Background - How users are given access to a SharePoint Site
Some background on how users actually get access to a SharePoint site:
上次更新日期:
Jun 09, 2021 08:56:27 PM GMT
The Adobe Sign for SharePoint Online installation package is available to any enterprise level account that is interested in installing the Adobe Sign solution. Prior to installation, contact your Success Manager to ensure the account is established in the correct channel to enable the required API functionality.
Overview
The Adobe Sign integration for Microsoft SharePoint provides an integrated solution for creating, sending, tracking and managing electronic signatures.
This documentation, and the installation package it refers to, are developed for Microsoft SharePoint Online multi-tenant (generally referred to as “SharePoint” throughout this guide).
The solution is developed as an add-in application for SharePoint and provides:
- Send an agreement from any SharePoint document library, or list, for signature
- Ability to send documents to a single recipient or group of recipients from a document library or custom SharePoint lists
- Map data from SharePoint lists as well as from a document library into documents through merge mapping when the documents get sent for signature
- Map data from form fields of signed agreements into textual columns of SharePoint lists as well as a document library through data mapping when the document has been signed and its status has been either automatically or manually refreshed through the Agreement Status page
- Leverage Adobe Sign web forms to collect data and automatically push that data to designated fields in SharePoint lists.
- Archival of all signed agreements within SharePoint
- Ability to add the Adobe Sign Manage page as a SharePoint web part, which can be used by SharePoint users for tracking and updating Agreements
Requirements
To configure the solution, you MUST be both a SharePoint site admin and an Adobe Sign account admin. If you are not Adobe Sign account admin, please work with him or her to configure the integration.
The Adobe Sign solution can only be installed and configured by a Microsoft SharePoint site administrator. Please consult SharePoint documentation and your organization’s SharePoint site, or tenant administrator, for additional systems permissions that may be required to install SharePoint site solutions.
In the Microsoft Office 365 tenant, the first name, last name and work email address must be set for all SharePoint users who want to access the Adobe Sign add-in on their SharePoint sites.
All users of the Adobe Sign solution need to be present the SharePoint site's default site members or default site owners group. All Adobe Sign users need to have at least Edit permissions on the site.
Supported browsers
The current version of Edge, Chrome, Firefox, and Safari browsers are all supported.
注意:
Private/Incognito browser sessions are not supported.
The Edge Browser
In order for SharePoint add-ins to work with Edge browsers, some configuration of Trusted Sites is required. Internet Explorer and legacy versions of Edge are not supported.
Additionally, Edge users need to explicitly edit their Trusted Sites settings to include the following URLs:
- https://*.adobesigncdn.com
- https://*.adobesign.com
- https://*.echocdn.com
- https://*.echosign.com
- https://*.microsoftonline.com
- https://*.sharepoint.com
To edit your Trusted Sites:
1. Open Edge
► Press Windows + S
2. Type Internet Options into the search field
3. The Internet Options menu opens. Select the Security tab
4. Click on the Trusted Sites icon
5. Click the Sites button
6. Enter one of the URLs above, and click Add
7. Repeat for each URL above
8. Close the Internet Options menu when done.
Upgrading from v1.x
Adobe Sign for SharePoint v2.0 requires additional permissions to be approved via OAuth (webhooks and web form permissions).
Customers that are upgrading from v1.x must update their OAuth credentials to gain access to these new permissions:
1. Update the Adobe Sign add-in to the 2.x package
2. Update the connection to Adobe Sign:
The person who is both the Office Tenant Administrator and an Adobe Sign Account administrator must bring up the settings page for the sharepoint sign integration tenant.
- Bring up the integration settings
- In the “Connect Adobe Sign” panel:
- Click the Update button (next to Update your Office 365 tenant connection)
- Sign in with the same credentials as before
- The email address used for the original connection is displayed in the first paragraph
- Click the Update button (next to Update your Office 365 tenant connection)
- Close the settings by going back to SharePoint or refresh the window
All sites in the tenant which use the tenant connection should now be able to use web form features
注意:
It’s important to close or refresh the settings tab even if you want to immediately start setting up web form mappings after re-authentication with Adobe Sign.
Failure to refresh the settings window produces errors on the web forms tab until you do.
If the SharePoint Administrator and the Adobe Sign Account Administrator are different people, both need to collaborate to configure the solution.
