Monday, September 19, 2016

SharePoint Server 2016 IT Preview Web Templates




The following table documents all Web Templates available in SharePoint Server 2016 IT Preview. For a downloadable version see also http://1drv.ms/1Lf6Cin.
| Name | Title | Description | Compatibility Level |
| --- | --- | --- | --- |
| ACCSRV#0 | Access Services Site | Microsoft Access Server | 14 |
| ACCSRV#0 | Access Services Site | Microsoft Access Server | 15 |
| ACCSRV#1 | Assets Web Database | | 14 |
| ACCSRV#3 | Charitable Contributions Web Database | | 14 |
| ACCSRV#4 | Contacts Web Database | | 14 |
| ACCSRV#5 | Projects Web Database | | 14 |
| ACCSRV#6 | Issues Web Database | | 14 |
| ACCSVC#0 | Access Services Site Internal | Microsoft Access Server Internal | 15 |
| ACCSVC#1 | Access Services Site | Microsoft Access Server | 15 |
| APP#0 | App Template | A base template for app development. It provides the minimal set of features needed for an app. | 15 |
| APPCATALOG#0 | App Catalog Site | A site for sharing apps for SharePoint and Office | 15 |
| BDR#0 | Document Center | A site to centrally manage documents in your enterprise | 14 |
| BDR#0 | Document Center | A site to centrally manage documents in your enterprise | 15 |
| BICenterSite#0 | Business Intelligence Center | A site for presenting Business Intelligence content in SharePoint. | 14 |
| BICenterSite#0 | Business Intelligence Center | A site for presenting Business Intelligence content in SharePoint. | 15 |
| BLANKINTERNET#0 | Publishing Site | This template creates a site for publishing Web pages on a schedule, with workflow features enabled. By default, only Publishing subsites can be created under this site. A Document and Picture Library are included for storing Web publishing assets. | 15 |
| BLANKINTERNET#0 | Publishing Site | This template creates a site for publishing Web pages on a schedule, with workflow features enabled. By default, only Publishing subsites can be created under this site. A Document and Picture Library are included for storing Web publishing assets. | 14 |
| BLANKINTERNET#1 | Press Releases Site | This template creates the Press Releases subsite for an Internet-facing corporate presence website. | 14 |
| BLANKINTERNET#1 | Press Releases Site | This template creates the Press Releases subsite for an Internet-facing corporate presence website. | 15 |
| BLANKINTERNET#2 | Publishing Site with Workflow | A site for publishing Web pages on a schedule by using approval workflows. It includes document and image libraries for storing Web publishing assets. By default, only sites with this template can be created under this site. | 14 |
| BLANKINTERNET#2 | Publishing Site with Workflow | A site for publishing Web pages on a schedule by using approval workflows. It includes document and image libraries for storing Web publishing assets. By default, only sites with this template can be created under this site. | 15 |
| BLANKINTERNETCONTAINER#0 | Publishing Portal | A starter site hierarchy for an Internet-facing site or a large intranet portal. This site can be customized easily with distinctive branding. It includes a home page, a sample press releases subsite, a Search Center, and a login page. Typically, this site has many more readers than contributors, and it is used to publish Web pages with approval workflows. | 15 |
| BLANKINTERNETCONTAINER#0 | Publishing Portal | A starter site hierarchy for an Internet-facing site or a large intranet portal. This site can be customized easily with distinctive branding. It includes a home page, a sample press releases subsite, a Search Center, and a login page. Typically, this site has many more readers than contributors, and it is used to publish Web pages with approval workflows. | 14 |
| BLOG#0 | Blog | A site for a person or team to post ideas, observations, and expertise that site visitors can comment on. | 15 |
| BLOG#0 | Blog | A site for a person or team to post ideas, observations, and expertise that site visitors can comment on. | 14 |
| CENTRALADMIN#0 | Central Admin Site | A site for central administration. It provides Web pages and links for application and operations management. | 14 |
| CENTRALADMIN#0 | Central Admin Site | A site for central administration. It provides Web pages and links for application and operations management. | 15 |
| CMSPUBLISHING#0 | Publishing Site | A blank site for expanding your Web site and quickly publishing Web pages. Contributors can work on draft versions of pages and publish them to make them visible to readers. The site includes document and image libraries for storing Web publishing assets. | 15 |
| CMSPUBLISHING#0 | Publishing Site | A blank site for expanding your Web site and quickly publishing Web pages. Contributors can work on draft versions of pages and publish them to make them visible to readers. The site includes document and image libraries for storing Web publishing assets. | 14 |
| COMMUNITY#0 | Community Site | A place where community members discuss topics of common interest. Members can browse and discover relevant content by exploring categories, sorting discussions by popularity or by viewing only posts that have a best reply. Members gain reputation points by participating in the community, such as starting discussions and replying to them, liking posts and specifying best replies. | 15 |
| COMMUNITYPORTAL#0 | Community Portal | A site for discovering communities. | 15 |
| DEV#0 | Developer Site | A site for developers to build, test and publish apps for Office | 15 |
| EDISC#0 | eDiscovery Center | A site to manage the preservation, search, and export of content for legal matters and investigations. | 15 |
| EDISC#1 | eDiscovery Case | This template creates an eDiscovery case. Users create locations where they can preserve or export data. | 15 |
| ENTERWIKI#0 | Enterprise Wiki | A site for publishing knowledge that you capture and want to share across the enterprise. It provides an easy content editing experience in a single location for co-authoring content, discussions, and project management. | 15 |
| ENTERWIKI#0 | Enterprise Wiki | A site for publishing knowledge that you capture and want to share across the enterprise. It provides an easy content editing experience in a single location for co-authoring content, discussions, and project management. | 14 |
| GLOBAL#0 | Global template | This template is used for initializing a new site. | 14 |
| GLOBAL#0 | Global template | This template is used for initializing a new site. | 15 |
| GROUP#0 | Group | A site template used to create a Group. | 15 |
| MPS#0 | Basic Meeting Workspace | A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda, meeting attendees, and documents. | 14 |
| MPS#0 | Basic Meeting Workspace | A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda, meeting attendees, and documents. | 15 |
| MPS#1 | Blank Meeting Workspace | A blank meeting site for you to customize based on your requirements. | 14 |
| MPS#1 | Blank Meeting Workspace | A blank meeting site for you to customize based on your requirements. | 15 |
| MPS#2 | Decision Meeting Workspace | A site for meetings that track status or make decisions. It provides lists for creating tasks, storing documents, and recording decisions. | 14 |
| MPS#2 | Decision Meeting Workspace | A site for meetings that track status or make decisions. It provides lists for creating tasks, storing documents, and recording decisions. | 15 |
| MPS#3 | Social Meeting Workspace | A site to plan social occasions. It provides lists for tracking attendees, providing directions, and storing pictures of the event. | 14 |
| MPS#3 | Social Meeting Workspace | A site to plan social occasions. It provides lists for tracking attendees, providing directions, and storing pictures of the event. | 15 |
| MPS#4 | Multipage Meeting Workspace | A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda and meeting attendees in addition to two blank pages for you to customize based on your requirements. | 15 |
| MPS#4 | Multipage Meeting Workspace | A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda and meeting attendees in addition to two blank pages for you to customize based on your requirements. | 14 |
| OFFILE#0 | (obsolete) Records Center | (obsolete) This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. | 14 |
| OFFILE#0 | (obsolete) Records Center | (obsolete) This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. | 15 |
| OFFILE#1 | Records Center | This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. | 14 |
| OFFILE#1 | Records Center | This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. | 15 |
| OSRV#0 | Shared Services Administration Site | This template creates a site for administering shared services | 14 |
| OSRV#0 | Shared Services Administration Site | This template creates a site for administering shared services | 15 |
| POINTPUBLISHINGHUB#0 | PointPublishing Hub | A site template used to create a pointpublishing hub site. | 15 |
| POINTPUBLISHINGPERSONAL#0 | PointPublishing Personal | A site template used to create a pointpublishing personal site. | 15 |
| POINTPUBLISHINGTOPIC#0 | PointPublishing Topic | A site template used to create a pointpublishing topic site. | 15 |
| POLICYCTR#0 | Compliance Policy Center | | 15 |
| PPSMASite#0 | PerformancePoint | | 14 |
| PPSMASite#0 | PerformancePoint | | 15 |
| PRODUCTCATALOG#0 | Product Catalog | A site for managing product catalog data which can be published to an internet-facing site through search. The product catalog can be configured to support product variants and multilingual product properties. The site includes admin pages for managing faceted navigation for products. | 15 |
| PROFILES#0 | Profiles | This template creates a profile site that includes page layout with zones | 15 |
| PROFILES#0 | Profiles | This template creates a profile site that includes page layout with zones | 14 |
| PROJECTSITE#0 | Project Site | A site for managing and collaborating on a project. This site template brings all status, communication, and artifacts relevant to the project into one place. | 15 |
| PWA#0 | Project Web App Site | Microsoft Project Web App | 14 |
| PWA#0 | Project Web App Site | Microsoft Project Web App | 15 |
| PWS#0 | Microsoft Project Site | A site that supports team collaboration on projects. This site includes documents, issues, risks, and deliverables which may be linked to tasks in Project Web App. | 14 |
| PWS#0 | Microsoft Project Site | A site that supports team collaboration on projects. This site includes documents, issues, risks, and deliverables which may be linked to tasks in Project Web App. | 15 |
| SGS#0 | Group Work Site | This template provides a groupware solution that enables teams to create, organize, and share information quickly and easily. It includes Group Calendar, Circulation, Phone-Call Memo, the Document Library and the other basic lists. | 14 |
| SGS#0 | Group Work Site | This template provides a groupware solution that enables teams to create, organize, and share information quickly and easily. It includes Group Calendar, Circulation, Phone-Call Memo, the Document Library and the other basic lists. | 15 |
| SPS#0 | SharePoint Portal Server Site | This template is obsolete. | 15 |
| SPS#0 | SharePoint Portal Server Site | This template is obsolete. | 14 |
| SPSCOMMU#0 | Community area template | This template is obsolete. | 14 |
| SPSCOMMU#0 | Community area template | This template is obsolete. | 15 |
| SPSMSITE#0 | Personalization Site | A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details. | 15 |
| SPSMSITE#0 | Personalization Site | A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details. | 14 |
| SPSMSITEHOST#0 | My Site Host | A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details. | 14 |
| SPSMSITEHOST#0 | My Site Host | A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details. | 15 |
| SPSNEWS#0 | News Site | This template is obsolete. | 14 |
| SPSNEWS#0 | News Site | This template is obsolete. | 15 |
| SPSNHOME#0 | News Site | A site for publishing news articles and links to news articles. It includes a sample news page and an archive for storing older news items. | 14 |
| SPSNHOME#0 | News Site | A site for publishing news articles and links to news articles. It includes a sample news page and an archive for storing older news items. | 15 |
| SPSPERS#0 | SharePoint Portal Server Personal Space | This web template defines a Personal Space for an individual participating on a SharePoint Portal. | 14 |
| SPSPERS#0 | SharePoint Portal Server Personal Space | This web template defines a Personal Space for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#10 | Storage And Social SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with Storage, on-demand Social and Multilingual User Interface with document parser disabled at web level features for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#2 | Storage And Social SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with both Social and Storage features for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#3 | Storage Only SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with Storage features for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#4 | Social Only SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with Social features for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#5 | Empty SharePoint Portal Server Personal Space | This web template defines an empty Personal Space. | 15 |
| SPSPERS#6 | Storage And Social SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with Storage and on-demand Social features for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#7 | Storage And Social SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with Storage, Social and Multilingual User Interface features for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#8 | Storage And Social SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with Storage, on-demand Social and Multilingual User Interface features for an individual participating on a SharePoint Portal. | 15 |
| SPSPERS#9 | Storage And Social SharePoint Portal Server Personal Space | This web template defines a minimal Personal Space with Storage, on-demand Social with document parser disabled at web level features for an individual participating on a SharePoint Portal. | 15 |
| SPSPORTAL#0 | Collaboration Portal | A starter site hierarchy for an intranet divisional portal. It includes a home page, a News site, a Site Directory, a Document Center, and a Search Center with Tabs. Typically, this site has nearly as many contributors as readers and is used to host team sites. | 14 |
| SPSPORTAL#0 | Collaboration Portal | A starter site hierarchy for an intranet divisional portal. It includes a home page, a News site, a Site Directory, a Document Center, and a Search Center with Tabs. Typically, this site has nearly as many contributors as readers and is used to host team sites. | 15 |
| SPSREPORTCENTER#0 | Report Center | A site for creating, managing, and delivering Web pages, dashboards, and key performance indicators that communicate metrics, goals, and business intelligence information. | 15 |
| SPSREPORTCENTER#0 | Report Center | A site for creating, managing, and delivering Web pages, dashboards, and key performance indicators that communicate metrics, goals, and business intelligence information. | 14 |
| SPSSITES#0 | Site Directory | A site for listing and categorizing important sites in your organization. It includes different views for categorized sites, top sites, and a site map. | 14 |
| SPSSITES#0 | Site Directory | A site for listing and categorizing important sites in your organization. It includes different views for categorized sites, top sites, and a site map. | 15 |
| SPSTOC#0 | Contents area Template | This template is obsolete. | 15 |
| SPSTOC#0 | Contents area Template | This template is obsolete. | 14 |
| SPSTOPIC#0 | Topic area template | This template is obsolete. | 14 |
| SPSTOPIC#0 | Topic area template | This template is obsolete. | 15 |
| SRCHCEN#0 | Enterprise Search Center | A site focused on delivering an enterprise-wide search experience. Includes a welcome page with a search box that connects users to four search results page experiences: one for general searches, one for people searches, one for conversation searches, and one for video searches. You can add and customize new results pages to focus on other types of search queries. | 14 |
| SRCHCEN#0 | Enterprise Search Center | A site focused on delivering an enterprise-wide search experience. Includes a welcome page with a search box that connects users to four search results page experiences: one for general searches, one for people searches, one for conversation searches, and one for video searches. You can add and customize new results pages to focus on other types of search queries. | 15 |
| SRCHCENTERFAST#0 | FAST Search Center | | 14 |
| SRCHCENTERLITE#0 | Basic Search Center | A site focused on delivering a basic search experience. Includes a welcome page with a search box that connects users to a search results page, and an advanced search page. This Search Center will not appear in navigation. | 15 |
| SRCHCENTERLITE#0 | Basic Search Center | A site focused on delivering a basic search experience. Includes a welcome page with a search box that connects users to a search results page, and an advanced search page. This Search Center will not appear in navigation. | 14 |
| SRCHCENTERLITE#1 | Basic Search Center | The Search Center template creates pages dedicated to search. The main welcome page features a simple search box in the center of the page. The template includes a search results and an advanced search page. This Search Center will not appear in navigation. | 14 |
| SRCHCENTERLITE#1 | Basic Search Center | The Search Center template creates pages dedicated to search. The main welcome page features a simple search box in the center of the page. The template includes a search results and an advanced search page. This Search Center will not appear in navigation. | 15 |
| STS#0 | Team Site | A place to work together with a group of people. | 14 |
| STS#0 | Team Site | A place to work together with a group of people. | 15 |
| STS#1 | Blank Site | A blank site for you to customize based on your requirements. | 15 |
| STS#1 | Blank Site | A blank site for you to customize based on your requirements. | 14 |
| STS#2 | Document Workspace | A site for colleagues to work together on a document. It provides a document library for storing the primary document and supporting files, a tasks list for assigning to-do items, and a links list for resources related to the document. | 14 |
| STS#2 | Document Workspace | A site for colleagues to work together on a document. It provides a document library for storing the primary document and supporting files, a tasks list for assigning to-do items, and a links list for resources related to the document. | 15 |
| TBH#0 | In-Place Hold Policy Center | A site to manage policies to preserve content for a fixed period of time. | 15 |
| TENANTADMIN#0 | Tenant Admin Site | A site for tenant administration. It provides Web pages and links for self-serve administration. | 14 |
| TENANTADMIN#0 | Tenant Admin Site | A site for tenant administration. It provides Web pages and links for self-serve administration. | 15 |
| visprus#0 | Visio Process Repository | A site for viewing, sharing, and storing Visio process diagrams. It includes a versioned document library and templates for Basic Flowcharts, Cross-functional Flowcharts, and BPMN diagrams. | 15 |
| visprus#0 | Visio Process Repository | A site for viewing, sharing, and storing Visio process diagrams. It includes a versioned document library and templates for Basic Flowcharts, Cross-functional Flowcharts, and BPMN diagrams. | 14 |
| WIKI#0 | Wiki Site | A site for a community to brainstorm and share ideas. It provides Web pages that can be quickly edited to record information and then linked together through keywords | 15 |
| WIKI#0 | Wiki Site | A site for a community to brainstorm and share ideas. It provides Web pages that can be quickly edited to record information and then linked together through keywords | 14 |


Tuesday, December 29, 2015

SQL Server : sp_who2 - filtering and sorting the results for connections

The stored procedure sp_who2 lists all current processes connected to a SQL Server:
exec sp_who2

A typical result set from Management Studio:

[Inline image: sp_who2 result set in Management Studio]


sp_who2 is one of the most useful and widely used stored procedures, along with its predecessor sp_who. However, it is also one of the most frustrating, as it only takes a single parameter and the results cannot be ordered. For a large server with a lot of connections this can be a real nuisance. I usually store the results in a temporary table and then filter and/or order the results from there:

CREATE TABLE #sp_who2 (
    SPID        INT,
    Status      VARCHAR(255),
    Login       VARCHAR(255),
    HostName    VARCHAR(255),
    BlkBy       VARCHAR(255),
    DBName      VARCHAR(255),
    Command     VARCHAR(255),
    CPUTime     INT,
    DiskIO      INT,
    LastBatch   VARCHAR(255),
    ProgramName VARCHAR(255),
    SPID2       INT,
    REQUESTID   INT)
INSERT INTO #sp_who2 EXEC sp_who2
SELECT      *
FROM        #sp_who2
-- Add any filtering of the results here :
WHERE       DBName <> 'master'
-- Add any sorting of the results here :
ORDER BY    DBName ASC

DROP TABLE #sp_who2
Some people encapsulate the above code in a stored procedure and run that, but my preference is always to run it as a script.
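The same capture-then-filter approach from C#, as an added example that is not the post's script: ADO.NET fills a DataTable with the sp_who2 result set (the in-memory equivalent of the temporary table), the rows are filtered and sorted with the same expressions, and the BlkBy column is walked to pair each blocked session with the session blocking it. The connection string, and that the login has VIEW SERVER STATE so sp_who2 lists every session, are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example: capture sp_who2 into a DataTable and work on it in memory.
// Assumes sp_who2's column names and its "  ." marker for "not blocked" in
// BlkBy, as on the SQL Server 2005 / 2008 / 2008 R2 versions the post tested.
public static class WhoMonitor
{
    public sealed class BlockedSession
    {
        public int Spid;
        public string Login;
        public string DbName;
        public int BlockerSpid;
        public string BlockerLogin;
        public string BlockerProgram;
    }

    // Run sp_who2 and capture its single result set. sp_who2 returns two
    // columns named SPID; SqlDataAdapter renames the second one "SPID1".
    public static DataTable Capture(string connectionString)
    {
        var table = new DataTable("sp_who2");
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("sp_who2", conn) { CommandType = CommandType.StoredProcedure })
        using (var adapter = new SqlDataAdapter(cmd))
        {
            adapter.Fill(table); // opens and closes the connection itself
        }
        return table;
    }

    // Filtering and sorting the way the post's script does, e.g.
    // Filter(table, "DBName <> 'master'", "DBName ASC").
    public static DataRow[] Filter(DataTable table, string rowFilter, string sort)
    {
        return table.Select(rowFilter, sort);
    }

    // sp_who2 returns padded strings; trim before comparing or parsing.
    private static string Str(DataRow row, string column)
    {
        return Convert.ToString(row[column]).Trim();
    }

    // Join each blocked session to the row of the session blocking it, so the
    // output answers "who is blocking whom" without a second query.
    public static List<BlockedSession> FindBlocked(DataTable table)
    {
        // Index rows by SPID so a blocked row can be joined to its blocker.
        var bySpid = new Dictionary<int, DataRow>();
        foreach (DataRow row in table.Rows)
        {
            int spid;
            if (int.TryParse(Str(row, "SPID"), out spid)) bySpid[spid] = row;
        }

        var result = new List<BlockedSession>();
        foreach (DataRow row in table.Rows)
        {
            int spid, blocker;
            if (!int.TryParse(Str(row, "SPID"), out spid)) continue;
            // BlkBy is "  ." when the session is not blocked, so anything
            // that parses as an integer is the SPID of a blocker.
            if (!int.TryParse(Str(row, "BlkBy"), out blocker)) continue;
            DataRow blockerRow;
            bySpid.TryGetValue(blocker, out blockerRow);
            result.Add(new BlockedSession
            {
                Spid = spid,
                Login = Str(row, "Login"),
                DbName = Str(row, "DBName"),
                BlockerSpid = blocker,
                BlockerLogin = blockerRow == null ? "?" : Str(blockerRow, "Login"),
                BlockerProgram = blockerRow == null ? "?" : Str(blockerRow, "ProgramName")
            });
        }
        return result;
    }
}
```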

Finally

A word of warning: sp_who2 is undocumented, meaning that Microsoft could change it in the future without warning. I've tested the code above on SQL Server 2005, 2008 and 2008 R2; however, it's possible that the columns or datatypes returned could change in future versions, which would require a small change in the code.

Friday, October 23, 2015

Impersonation and Elevation of Privilege - SharePoint

Introduction

Microsoft's SharePoint Services and Technologies (SharePoint) has a robust security model. Every operation attempted within the SharePoint framework is subject to the security settings and policies that apply to the affected objects. This article discusses the methods provided by the SharePoint framework that allow developers to accomplish tasks regardless of a user's permissions.

Need Alternate Security Context

When writing an application that is based on the SharePoint framework, it is common for the program to update or create a SharePoint object. A typical scenario is a feedback form on an anonymous website. The form needs to write data to a SharePoint list, but granting write permission to the anonymous user is not acceptable.
This article includes code and screenshots from an Identity Web Part that displays information about identities used in the current request.
Note: The Identity Web Part is available from the downloads library of this site.

Impersonation versus Elevation

Before discussing this topic further, we need to define the meaning of elevation of privilege and impersonation. The SharePoint Software Development Kit (SDK) provides the following descriptions:
Impersonation: Enables developers to perform actions on behalf of another user.
Elevation of privilege: Enables developers to programmatically perform actions in code using an increased level of privilege.
What is not clear in these definitions is the difference in the requirements to use these approaches. For example, in order to impersonate you typically require the user's credentials. In order to elevate, the elevated privileges must be available in the execution environment. Both of these approaches can be used in SharePoint.

Identities

SharePoint is built on the ASP.NET infrastructure. However, since a complete discussion of the ASP.NET infrastructure is outside of the scope of this paper, we will explore the concept of identities at a high level. Details that are omitted in this paper can be reviewed in the ASP.NET documentation on MSDN.
There are a few different identities in the ASP.NET pipeline. The first is the process identity that is set via the application pool in which the Web application is configured. In ASP.NET, the Default Application Pool is running with the System Identity. When SharePoint is installed, a new application pool is created and configured to use the service account specified during the configuration wizard. This is commonly referred to as the AppPool identity. (There is also a thread identity. The web server process spawns threads to handle each request, and these threads also use the process identity.)
 
The next identity is the context identity. When the ASP.NET framework processes a request, the impersonation and authorization settings in web.config indicate how the context identity is created. As indicated in the following code, the default SharePoint configuration uses Windows authentication and has impersonation enabled:
    <authentication mode="Windows" />
    <identity impersonate="true" />
Refer to the MSDN article titled "Authentication in ASP.NET: .NET Security Guidance" for more information on this topic.
The net effect of these settings is that the identity of the user running the browser is also the identity of the request. This identity is exposed to pages and controls as the Windows identity. The Windows identity is available to server-side code via the static method: System.Security.Principal.WindowsIdentity.GetCurrent().
SharePoint also requires an identity to perform security checks. In the SharePoint object model, the SharePoint identity is represented by the SPUser object. During the request pipeline, the SPUser is set to the same value as the Windows identity. However, they are not the same object, which means they can be altered independently.
Use the following code to retrieve the SharePoint value in code running on a Web page such as a Web Part:
    SPWeb web = SPContext.Current.Web;
    SPUser user = web.CurrentUser;
Note: You cannot create an SPUser object. Instead, the SharePoint framework creates this object in the context of a site collection (SPSite) based on the context identity.

Identity Web Part

In Figure 1, the Identity Web Part is shown on the home page of a blank site. This Web Part displays the current values of the Windows identity and SharePoint identity. It also contains buttons to perform both elevation and impersonation. The current user account, which is Victor Visitor in this example, is a member of the site visitors group and has only read access to the site.
 
Figure 1 - Default Identities

Impersonation

There are a few scenarios in which impersonation of another user is helpful. One such scenario is restricting access to a sensitive resource such as a database. This is the case for SharePoint when a service account is configured to access the content databases: the service account is impersonated and the data retrieved, while the users themselves have no permission on the database. The service account scenario is accomplished by storing and later retrieving the credentials of the impersonated account.
 
Note: Since the details about impersonation in ASP.NET are outside the scope of this whitepaper, refer to the "Impersonation and Delegation" article on Microsoft's ASP.NET Community site for more information on this topic.
 
Another common scenario is a background or deferred process that executes a user-initiated function. This background process acts on behalf of several users, which means it runs with credentials such as LocalSystem that are appropriate for a background process. In this scenario, the requesting user account is impersonated and the requested action is performed.
In addition, there is a system account provided by the SharePoint platform that functions similarly to a service account. The system account has permission to all SharePoint objects and can be used to update items with code that would be denied if attempted by the requesting user account. The system account can be impersonated without a password, which makes it a powerful alternative to granting user permissions throughout the farm.

Impersonate a User

To impersonate a user in the SharePoint framework, you must have an SPUserToken object. This object can be obtained by referencing the UserToken property of the SPUser object. However, the SPUser class cannot be created in code. Instead, a user token must be accessed and stored during a page request.
    SPUser user = SPContext.Current.Web.CurrentUser;
    SPUserToken token = user.UserToken;
    // store token
At this point the background process can retrieve the token and use it to impersonate the requestor. The actual impersonation is performed by SharePoint during the creation of an SPSite object. Creating the SPSite object also requires the object's GUID or the site collection URL.
    string url = "http://localhost"; // use your url
    SPUserToken token = user.RetrieveToken(); // a custom method
    using (SPSite site = new SPSite(url, token))
    {
        // access the SPSite and its objects under the identity
        // represented by the token
    }
Retrieving the SPUserToken of the system account requires similar code. Since the system account is a known principal, there is no need to store and retrieve the token.
    SPUser systemUser = SPContext.Current.Site.SystemAccount;
    SPUserToken token = systemUser.UserToken;
    // store token
Figure 2 shows the code for the Impersonate button of the Identity Web Part that provides the user token as it creates a new SPSite object. This step is required to obtain a new SharePoint identity.

Figure 2 - Impersonate method

Effects of Impersonation

Running the impersonate method affects the SharePoint identity of the request. The Windows identity is still set by the base ASP.NET settings. Since the SPWeb object used to retrieve the current user was created within the scope of the impersonation, the SharePoint identity is set to SHAREPOINT\system, which is the predefined value of the system account (see Figure 3).

Figure 3 - Impersonated identities

When to Impersonate

Impersonating an alternate account is appropriate whenever code must perform an action within the SharePoint platform on behalf of a user. The impersonation method only changes the SharePoint identity of the request, not the Windows identity.
Best Practice:
If the code is expected to honor the permissions of the requesting user, the user's token must be used to perform the impersonation.
 
Best Practice:
For code that updates SharePoint on behalf of a user without permissions, use the System Account token to perform the impersonation.
 
Best Practice:
If the current user cannot access the system account token, use the RunWithElevatedPrivileges method to retrieve the system account token and then impersonate. Do not perform all required actions with elevated privileges.
 
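The pattern the third best practice describes, written out as an added example (not the article's or the Identity Web Part's code): elevate only long enough to read the system account token, then perform the write under an SPSite opened with that token, so the work itself runs as the SharePoint system account rather than inside the elevated block. The "Feedback" list, its "Submitted By" column and the anonymous feedback scenario from the introduction are assumptions.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: write a list item on behalf of a user who has no write
// permission (for instance the anonymous feedback form), using elevation only
// to obtain the system account token and impersonation to do the write.
public static class FeedbackWriter
{
    public static void AddFeedback(string text)
    {
        string siteUrl = SPContext.Current.Site.Url;
        Guid siteId = SPContext.Current.Site.ID;
        SPUserToken systemToken = null;

        // Step 1: elevate only to read the system account token. A fresh SPSite
        // is opened inside the delegate because SPContext.Current.Site was
        // created under the requesting user and keeps that user's permissions;
        // an anonymous user may not be able to read SystemAccount from it.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite elevatedSite = new SPSite(siteId))
            {
                systemToken = elevatedSite.SystemAccount.UserToken;
            }
        });

        // Step 2: back in the normal request context, impersonate the system
        // account by passing its token to the SPSite constructor. Only the
        // SharePoint identity changes; the Windows identity is the requester's.
        using (SPSite site = new SPSite(siteUrl, systemToken))
        using (SPWeb web = site.OpenWeb())
        {
            // A write outside a validated form digest (e.g. a GET request)
            // needs AllowUnsafeUpdates; keep it scoped to this SPWeb object.
            web.AllowUnsafeUpdates = true;
            try
            {
                SPList list = web.Lists["Feedback"];      // hypothetical list
                SPListItem item = list.Items.Add();
                item["Title"] = text;
                // The item will be stamped as created by SHAREPOINT\system, so
                // record the real submitter in a column of its own (hypothetical).
                SPUser requester = SPContext.Current.Web.CurrentUser;
                item["Submitted By"] = requester == null ? "anonymous" : requester.LoginName;
                item.Update();
            }
            finally
            {
                web.AllowUnsafeUpdates = false;
            }
        }
    }
}
```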

Elevation of Privilege

Elevation of privilege provides an increased level of privilege. However, where does this level of privilege come from? The possible sources are the involved infrastructure frameworks: IIS, ASP.NET, and SharePoint. The IIS process is configured to run with minimal privilege to reduce the attack surface open to malicious code and hackers. SharePoint uses the identity of the HttpContext. Therefore, the natural source is ASP.NET.
As mentioned previously, the identity of the ASP.NET process is configured in the Application Pool (AppPool). Since the AppPool identity is set during configuration of SharePoint, we can assume it has the privileges necessary to access the resources used throughout the farm including the database, servers, and services.

Elevate Level of Privilege

In the SharePoint platform, running code with elevated privileges is accomplished using the SPSecurity.RunWithElevatedPrivileges method. This method invokes a delegate that runs with the Windows identity set to the AppPool account. The password of the AppPool account is not required, as it is with Impersonation.
Figure 4 shows the code for the Elevate button of the Identity Web Part. In this method, the RunWithElevatedPrivileges method runs an anonymous function, which is identified by the delegate keyword.

Figure 4 - Method to elevate privilege

Effects of Elevation

As discussed previously, the RunWithElevatedPrivileges method executes the specified code with the identity of the application pool. The Identity Web Part reflects this change, as shown in Figure 5.
Behind the scenes, there is significant code that creates a new application domain that has a separate security context. Next, the code provided to the RunWithElevatedPrivileges method runs within this separate application domain, which is reflected in the different Windows identity.
Figure 5 - Elevated identities
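An added example (not the Identity Web Part's source, which the figures do not reproduce) that returns the Windows identity and the SharePoint identity for the default, impersonated and elevated contexts, so the two effects described above can be compared side by side in code. It assumes it runs inside a SharePoint page request where SPContext.Current is available.

```csharp
using System;
using System.Security.Principal;
using Microsoft.SharePoint;

// Added example: report both identities in each of the three contexts.
// Expected on a visitor account (per the article): Default reports the user
// for both; Impersonated changes only the SharePoint identity to
// SHAREPOINT\system; Elevated changes only the Windows identity to the
// application pool account.
public static class IdentityProbe
{
    public struct Identities
    {
        public string Windows;     // WindowsIdentity of the executing thread
        public string SharePoint;  // SPUser that SharePoint checks permissions against
    }

    private static Identities Current(SPWeb web)
    {
        return new Identities
        {
            Windows = WindowsIdentity.GetCurrent().Name,
            SharePoint = web.CurrentUser == null ? "(anonymous)" : web.CurrentUser.LoginName
        };
    }

    // Default: both identities come from the authenticated request.
    public static Identities Default()
    {
        return Current(SPContext.Current.Web);
    }

    // Impersonation: a new SPSite built from the system account token. The
    // SPWeb from that site reports SHAREPOINT\system; the Windows identity is
    // untouched because impersonation only changes the SharePoint identity.
    public static Identities Impersonated()
    {
        SPSite contextSite = SPContext.Current.Site;
        SPUserToken token = contextSite.SystemAccount.UserToken;
        using (SPSite site = new SPSite(contextSite.Url, token))
        using (SPWeb web = site.OpenWeb())
        {
            return Current(web);
        }
    }

    // Elevation: inside the delegate the Windows identity is the AppPool
    // account. The SPWeb from the request context was created under the
    // requesting user, so its CurrentUser is still that user: elevation does
    // not change the SharePoint identity of objects created before it ran.
    public static Identities Elevated()
    {
        Identities result = new Identities();
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            result = Current(SPContext.Current.Web);
        });
        return result;
    }
}
```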

When to Elevate

Since elevation of privilege does not change the SharePoint identity, performing the elevation is appropriate only when an alternate Windows identity is required. For code running on the SharePoint platform, the AppPool identity is the only available Windows identity. This means that elevation is only effective if the AppPool identity has the necessary permissions to the secured resource.
Best Practice:
Use elevated privileges to access non-SharePoint resources to which the application pool account has the necessary permissions.
 
Best Practice:
Use only the RunWithElevatedPrivileges method of the SPSecurity class to obtain a context with elevated privileges. Any other approach is not supported.
 

Summary

This article explains how developers can use impersonation and elevation of privilege when working with ASP.NET identities to accomplish tasks regardless of a user's permissions. The ability to use these methods allows developers to create solutions that work with, rather than work around, security settings.