administrator’s Companion  by Bill English – As a developer, this 1200 page monster-sized book was not my typical read. It’s target audience is the system administrators, network infrastructure, and other non-developer type IT professionals that need to manage and administrate MOSS 2007. However, this book provided me with a solid foundation for preparing for the 70-630 exam. Not to mention, I believe that developers really need to understand how the platforms we develop operate to get clear insight as to how power users use the solutions and software we build (this is another topic that I need to blog about some day, great progress has been done in software engineering to consider end user interface design but the smaller audience of power users and administrators, who are also end users, get left out). Highly recommended for administrators. Recommended for developers.

That’s it. Three books. You take those three books plus the documentation and white papers on MSDN and TechNet and the great blogs (not the junk blogs which are way too abundant) that are on the Internet and you have enough resources to prepare for the 70-630 exam.

There have been some recent announcements of upcoming titles that I want to pick up and add to my library. Here is a quick list:

I know that most of these books are from Microsoft Press and that is not because I am partial to them. There are some other great books out there from Wrox other technical references. However, the books listed up there have been authored by (or with) SharePoint MVPs whose work I professionally admire and respect.

If you need more SharePoint books for your library, then check out Andrew Connell’s “Best Damn SharePoint Books” List.

SharePoint Ramp Up Webcasts for ASP.NET Developers

I wish I would have seen this schedule earlier since the first webcast was today. Nevertheless, I will be trying to catch the others live (or on demand if I miss them). Even as an experienced WSS3/MOSS2007 developer, getting the chance to see a couple of MVPs (Andrew Connell and Rob Bogue) introduce the basics is great review and a chance to check your skills.

Date (all times EDT) Topic & Registration URL Presenter
Tues, May 20 : 12-1p Web Parts Rob Bogue
Wed, May 21 : 12-1p Data Lists Rob Bogue
Tues, May 27 : 12-1p Silverlight Andrew Connell
Wed, May 28 : 12-1p Event Handlers Andrew Connell
Tues, June 3 : 12-1p Site Branding Andrew Connell
Wed, June 4 : 12-1p Workflow Rob Bogue
Tues, June 10 : 12-1p Web Services Andrew Connell
Wed, June 11 : 12-1p Page Navigation Andrew Connell
Tues, June 17 : 12-1p User Management Rob Bogue
Wed, June 18 : 12-1p Content Types Rob Bogue

If you have any interest in SharePoint development, then you don’t want to miss these webcasts.