Securing & Hardening SharePoint Sites – Part 3

Previously, we discussed how the CorasWorks platform enables working with data anywhere in your SharePoint farm, followed by some master page changes you can make to lock away SharePoint’s system pages within a site. In this third and final part of the series, I’ll describe how CorasWorks can be used to essentially create a secure “proxy” for use within your SharePoint-based applications.

Typically in SharePoint, if you want a user to be able to see some data, or even enable them to perform inserts, updates or deletes, you have to give that user at least direct access to the item(s), if not to the parent list or even the site the data lives in. However, with the CorasWorks External Data Provider (don’t let the word “external” fool you) you can create secured connections between a user interface on one SharePoint site and the data on another, without the logged-in user having any access to that data at all.

Sounds crazy, or worse, insecure? Not at all! The architecture is not unlike integrating with a line-of-business database application: a SharePoint admin creates and enables the equivalent of a service account, which is granted only the rights to the underlying data that the application requires. That account’s information is then stored in secured web.config app keys. On the CorasWorks side, you reference the corresponding app keys in the configuration of an External Data Provider to make HTTP POST calls to any URL that account has access to; these can be calls to native SharePoint service endpoints or, even better, our own API.

From there, you can focus on creating the optimal UI for your users and let CorasWorks handle the proxied connections between the UI and the data. The users accessing the application only need Read rights to the UI elements, so even if they ever figure out where the data is coming from (which they won’t, because you’ll have secured that away too), they still won’t be able to access it outside the UI you create.

If this sounds like a design pattern you need, email us and we’ll set up an architectural review to help get you started!