Applies to: Office 365
This article describes the NITRO components that can work directly with AD security groups, along with the unsupported cases.
Microsoft SharePoint supports granting permissions at site/list/item level to security groups directly without needing to use SharePoint groups. NITRO works on top of SharePoint, so NITRO does not need any special integration for working with standard SharePoint features.
The following NITRO-specific features can work directly with AD groups, as well as with SharePoint groups and direct users:
- NITRO Forms
  - Tab/column permissions
  - Submit actions permissions
- NITRO custom actions
  - Permissions
- NITRO Security Settings
  - Automatically redirect selected users to different site
Whenever a form, custom action, etc. needs to work with Active Directory groups, we need to grant permissions to “Crow Canyon Azure AD API”. This lets NITRO read the AD groups and their members and check whether the logged-in user is allowed to perform the operation.
Steps: Go to Site Settings -> Crow Canyon NITRO Site Settings, expand “Azure Active Directory Connection Settings”, and select “Grant Permissions” as shown below.
The “Allow Crow Canyon Azure AD API to read from Azure Active Directory” permission is sufficient for working with permissions in NITRO components.
NITRO Forms
We can configure permissions on different NITRO Forms components such as ‘Tabs/sections’, ‘columns’, and ‘actions (submit actions, custom actions, script action)’. All these components have similar settings, shown below.
- The “When to apply this permission” -> “If logged in user:” -> “In Users/Groups” setting supports the scenarios below.
  - Grant permissions to direct user(s)
  - Grant permissions to direct security group(s) from AD
  - Grant permissions to SharePoint groups that have direct users as members
  - Unsupported scenario
    - SharePoint group(s) that have AD security groups as members
- The “When to apply this permission” -> “If logged in user:” -> “In Column” setting supports the scenarios below.
  - Grant permissions to direct user(s) saved in the selected column on the item.
  - Grant permissions to direct SharePoint group(s) saved in the selected column on the item, where that SharePoint group has direct users as members.
  - Grant permissions to direct AD security group(s) saved in the selected column on the item.
    - For this to work, we need to enable the “Load Current User AD Groups” property in “Extended Settings”, under the ‘advanced’ section on the left side panel of the NITRO Form designer, as shown below.
    - This is a separate setting so that the logged-in user’s AD group memberships are not loaded when they are not required, which improves form performance.
  - Unsupported scenario
    - SharePoint group(s) saved in the selected column on the item, where that SharePoint group has AD security group(s) as members.
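The unsupported scenario above (a SharePoint group that has AD security groups as members) can be checked for ahead of time. This added example is not part of the original article or Crow Canyon's code: it scans a constructed response shaped like the SharePoint REST call `/_api/web/sitegroups?$expand=Users` and reports SharePoint groups that contain AD security groups (PrincipalType 4). The group names, login names and the `auditSiteGroups` and `formatReport` helpers are assumptions made for illustration.

```javascript
// PrincipalType values used by the SharePoint REST API.
const PRINCIPAL_USER = 1;
const PRINCIPAL_SECURITY_GROUP = 4;

// Constructed sample shaped like GET /_api/web/sitegroups?$expand=Users
// (Accept: application/json;odata=nometadata). All names and IDs are made up.
const sampleResponse = {
  value: [
    { Id: 5, Title: "Helpdesk Owners", Users: [
      { Title: "Alice Example", LoginName: "i:0#.f|membership|alice@contoso.example", PrincipalType: 1 },
    ] },
    { Id: 6, Title: "Helpdesk Staff", Users: [
      { Title: "Bob Example", LoginName: "i:0#.f|membership|bob@contoso.example", PrincipalType: 1 },
      { Title: "SG-Helpdesk", LoginName: "c:0t.c|tenant|00000000-0000-0000-0000-000000000001", PrincipalType: 4 },
    ] },
    { Id: 7, Title: "Helpdesk Visitors", Users: [] },
  ],
};

// Returns one finding per SharePoint group that contains an AD security group,
// which is the combination the article lists as unsupported.
function auditSiteGroups(response) {
  const findings = [];
  for (const group of (response && response.value) || []) {
    const members = group.Users || [];
    const nested = members.filter((m) => m.PrincipalType === PRINCIPAL_SECURITY_GROUP);
    if (nested.length === 0) continue;
    findings.push({
      sharePointGroup: group.Title,
      nestedAdGroups: nested.map((m) => ({ title: m.Title, loginName: m.LoginName })),
      directUsers: members.filter((m) => m.PrincipalType === PRINCIPAL_USER).length,
    });
  }
  return findings;
}

// One line per finding, suitable for a review ticket or change log.
function formatReport(findings) {
  if (findings.length === 0) return ["No SharePoint group contains an AD security group."];
  return findings.map((f) =>
    `${f.sharePointGroup}: contains AD group(s) ${f.nestedAdGroups.map((g) => g.title).join(", ")}; ` +
    `${f.directUsers} direct user(s)`);
}

console.log(formatReport(auditSiteGroups(sampleResponse)).join("\n"));
```

For each group reported, either reference the AD security group directly in the NITRO permission setting or add the intended people to the SharePoint group as direct users, since those are the scenarios listed as supported.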
NITRO Custom Actions
We can configure permissions on NITRO custom actions to allow/restrict selected user(s) from executing the custom action using the “Conditions” setting shown below.
We can also configure branches using the “Gateway” control, available under the “Events and Controls” section shown below, which also has the permissions setting.
These components have the same permissions settings as those described in the NITRO Forms section earlier in this article.
The supported and unsupported scenarios are the same as in the NITRO Forms cases.
For the “Grant permissions to direct AD security group(s) saved in the selected column on the item” case, we need to enable the “Load Current User AD Groups” checkbox in the action settings dialog shown below.
NITRO Security Settings
We can use NITRO Security Settings to allow a logged-in user to access a site or to redirect them to a different site.
Steps: Go to Site Settings -> Crow Canyon NITRO Site Settings, expand “Security Settings”, and configure as shown below.
To use direct AD security group(s) in this setting, we need to grant permissions to “Crow Canyon Azure AD API”, as mentioned in the description section of this article.