Section 508 of the 1998 Amendment to the Rehabilitation Act covers accessibility for systems in the United States Federal sector, including systems developed, maintained, used, or procured by US Federal agencies. It mandates that agencies must provide appropriate and comparable access to information to persons with disabilities, including both employees and members of the public.

Exemptions include systems for military command, weaponry, intelligence and cryptologic activities. In these cases we would expect accessibility to be addressed through personnel controls, such as ensuring that staff members meet the standard military health and fitness checks. (In military engineering practice, the study of accessibility falls within what is called "Human Factors", which tends to look at the question more broadly, considering things such as system usage under severe stress.)

The amendment notes the following types of systems:

  • Software applications and Operating Systems
  • Web-based Intranet and Internet Information and Applications
  • Telecommunications Products
  • Video or Multimedia Products
  • Self-contained, closed products
  • Desktop and portable computers

Alternative means

Section 508 allows "alternative means" of providing information and data to be used when meeting the standard would impose an undue burden. Agencies may wish to conduct a risk/cost/benefit analysis of these provisions. For example, it may be more cost-effective to provide a physical, hard copy of information on request than to take on the effort and risk involved in tailoring complicated legacy systems.

Section 508 Compliance with SharePoint

SharePoint is a web-based application, and so accessibility compliance is often assessed against:

  1. The technical standards listed in Section 508 (http://www.section508.gov/index.cfm?FuseAction=Content&ID=12#Web). In general SharePoint achieves partial compliance with these requirements; and
  2. The standards defined by the W3C. (The W3C is a consortium formed of a wide range of federal and private sector bodies, including Microsoft, IBM, and Adobe.) The most relevant of these standards is the W3C's Web Content Accessibility Guidelines (WCAG) version 1.0. Unfortunately the web pages that SharePoint generates are not compliant with these guidelines, and fall short of web development best practice by a large margin. Microsoft appear to be addressing this in the next version of SharePoint, but for the moment tailoring SharePoint requires substantial development effort, or the use of third-party products.

Section 508 compliance can be achieved with SharePoint, but doing so typically requires substantial development effort, or the use of third-party products. Of particular concern in SharePoint are its use of a number of ActiveX browser plugin controls, its non-compliant markup, and its overdependence on client-side scripting.

Voluntary Product Accessibility Template (VPAT)

Vendors have created VPATs to indicate the accessibility of their own products against the criteria defined in Section 508. Microsoft provides VPATs for its products (http://www.microsoft.com/industry/government/products/section508.mspx), including Microsoft Office SharePoint Server Enterprise Edition (http://download.microsoft.com/download/c/2/3/c23bc250-5f80-4d0c-a29d-877355ff91e8/Microsoft%20Office%20Sharepoint%20Server%202007%20(Enterprise)%20VPAT.doc). Other products, including SQL Server 2008, SharePoint Designer, and Internet Explorer, are also covered.

Third party software options

A number of vendors have produced products aimed at improving SharePoint accessibility and compliance.

Accessibility Kit for SharePoint v2.0 

HiSoftware has produced a framework product called the "Accessibility Kit for SharePoint". It is said by vendor HiSoftware to "significantly reduce the time, knowledge, and effort required to implement a SharePoint-based Web site that conforms to the World Wide Web Consortium’s (W3C) Web Content Accessibility Guidelines 1.0 Priority 1 and 2 checkpoints, which are collectively known as WCAG 1.0 AA. The AKS can also be used to address the exceptions that have been identified in the U.S. government’s Section 508 of the Rehabilitation Act’s Voluntary Product Accessibility Template or VPAT documents for MOSS 2007."

The Accessibility Kit provides a number of artefacts that are useful in developing compliant content.

Telerik RAD Editor

The company Telerik produces a text editor that plugs into SharePoint, replacing its page-content-editor control. The Telerik RAD editor can produce WCAG-compliant output.

Custom development

It is possible to develop a more compliant system by re-developing a number of SharePoint assets. One of these is the minimal master page template, upon which developers can build a relatively WCAG-compliant page layout. A number of artefacts, including master pages, page layouts, and content, need to be considered when developing accessible sites in SharePoint.

The skillset required of developers to do this includes skills in HTML, CSS, XML, XSLT, SharePoint control adapters, ASP.NET web controls, and ASP.NET master pages. This can be a broad set of skills, and may require roles to be filled by multiple specialised individuals.

We recommend incorporating accessibility testing into development and system assessment activities.

SharePoint 2010

We anticipate Accessibility and browser compatibility improvements in SharePoint 2010.

Recommendations

  • Assess third-party add-ons to address accessibility concerns;
  • Establish alternative means of accessing information (for example, printed copies of key documents);
  • Train developers in web accessibility;
  • Test SharePoint deployments with web accessibility software such as screen readers;
  • Monitor the market and future versions of SharePoint for improved compliance.

Microsoft have just released a "sneak peek" into the new features coming with SharePoint 2010 at http://sharepoint.microsoft.com/2010/Sneak_Peek/Pages/Overview-Video.aspx.

We couldn't see any new security-related information on the site. We expect that SharePoint will retain its existing role-based access control model, using SharePoint groups. We anticipate improvements to forms-based authentication (FBA) but have not seen any public information about this. Claims-based authentication as provided by "Geneva" is likely to be included, but in a manner that simply inserts users into standard SharePoint groups based on claims. Fine-grained or rules-based authorization is not addressed and is unlikely to change.

Anyway, the feature highlights include:

  • New user interface including the new Ribbon - MS are moving the SharePoint user interface to the standard Ribbon-based interface as delivered with Office 2007. Microsoft is clearly not turning away from this.
  • Web edit - an "in place editing" feature, as is common with a number of open source and other content management systems. Experience from other systems has shown that this style of user interaction fosters more input from users, but can get confusing when workflow and approval processes are introduced.
  • Silverlight web part - for easily adding Silverlight solutions in to SharePoint.
  • Rich theming - provides a number of "office-like" themes, just like in Word.
  • Multiple Browser support - including Internet Explorer, Firefox and Safari. No word on Opera compatibility nor whether Silverlight is mandatory.
  • Visio Services - used for rendering Visio diagrams, just as Excel Services renders Excel spreadsheets. MS mentions that the diagrams may be "data linked", which we take to mean that they may serve to present SharePoint data and processes.
  • SharePoint Designer - provides a new UI and improved designer/developer workflows. No word on whether it will be able to author more advanced workflows than provided for in 2007.
  • SharePoint workspace - Groove has been renamed. Will continue to incorporate offline-online synchronisation and other capability. No word on changes to the security model.
  • Streamlined central administration - a better arranged and organised central administration site. The 2007 Central Administration site is quite unwieldy and difficult to navigate due to the large number of links.
  • Best practices analyzer - no surprises here as Microsoft provide this for a range of products. This one includes a "problem and solutions" page in central administration.
  • Usage reporting and Logging - provides consolidated logs, which will aid audit, management and other tasks. SharePoint 2007 has strong logging and usage reporting capabilities, but they are not very well consolidated, resulting in a high management overhead.
  • Large list resource throttling - allows performance management of "large lists" of thousands to millions of items. It's not clear, but might be the case, that this uses normal SQL tables for lists rather than the "one size fits all" table structure used by 2007.
  • Unattached content database recovery - allows temporary use of content databases, which will be useful for restore and recovery purposes.
  • Visual upgrade -  allows migration from 2007 to 2010 while retaining the 2007 theme and UI. This is likely to ease the impact of upgrade, especially in regard to training and change management overhead.

For developers

  • Visual Studio 2010 SharePoint tools - including a new web part designer and a new designer for "Business Connectivity Services", which replaces the Business Data Catalog (BDC) in 2007.
  • LINQ for SharePoint - provides strongly typed access to SharePoint lists, which will reduce developer time and effort. It indicates that SharePoint lists will move towards a more SQL-like table structure, even if only in querying and not in persistence.
  • Developer dashboard - provides centralised usage and debugging information. In 2007 debugging often requires manually attaching to the w3wp.exe process, resulting in an inefficient, manual process.
  • Business Connectivity Services - replaces the Business Data Catalog and provides read and write access to line-of-business applications. MS also hint at offline capability.
  • Client Object Model - appears to be used to implement client-side applications (i.e. Rich Internet Applications), which will provide a better offline or disconnected user experience, and also a more interactive UI.

Other things of note:

  • Video editing capability in PowerPoint 2010.
  • Visio adapted to web.

The Australian standard AS/NZS 4360:2004 Risk Management provides a description of a versatile and widely-applied risk management approach. It defines risk as

"…the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence."

The standard is based on an iterative process, centered around the following steps:

  • Establish Goals & Context
  • Identify Risks
  • Analyse Risks
  • Evaluate Risks
  • Treat Risks

The standard also recommends that the processes of Stakeholder Consultation and Communication, and Monitor & Review, be undertaken in parallel with these activities, both informing and informed by them.

[Figure 1: The AS 4360 Risk Management standard process - diagram of the generic AS risk management process]

This is a generic process framework. We outline an example implementation of this framework below.

Establish Goals and Context

What are the broader strategic goals of the organisation? What part does this project play in achieving these goals? Who are the relevant stakeholders, both internal and external? What is the general risk management approach of the organisation?  What resources does the organisation have available to treat risks?

Identify Risks

What events could occur? What are the sources of these events?

Assess Risks

How likely are the identified risks to occur? What would be the consequence if they did occur, as constrained by the existing environment and controls? What is the resultant level of risk (Likelihood multiplied by Consequence)?

Treat Risks

Are each of these risks acceptable? How shall they be treated? How will treatment be planned and managed?
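
The assessment, evaluation and treatment steps above expressed as a small risk register, as an added example that is not part of the original page. The five-point rating scales, the tolerance threshold, the treatment decision rule and the sample risks are all constructed for illustration; AS/NZS 4360 leaves the scales and tolerances to the organisation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Five-point rating scales (constructed for this example; the standard leaves
// the choice of scales to the organisation).
public enum Likelihood { Rare = 1, Unlikely = 2, Possible = 3, Likely = 4, AlmostCertain = 5 }
public enum Consequence { Insignificant = 1, Minor = 2, Moderate = 3, Major = 4, Catastrophic = 5 }
public enum Treatment { Accept, Reduce, Transfer, Avoid }

// One entry in the register: the output of the "Identify" and "Analyse" steps.
public class Risk
{
    public string Id { get; set; }
    public string Event { get; set; }            // what could happen
    public string Source { get; set; }           // where it could come from
    public string ExistingControls { get; set; } // the environment the consequence is assessed against
    public Likelihood Likelihood { get; set; }
    public Consequence Consequence { get; set; }

    // Level of risk = Likelihood multiplied by Consequence (range 1..25).
    public int Level { get { return (int)Likelihood * (int)Consequence; } }
}

public class RiskRegister
{
    private readonly List<Risk> risks = new List<Risk>();
    private readonly int tolerance; // highest Level the organisation accepts untreated

    public RiskRegister(int tolerance) { this.tolerance = tolerance; }

    public void Identify(Risk risk) { risks.Add(risk); }

    // "Evaluate": compare the analysed level with the organisation's tolerance.
    public bool IsAcceptable(Risk risk) { return risk.Level <= tolerance; }

    // Risks that need treatment, highest level first, so the treatment plan is
    // worked in priority order.
    public IEnumerable<Risk> RequiringTreatment()
    {
        return risks.Where(r => !IsAcceptable(r)).OrderByDescending(r => r.Level);
    }

    // A constructed decision rule for the "Treat" step: consequence drives the
    // choice more than likelihood, since likelihood is what controls reduce.
    public Treatment SuggestTreatment(Risk risk)
    {
        if (IsAcceptable(risk)) return Treatment.Accept;
        if (risk.Consequence == Consequence.Catastrophic) return Treatment.Avoid;
        if (risk.Consequence >= Consequence.Major && risk.Likelihood <= Likelihood.Unlikely) return Treatment.Transfer;
        return Treatment.Reduce;
    }
}

public static class Program
{
    public static void Main()
    {
        RiskRegister register = new RiskRegister(6);

        // Constructed sample risks for a document-management deployment.
        register.Identify(new Risk { Id = "R1", Event = "Sensitive documents read by staff outside the owning team",
            Source = "Over-broad group membership", ExistingControls = "Site-level permissions only",
            Likelihood = Likelihood.Likely, Consequence = Consequence.Major });
        register.Identify(new Risk { Id = "R2", Event = "Content database lost",
            Source = "Storage failure", ExistingControls = "Nightly backups, tested restores",
            Likelihood = Likelihood.Rare, Consequence = Consequence.Major });
        register.Identify(new Risk { Id = "R3", Event = "Site theme renders poorly in one browser",
            Source = "Non-standard markup", ExistingControls = "None",
            Likelihood = Likelihood.Likely, Consequence = Consequence.Insignificant });

        foreach (Risk r in register.RequiringTreatment())
            Console.WriteLine("{0} level {1,2} -> {2}: {3}", r.Id, r.Level, register.SuggestTreatment(r), r.Event);
    }
}
```

With a tolerance of 6, only R1 (level 16) is listed for treatment; R2 and R3 both score 4 and stay within tolerance, which is the "Evaluate" step doing its job of separating what needs work from what is merely recorded and monitored.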

Example implementation

Risk Management Approach to SharePoint

TBD. Coming soon.

Using SharePoint for Risk Management

TBD. Coming soon.

SharePoint and associated components produce a large number of logs.

  • Audit Logging

SharePoint audit logging does not capture the MachineIP and MachineName columns (http://support.microsoft.com/kb/939246). Microsoft states that this is by design: "The values in the MachineIP column and in the MachineName column appear as NULL because of privacy concerns."

  • Item version history

SharePoint lists can be configured to capture each version of an item, and optionally a comment indicating what has changed between versions.

  • Custom developer logging through SPAuditEvent

SPAuditEvent gives developers the ability to write custom audit log entries, using the SPAuditMaskType enumeration to categorise events.

  • Diagnostic logging

Diagnostic logging provides "trace logs", which are written to the LOGS folder of the 12 hive (that is, C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\LOGS).

  • IIS Logging

IIS can also be configured to produce logs. Being a lower-level component than SharePoint, it tends to capture lower-level detail, such as the requested URL, the user's IP address and username, and so on, but without the ability to 'understand' these details.

  • SQL Server Logs

SQL Server itself can log interactions as well, writing to the server's event log among other places. For deep, fine-grained logging and auditing, the SQL Server transaction logs have the most detail, but there does not appear to be any easy way to read this information.
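
Because the IIS logs hold the client address and username that SharePoint's own audit log does not record, they are the usual place to look when activity has to be tied to a source address. The following is an added example, not code from the original page: a C# parser for the W3C extended log format IIS writes, which locates columns from the `#Fields:` directive and summarises requests and access failures (HTTP 401/403) per client address. The log lines are constructed for the example and represent no real traffic.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public class ClientActivity
{
    public string ClientIp { get; set; }
    public HashSet<string> Users { get; private set; }
    public int Requests { get; set; }
    public int AccessFailures { get; set; } // sc-status 401 or 403
    public ClientActivity() { Users = new HashSet<string>(); }
}

public static class IisLogSummary
{
    // Constructed sample of an IIS W3C extended log (not real traffic).
    public static readonly string[] SampleLog =
    {
        "#Software: Microsoft Internet Information Services 7.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
        "2009-07-14 09:12:01 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 80 CORP\\alice 10.0.1.17 Mozilla/4.0 200 0 0 312",
        "2009-07-14 09:12:09 10.0.0.5 GET /sites/finance/Shared%20Documents/budget.xlsx - 80 CORP\\alice 10.0.1.17 Mozilla/4.0 200 0 0 120",
        "2009-07-14 09:13:40 10.0.0.5 GET /sites/hr/Lists/Salaries/AllItems.aspx - 80 - 10.0.2.44 Mozilla/4.0 401 2 5 15",
        "2009-07-14 09:13:41 10.0.0.5 GET /sites/hr/Lists/Salaries/AllItems.aspx - 80 CORP\\bob 10.0.2.44 Mozilla/4.0 403 0 0 31",
        "2009-07-14 09:13:45 10.0.0.5 GET /sites/hr/Lists/Payroll/AllItems.aspx - 80 CORP\\bob 10.0.2.44 Mozilla/4.0 403 0 0 28",
        "2009-07-14 09:13:50 10.0.0.5 GET /sites/hr/Lists/Contracts/AllItems.aspx - 80 CORP\\bob 10.0.2.44 Mozilla/4.0 403 0 0 30",
    };

    // Summarise per client address. Column positions are taken from the #Fields
    // directive, so the parser copes with whatever field selection IIS is
    // configured to write.
    public static Dictionary<string, ClientActivity> Summarise(IEnumerable<string> lines)
    {
        var result = new Dictionary<string, ClientActivity>();
        Dictionary<string, int> columns = null;

        foreach (string line in lines)
        {
            if (line.StartsWith("#Fields:"))
            {
                string[] names = line.Substring("#Fields:".Length).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                columns = new Dictionary<string, int>();
                for (int i = 0; i < names.Length; i++) columns[names[i]] = i;
                continue;
            }
            if (line.StartsWith("#") || columns == null) continue; // other directives, or data before a header

            string[] fields = line.Split(' ');
            if (fields.Length < columns.Count) continue; // truncated line

            string ip = fields[columns["c-ip"]];
            string user = fields[columns["cs-username"]];
            int status = int.Parse(fields[columns["sc-status"]]);

            ClientActivity activity;
            if (!result.TryGetValue(ip, out activity))
            {
                activity = new ClientActivity { ClientIp = ip };
                result[ip] = activity;
            }
            activity.Requests++;
            if (user != "-") activity.Users.Add(user); // "-" means anonymous / not yet authenticated
            if (status == 401 || status == 403) activity.AccessFailures++;
        }
        return result;
    }

    // Clients whose access failures reach a threshold: a starting point for
    // review, to be read alongside SharePoint's own audit log.
    public static IEnumerable<ClientActivity> RepeatedAccessFailures(Dictionary<string, ClientActivity> summary, int threshold)
    {
        return summary.Values.Where(a => a.AccessFailures >= threshold).OrderByDescending(a => a.AccessFailures);
    }

    public static void Main()
    {
        var summary = Summarise(SampleLog);
        foreach (ClientActivity a in RepeatedAccessFailures(summary, 3))
            Console.WriteLine("{0}: {1} requests, {2} access failures, users: {3}",
                a.ClientIp, a.Requests, a.AccessFailures, string.Join(", ", a.Users.ToArray()));
    }
}
```

On the sample, 10.0.2.44 is reported with four requests and four access failures (one anonymous 401 followed by three 403s as CORP\bob), while 10.0.1.17 has no failures and is not listed. The IIS log says nothing about which list items were involved beyond the URL; for that, the SharePoint audit log has to be consulted.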

Reporting

SharePoint provides an interface for generating and running reports against its audit logging functionality.
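
The audit logging, custom SPAuditEvent and reporting capabilities described above, as one added C# example that is not code from the original page. It assumes the SharePoint 2007 server object model (Microsoft.SharePoint.dll), execution on a farm server by an account with rights to change audit settings, and a placeholder site URL and list name. The calls used (SPAudit.AuditFlags and WriteAuditEvent, SPAuditQuery, SPAudit.GetEntries, SPAuditEntry) are the 2007 audit API; the event source name and event data are constructed values.

```csharp
using System;
using System.Text;
using Microsoft.SharePoint;

public static class AuditExample
{
    // Turn on auditing for a list and record a custom, application-level entry
    // against one of its items. SPAuditMaskType selects which built-in actions
    // SharePoint records on its own.
    public static void AuditListAndWriteCustomEntry(SPListItem item, string eventSource, string eventData)
    {
        SPList list = item.ParentList;
        list.Audit.AuditFlags = SPAuditMaskType.View | SPAuditMaskType.Update
                              | SPAuditMaskType.Delete | SPAuditMaskType.SecurityChange;
        list.Audit.Update();

        // Custom entries are stored with the built-in ones and come back from the
        // same queries; eventData is free text, so keep it structured (e.g. XML).
        item.Audit.WriteAuditEvent(SPAuditEventType.Custom, eventSource, eventData);
    }

    // Pull the audit trail for one item over a date range as tab-separated text,
    // the raw material of a report. MachineIP and MachineName are NULL by design
    // (KB 939246), so they are deliberately not included; client addresses have
    // to come from the IIS logs instead.
    public static string ReportForItem(SPSite site, SPListItem item, DateTime from, DateTime to)
    {
        SPAuditQuery query = new SPAuditQuery(site);
        query.RestrictToListItem(item);
        query.SetRangeStart(from);
        query.SetRangeEnd(to);

        StringBuilder report = new StringBuilder();
        report.AppendLine("Occurred\tUser\tEvent\tSource\tLocation\tData");
        foreach (SPAuditEntry entry in site.Audit.GetEntries(query))
        {
            report.AppendLine(string.Join("\t", new string[]
            {
                entry.Occurred.ToString("u"),
                ResolveUser(site, entry.UserId),
                entry.Event.ToString(),
                entry.SourceName ?? entry.EventSource.ToString(),
                entry.DocLocation,
                entry.EventData ?? string.Empty
            }));
        }
        return report.ToString();
    }

    // UserId is a site-collection user id; a user removed since the event was
    // recorded will not resolve, so fall back to the raw id rather than fail.
    private static string ResolveUser(SPSite site, int userId)
    {
        try { return site.RootWeb.SiteUsers.GetByID(userId).LoginName; }
        catch (SPException) { return "user#" + userId; }
    }

    public static void Main()
    {
        // Placeholder site URL and list name: substitute your own.
        using (SPSite site = new SPSite("http://intranet.example/sites/finance"))
        using (SPWeb web = site.OpenWeb())
        {
            SPListItem item = web.Lists["Shared Documents"].Items[0];
            AuditListAndWriteCustomEntry(item, "BudgetApp", "<action>exported</action>");
            Console.Write(ReportForItem(site, item, DateTime.Now.AddDays(-7), DateTime.Now));
        }
    }
}
```

Two points worth noting when building reports this way: audit entries are retained in the content database and grow with every audited view, so the audit flags should be set to what the retention plan can carry; and because the user is resolved from the site collection's user list at report time, a report produced after a user has been removed shows only the numeric id, which is why the report should be generated and archived close to the events it covers.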

Log consolidation

SharePoint does not make any attempt to consolidate the above logs. Generally, it is assumed that the audit logging capability is sufficient for most needs. Should this not be the case - perhaps in the case of establishing evidence for court - separate consolidation and analysis activities will be required.

SharePoint provides an interface called ISecurableObject. This interface is implemented by the SharePoint SPList, SPListItem, and SPWeb classes.

Four methods are provided:

  • BreakRoleInheritance() - detaches the item's RoleAssignments from those of its parent, allowing you to give a resource its own Access Control List permissions;
  • CheckPermissions() - checks if a user can execute a particular action against the object, throwing an exception if not allowed;
  • DoesUserHavePermissions() - checks if a user can execute a particular action against the object, returning true or false; and
  • ResetRoleInheritance() - 'reattaches' the item's permissions to those of its parent, effectively resetting and throwing away any custom permissions applied to the object.

In addition to these methods, a number of public properties are provided. The most useful are these:

  • RoleAssignments - provides a RoleAssignmentCollection detailing which Principals have been assigned which Roles on the resource.
  • FirstUniqueAncestor - determines which of the resource's parent objects is the first to have role inheritance broken.
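
The four methods and two properties above in use, as an added C# example that is not code from the original page. It assumes the SharePoint 2007 server object model, a caller holding Manage Permissions on the list, and uses HasUniqueRoleAssignments, SPRoleAssignment and SPRoleDefinitionCollection.GetByType, which are part of the same API although the page does not name them.

```csharp
using System;
using System.Text;
using Microsoft.SharePoint;

public static class ItemPermissions
{
    // Give one item its own ACL holding a single Read grant. Breaking inheritance
    // only needs to happen once, so check first; passing false means the parent's
    // role assignments are not copied into the new ACL.
    public static void RestrictToReader(SPListItem item, SPPrincipal principal)
    {
        if (!item.HasUniqueRoleAssignments)
            item.BreakRoleInheritance(false);

        SPRoleAssignment assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(item.Web.RoleDefinitions.GetByType(SPRoleType.Reader));
        item.RoleAssignments.Add(assignment);
    }

    // Undo the above: discard the item's own ACL and inherit from the parent again.
    public static void RevertToParent(SPListItem item)
    {
        if (item.HasUniqueRoleAssignments)
            item.ResetRoleInheritance();
    }

    // DoesUserHavePermissions answers true/false for the current user, which
    // suits code that branches (e.g. hiding an edit control).
    public static bool TryUpdateTitle(SPListItem item, string newTitle)
    {
        if (!item.DoesUserHavePermissions(SPBasePermissions.EditListItems))
            return false;
        item["Title"] = newTitle;
        item.Update();
        return true;
    }

    // CheckPermissions throws UnauthorizedAccessException instead, which suits
    // code where a failed check must stop the operation outright.
    public static void UpdateTitleOrThrow(SPListItem item, string newTitle)
    {
        item.CheckPermissions(SPBasePermissions.EditListItems);
        item["Title"] = newTitle;
        item.Update();
    }

    // Describe where an item's effective ACL is defined and what it contains.
    // FirstUniqueAncestor is the nearest object up the tree (item, list, web)
    // with inheritance broken, which is where a reviewer should look.
    public static string Describe(SPListItem item)
    {
        StringBuilder sb = new StringBuilder();
        ISecurableObject source = item.HasUniqueRoleAssignments ? (ISecurableObject)item : item.FirstUniqueAncestor;
        sb.AppendLine("Permissions defined on: " + source.GetType().Name);
        foreach (SPRoleAssignment ra in source.RoleAssignments)
        {
            sb.Append(ra.Member.Name).Append(": ");
            foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings)
                sb.Append(rd.Name).Append(' ');
            sb.AppendLine();
        }
        return sb.ToString();
    }
}
```

Items with broken inheritance are easy to lose track of, since nothing in the parent list indicates that a child has its own ACL; Describe() is the kind of routine to run across a list when reviewing who can reach what, and RevertToParent() is the clean-up when an item's special-case permissions are no longer needed.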
