In its latest release, Version 3.2, TITUS Metadata Security for SharePoint has greatly increased its support for SharePoint Managed Metadata. In particular, TITUS Metadata Security can work with managed metadata terms in a more meaningful way as part of the conditions that it evaluates when determining whether a specific policy needs to be enforced on a document or item. These conditions, which can be part of any policy, are referred to as “Conditional Expressions”.
For many versions, TITUS Metadata Security has been able to use any metadata column and any metadata field type as part of its conditional expressions. When authoring a policy and specifying a conditional expression, an administrator could choose any column that was currently configured for the list or library. For example, a conditional expression of [Classification] = “Secret” meant that, for a particular item in the list or library, if the Classification column was set to a value of “Secret”, then TITUS Metadata Security would enforce that policy on that item. In this case, the “Classification” column could be a managed metadata column type. However, in previous versions, the comparison between the value of this column and the conditional expression in the policy was simply a text comparison.
In version 3.2, this comparison can still be a simple text comparison. However, TITUS Metadata Security now provides the additional option of performing this comparison between the actual managed metadata “term” specified for an item and the “term” specified in the policy, regardless of the text value specified for that term. This has several advantages:
- If the text value of a managed metadata term changes, then TITUS Policies do not need to be updated to take into account the new value (for example, if the term “confidential” within a classification term set is renamed to “classified”)
- If multiple language variants are specified for a particular term, for example “confidential” for English and “vertraulich” for German, then TITUS Policies will evaluate correctly regardless of which language the end user has used to specify the metadata term for an item
- If managed metadata terms are reused within a complex metadata hierarchy, TITUS Policies will evaluate correctly for a particular term regardless of where in the metadata hierarchy the term is defined
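The first two advantages can be seen in a small model of the two comparison modes. This is an added example, not TITUS or SharePoint code: the `label|term-id` column value format, the exact-match text comparison, the file names and the term IDs are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed term IDs; real ones would come from the term store.
CONFIDENTIAL_ID = "11111111-2222-3333-4444-555555555555"
PUBLIC_ID = "99999999-8888-7777-6666-555555555555"

@dataclass(frozen=True)
class Condition:
    column: str
    value_kind: str  # "text" (Type in Value) or "term" (Managed Metadata)
    value: str       # label text for "text", term ID for "term"

def parse_field(raw):
    """Split an assumed 'label|term-id' column value into (label, term_id)."""
    if "|" not in raw:
        return raw, ""              # plain text column: no term ID to compare
    label, _, term_id = raw.rpartition("|")
    return label, term_id.lower()

def matches(cond, item):
    raw = item.get(cond.column)
    if raw is None:
        return False                # column not set: condition is not met
    label, term_id = parse_field(raw)
    if cond.value_kind == "term":
        return term_id == cond.value.lower()   # identity of the term
    return label == cond.value                 # text shown for the term

def enforced_on(cond, items):
    """Names of the items on which a policy with this condition applies."""
    return [name for name, item in items.items() if matches(cond, item)]

# Constructed items: the same term tagged in English, tagged in German,
# and tagged after the term was renamed, plus one unrelated term.
ITEMS = {
    "plan.docx":    {"Classification": f"confidential|{CONFIDENTIAL_ID}"},
    "vertrag.docx": {"Classification": f"vertraulich|{CONFIDENTIAL_ID}"},
    "renamed.docx": {"Classification": f"classified|{CONFIDENTIAL_ID}"},
    "memo.docx":    {"Classification": f"public|{PUBLIC_ID}"},
}
TEXT_POLICY = Condition("Classification", "text", "confidential")
TERM_POLICY = Condition("Classification", "term", CONFIDENTIAL_ID)

if __name__ == "__main__":
    print("text match:", enforced_on(TEXT_POLICY, ITEMS))
    print("term match:", enforced_on(TERM_POLICY, ITEMS))
```

In this model the text condition stops matching the German-tagged and renamed items, so a policy built on it would no longer be enforced on them, while the term condition still covers all three.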
So, let’s see how we configure this:
- In order to create policies, you must first navigate to the TITUS Metadata Security Administration screen, which can be accessed from the Site Settings page on a subsite or site collection, or from the Library/List Settings page. Which of these is available to you depends on the rights you have. Click the “TITUS Metadata Security Administration” link on the page.
- The Administration page shows you 2 different tables: Permission Policies and Dynamic Policies
- In either case, this view displays the currently “Published” policies. These are the policies that are currently being enforced. You may not have any policies yet. Click the “Edit Rules” link under either table.
- Clicking Edit Rules takes you to a page where you can add, modify or remove policies. These are the current “Draft” policies – those which are being edited, have been saved, but are not yet published (so not yet enforced). Click the “Add New Rule” link.
- To specify a new rule, you must first give the rule a name, decide whether it will be enabled, and then add a security action. Depending on whether you have selected Permission Policies or Dynamic Policies, different security actions will be available.
- When configuring TITUS Metadata Security Policies, you can select for policies to always apply (this is the default) or to apply only under certain conditions. These conditions are the conditional expressions mentioned above. In order to specify a conditional expression, you must click the “Only if the following conditional expression is true” radio button.
- A conditional expression is made up of a Resource, an Operator and a Value.
Conditional Expression in TITUS Metadata Security
- First you must select a Resource to evaluate in your expression. The options available here are “Metadata” or “Claim”. The “Claim” option only appears if you have configured your web application for claims based authentication. Since we’re exploring how to use Managed Metadata Terms, select the “Metadata” option in the Resource dropdown.
- The second dropdown in the Resource column will now populate with the metadata fields that are currently available. If you are administering from the list or library level, this will display the metadata columns available on this list or library. If you are administering from the site level, then a limited set of columns are displayed out of the box. For policies at the site or site collection level, a site collection administrator must first navigate to the “Configure Metadata Columns” page that is available with TITUS Metadata Security (available from the Site Settings page to site collection administrators only) and select which metadata columns can be used as part of TITUS Policies. To work with managed metadata terms, you must select a metadata column from this second dropdown which is a managed metadata column.
- Once selected, you may select any operator available from the Operator dropdown. The default is equals.
- Once a managed metadata column is selected for the Resource, the Value dropdown provides a number of options, including “Type in Value”, “Claim” and “Managed Metadata”. The administrator can select “Type in Value” if they wish a simple text comparison to occur when evaluating the condition, or they can select “Managed Metadata” if they want the actual term selected for the policy to be compared to the term selected as part of an item’s metadata. Select Managed Metadata from the Value dropdown.
- The user interface for specifying a value now changes to allow the administrator to click a Get Term button and select a term from the metadata column’s predefined term set, using SharePoint’s common Managed Metadata Term selection window. You would have specified the term set for a managed metadata column when the column was defined.
Conditional Expression with Managed Metadata in TITUS Metadata Security
- Click the Get Term button and the following windows will appear allowing the administrator to select the appropriate term to compare within the policy.
SharePoint Managed Metadata Selection
- Once the managed metadata term is selected, click the Add Condition button, and the conditional expression will be updated with this condition. You’ll notice that the ID of the term is saved within the policy, so that comparisons between the metadata term on an item or document against the term specified in a policy can be much more meaningful than a simple text comparison.
- You may then add additional conditions to the policy’s conditional expression, and when done you can click the Update Rule button to add the policy to the current set of saved (Draft) policies.
This enhanced support for managed metadata terms allows TITUS Metadata Security to be used very effectively in environments where managed metadata plays a critical role in organizing and protecting an organization’s sensitive information.
-Antonio
