Using Site Sponsors to Provide Self-Service and Reduce Admin Load
ExCM has the ability to greatly reduce the workload on your IT Department by implementing what we call “Site Sponsors.” Site Sponsors can be either internal Windows or external Forms Based Authentication (FBA) users and are basically users with some elevated privileges, who are capable of managing the Extranet Users for a given site. Let’s take a closer look at Sponsorship and how it’s configured.
We access the Site Sponsors options under the “Extranet Management” menu located in Site Settings:
From that screen we can see any existing Site Sponsors, as well as the options for managing them:
How and why did we create a Site Sponsor record for sally@acme.com? Read on to learn both the how and the why.
Let's assume that the ACME Corporation is a customer of ours who uses our extranet to access information important to them. We will create a new Site Sponsor, a user from the ACME Corporation, and make her responsible for managing all the ACME users who access our extranet. This is an “extreme” example of Sponsorship (since this sponsor is outside our company), but I believe it illustrates the feature nicely and if you have very large customers who have lots of personnel that will be collaborating with you in an extranet site, you may find that it is necessary to make one of their staff a Site Sponsor in order to assist with the extranet user management admin load.
Now, let’s take a closer look at how Sponsorship is configured. After clicking on “New Site Sponsor” from the ribbon, the screen below is presented:
First, I will select an existing user to be the Site Sponsor. I will stick to using an external user for the purpose of this illustration, but I could have just as easily selected an internal user to be a Site Sponsor:
Next, we need to configure our Security Settings. This is probably the least understood topic when using Sponsorship, so let’s take a close look at each area. The first area is the “Associative Security Definition.” These are the SharePoint Groups and/or Extranet Roles to which every user this Sponsor invites to the site will automatically be added. Using Associative Security Definitions on a Site Sponsor record is one way in ExCM of enforcing security governance on your extranet site.
In this example, I have created an Extranet Role named “ACME Members” and added that Role to this site’s “Visitors” SharePoint Group. By entering “ACME Members” in this area, every external user that Sally invites will automatically be added to the “ACME Members” Extranet Role and will therefore have basic read-only access since the Role has been added to the site’s “Visitors” SharePoint group:
The next area is the “Optional Associative Security Definition.” Any SharePoint Group and/or Extranet Role entered here will be presented as checkboxes to the Site Sponsor when they invite users to the site. In this example, I have entered another Role I created named “ACME Managers” that has greater privileges than the “Members” Role because I have added it to the site’s “Owners” SharePoint Group:
The idea here is that you might wish to give a Site Sponsor some discretion to be able to grant a higher permission level to certain external users that they invite. This is ability will show up later on the New Invitation form.
Finally, we have the “Administrative Security Definition.” This includes the Groups and/or Roles that the Site Sponsor can manage. When we say “manage” in this situation, we are referring to specific permissions the Site Sponsor has been granted. Here are the possible permissions that can be assigned:
All of these are checked by default, but you can customize them to your specific needs. The best practice for the “Administrative Security Definition” is to add any Groups and/or Roles that appear in the first two Security Definition boxes. This ensures that any user the Site Sponsor Invites, they can also manage:
Important Note: if you opt to use Site CollectionSite level Security Policies, it is common to not add any GroupsRoles to the Associative and Optional Security Definitions boxes for a Site Sponsor. This approach is completely valid as your intent is to use Site CollectionSite level Security Policies, rather than Site Sponsor policies, to automatically enforce security governance. Even so, you should still add at least one SharePoint GroupExtranet Role to the Site Sponsor's Administrative Security Definition box, or the Site Sponsor will not see any accounts for them to manage when they access the Manage Accounts page.
Finally, we have the “Include Site Groups” option. When this is set to “Yes,” any SharePoint Groups the Site Sponsor is currently a member of for the site will be included by default in both the Optional and Administrative Security Definitions.
Tip: If you use SharePoint Groups only, and not Extranet Roles, it is not necessary to enter anything into the Administrative Security Definition box if you set this value to "Yes". Your Site Sponsor will automatically be able to manage external users that they invite and that get added to the SharePoint Group that they are a member of.
For this example, I will select “No” in this area since we are using Extranet Roles for security grouping rather than SharePoint Groups:
Now that we have successfully created a Site Sponsor, let’s log into our site as that Sponsor and invite a new user from the ACME Corporation. Here are the new options that the new Sponsor sees when clicking Settings menu.
From here, she can invite new users and manage existing users that she sponsors. After clicking on “Invite Users,” we see this:
Notice the “Site Access” area. As you can see, the Extranet Role that we entered into the “Optional Security Definition" appears here to allow the Site Sponsor to optionally add the new user to the Groups and/or Roles specified. And, behind the scenes, the “Associative Security Definition" will automatically be applied as well, which will add the invited user to the ACME Members SharePoint Group, in this case.
After clicking “Save,” the invitation is sent to the new user. When they open it, here’s what they see:
After completing the registration, we can review it under the “Invitations” area of the Extranet Management menu. Notice the “Sent By” and “Security Definition” areas:
So we can see that this invitation was sent by our new Site Sponsor, and that Bob was also added to the appropriate Security Definitions.
The last area we’ll review here is the Manage Accounts screen for the Site Sponsor. After logging back in as the new Sponsor and clicking Settings menu we see Manage Accounts:
From here, the Sponsor can do things like create new users (via invitation or manually), grant and remove access, change a user’s password, etc. Notice that we see an additional user in additon to the one we just invited. This is due to the “Administrative Security Definition.” The other user (Tony) is an existing external user that is also a member of the ACME Members and ACME Managers Roles, so our new Sponsor can also manage him.
To learn more about the individual Site Sponsor capabilities shown in the ribbon on the Manage Accounts page, visit these pages in the Site Sponsor Help section of this documentation:
Site Sponsorship gives IT administrators the ability to offload basic extranet administration tasks to capable, responsible users, freeing up their time for important IT work, and reducing IT labor costs.
©2019 PremierPoint Solutions. All Rights Reserved.