For every site that uses the integration, the person who is both the SharePoint Administrator and an Adobe Sign administrator for that particular site must update the site connection for that site:
- Bring up the integration settings
- In the Connect Adobe Sign panel:
- Click the Update button next to Update your SharePoint site connection
- Sign in with the same credentials as before
- The email address used for the original connection will be displayed in the first paragraph
- Close the settings by going back to SharePoint or refresh the window
Once done, users of that particular site should be able to use web form features
注意:
It’s important to close or refresh the settings tab even if you want to immediately start setting up web form mappings after re-authentication with Adobe Sign.
Failure to refresh the settings window produces errors on the web forms tab until you do.
If the SharePoint Administrator and the Adobe Sign Account Administrator are different people, both need to collaborate to configure the solution.
Installation
注意:
It is not recommended to batch install the Adobe Sign for SharePoint Online add-in on multiple sites via tenant scoped deployment because of the following limitations.
To install the online edition of the Adobe Sign for SharePoint package:
1. Authenticate to the site
2. Navigate to: Site Contents > New > App
3. Click SharePoint Store
4. Search for Adobe Sign in the Find an app search box (top right of the page)
5. Single click the Adobe Sign icon to select it from the search results.
6. Click the ADD IT button to start the automatic installation
The App installation takes few minutes.
注意:
Once the package is installed, you can navigate to the Adobe Sign Settings page and access links for both this admin/configuration guide, as well as the User guide, and other Adobe Sign resources.
Configuration - Required
Once the application is installed, there are only two steps required to start sending agreements:
- Connect to Adobe Sign with OAuth
- Grant SharePoint user permissions
Connect to Adobe Sign with OAuth
Adobe Sign establishes an OAuth connection with your SharePoint environment to facilitate the seamless usage of the application for all users.
注意:
To establish the relationship, you must use an account-level admin in the Adobe Sign application as well as on SharePoint.
It is recommended that a functional email address be used (e.g.: AdobeSignAdmin@MyDomain.com) if possible to reduce the risk of the admin account being inactivated for any reason.
To establish the OAuth connection:
1. Navigate to the Adobe Sign Settings page
2. Click the Connect Adobe Sign tab
3. Select the scope that you want to install Adobe Sign:
► Establish SharePoint site connection (Site level - for the SharePoint site administrator)
• This functionality connects the add-in to an Adobe Sign account at the current SharePoint site level
1. Authenticate to Adobe Sign using your admin user credentials
2. Click Allow Access to approve the trusted relationship between Adobe Sign and SharePoint
○ A success message will briefly display once the connection is established
When you are successfully authenticated at the Site level, you see the email and name of the user that has authenticated to Adobe Sign above the two links.
- To update this connection, you have two options:
- Update to a different Adobe Sign Account at the site level (for SharePoint site admin)
- Switch to O365 tenant level connection (for O365 admin, see details below).
►Connect your SharePoint tenant to an Adobe Sign account (Tenant scope - for the O365 tenant admin only)
• No repetitive OAuth login is required at Adobe Sign for add-in instances connected in tenant scope
• Adobe Sign OAuth performed on any single add-in instance in the global scope sets the Sign linkage to all other installed instances linked in the tenant scope
○ OAuth must be performed on at least one tenant scoped add-in
• Any newly installed add-in instance is automatically connected to the Adobe Sign account available at the tenant scope
A confirmation box pops up indicating that you are about to link your tenant to your Adobe Sign account. This requires Microsoft Office 365 administrator login.
- Click Continue.
1. Authenticate to SharePoint using your admin user credentials
2. Click Accept to approve access to the SharePoint resources
3. Authenticate to Adobe Sign using your admin user credentials
4. Click Allow Access to approve the trusted relationship between Adobe Sign and SharePoint
○ A success message will briefly display once the connection is established
When you are successfully authenticated at the Tenant level, you see the email and name of the user that has authenticated to Adobe Sign above the two links, along with an assertion that the account is "configured for your SharePoint tenant by your Office 365 tenant administrator."
- To update this connection, you have two options: update to a different Adobe Sign Account at the tenant level or switch to site level connection.
注意:
If your SharePoint deployment has multiple sites, it is possible that one or more sites can be authenticated at the site level, but a tenant level authentication can exist as well.
If both types of authentication exist, and the Site you are configuring is authenticated at the Site level, a link is exposed that can promote the authentication to the Tenant level.
Grant SharePoint user permissions
There are two mechanisims to grant SharePoint users access to the Adobe Sign integration:
- Users with Edit permission
- Users in the default members/owners group
Users with Edit permission - "Seamless On-boarding"
Seamless on-boarding is the simplest configuration for adding users.
