Matthias Einig's ESPC session heavily focused on Customization Governance, the first step any organization should consider before Customizing SharePoint.
8. Deployment Models in SharePoint
• Farm Solutions & Sandboxed Solutions
• Apps/Add-ins & SharePoint Framework
• Citizen Development
9. Farm & Sandboxed Solutions
Sandbox
• WSP files
• No control over server
• Less flexible
• Sandboxed code no longer supported in SPO
With less power comes great frustration
Full Trust
• WSP files
• Full control over server
• Flexible
• Complex
• Hard to maintain
With great power comes great responsibility
10. Anatomy of a Farm Solution
WSP package (diagram callouts):
• Manifest xml in the solution package introduces the feature framework elements and code
• Feature framework feature with element xml files for content type and site columns
• Provisioned content types and site columns have a dependency on the element xml files
11. What could go wrong?
1. Memory Leaks
2. Performance Problems
3. Impersonation / Privilege Elevation
4. Overwritten system files
5. API Reflection / Support issues
6. Deployment / Upgrade problems
7. Stuck Artifacts
17. SharePoint Apps/Addins
App / Add in
• .app files
• Still new to many people
• Separate hosting model
• Various Hosting and usage models
• Complex authentication model
Flexible & Powerful
19. What could go wrong?
1. Authentication (App Security vs. User Security)
2. Technical Limitations
3. Standardization (.NET vs. PS vs. JS/TypeScript)
4. PnP vs. Roll your own
5. Hosting
21. Apps/Add-ins & SharePoint Framework
App / Add-in
• .app files
• Still new to many people
• Separate hosting model
• Various Hosting and usage models
• Complex authentication model
Flexible & Powerful
SPFx
• .spapp files
• GA since March 2017
• Currently only Client Parts and Extensions
• Separate hosting model
• Available on-prem from SP2016 SP2
Very new development model to 'traditional' SharePoint Devs
22. Anatomy of a SharePoint Framework solution
(diagram: the solution's code is hosted on a Content Delivery Network or in SharePoint)
23. What could go wrong?
1. Malicious Code injected via CDN
2. Bad Performance
3. Lack of Standardization
4. 3rd party Framework Lifecycle
5. 3rd party component conflicts
6. Code runs "as the user"
7. Maintaining knowledge
29. Governance Considerations
SharePoint Admin
• Monitoring
• Version management
• Issue resolution plan
• Provider hosted add-in infrastructure
• High trust / low trust
• New app notifications
End Users
• Feedback channels
• End user support & training
Developer
• Development support
• Test environments
• Pre-verification processes
• ALM process
• Testing process
Validation Process
• Validation process
• Who, what, when
• Approvals
• QA, UAT environments
31. Basic Governance Plan Questions (1)
1. What types of customizations are allowed?
2. Who is allowed to customize?
3. Which tools are approved to create customizations?
4. Which 3rd party components should be used in which versions and where should they be referenced to / hosted?
5. How to implement and update customizations (SDLC)?
32. Basic Governance Plan Questions (2)
6. How are the customizations versioned?
7. How do you package and deploy customizations?
8. How are customizations piloted and tested?
9. Who validates and who delivers them?
10. Who is allowed to update when something changes and who fixes it when it breaks?
33. Basic Governance Plan Questions (3)
11. What defines a business critical customization?
12. What is the SLA?
13. How to run and maintain customizations?
14. Who is responsible for ongoing support?
15. How do you monitor customizations to know if they are working as expected?
34. Summary
1. SharePoint governance also includes customizations
2. Customizations have a high impact on the platform
3. Customization governance starts before you build them
4. The later you govern the more costly it will become
5. Tools can support and enforce the governance plan
Conformity to Guidelines
Give examples
Complex security
Add-in security vs User security
Limited ability to specify what the add-in wants to do
Powerful: full access to C# / .NET ecosystem
Rich APIs
CSOM
REST
Microsoft Graph
Not a replacement for Add-Ins but rather another option
Simple security
The solution has the same rights as the user running it
Powerful: access to the full JavaScript ecosystem
Rich APIs
JSOM
REST
Microsoft Graph
Manifest deployed to SharePoint AppCatalog by Tenant Admin (what is the solution, where is the JS hosted, what does the customization do, but does not contain the code)
Code can be hosted in SharePoint or external CDN and loaded into page
Governance plan: where do we host it?
Which 3rd party libraries do we use, and from where are they referenced.
Code executes under the context of the current user (full trust)
Who is allowed to update a script and how
Versioning
SPFx tenant wide install to the app catalog
And SPFx runs in the user account with all the privileges of the user
Fallback Add-in model, permission checkups, isolation, scripts cannot act on behalf of the user.
Standardize client-side libraries usage
Define a policy on using external scripts
which locations are considered safe
Standardize hosting location for SPFx solutions
Technically you don't have to refer to external scripts, so you could bundle React into your SPFx solution, but this makes it harder to maintain and conflicts may occur with different SPFx components.
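The notes above describe a policy (approved hosting locations, standardized client-side libraries, defined update and versioning rules) but not how to verify it. The following is an added example, not code from the session or the speaker: a pre-verification check that reads an SPFx project's build configuration and flags policy violations before the package reaches the app catalog. The approved hosts, approved library versions and all sample file contents are constructed for the example; the field names (`externals` in config/config.json, `solution.version` and `includeClientSideAssets` in config/package-solution.json, `cdnBasePath` in config/write-manifests.json) follow the SPFx config layout as I know it and should be checked against the project's own files.

```python
"""Governance pre-verification check for an SPFx solution (added example).

Policy enforced (constructed for this example):
  * every external script must load over HTTPS from an approved host
  * the CDN base path (if assets are not shipped in the package) must be approved
  * solution.version must be a 4-part version so updates are traceable
  * client-side libraries must be the organization's standardized versions
"""
import json
import re
from urllib.parse import urlparse

# Constructed governance policy: locations scripts may be loaded from.
APPROVED_HOSTS = {
    "contoso.sharepoint.com",   # SharePoint-hosted assets (constructed tenant)
    "cdn.contoso.example",      # company-run CDN (constructed host)
}
# Constructed list of standardized 3rd party libraries and their versions.
APPROVED_LIBRARIES = {"react": "16.8.5", "react-dom": "16.8.5"}

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def check_url(label, url, findings):
    """Flag a script location that is not HTTPS or not on an approved host."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"{label}: '{url}' is not loaded over HTTPS")
    if parsed.hostname not in APPROVED_HOSTS:
        findings.append(f"{label}: host '{parsed.hostname}' is not an approved location")


def check_externals(config, findings):
    """config.json 'externals': each entry is a script the page will load,
    given either as a URL string or as an object with a 'path' field."""
    for name, spec in config.get("externals", {}).items():
        path = spec if isinstance(spec, str) else spec.get("path", "")
        check_url(f"externals['{name}']", path, findings)


def check_solution(package_solution, write_manifests, findings):
    """Version format, and the CDN location when assets are hosted externally."""
    solution = package_solution.get("solution", {})
    version = solution.get("version", "")
    if not VERSION_RE.match(version):
        findings.append(f"solution.version '{version}' is not a 4-part version")
    if not solution.get("includeClientSideAssets", False):
        check_url("cdnBasePath", write_manifests.get("cdnBasePath", ""), findings)


def check_dependencies(package_json, findings):
    """package.json dependencies must be the standardized libraries and versions."""
    for name, version in package_json.get("dependencies", {}).items():
        wanted = APPROVED_LIBRARIES.get(name)
        if wanted is None:
            findings.append(f"dependency '{name}' is not on the approved library list")
        elif version.lstrip("^~") != wanted:
            findings.append(f"dependency '{name}' is {version}, approved version is {wanted}")


def run_checks(config, package_solution, write_manifests, package_json):
    """Return the list of governance findings; an empty list means the solution passes."""
    findings = []
    check_externals(config, findings)
    check_solution(package_solution, write_manifests, findings)
    check_dependencies(package_json, findings)
    return findings


# Constructed sample input, loosely following the SPFx config file layout.
SAMPLE_CONFIG = json.loads("""{
  "externals": {
    "jquery": "https://cdn.contoso.example/libs/jquery-3.3.1.min.js",
    "moment": { "path": "http://cdn.example.org/moment.min.js", "globalName": "moment" }
  }
}""")
SAMPLE_PACKAGE_SOLUTION = json.loads("""{
  "solution": {
    "name": "governance-demo-client-side-solution",
    "version": "1.0.0",
    "includeClientSideAssets": false
  }
}""")
SAMPLE_WRITE_MANIFESTS = json.loads(
    '{"cdnBasePath": "https://cdn.contoso.example/spfx/governance-demo/"}')
SAMPLE_PACKAGE_JSON = json.loads("""{
  "dependencies": { "react": "16.8.5", "react-dom": "16.8.5", "lodash": "4.17.11" }
}""")

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_CONFIG, SAMPLE_PACKAGE_SOLUTION,
                              SAMPLE_WRITE_MANIFESTS, SAMPLE_PACKAGE_JSON):
        print("FAIL:", finding)
```

On the constructed sample this reports four findings: the `moment` external is loaded over plain HTTP from a host that is not approved, the version is not in 4-part form, and `lodash` is not a standardized library. Running a check like this in the ALM pipeline is how the "pre-verification" and "validation" steps on the governance slide become enforceable rather than a document nobody reads.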
Communicate preconditions to project teams upfront
Make explicit agreement with ISVs
Can the solution be updated without your knowledge
What is the SLA
Where is the code hosted?
Where is the data stored?
How is the security enforced?
Verify that solutions meet your requirements
The more libraries are on a page, the more the page size grows; conflicts with multiple libraries; updating
Agree on preconditions upfront
Guide customer if they don’t have a governance plan in place
Develop good practices for your organization/team
How do you test solutions?
Locally
QA
UAT
How do you release solutions?
Where are they deployed to?
Who governs them?
What’s the SLA?