The Adobe Sign for SharePoint Online installation package is available to any enterprise level account that is interested in installing the Adobe Sign solution. Prior to installation, contact your Success Manager to ensure the account is established in the correct channel to enable the required API functionality.
The Adobe Sign integration for Microsoft SharePoint provides an integrated solution for creating, sending, tracking and managing electronic signatures.
This documentation, and the installation package it refers to, are developed for Microsoft SharePoint Online multi-tenant (generally referred to as “SharePoint” throughout this guide).
The solution is developed as an add-in application for SharePoint and provides:
To configure the solution, you MUST be both a SharePoint site admin and an Adobe Sign account admin. If you are not an Adobe Sign account admin, please work with that admin to configure the integration.
The Adobe Sign solution can only be installed and configured by a Microsoft SharePoint site administrator. Please consult SharePoint documentation and your organization’s SharePoint site, or tenant administrator, for additional systems permissions that may be required to install SharePoint site solutions.
In the Microsoft Office 365 tenant, the first name, last name and work email address must be set for all SharePoint users who want to access the Adobe Sign add-in on their SharePoint sites.
All users of the Adobe Sign solution need to be present in the SharePoint site's default site members or default site owners group. All Adobe Sign users need to have at least Edit permissions on the site.
The current versions of the Edge, Chrome, Firefox, and Safari browsers are all supported.
Private/Incognito browser sessions are not supported.
In order for SharePoint add-ins to work with Edge browsers, some configuration of Trusted Sites is required. Internet Explorer and legacy versions of Edge are not supported.
Additionally, Edge users need to explicitly edit their Trusted Sites settings to include the following URLs:
To edit your Trusted Sites:
1. Open Edge
► Press Windows + S
2. Type Internet Options into the search field
3. The Internet Options menu opens. Select the Security tab
4. Click on the Trusted Sites icon
5. Click the Sites button
6. Enter one of the URLs above, and click Add
7. Repeat for each URL above
8. Close the Internet Options menu when done.
Adobe Sign for SharePoint v2.0 requires additional permissions to be approved via OAuth (webhooks and web form permissions).
Customers that are upgrading from v1.x must update their OAuth credentials to gain access to these new permissions:
1. Update the Adobe Sign add-in to the 2.x package
2. Update the connection to Adobe Sign:
The person who is both the Office Tenant Administrator and an Adobe Sign Account administrator must bring up the settings page for the SharePoint Sign integration tenant.
All sites in the tenant which use the tenant connection should now be able to use web form features.
It’s important to close or refresh the settings tab even if you want to immediately start setting up web form mappings after re-authentication with Adobe Sign.
Failure to refresh the settings window produces errors on the web forms tab until you do.
If the SharePoint Administrator and the Adobe Sign Account Administrator are different people, both need to collaborate to configure the solution.
For every site that uses the integration, the person who is both the SharePoint Administrator and an Adobe Sign administrator for that particular site must update the site connection for that site:
Once done, users of that particular site should be able to use web form features.
It’s important to close or refresh the settings tab even if you want to immediately start setting up web form mappings after re-authentication with Adobe Sign.
Failure to refresh the settings window produces errors on the web forms tab until you do.
If the SharePoint Administrator and the Adobe Sign Account Administrator are different people, both need to collaborate to configure the solution.
It is not recommended to batch install the Adobe Sign for SharePoint Online add-in on multiple sites via tenant scoped deployment because of the following limitations.
To install the online edition of the Adobe Sign for SharePoint package:
1. Authenticate to the site
2. Navigate to: Site Contents > New > App
3. Click SharePoint Store
4. Search for Adobe Sign in the Find an app search box (top right of the page)
5. Single click the Adobe Sign icon to select it from the search results.
6. Click the ADD IT button to start the automatic installation
The app installation takes a few minutes.
Once the package is installed, you can navigate to the Adobe Sign Settings page and access links for both this admin/configuration guide, as well as the User guide, and other Adobe Sign resources.
Once the application is installed, there are only two steps required to start sending agreements:
Adobe Sign establishes an OAuth connection with your SharePoint environment to facilitate the seamless usage of the application for all users.
To establish the relationship, you must use an account-level admin in the Adobe Sign application as well as on SharePoint.
It is recommended that a functional email address be used (e.g.: AdobeSignAdmin@MyDomain.com) if possible to reduce the risk of the admin account being inactivated for any reason.
To establish the OAuth connection:
1. Navigate to the Adobe Sign Settings page
2. Click the Connect Adobe Sign tab
3. Select the scope at which you want to install Adobe Sign:
► Establish SharePoint site connection (Site level - for the SharePoint site administrator)
• This functionality connects the add-in to an Adobe Sign account at the current SharePoint site level
1. Authenticate to Adobe Sign using your admin user credentials
2. Click Allow Access to approve the trusted relationship between Adobe Sign and SharePoint
○ A success message will briefly display once the connection is established
When you are successfully authenticated at the Site level, you see the email and name of the user that has authenticated to Adobe Sign above the two links.
► Connect your SharePoint tenant to an Adobe Sign account (Tenant scope - for the O365 tenant admin only)
• No repetitive OAuth login is required at Adobe Sign for add-in instances connected in tenant scope
• Adobe Sign OAuth performed on any single add-in instance in the global scope sets the Sign linkage to all other installed instances linked in the tenant scope
○ OAuth must be performed on at least one tenant scoped add-in
• Any newly installed add-in instance is automatically connected to the Adobe Sign account available at the tenant scope
A confirmation box pops up indicating that you are about to link your tenant to your Adobe Sign account. This requires Microsoft Office 365 administrator login.
1. Authenticate to SharePoint using your admin user credentials
2. Click Accept to approve access to the SharePoint resources
3. Authenticate to Adobe Sign using your admin user credentials
4. Click Allow Access to approve the trusted relationship between Adobe Sign and SharePoint
○ A success message will briefly display once the connection is established
When you are successfully authenticated at the Tenant level, you see the email and name of the user that has authenticated to Adobe Sign above the two links, along with an assertion that the account is "configured for your SharePoint tenant by your Office 365 tenant administrator."
If your SharePoint deployment has multiple sites, it is possible that one or more sites can be authenticated at the site level, but a tenant level authentication can exist as well.
If both types of authentication exist, and the Site you are configuring is authenticated at the Site level, a link is exposed that can promote the authentication to the Tenant level.
There are two mechanisms to grant SharePoint users access to the Adobe Sign integration:
Seamless on-boarding is the simplest configuration for adding users.
Any user assigned the default Edit permission level for your SharePoint site automatically has permission to access and use the Adobe Sign integration.
With the Users with Edit permission option enabled, any user that opens the Adobe Sign add-in (or uses any of its features), triggers a check of the user's permissions for the SharePoint site. If the user has a set of permissions recognized as typical of Editors, access is granted to the add-in.
The table below shows the list of all SharePoint permissions, the default permissions assigned to each permission level, and the required set of permissions to be recognized as a User (User Mask) or Admin (Admin Mask):
# | Permission | Reader | Contributor | User Mask | Editor | Admin Mask | Designer | Full Access
---|---|---|---|---|---|---|---|---
3 | list: add items | |||||||
7 | list: Approve Items | |||||||
11 | list: Create Alerts | |||||||
5 | list: delete items | |||||||
10 | list: Delete Versions | |||||||
4 | list: edit items | |||||||
1 | list: manage lists | |||||||
8 | list: open items | |||||||
2 | list: Override List Behaviors | |||||||
12 | list: view application pages | |||||||
6 | list: view items | |||||||
9 | list: View Versions | |||||||
32 | personal: Add/Remove Personal Web Parts | |||||||
31 | personal: Manage Personal Views | |||||||
33 | personal: Update Personal Web Parts | |||||||
17 | site: add and customize pages | |||||||
19 | site: Apply Style Sheets | |||||||
18 | site: Apply Themes and Borders | |||||||
21 | site: Browse Directories | |||||||
25 | site: browse user information | |||||||
20 | site: create groups | |||||||
15 | site: create subsites | |||||||
30 | site: edit personal user information | |||||||
24 | site: enumerate permissions | |||||||
26 | site: manage alerts | |||||||
13 | site: manage permissions | |||||||
16 | site: manage web site | |||||||
29 | site: open | |||||||
28 | site: Use Client Integration Features | |||||||
27 | site: use remote interfaces | |||||||
22 | site: use self-service site creation | |||||||
23 | site: view pages | |||||||
14 | site: View Web Analytics Data | |||||||
The number in the far left column is the order in which these permissions are displayed in the SharePoint UI.
Rows marked with are permissions assigned to the default role levels.
Rows marked with are permissions required to be recognized as a User or Admin by the Adobe Sign integration.
Rows marked with are required for correct functioning of the Admin features for the Adobe Sign integration.
Background - How users are given access to a SharePoint Site
Some background on how users actually get access to a SharePoint site:
Permissions and Permission Levels
SharePoint offers a set of 33 individual permissions that control a user's ability to execute individual actions. To make the management of users' permissions less cumbersome, SharePoint has the construct of Permission Levels – groups of individual permissions that can be assigned as a block to enable users to perform tasks according to traditional roles of use. Depending on the site template used to create the SharePoint site, there may be different permission roles defined, but the three essential permission levels are Full Control, Edit, and Read. These are the basis of the default access control SharePoint Groups.
A Site Admin can also define custom Permission Levels to support access for other roles.
Groups
Users are afforded access to SharePoint sites by virtue of their membership in a SharePoint Group. That membership can be either direct or inherited.
1. SharePoint Groups
SharePoint Groups are simple collections of users and user-like groups that let you control access to a SharePoint site. Any member of the SharePoint group inherits the permissions assigned to the SharePoint Group.
In many ways a SharePoint Group is mostly an access control group.
When a SharePoint site is created, there are three SharePoint groups created using the Site Name. The groups are: <siteName> Owners, <siteName> Members, and <siteName> Visitors. The Owners group is assigned full control permission level to the SharePoint site and all sub sites and applications. The Members group is assigned the edit permission level to the SharePoint site and all sub sites and applications. The Visitors group is assigned the read permission level.
A Site Admin can also create a custom SharePoint group and assign that group any of the defined permission levels. This custom group is available to the Site Collection (this site and any sub-site).
Any member of one of these SharePoint groups inherits permissions afforded the group.
2. Office365 Groups
Office365 groups are more complex collections of users that control access to resources to enable collaboration. When creating a new Office365 group, an email address is created for the group's shared mailbox, a SharePoint site is created to store and organize the collaboration content, collaboration resources are allocated, and a Teams site can optionally be created to facilitate group communication. Office365 groups contain a list of Members and a list of Owners. Owners have the ability to manage the Office365 group. Members are given access to the resource that the Office365 group is assigned to.
In many ways, an Office365 Group is more of a collaboration organization than a traditional Group.
When a SharePoint site is created in the SharePoint admin center, or as part of creating a new Office365 group, a special Office365 group is created with the same name as the SharePoint site. This Office365 group is linked to the SharePoint groups that are created with the SharePoint site. The Owners of the Office365 group are added to the SharePoint Owners group. The Members of the Office365 group are added to the SharePoint Members group.
A SharePoint Admin can share the contents of the SharePoint site with another Office365 group. That group will have access to the SharePoint site and its functionality, but not to the other resources, such as the shared mailbox or Teams site, that belong to the Office365 group created with the SharePoint site. Inviting an Office365 group to share the SharePoint site adds the Office365 group to the SharePoint Members group.
Sharing a SharePoint site with an Office365 group has the effect of making the Office365 group a member of one of the SharePoint (access control) Groups.
3. Azure Active Directory Security Groups
Azure Active Directory Security Groups (AD Security Groups) are collections of users and other AD Security groups that can be defined hierarchically and added to groups that manage access to resources (access control groups) to give members of the AD Security Group access to the controlled resources.
A SharePoint Admin can share the contents of the SharePoint site with an AD Security Group. That AD Security Group, and all the members of its contained AD Security Groups, will have access to the SharePoint site and its functions, but not to the other resources, such as the shared mailbox or Teams site, that belong to the Office365 group created with the SharePoint site.
Sharing a SharePoint site with an AD Security Group has the effect of making the AD Security Group a member of one of the SharePoint (access control) Groups.
How does this new onboarding option identify users?
Rather than look for explicit group membership, when the Users with Edit permission feature is selected, the Adobe Sign add-in looks at the specific set of SharePoint permissions assigned to the user. If the user has the SharePoint permissions we require to be recognized as an Admin, the user is allowed to use the administrative features of the add-in. If the user has the SharePoint permissions we require to be recognized as an add-in user, that user is allowed to use the regular features of the add-in.
The SharePoint permissions to be recognized as an administrator of the Adobe Sign add-in are included in the Full Control SharePoint permission level. The SharePoint permissions to be recognized as a user of the Adobe Sign add-in are included in the Edit SharePoint permission level.
Required User Permissions
To be recognized as an add-in user, the user must have the following SharePoint permissions. For lists the user must be able to Add Items, Edit Items, View Items, Open Items, and View Application Pages. For the Site the user must be able to View Pages, Browse User Information, Use Remote Interfaces, and Open the site.
Required Admin Permissions
To be recognized as an add-in administrator, the user must have the SharePoint permissions to be recognized as an add-in user, plus the following additional SharePoint permissions. For lists, the user must be able to Override List Behaviors, Delete Items, Approve Items, View Versions, and Delete Versions. For the Site the user must be able to Browse Directories. For personal settings the user must be able to Manage Personal Views, Add/Remove Personal Web Parts, and Update Personal Web Parts.
Will this new onboarding option support Office 365 Groups, AAD Security Groups, or SharePoint Default groups which I already set up?
Yes.
As long as your users can access the SharePoint site, and have been assigned to a SharePoint group with sufficient permissions to be recognized as an add-in user or admin, the mechanism by which they are a member of the SharePoint group doesn't matter.
My users are in the right member groups (SharePoint group or Office365 group) but cannot use Adobe Sign. What should I do?
When attempting to open the add-in, the user is presented with an error message that says: "You do not have required permission to use Adobe Sign."
This error is caused by the SharePoint permissions for the user not being correctly set. To solve the problem you need to first know how the user has been granted access to the SharePoint site and then either adjust the permissions, or add the user to a group with the correct permissions (or both).
Check SharePoint group membership and Permission Level
This shows you the user's permission level, and which SharePoint Group has granted that permission level.
Adjust the Edit Permission Level to include the minimum required permissions
From the Permissions list, click the Advanced permissions settings link, then click the Permission Levels option from the PERMISSIONS tab.
From the list of permission levels, select the Edit level to display the list of permissions included in the Edit Permission level. Make sure the Edit Permission Level includes the permissions underlined in yellow in the image below.
Specifically, for lists the user must be able to Add Items, Edit Items, View Items, Open Items, and View Application Pages. For the Site the user must be able to View Pages, Browse User Information, Use Remote Interfaces, and Open the site.
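The User and Admin permission checks described above, and the troubleshooting step of finding which required permission a level lacks, sketched as an added example (not Adobe's code). The permission names are the labels from this guide, the permission levels in `SAMPLE_LEVELS` are constructed, and it assumes a user's effective permissions are the union of what each group membership grants.

```python
# Added example: masks are taken from the Required User/Admin Permissions text.
USER_MASK = frozenset({
    "list: add items", "list: edit items", "list: view items",
    "list: open items", "list: view application pages",
    "site: view pages", "site: browse user information",
    "site: use remote interfaces", "site: open",
})

# Admin recognition needs the user mask plus these additional permissions.
ADMIN_MASK = USER_MASK | frozenset({
    "list: override list behaviors", "list: delete items",
    "list: approve items", "list: view versions", "list: delete versions",
    "site: browse directories",
    "personal: manage personal views",
    "personal: add/remove personal web parts",
    "personal: update personal web parts",
})


def normalize(perms):
    """Lower-case and collapse spaces so 'List: Add Items' matches the mask."""
    return frozenset(" ".join(p.lower().split()) for p in perms)


def effective(*grants):
    """Union of the permissions granted through every group membership
    (assumption: permissions from several groups add up)."""
    out = frozenset()
    for grant in grants:
        out |= normalize(grant)
    return out


def recognized_role(perms):
    """Return 'admin', 'user' or 'none' for an effective permission set."""
    perms = normalize(perms)
    if ADMIN_MASK <= perms:
        return "admin"
    if USER_MASK <= perms:
        return "user"
    return "none"


def missing_for(perms, role):
    """Sorted list of permissions still needed to be recognized as role."""
    mask = ADMIN_MASK if role == "admin" else USER_MASK
    return sorted(mask - normalize(perms))


def audit(levels):
    """Map each permission level name to (role, missing-for-user list)."""
    return {name: (recognized_role(p), missing_for(p, "user"))
            for name, p in levels.items()}


# Constructed permission levels (hypothetical names, not tenant data).
SAMPLE_LEVELS = {
    "Edit (remote API removed)": USER_MASK - {"site: use remote interfaces"},
    "Records Clerk": ADMIN_MASK | {"list: manage lists"},
    "Project Member": USER_MASK | {"list: delete items"},
}

if __name__ == "__main__":
    for name, (role, missing) in audit(SAMPLE_LEVELS).items():
        print(f"{name}: {role}; missing for user: {missing}")
```

Running the same audit over an export of your own permission levels shows both failure modes: a trimmed Edit level that produces the "You do not have required permission" error, and a custom level that unintentionally satisfies the Admin mask.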
If you require more control over who may use the Adobe Sign for SharePoint integration, this option grants access to only those users who are direct members of the <site name> Members SharePoint group.
To add members to the SharePoint site using the modern experience:
Using the Invite people button to invite people to the SharePoint site will not grant them access to the Adobe Sign Integration.
When you are done, the new member of the SharePoint group will be displayed in the list of members.
Once users are added to the groups, there may be several minutes delay for the Microsoft servers to properly sync up. This does not impact further configuration, but user testing/usage should be suspended during this window.
The following optional configurations, while not required, can greatly improve the value that Adobe Sign brings.
As an administrator, you can define a global target folder where all completed agreements will be deposited for the whole site. This is configured on the Signed File Settings page.
When a global storage folder is defined, all signed agreement and audit trail PDF files are saved automatically in that global storage folder. This includes agreements sent from document libraries as well as lists.
If no global storage folder is set on the Adobe Sign Signed Files Settings page, a new folder called Signed Agreements is automatically created in the document library from which the Agreement was created/sent. All completed Agreements sent from the same library have the completed PDFs returned to the same Signed Agreements folder.
Agreements sent from lists are attached to the list item (as attachments) if no global default file is identified.
If you are using web forms to collect data, a similar storage process can be employed for the signed web form agreements.
The admin can define a global storage folder for all signed web forms.
If a global repository is not defined, the signed web form is stored in an automatically created folder called Signed Web Forms.
By default, Adobe Sign returns only the signed agreement PDF. However, if you enable Store audit trail with signed agreement, a second PDF is returned that contains the full Audit Trail for the agreement.
Adobe Sign supports the idea of relating data between SharePoint Lists and the Agreement form fields.
By using workflows and mapping the list fields to the form fields, you can automatically pre-fill documents before sending, reducing the time for senders and/or signers to complete the form, and reducing the chance for miskeying the data.
Conversely, you can also create a mapping that extracts the form field data from a signed Agreement, to populate a SharePoint list.
The full guide for configuring template mappings can be found here.
Similar to Template Mapping, Adobe Sign supports the idea of relating data between Adobe Sign web form agreements and SharePoint lists.
By mapping the web forms’ form fields to the SharePoint list columns, you can automatically route data to SharePoint, reducing the time spent and the errors from miskeying the data.
The full guide for configuring web forms mappings can be found here.
Web form template mapping is only available to Adobe Sign for SharePoint Online v2.0+ installations.
Earlier versions must upgrade to gain access to this feature.