Any user assigned the default Edit permission level for your SharePoint site automatically has permission to access and use the Adobe Sign integration.
- If you used the admin.microsoft.com utilities to create your SharePoint site and assigned Owners, Members, and Visitors to the group, you are done
With the Users with Edit permission option enabled, any user that opens the Adobe Sign add-in (or uses any of its features), triggers a check of the user's permissions for the SharePoint site. If the user has a set of permissions recognized as typical of Editors, access is granted to the add-in.
The table below shows the list of all SharePoint permissions, the default permissions assigned to each permission level, and the required set of permissions to be recognized as a User (User Mask) or Admin (Admin Mask):
|
Permission | Reader | Contributor | User Mask | Editor | Admin Mask | Designer | Full Access |
|---|---|---|---|---|---|---|---|---|
| 3 | list: add items |  |
 |
|
 |
|
|
|
| 7 | list: Approve Items | |
|
|
||||
| 11 | list: Create Alerts | |
|
|
|
|
||
| 5 | list: delete items | |
|
|
|
|
||
| 10 | list: Delete Versions | |
|
|
|
|
||
| 4 | list: edit items | |
|
|
|
|
|
|
| 1 | list: manage lists | |
|
|
|
|||
| 8 | list: open items | |
|
|
|
|
|
|
| 2 | list: Override List Behaviors | |
|
|
||||
| 12 | list: view application pages | |
|
|
|
|
|
|
| 6 | list: view items |
|
|
|
|
|
|
|
| 9 | list: View Versions | |
|
|
|
|
|
|
| 32 | personal: Add/Remove Personal Web Parts | |
|
|
|
|
||
| 31 | personal: Manage Personal Views | |
|
|
|
|
||
| 33 | personal: Update Personal Web Parts | |
|
|
|
|
||
| 17 | site: add and customize pages | |
|
|||||
| 19 | site: Apply Style Sheets | |
|
|||||
| 18 | site: Apply Themes and Borders | |
|
|||||
| 21 | site: Browse Directories | |
|
|
|
|
||
| 25 | site: browse user information | |
|
|
|
|
|
|
| 20 | site: create groups | |
||||||
| 15 | site: create subsites | |
||||||
| 30 | site: edit personal user information | |
|
|
|
|||
| 24 | site: enumerate permissions | |
||||||
| 26 | site: manage alerts | |
||||||
| 13 | site: manage permissions | |
||||||
| 16 | site: manage web site | |
||||||
| 29 | site: open | |
|
|
|
|
|
|
| 28 | site: Use Client Integration Features | |
|
|
|
|
||
| 27 | site: use remote interfaces | |
|
|
|
|
|
|
| 22 | site: use self-service site creation | |
|
|
|
|
||
| 23 | site: view pages | |
|
|
|
|
|
|
| 14 | site: View Web Analytics Data | |
The number in the far left column is the order in which these permissions are displayed in the SharePoint UI.
Rows marked with are permissions assigned to the default role levels.
Rows marked with are permissions required to be recognized as a User or Admin by the Adobe Sign integration.
Rows marked with are required for correct functioning of the Admin features for the Adobe Sign integration.
-
-
Permissions and Permission Levels
SharePoint offers a set of 33 individual permissions that control a users ability to execute individual actions. To make the management of users permissions less cumbersome, SharePoint has the construct of Permission Levels – groups of individual permissions that can be assigned as a block to enable users to perform tasks according to traditional roles of use. Depending on the site template used to create the SharePoint site, there may be different permission roles defined, but the three essential permission levels are Full Control, Edit, and Read. These are the basis of the default access control SharePoint Groups.
A Site Admin can also define custom Permission Levels to support access for other roles
-
Groups
Users are afforded access to SharePoint sites by virtue of their membership in a SharePoint Group. That membership can be either direct or inherited.
1. SharePoint Groups
SharePoint Groups are simple collections of users and user-like groups that let you control access to a SharePoint site. Any member of the SharePoint group inherits the permissions assigned to the SharePoint Group.
In many ways a SharePoint Group is mostly an access control group.
When a SharePoint site is created, there are three SharePoint groups created using the Site Name. The groups are: <siteName> Owners, <siteName> Members, and <siteName> Visitors. The Owners group is assigned full control permission level to the SharePoint site and all sub sites and applications. The Members group is assigned the edit permission level to the SharePoint site and all sub sites and applications. The Visitors group is assigned the read permission level.
