One of the very nice features of SharePoint 2010 is claims based authorization. There is a lot of high level documentation about this feature, but there aren't many real life examples available on the Web.

That’s what I will try to do in this post…

One of our customers is a School Board that has about 120 schools and more than 45000 users. There are different types of users:

  • Students
  • Teachers
  • School Board Employees
  • Parents

In our scenario, all the students and all the employees are in Active Directory, while all the parents will use Forms Based Authentication to log into SharePoint.

The main goal of the portal is to allow teachers to create sites for their students and to be able to assign security for these sites.

The security that teachers want to be able to assign is based on information about each student.

Some examples of rules are:

  • “I want to give access to all students of the School MySchool to the site”
  • “I want to give access to all students of the Year 2008 and School MyOtherSchool to the site”

All the users' information is stored in an external system (a SQL database) called STUDENTS_DB.

Here is an extract of STUDENTS_DB:

Student         | Year | School        | Discipline  | Level
----------------|------|---------------|-------------|----------
Pascal Bonheur  | 2005 | MySchool      | Mathematics | Primary
Nicolas John    | 2007 | MyOtherSchool | Physics     | Secondary

So the reason we are going to use claims is that we want to be able to grant access to a site depending on these criteria. We are therefore going to create the following claims:

  • SchoolBoardClaimProvider:Year
  • SchoolBoardClaimProvider:School
  • SchoolBoardClaimProvider:Discipline
  • SchoolBoardClaimProvider:Level


Now that we have these claims defined, we are going to implement what is called a Custom Claim Provider, which will enrich (augment) the native SharePoint claims.

It basically means that in addition to the native SharePoint claims (like userid=contoso\pascalbonheur, isAuthenticated=true, groupSID=123, groupSID=234…) we want to add the new claims: SchoolBoardClaimProvider:Year=2006, SchoolBoardClaimProvider:School=MySchool, SchoolBoardClaimProvider:Discipline=Mathematics, SchoolBoardClaimProvider:Level=Primary.

In other words, instead of having to dynamically populate SharePoint groups with users through a custom engine that reads from STUDENTS_DB, the access check is based on the claims carried by the current user.
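Here is what such a provider looks like in code. This is an added example written for this post, not the customer's actual implementation: the claim type URIs, the connection string, the `dbo.Students` table and its `Login` column are all assumptions (the post only gives the claim display names and the table extract above). The core of the class is `FillClaimsForEntity`, which the SharePoint STS calls when it issues a user's session token; the picker related overrides are left empty because the picker is the subject of the next part.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using Microsoft.IdentityModel.Claims;               // ClaimValueTypes
using Microsoft.SharePoint.Administration.Claims;  // SPClaimProvider, SPClaim
using Microsoft.SharePoint.WebControls;            // PickerEntity

namespace SchoolBoard.Claims
{
    // Augments every authenticated user's claim set with the STUDENTS_DB attributes.
    public class SchoolBoardClaimProvider : SPClaimProvider
    {
        public const string ProviderInternalName = "SchoolBoardClaimProvider";

        // Assumed claim type URIs; the post only names the claims by display name.
        public const string YearClaimType       = "http://schemas.schoolboard.example/claims/year";
        public const string SchoolClaimType     = "http://schemas.schoolboard.example/claims/school";
        public const string DisciplineClaimType = "http://schemas.schoolboard.example/claims/discipline";
        public const string LevelClaimType      = "http://schemas.schoolboard.example/claims/level";

        // Assumed: a read-only SQL login to STUDENTS_DB (keep it out of the DLL in practice).
        private const string StudentsDbConnectionString =
            "Data Source=SQLSRV01;Initial Catalog=STUDENTS_DB;Integrated Security=SSPI";

        public SchoolBoardClaimProvider(string displayName) : base(displayName) { }

        public override string Name { get { return ProviderInternalName; } }

        // Only augmentation is needed in this part; picker features come later.
        public override bool SupportsEntityInformation { get { return true; } }
        public override bool SupportsHierarchy { get { return false; } }
        public override bool SupportsResolve { get { return false; } }
        public override bool SupportsSearch { get { return false; } }

        protected override void FillClaimTypes(List<string> claimTypes)
        {
            if (claimTypes == null) throw new ArgumentNullException("claimTypes");
            claimTypes.AddRange(new[] { YearClaimType, SchoolClaimType, DisciplineClaimType, LevelClaimType });
        }

        protected override void FillClaimValueTypes(List<string> claimValueTypes)
        {
            if (claimValueTypes == null) throw new ArgumentNullException("claimValueTypes");
            for (int i = 0; i < 4; i++) claimValueTypes.Add(ClaimValueTypes.String); // one per claim type
        }

        protected override void FillEntityTypes(List<string> entityTypes)
        {
            if (entityTypes == null) throw new ArgumentNullException("entityTypes");
            entityTypes.Add(SPClaimEntityTypes.FormsRole);
        }

        // Called by the SharePoint STS at sign-in; 'entity' is the user's identity claim.
        protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
        {
            if (entity == null) throw new ArgumentNullException("entity");
            if (claims == null) throw new ArgumentNullException("claims");

            // The identity value may arrive encoded (e.g. "i:0#.w|contoso\pascalbonheur");
            // normalise to the bare login before using it as a lookup key.
            string login = SPClaimProviderManager.IsEncodedClaim(entity.Value)
                ? SPClaimProviderManager.Local.DecodeClaim(entity.Value).Value
                : entity.Value;

            StudentRecord rec = LookupStudent(login);
            if (rec == null) return; // parents and employees: nothing to add

            claims.Add(CreateClaim(YearClaimType, rec.Year, ClaimValueTypes.String));
            claims.Add(CreateClaim(SchoolClaimType, rec.School, ClaimValueTypes.String));
            claims.Add(CreateClaim(DisciplineClaimType, rec.Discipline, ClaimValueTypes.String));
            claims.Add(CreateClaim(LevelClaimType, rec.Level, ClaimValueTypes.String));
        }

        // Parameterised query: the login comes from the authenticated token, but it is
        // still untrusted text as far as SQL is concerned.
        private static StudentRecord LookupStudent(string login)
        {
            const string sql = "SELECT [Year], [School], [Discipline], [Level] " +
                               "FROM dbo.Students WHERE [Login] = @login";
            using (var conn = new SqlConnection(StudentsDbConnectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.Add("@login", SqlDbType.NVarChar, 256).Value = login;
                conn.Open();
                using (SqlDataReader rdr = cmd.ExecuteReader())
                {
                    if (!rdr.Read()) return null;
                    return new StudentRecord
                    {
                        Year = Convert.ToString(rdr["Year"]), School = Convert.ToString(rdr["School"]),
                        Discipline = Convert.ToString(rdr["Discipline"]), Level = Convert.ToString(rdr["Level"])
                    };
                }
            }
        }

        private class StudentRecord { public string Year, School, Discipline, Level; }

        // Picker support (hierarchy, resolve, search, schema) is covered in the next part.
        protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
        protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) { }
        protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved) { }
        protected override void FillSchema(SPProviderSchema schema) { }
        protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, string hierarchyNodeID, int maxCount, SPProviderHierarchyTree searchTree) { }
    }
}
```

Two points worth keeping in mind with this design. First, augmentation runs once, when the STS issues the session token, and the added claims live in that token for its lifetime: if a student changes school in STUDENTS_DB, the old School claim keeps granting access until the token expires or the user signs in again, so token lifetime is now part of the authorization design. Second, STUDENTS_DB becomes an authorization source: anyone who can write to it can hand out site access, so its write permissions deserve the same scrutiny as SharePoint group membership did, and the SQL login used by the provider should be read-only.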

The following picture gives a high level overview of what happens:

[image: high level overview of the claims augmentation flow]

So we will be able to say that a list (or a site, or anywhere else we can set security in SharePoint) is accessible only to people who carry the claim SchoolBoardClaimProvider:Year=2006.

In the next part, I will give additional details about the Picker that we will customize so that these claims can be chosen and security assigned based on them.