SharePoint Extended Security

When a SharePoint location is accessed from D365FO, the current user account is always used to log in to the default SharePoint server.

To override this default behavior for Docentric functionalities related to SharePoint, you can use the SharePoint extended security settings, available from version 3.4.3.

Unlike built-in D365FO, which supports only a single SharePoint server (the SharePoint Online server configured in Document management parameters), the new security settings also let you use SharePoint On-premises and even multiple SharePoint servers. Additionally, you can configure different login accounts for different sites and document libraries by using Fine-grained security.

Please note that SharePoint extended security currently applies only to Docentric functionalities related to SharePoint. In all other cases, the current user account is used to log in to a SharePoint server.

Supported via SharePoint extended security

  • Reading and saving Docentric templates stored on SharePoint.
  • Saving reports to SharePoint via Docentric File print destination > Save to SharePoint.
  • Browsing and selection of SharePoint document libraries and folders on all Docentric forms including Docentric report setup and the Print destination settings form, by using the Docentric SharePoint picker control.
  • Browsing and selection of SharePoint document library metadata fields in Docentric report setup.

Not supported via SharePoint extended security

  • Indirect saving to SharePoint through Document types via Docentric File print destination > Save to Attachments and Print archive.
  • Accessing a SharePoint location from D365FO in all other cases, e.g. when uploading a file to Attachments based on a Document type bound to a SharePoint location. Supporting the latter in one of the next releases is on our roadmap.

SharePoint extended security can be configured in Docentric AX parameters > Security.

SharePoint authorization types

By default, when a SharePoint location is accessed from D365FO, SharePoint Integrated authorization is used to log in to the SharePoint server. More precisely, only a single SharePoint Online server is supported, and the current user account is always used as the login account.

To override the default behavior for Docentric functionalities related to SharePoint, you can:

(1) Keep SharePoint Integrated authorization but change the login user account in special cases, for example when reading or writing Docentric templates. Instead of the current user, you can choose a different D365FO user. This way you can, for example, always access Docentric templates stored on SharePoint using a dedicated D365FO user.

(2) Use a different SharePoint authorization type, such as On-premises or Online. In these cases, credentials in the form of a username and password need to be configured. This way you can, for example, use a SharePoint On-premises server.

Supported authorization types

  • Integrated: Using the internal D365FO service-to-service authorization.
  • Online: Using Azure AD username and password to connect to SharePoint.
  • On-premises: Using Microsoft Active Directory username and password to connect to SharePoint On-premises.

SharePoint Integrated authorization not limited to current user account

So far, we have introduced four different Access roles for which you can replace the current user account with another D365FO user (a so-called integration user) when logging in to the SharePoint Online server by using the built-in SharePoint Integrated authorization.

| Access role | When it is used | Configured user account | Login account |
|---|---|---|---|
| Template reader | All report templates will be fetched from SharePoint using this user account instead of the current user account. If not set, the current user account is used. | (not set) or <User Id> | <User Id> if set, otherwise <Current user Id> |
| Template writer | All report templates will be saved to SharePoint using this user account instead of the current user account. If not set, the current user account is used. | (not set) or <User Id> | <User Id> if set, otherwise <Current user Id> |
| Browser user | Used in the Docentric SharePoint picker control for browsing and selection of SharePoint document libraries and folders on all Docentric forms including the Print destination settings form. Also used for browsing and selection of document library metadata in Docentric report setup. If not set, the current user account is used. | (not set) or <User Id> | <User Id> if set, otherwise <Current user Id> |
| Report user | Used when saving reports to SharePoint via Docentric File print destination > Save to SharePoint. If not set, the current user account is used. | (not set) or <User Id> | <User Id> if set, otherwise <Current user Id> |
| (Other operations) | In all other cases, the current user account is used when accessing a SharePoint location from D365. This includes indirect saving of reports to SharePoint via Document types (via Save to Attachments and Print archive) and uploading files to any Attachments based on a SharePoint Document type. | Not supported for configuration | <Current user Id> |

One prerequisite for using a D365FO user account to log in to SharePoint Online is that this user has previously logged in to the D365FO environment at least once. This is necessary because the so-called External ID is then stored in the D365FO database, and the External ID is needed to log in to the SharePoint Online server from D365FO.

SharePoint On-premises/Online authorization

If you want to use SharePoint On-premises, or SharePoint Online but log in via Azure AD credentials, you can use On-premises or Online authorization, respectively, instead of Integrated authorization. In SharePoint extended security you then need to configure a username and password for the so-called integration user, which is used as a single login account for all supported scenarios listed below.

 

| Access role | When it is used | Configured user account | Login account |
|---|---|---|---|
| Integration user | Used for Docentric functionalities related to SharePoint, which include reading and writing Docentric templates stored on SharePoint and saving reports to SharePoint via Docentric File print destination > Save to SharePoint. Also used in the Docentric SharePoint picker control for browsing and selection of SharePoint document libraries and folders on all Docentric forms including the Print destination settings form. Used for browsing and selection of document library metadata in Docentric report setup as well. | <Username> / <Password> | <Username> / <Password> |
| (Other operations) | In all other cases, a login attempt to the SharePoint server from D365FO always uses the current user account. This includes indirect saving of reports to SharePoint via Document types (through Save to Attachments and Print archive) and uploading files to any Attachments based on a SharePoint Document type. | Not supported for configuration | <Current user Id> |

Fine-grained security

If the basic configuration in Docentric AX parameters > Security > SharePoint extended security settings doesn’t cover all your scenarios, you can configure additional security settings in Fine-grained security.

For example, let’s say that, besides the SharePoint Online server, you also want to use SharePoint On-premises, and you need to use different Report users when saving reports to different SharePoint document libraries on the SharePoint Online server.

With Fine-grained security you can configure SharePoint security settings per SharePoint server, site or document library in cases when you need to use multiple SharePoint servers or different login accounts for different sites and document libraries.

Fine-grained security settings are based on SharePoint server, site and document library, where the SharePoint site and document library can be empty. These three values uniquely determine which security settings will be used when accessing a certain SharePoint location, which can be a SharePoint server, SharePoint site, document library, folder path or file.

So, for a given SharePoint URL, the SharePoint server, site and document library are parsed out and matched against the Fine-grained security setup first. If no record that matches the server, site and document library is found, the default settings in Docentric AX parameters > Security > SharePoint extended security settings are then used for the given scenario (reading a Docentric template, opening a SharePoint picker control, etc.).

For Integrated authorization type and the SharePoint browser user access role, Fine-grained security cannot be configured.

Which SharePoint security settings are used when accessing a SharePoint location

Let’s implement the case we mentioned above: we want to use SharePoint On-premises for all scenarios supported by Docentric, with one exception: saving reports via Docentric File print destination > Save to SharePoint.

Moreover, when saving reports to the SharePoint Online document library https://docentric.sharepoint.com/Main/Invoices/, we want to use the user ALICIA as the access account, and for all other SharePoint Online document libraries, we want to use the user CHRIS.

With this setup only, we enabled SharePoint On-premises for all Docentric functionalities by using a single integration user d365fo@docentric.com, including saving reports to any SharePoint target document library or folder. Of course, if the target SharePoint location is not on this very server, a security error will be thrown, and no report will be saved.

To achieve the second part of our case and enable saving reports under different user accounts when the target SharePoint locations are located on SharePoint Online, we need to add two records into Fine-grained security.

So, if one configures Docentric File print destination > Save to SharePoint on the Print destination settings form to point to https://docentric.sharepoint.com/Main/Invoices/, the reports will be saved to this document library or any subfolder using the user account ALICIA.

If the target SharePoint document library is, for example, https://docentric.sharepoint.com/Main/PurchaseOrders/ or any subfolder, or any other site, document library or folder on the docentric.sharepoint.com server, then the fallback user account CHRIS will be used.

And if the target SharePoint document library is https://spdev.docentric.com/LegalPortal/Archive/, which is located on the SharePoint On-premises server spdev.docentric.com, a fallback to the default settings in Docentric AX parameters > Security > SharePoint extended security settings will happen, and the integration user d365fo@docentric.com will be used.

On top of that, if we want to introduce an option to save reports to https://spdev.docentric.com/LegalPortal/Archive/, located on the SharePoint On-premises server, by using a different integration user than d365fo@docentric.com, e.g. reportwriter@docentric.com, we need to add an additional record in Fine-grained security as follows:

Using similar approaches, you can be very flexible in configuring different security access to multiple SharePoint servers, sites and document libraries, regardless of their deployment (On-premises or Online).
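
The lookup order described in this section, sketched as an added example in Python (not Docentric's code) that you can use to reason about which account a report-saving URL resolves to before relying on the setup. The record layout, the "most specific matching record wins" precedence, the case-insensitive comparison, the split of the URL path into site and document library, and the names parse_location and resolve_report_user are assumptions chosen to reproduce the outcomes stated above.

```python
from urllib.parse import urlsplit, unquote

# Constructed records for the Report user case above. Assumed layout:
# (server, site, library, account); empty site/library = any on that server.
FINE_GRAINED = [
    ("docentric.sharepoint.com", "Main", "Invoices", "ALICIA"),
    ("docentric.sharepoint.com", "", "", "CHRIS"),
]
# The additional record described for the On-premises archive library.
ARCHIVE_RECORD = ("spdev.docentric.com", "LegalPortal", "Archive",
                  "reportwriter@docentric.com")
DEFAULT_ACCOUNT = "d365fo@docentric.com"  # default extended security settings


def parse_location(url):
    """Split a SharePoint URL into (server, site, library).

    Assumption: the first path segment is the site and the second is the
    document library, as in the URLs used on this page.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a SharePoint URL: {url!r}")
    segments = [unquote(s).lower() for s in parts.path.split("/") if s]
    segments += ["", ""]  # pad so server-only URLs still unpack
    return parts.hostname, segments[0], segments[1]


def resolve_report_user(url, records=FINE_GRAINED, default=DEFAULT_ACCOUNT):
    """Return (account, source) for saving a report to `url`."""
    server, site, library = parse_location(url)
    best = None
    for r_server, r_site, r_library, account in records:
        if r_server.lower() != server:
            continue  # whole-host comparison, never a string prefix
        if r_site and r_site.lower() != site:
            continue
        if r_library and r_library.lower() != library:
            continue
        score = bool(r_site) + bool(r_library)  # filled fields = specificity
        if best is None or score > best[0]:
            best = (score, account)
    if best is None:
        return default, "default settings"
    return best[1], "fine-grained"
```

Comparing the parsed host name as a whole matters here: a host such as docentric.sharepoint.com.example.net shares a string prefix with the configured server but must not pick up its accounts.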

Test access to SharePoint URL

To test SharePoint extended security for a given SharePoint URL, you can use the Test access menu items on both the Fine-grained security form and the Docentric AX parameters > Security > SharePoint extended security settings form.

 

The Test access form actually implements the process described above, and by using it, you can check which users will be used for which scenarios considering the existing SharePoint extended security setup. You can also check if the current user account (your account) has access to a certain SharePoint location, which can be a SharePoint server, SharePoint site, document library, folder path or file.

 

See also

  • SharePoint Template Storage
  • Saving Reports to SharePoint with Metadata Fields
  • How to Set Up Global Parameters