A Site Admin can also create a custom SharePoint group and assign that group any of the defined permission levels. This custom group is available to the Site Collection (this site and any sub-site).
Any member of one of these SharePoint groups inherits permissions afforded the group.
2. Office365 Groups
Office365 groups are more complex collections of users that control access to resources to enable collaboration. When creating a new Office365 group, an email address is created for the groups shared mailbox, a SharePoint site is created to store and organize the collaboration content, collaboration resources are allocated, and a Teams site can optionally be created to facilitate group communication. Office365 groups contain a list of Members and a list of Owners. Owners have the ability to manage the Office365 group. Members are given access to the resource that the Office365 group is assigned to.
In many ways, an Office365 Group is more of a collaboration organization than a traditional Group.
When a SharePoint site is created in the SharePoint admin center, or as part of creating a new Office365 group, a special Office365 group is created with the same name as the SharePoint site. This Office365 group is linked to the SharePoint groups that are created with the SharePoint site. The Owners of the Office365 group are added to the SharePoint Owners group. The Members of the Office365 group are added to the SharePoint Members group.
A SharePoint Admin can share the contents of the SharePoint site with another Office365 group. That group will have access to the SharePoint site and its functionality, but not the other resources, such as shared mailbox or Teams site, as the Office365 group created with the SharePoint site. Inviting an Office365 group to share the SharePoint site adds the Office365 group to the SharePoint Members group.
Sharing a SharePoint site with an Office365 group has the effect of making the Office365 group a member of one of the SharePoint (access control) Groups.
3. Azure Active Directory Security Groups
Azure Active Directory Security Groups (AD Security Groups) are collections of users and other AD Security groups that can be defined hierarchically and added to groups that manage access to resources (access control groups) to give members of the AD Security Group access to the controlled resources.
A SharePoint Admin can share the contents of the SharePoint site with an AD Security Group. That AD Security Group, and all the members of its contained AD Security Groups, will have access to the SharePoint site and its functions, but not the other resources, such as shared mailbox or Teams site, as the Office365 group that is created with the SharePoint site.
Sharing a SharePoint site with an AD Security Group has the effect of making the AD Security Group a member of one of the SharePoint (access control) Groups.
-
-
How does this new onboarding option Identify Users?
Rather than look for explicit group membership, when the Users with Edit permission feature is selected, the Adobe Sign add-in looks at the specific set of SharePoint permissions assigned to the user. If the user has the SharePoint permissions we require to be recognized as an Admin, the user allowed to use the administrative features of the add-in. If the user has the SharePoint permissions we require to be recognized as an add-in user, that user is allowed to use the regular features of the add-in.
The SharePoint permissions to be recognized as an administrator of the Adobe Sign add-in are included in the Full Control SharePoint permission level. The SharePoint permissions to be recognized as a user of the Adobe Sign add-in are include in the Edit SharePoint permission level.
-
Required User Permissions
To be recognized as an add-in user, the user must have the following SharePoint permissions. For lists the user must be able to Add Items, Edit Items, View Items, Open Items, and View Application Pages. For the Site the user must be able to View Pages, Browse User Information, Use Remote Interfaces, and Open the site.
-
Required Admin Permissions
To be recognized as an add-in administrator, the user must have the SharePoint permissions to be recognized as an add-in user, plus the following additional SharePoint permissions. For lists, the user must be able to Override List Behaviors, Delete Items, Approve Items, View Versions, and Delete Versions. For the Site the user must be able to Browse Directories. For personal settings the user must be able to Manage Personal Views, Add/Remove Personal Web Parts, and Update Personal Web Parts.
-
-
Will this new onboarding option support Office 365 Groups, AAD Security Groups, or SharePoint Default groups which I already set up?
Yes.
As long as your users can access the SharePoint site, and have been assigned to a SharePoint group with sufficient permissions to be recognized as an add-in user or admin, it doesn't matter the mechanism by which they are a member of the SharePoint group.
-
My users are in the right member groups (SharePoint group or Office365 group) but cannot use Adobe Sign. What should I do?
- Find from which SharePoint group the user has been granted access to the SharePoint site.
- Check that the permission level of that SharePoint contains the necessary minimum permissions to be recognized as an Adobe Sign add-in user or administrator.
When attempting to open the add-in, the user is presented with an error message that says: "You do not have required permission to use Adobe Sign."
