Monday 21 December 2015

How to allow READ ONLY/unauthenticated SharePoint users to add an Item in a SharePoint List using an Application Page without giving them “View Application Pages” List Permissions.

Case: I have a SharePoint site that has a few lists, site pages, application pages, etc. One of my application pages was custom coded to allow end users to add an item to a SharePoint list; after a successful submit, a success message is shown in a popup dialog page.

My permissions are supposed to be set so that end users have Read Only permissions and cannot see any system or application pages (for example Site Contents, which would show them all SharePoint lists and document libraries), except the Contact Us page and the popup dialog, so that end users can still add a new item to one of the lists.

Please note that the solution I am describing is only one of several possible; there can be alternatives to mine. I am merely providing the approach that I used. My main aim was to do the minimum work and get the site working with most of the customization. I planned to have a permission set that allows access to Site Pages and to one or more application pages that I deployed. I wanted to make sure that system and other application pages are not accessible. I also wanted end users to have site access.
Hence I created and customized one permission set and applied it to a group at the parent level, so I did not have to deal with breaking inheritance. Finally, I used UnsecuredLayoutsPageBase as the base class for the application pages that I wanted end users to have access to.

I achieved this with the following steps:

1.      I created a Permission Level as follows:
a.      Under List Permissions, only two permissions: select “Add Items”; it has a dependency on “View Items”, so leave both of them selected.
b.      Under Site Permissions, only five permissions: select “View Pages”, “Browse User Information”, “Use Remote Interfaces”, “Use Client Integration Features” and “Open”.

A note: if I select "View Application Pages" it also works, but the problem is that users will then see other application and system pages as well.

2.      I created a Group and assigned the newly created permission set to it.



4.      I opened my Application and Popup pages and changed the code so that they inherit from UnsecuredLayoutsPageBase rather than SecuredLayoutsPageBase. I also made sure that the code that actually adds an item to the list runs with elevated privileges.


5.      Deploy and test.
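A sketch of the code-behind described in step 4, as an added example that is not the author's original code. The class name, control names, the "Contact Us" list title, the "Message" column and the length limits are assumptions, and the page is assumed to render a form digest. Because the write runs with elevated privileges, the page itself has to bound what a read-only caller can submit.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Hypothetical code-behind for the Contact Us application page.
public class ContactUsPage : UnsecuredLayoutsPageBase
{
    private const string ListTitle = "Contact Us";        // assumed list title
    private const int MaxTitle = 255, MaxMessage = 2000;  // assumed limits
    protected System.Web.UI.WebControls.TextBox txtTitle, txtMessage; // assumed controls
    protected System.Web.UI.WebControls.Label lblStatus;

    // Only needed when anonymous (not just read-only) users must reach the page.
    protected override bool AllowAnonymousAccess { get { return true; } }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        string title = (txtTitle.Text ?? "").Trim();
        string message = (txtMessage.Text ?? "").Trim();
        // The write below runs as the application pool account, so reject
        // empty or oversized input before elevating.
        if (title.Length == 0 || title.Length > MaxTitle || message.Length > MaxMessage)
        { lblStatus.Text = "Please check your input."; return; }

        // Validate the form digest before elevating; the elevated objects
        // rely on this check having passed for the current request.
        if (!SPUtility.ValidateFormDigest()) return;

        Guid siteId = SPContext.Current.Site.ID, webId = SPContext.Current.Web.ID;
        bool saved = false;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            // Objects taken from SPContext keep the caller's identity; reopen them.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPList list = web.Lists.TryGetList(ListTitle); // fixed target, never from input
                if (list == null) return;
                SPListItem item = list.AddItem();
                item["Title"] = title;
                item["Message"] = message; // assumed column name
                item.Update();
                saved = true;
            }
        });
        lblStatus.Text = saved ? "Thank you." : "Your message could not be saved.";
    }
}
```

Only the single list write sits inside the elevated delegate; validation and status handling stay in the caller's context.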

Wednesday 9 December 2015

Error while retrieving data from SharePoint 2013 External Content Types: An error occurred while retrieving data from "Name of Secure Store Target Application". Administrators, see the server log for more information.

Error Message: An error occurred while retrieving data from <Name of Secure Store Target Application>. Administrators, see the server log for more information.

Problem: When users try to read data from an external data source using SharePoint’s External Content Type functionality, they get the above error. You might have tried changing the Business Data Connectivity permissions, including granting all permissions (Edit, Execute, Selectable In Clients, Set Permissions) in either or both of “Set Object Permissions” and “Set Metadata Store Permissions”, but with no success.




If the above is true, then it is worth checking the permissions on your Secure Store Target Application. You have to add the users/groups who need to access the data through the Secure Store Target Application to its “Members”.

There are essentially two steps to grant permissions on your External Content Type after you have successfully created and tested it, so that the intended users are able to use the external data.
1.  Make sure you grant the “Execute” permission to your users: Central Administration → Manage Service Applications → Business Data Connectivity Service → double-click it and select your External Content Type → click “Set Object Permissions” → add your user/group here and assign only the “Execute” permission. You can assign more permissions here if needed.
2.  Make sure you have mapped your end users to the credentials you are using to access your external data. Normally you associate one account that the Secure Store uses to connect to the external data source. Once the connection is successful, you have to specify the group/people who can use the Secure Store Target Application. To do so, go to Central Administration → Manage Service Applications → Secure Store Service → double-click it → select your Secure Store Target Application → double-click it → the edit screens open → navigate to the next screen and then next again → on the final page you will see two groups. One is for Secure Store Target Application Administrators (the people in this group are able to modify the Secure Store Target Application settings, if they have permission for the Central Administration site). The other is for Secure Store Target Application Members; this is the group to which we should add the SharePoint users/groups that we want to give access to the external data.


Please refer to the attached screens.
The first screen shows how to set permissions on "Business Data Connectivity Service".

The second screen shows how to set permissions on "Secure Store Service".