Chapter 24
Working with User Profiles and Security

IN THIS CHAPTER

• What’s New with User Profiles in MOSS 2007
• Working with User Profiles
• Working with the User Group Service

Identity is quite often at the top of the priority list for intranet and Internet applications, even if it is agreed that anonymous users will have access. For system administrators (and, potentially, compliance investigators) to know which users made changes to the system, and when they made the changes, the system needs to keep track of who is using it.

In addition to keeping track of which users are on the system, Microsoft Office SharePoint Server (MOSS) needs to give administrators the ability to control and secure access to the system through user groups and permissions. This chapter shows you how to use the User Groups Web Service, the User Profile Web Service, and how to work with security remotely via web services.

What’s New with User Profiles in MOSS 2007

Microsoft Office SharePoint Server (MOSS) 2007 provides many enhancements to user profiles over previous versions as well as additional functionality above and beyond the functionality provided by Windows SharePoint Services v3.0. The following is a list of just a few of the enhancements and additions that have been made to user profile support in MOSS:

• Enhanced audience support—Profiles and profile data can be used to selectively display pieces of a profile to specific users or groups of users.
• Multivalued profile property support—Profiles now support the notion of multivalued data. This means that a single profile property can contain an array of values.
• Relationships among users are deduced in a social networking manner—MOSS uses implicit and explicit links among users to compute a “social distance” factor as well as display colleagues and profiles from related users.
• Property-level security controls—Each individual profile property now has the ability to be secured individually. Users can control who sees what information on their profile, and administrators have larger scope control over profile property visibility.
• Per-site property extensions—Individual sites can extend user profile properties that are only visible to that site, providing an extremely powerful platform for extension and user customization and personalization.

Working with User Profiles

If you don’t have local access to the SharePoint object model and you want to access and manipulate user profiles, you can use the User Profile Web Service. This web service can be found at http://[server]/_vti_bin/userprofileservice.asmx. This web service is a portal-scoped web service that works with the MOSS (not Windows SharePoint Services [WSS]) user profile data store.

Table 24.1 provides a list of methods available on the User Profile Web Service.

Table 24.1. User Profile Web Service Methods

All of the methods relating to commonalities among profiles, such as GetInCommon or GetCommonManager, deal with the new social networking features inherent in MOSS 2007, such as the concept of “social distance” and implicit and explicit linking of user profiles through common links.

There are a lot of methods on the User Profile Service, some of which are more commonly used than others. One of the most common reasons why client applications consume the MOSS User Profile Service is to read profile properties.

To see how to write code that will examine profile properties, take a look at the code in Listing 24.1. This is the code for the main form of a Windows Forms application. The user of the application supplies an account name in a text box and then clicks a button to retrieve all of the profile properties (stored as name:value pairs) for that user account. The profile properties are then added to a list view on the main form.

Listing 24.1. Retrieving User Profile Properties

When this application runs and loads a valid user profile, the main form looks like the one shown in Figure 24.1.

Figure 24.1. User profile properties.

One thing you might have noticed from the code in Listing 24.1 is that the application actually has two references to web services. The first reference is to the User Profile Web Service, whereas the second is a reference to the User Profile Change Web Service. The latter provides methods for querying the change log as it pertains to user profiles.

The sample application has a button on the main form that loads a second form called ChangeLogViewer. The form is invoked by retrieving a UserProfileDataChangeContainer instance from the user profile change service:

The code for this form is shown in Listing 24.2.

Listing 24.2. Code to Display Changes to a User Profile

Although the preceding code samples are far from paragons of good Windows Forms application design, they do illustrate one of the most common use cases for the user profile services—obtaining user profile properties and a list of changes made to those properties over time. A sample of the user profile change log output is shown in Figure 24.2.

Figure 24.2. User profile change history.

Table 24.2 shows the methods available on the User Profile Change Web Service, which can be accessed at http://[MOSS root]/_vti_bin/userprofilechangeservice.asmx.

Table 24.2. User Profile Change Web Service Methods

Change tokens are mentioned quite a bit in Table 24.2. A change token is really nothing more than a string representing the last moment in time that a change took place. These tokens are useful in retrieving all changes that have taken place since that token occurred. If you were to examine the internals of SharePoint’s change audit log, you would see that every change is associated with a change token.

A change token is a delimited string with the following parts in the following order:

• Version number
• A number indicating the change scope: 0 – Content Database, 1 – site collection, 2 – site, 3 – list.
• GUID representing the scope ID of the change token
• Time (in UTC) when the change occurred
• Number of the change relative to other changes

If you have access to the SharePoint object model, you can use the SPChangeToken class for dealing with change tokens. The form displayed in Figure 24.2 displays the change token associated with the set of changes displayed on that form.

Working with the User Group Service

The User Group Web Service has a fairly obvious purpose—it provides access to read and manipulate groups, roles, and group and role memberships. See Table 24.3 for a list of User Group Web Service methods. The User Group Web Service is a WSS-provided service. As such, you connect to the service at the site collection level.

Table 24.3. User Group Web Service Methods

All of the operations performed by the User Group Web Service are done with regard to the site collection to which the client was bound. For example, operations on server/siteA/_vti_bin/usergroup.asmx will take place in an entirely different scope than methods called on server/siteB/_vti_bin/usergroup.asmx.

To illustrate how to use the User Group Web Service to obtain a list of groups on a given site as well as enumerate the list of security principles contained within those groups, this chapter includes a sample written using the Windows Presentation Foundation (WPF; part of the .NET Framework 3.0). Don’t worry if you’re not familiar with WPF; this sample makes extensive use of the monostate (see Agile Principles, Patterns, and Practices in C# [ISBN: 0131857258], pg. 331) pattern, so all you need to worry about is how to populate a business object with data from the web service and WPF takes care of the rest.

The code in Listing 24.3 shows the code for the main window of the WPF application. It simply populates an object model and lets WPF’s powerful data-binding capabilities handle the rest. Make sure that you modify the web service URL and credentials to suit your own environment.

Listing 24.3. Code-behind for a XAML Window Bound to Data from the User Group Web Service

Figure 24.3 shows an example of this application running on Windows Vista.

Figure 24.3. WPF data binding to data from the User Group Web Service.

Summary

This chapter illustrated how to work with user profiles, user profile changes, and change history, as well as how to access and manipulate user groups, roles, and group and role memberships. Knowing the difference between roles, groups, group and role memberships, user profiles and user profile changes, and how to programmatically access all of that functionality remotely via web services will add even more tools to your ever-growing arsenal of potential SharePoint development solutions.