This error is caused by the SharePoint permissions for the user not being correctly set. To solve the problem you need to first know how the user has been granted access to the SharePoint site and then either adjust the permissions, or add the user to a group with the correct permissions (or both).
-
Check SharePoint group membership and Permission Level
- Sign into the SharePoint site as a Site Admin.
- From the gear menu, choose Site Permissions.
- From the Permissions panel click the Advanced permissions settings link
- From the PERMISSIONS command bar, click Check Permissions and type the email address of the problematic user in the dialog.
This shows you the user's permission level, and which SharePoint Group has granted that permission level.
-
Adjust the Edit Permission Level to include the minimum required permissions
From the Permissions list, click the Advanced permissions settings link, then click the Permission Levels option from the PERMISSIONS tab.
From the list of permission levels, select the Edit level to display the list of permissions included in the Edit Permission level. Make sure the Edit Permission Level includes the permissions underlined in yellow in the image below.
Specifically, for lists the user must be able to Add Items, Edit Items, View Items, Open Items, and View Application Pages. For the Site the user must be able to View Pages, Browse User Information, Use Remote Interfaces, and Open the site.
Users in the default members/owners group (with Edit permission)
If you require more control over who may use the Adobe Sign for SharePoint integration, this option grants access to only those users who are direct members of the <site name> Members SharePoint group.
- If you set up your SharePoint site using the modern experience, an Office365 group was created to manage your site's permissions
- That Office365 group is added as a member to the SharePoint group of the same name allowing access to be controlled from a central place.
- Adding users to the SharePoint site using the modern experience adds members to the Office365 group, not to the SharePoint group.
To add members to the SharePoint site using the modern experience:
- Open the settings panel from the gear menu on the top bar
- Select Site permissions
- This opens a new right-hand Permissions panel
- Click the Advanced permissions link
注意:
Using the Invite people button to invite people to the SharePoint site will not grant them access to the Adobe Sign Integration.
- Click on the name link for the <site name> Members group to see the members of the SharePoint Site Members group.
- Click the New button to get the dialog to add new members to the SharePoint group
When you are done the new member of the SharePoint group will be displayed in the list of members.
注意:
Once users are added to the groups, there may be several minutes delay for the Microsoft servers to properly sync up. This does not impact further configuration, but user testing/usage should be suspended during this window.
Configuration - Optional
The following optional configurations, while not required, can greatly improve the value that Adobe Sign brings.
Choose signed agreement storage
As an administrator, you can define a global target folder where all completed agreements will be deposited for the whole site. This is configured on the Signed File Settings page.
When a global storage folder is defined, all signed agreement and audit trail PDF files are saved automatically in that global storage folder. This includes agreements sent from document libraries as well as lists.
If no global storage folder is set on the Adobe Sign Signed Files Settings page, a new folder called Signed Agreements is automatically created in the document library from which the Agreement was created/sent. All completed Agreements sent from the same library have the completed PDFs returned to the same Signed Agreements folder.
Agreements sent from lists are attached to the list item (as attachments) if no global default file is identified.
Agreement storage for web forms
If you are using web forms to collect data, a similar storage process can be employed for the signed web form agreements.
The admin can define a global storage folder for all signed web forms.
If a global repository is not defined, the signed web form is stored in an automatically created folder called Signed Web Forms.
Enable audit trails
By default, Adobe Sign returns only the signed agreement PDF. However, if you enable Store audit trail with signed agreement, a second PDF is returned that contains the full Audit Trail for the agreement.
Template Mapping
Adobe Sign supports the idea of relating data between SharePoint Lists and the Agreement form fields.
By using workflows and mapping the list fields to the form fields, you can automatically pre-fill documents before sending, reducing the time for senders and/or signers to complete the form, and reducing the chance for miskeying the data.
Conversely, you can also create a mapping that extracts the form field data from a signed Agreement, to populate a SharePoint list.
The full guide for configuring template mappings can be found here.
Web form mapping
Similar to Template Mapping, Adobe Sign supports the idea of relating data between Adobe Sign web form agreements and SharePoint lists.
By mapping the web forms’ form fields to the SharePoint list columns, you can automatically route data to SharePoint, reducing the time and errors for miskeying the data.
The full guide for configuring web forms mappings can be found here.
注意:
Web form template mapping is only available to Adobe Sign for SharePoint Online v2.0+ installations.
Earlier versions must upgrade to gain access to this featrue.
登录到您的帐户