Selecting Users on Which to Perform a ControlPoint Action or Analysis
When you initiate a ControlPoint action or analysis that involves SharePoint users, the Parameters section of the workspace includes the standard SharePoint "People Picker" for selecting the user(s) you want to include.
If you initiate an operation by selecting one or more users from the SharePoint Hierarchy, the People Picker will be pre-populated with the selected user(s).
You can:
·perform the operation on all SharePoint users (by leaving the People Picker blank)
OR
·select one or more individual users.
Many ControlPoint operations also give you the option of selecting multiple users based on:
·a wildcard (*)
AND/OR
·a SharePoint user profile.
NOTE: There is a maximum number of users that can be included in a ControlPoint action. This limit is a "safety net" to prevent the operation from being carried out on more users than intended, which is especially useful when a wildcard is used. The ControlPoint Application Administrator can adjust this limit by changing the Value for the ControlPoint Configuration Setting Maximum Number of Users to Act on (MAXUSERSFORACTION), as described in the ControlPoint Administration Guide.
Selecting Individual Users
Enter the name of one or more users on which you want to perform the action or analysis. Separate each user name with a semicolon (;). You can either:
§enter a full user account name (for example, domain\username or service provider:username), then click the Check Names icon (
OR
§click the Browse icon (
If your environment includes alternate authentication providers (that is, in addition to Active Directory), when you initiate an action or analysis for a single Web application you can validate or browse for individual users managed by any authentication provider supported by that Web application. Similarly, if you use claims-based authentication and want to perform an operation on a claim, you can validate the claim if it is being performed on or within a single Web application. Because of limitations inherent in SharePoint, however, if you have selected the entire farm or multiple Web applications, you can type in alternate authentication-user account names or claims, but you can neither validate nor browse for them.
Depending on the action or analysis you are performing, ControlPoint may or may not allow invalidated users to be included in the operation. For example, you cannot add a user to a site unless the user's existence in the provider database can be validated. However, you can delete or report on an unvalidated user's permissions from a site, because it is reasonable to assume that a user who has been granted permissions to a SharePoint site may no longer exist in the provider database(s), as in the case of a former employee.
Selecting Users Based on a Wildcard
You can use a wildcard (*) to select users that you want to include in a ControlPoint operation. Only one wildcard can be used per entry and generally can be placed anywhere within the account name. ControlPoint will return all users (including Active Directory groups) whose account name matches the specified pattern. Built-in Active Directory Groups are always excluded.
For most actions and all analyses, users that match the patternalong with their permissionsare collected from the ControlPoint data cache, which is current as of the date and time of the last Discovery run. For actions that add users (such as Set User Direct Permissions and Add User to SharePoint Group) ControlPoint queries Active Directory for users that match the specified pattern. Therefore, non-Active Directory users cannot be added using a wildcard.
EXAMPLES:
|
If you want to select ... |
Enter ... |
|---|---|
|
all users and groups within thebellum domain |
bellum\*. |
|
all instances with the user name jamesjoyce, across all Active Directory domains |
*\jamesjoyce. NOTE: This option cannot be used for actions that add users and require a query against Active Directory rather than the ControlPoint data cache. For these actions, the full domain name must be used. If you want to use a wildcard to select users in different Active Directory domains, a two-way trust relationship must exist. |
|
all users with the last name Smith within the bellum domain |
bellum\*smith. |
NOTE: Currently, wildcards cannot be used within the name of a claim.
Selecting Users Based on a SharePoint User Profile
If you are running MOSS or SharePoint Server, you can select users for most ControlPoint operations based on a common property defined in the SharePoint User Profile service(s) associated with the Web application.
NOTE: To use this feature, the User Profile Service Application must be enabled and associated with each of the Web applications within the scope of the action or analysis. If more than one instance of this service application is associated with a Web application, the default instance will be used.
Requirements
In order to act on or analyze users based on a SharePoint User Profile property:
·the ControlPoint Service account must have permissions to access the User Profile Service application, and
·the User Profile Service application must be associated with the Web application(s) within the scope of the operation.
If the above requirements are not met for a particular Web application:
·In the case of an action:
§profile-based users with permissions for sites within that Web application will not be acted upon, and
§the name of each Web application that was not included in the action will be recorded in the ControlPoint Task Audit.
·in the case of an analysis:
§the analysis will not continue processing, and
§the following message will display in the analysis header: "No User Profile Application available to service the request. Contact your farm administrator."
To select users based on a SharePoint User Profile property:
1Click the profile icon (
2Select a Property Name from the drop-down.
NOTE: The Property Name drop-down includes properties whose Data Type is string, person, or boolean. If your selection has more than one associated User Profile service, the dialog will include properties from all associated profiles on the home farm.
3Select or enter a Property Value.
NOTE: Depending on the nature of the property, the Property Value drop-down may or may not be populated. For properties of the Data Type person, enter a full account name (for example, domain\user_name). For properties of the Data Type boolean (identified in the SharePoint user profile by a check box), enter true (for checked) or false (for unchecked).
4Click [Upload]