+1  Q: 

WebPart security

What is best practice to ensure only the correct users can see a webpart in SharePoint 2007?

Security Groups and Audiences have both been suggested to me.

+3  A: 

It depends if you are talking about the rendering of Web Parts or adding Web Parts from the Web Part gallery. Let me explain both scenarios:

1) In MOSS 2007, you can indeed use audiences to target the rendering of Web Parts on a given Web Part page. This is exactly what the Audience property on Web Parts is designed for. However, for WSS 3.0 deployments this is not possible as Audiences is a MOSS thing.

2) Hiding Web Parts in the Web Part gallery is also possible, i.e. in case you do not want all users with design permissions to be able to add any WP in the gallery. Use item permissions on the .dwp / .webpart files in the WP gallery to restrict access.

Lars Fastrup
Great idea on item permissions in the web part gallery. I had never thought of that!
Kirk Liemohn
How do you set up the item permissions in the .dwp/.webpart file to restrict WP gallery access?
Bravax
Easy, go to Site Settings -> Web Parts. Then locate the .dwp/.webpart file and click the edit icon. On the Edit Item page, click Manage Permissions in the toolbar.
Lars Fastrup
A: 

As far as best practices go, it depends. If you use Audiences, use them first. This allows for central management of content accessibility. If not, item permissions are probably the next best thing. After that, you have to manage it in the Render() of the webpart itself (bad idea).

theG
+1  A: 

Although audiences are not a security mechanism, for webpart visibility the effect is the same. The issue with a webpart is others can add that webpart to another page that you are not controlling the audience for if you do not set the protection for the webpart in the gallery, as Lars mentioned. As he also mentioned, the audiences are only available if you are using MOSS and not just WSS.

An additional security step is to place the logic in the webpart to prevent unauthorized use. If it is truly a security concern, I would choose this approach.

PapaDaniel
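
An added example, not code from any of the answers above: one way to put the authorization check inside the web part itself, so the part builds no content for users outside an allowed SharePoint group regardless of which page it is added to. The class name, namespace and the group name "Report Viewers" are assumptions made for illustration.

```csharp
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;

namespace Example.WebParts   // hypothetical namespace
{
    // Hypothetical web part: creates its content only for members of one group.
    public class RestrictedReportWebPart : WebPart
    {
        // Assumed group name; in practice this would be a configured property.
        private const string AllowedGroupName = "Report Viewers";

        private static bool IsAuthorized()
        {
            // SPContext owns this SPWeb, so it must not be disposed here.
            SPWeb web = SPContext.Current.Web;

            // Anonymous requests have no current user: deny.
            if (web.CurrentUser == null)
                return false;

            try
            {
                // Indexing SiteGroups by name throws if the group does not exist.
                SPGroup group = web.SiteGroups[AllowedGroupName];
                return group.ContainsCurrentUser;
            }
            catch (SPException)
            {
                // Fail closed: a missing or unreadable group means no access.
                return false;
            }
        }

        protected override void CreateChildControls()
        {
            // Check before any data is loaded, not only at render time,
            // so nothing sensitive is queried or held in the control tree.
            if (!IsAuthorized())
                return;

            Label content = new Label();
            content.Text = "Restricted content goes here."; // placeholder content
            Controls.Add(content);
        }
    }
}
```

The check runs as the current user; any data access the part performs should do the same, so the list and item permissions still apply underneath it.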