SharePoint as Digital Asset Management for Pimics

How to set up a Pimics-SharePoint integration

When using SharePoint as a file repository, every time you upload a digital asset to Pimics the document will be stored in SharePoint's library and a preview of the document will be created in Pimics.

Each document type can have its own separate library (Pictures, Documents, Graphics, Media). All libraries have to be on the same SharePoint site.

Steps

• SharePoint as Digital Asset Management for Pimics
  • How to set up a Pimics-SharePoint integration
    • Steps
  • Create a SharePoint site
  • Create an application in Azure Active Directory
    • Give access to specific sites only
  • Set the connection in Pimics
    • Add a new Authentication
    • Add a new SharePoint Domain
    • Add the SharePoint domain to Document Setup and set up libraries for different document types
  • Initial synchronization of files from SharePoint to Pimics
    • Run the synchronization
  • Public links
    • Get public links for files
      • Update public links on digital assets

Create a SharePoint site

The best practice is to have a dedicated site for Pimics, you can simply call it Pimics or DAM. Please refer to Microsoft's documentation for details on site creation.

Our suggestion is to create separate document libraries for Documents, Pictures, Graphics, CAD Drawings and Media, but you can also use one library for several document types.

Create an application in Azure Active Directory

To communicate with SharePoint, Pimics needs to have an application in Microsoft Entra ID. Usually we use single-tenant for customer-managed applications, and Pimics also supports multi-tenant applications for partners.

1. Create a new application
   • You can follow the steps in Microsoft's online documentation: Register a new application using the Azure portal
   • Keep Redirect URI empty
2. Open https://portal.azure.com/, search for Microsoft Entra ID (formerly Azure Active Directory), open the related link, in the left menu select Manage -> App registration and your application from point 1 (or you can go through Add -> App registration).
3. Set permissions for the application
   1. In the app details, go to API permissions
   2. Select Add a permission
   3. Since Pimics uses Microsoft Graph API to access SharePoint, select Microsoft Graph and then Application permissions
   4. Select these permissions from the list:
      • Sites.ReadWrite.All (Application) - Read and write items in all site collectionslibraries

      Note

      In this permissions:

      • Provides sufficient permissions for all Pimics DAM operations
      • Allows Pimics to search sites, read/write files, create folders, and manage thumbnails
      • Most common choice for production environments

      Alternative: Site-specific permissions If you want to limit access to specific SharePoint sites instead of all sites, use Sites.Selected instead of Sites.ReadWrite.All. This requires additional configuration steps - see Give access to specific sites only below.
      In this permissions:

      • Limits access to only specific SharePoint sites you explicitly grant
      • Requires additional PowerShell configuration to grant site-specific permissions
      • Recommended when following principle of least privilege
      • Best for multi-tenant scenarios or when Pimics should only access dedicated DAM sites

      What Pimics does with these permissions:

      • Search and list SharePoint sites and document libraries
      • Upload files (documents, images, media) to SharePoint libraries
      • Download files and thumbnails for preview generation
      • Update existing files when content changes
      • Rename files and manage folder structures
      • Read file metadata (name, size, MIME type, modification dates)
      • Create and manage thumbnails for images
      • Track file changes using delta queries for synchronization
   5. Select action Grant admin consent for ...
4. Generate a new secret for the application
   1. In the app details, go to Certificates & secrets
   2. In the Client secrets group, select action New client secret
   3. On the new page, select fitting duration in Expires (Microsoft no longer supports unlimited duration)
   4. Select Add to create the secret
   5. On the certificates page you can see the client secret in Value. Copy it and store it somewhere together with the client ID, as you won't be able to recover it later from Azure Active Directory
   6. When the secret expires, you'll have to create a new one and change the connection values in Pimics

Give access to specific sites only

If you want to limit the access to the Microsoft Entra Application to specific SharePoint sites only, follow the steps below. This uses the Sites.Selected permission instead of Sites.ReadWrite.All or Sites.FullControl.All.

When to use this approach:

• You follow the principle of least privilege
• Pimics should only access dedicated DAM sites, not all SharePoint sites in your tenant
• You have compliance or security requirements to restrict application access
• You want to explicitly control which sites the application can access

Setup steps:

1. First, follow the steps in Create an application in Azure Active Directory
2. At step 3.4 (selecting permissions), choose Sites.Selected (Application) instead of Sites.ReadWrite.All or Sites.FullControl.All
3. Grant admin consent for the permission

Unfortunately, there is no user interface to grant site-specific access to an application. You must use PowerShell to grant the application access to individual sites.

Using PnP PowerShell to grant site permissions:

The easiest way to grant site-specific permissions is to use PnP PowerShell.

If you don't have it, install it in PowerShell:

Install-Module PnP.PowerShell -Scope CurrentUser

When PnP is ready, you can use command Grant-PnPAzureADAppSitePermission to give permissions to the app.

Connect-PnPOnline -Url "<siteUrl>" -Interactive
Grant-PnPAzureADAppSitePermission -AppId "<AppId>" -DisplayName "<AppName>" -Permissions Write

Set the connection in Pimics

Add a new Authentication

1. Choose the Search icon (or use Alt + Q), enter Pimics Authentications, then choose the related link.
2. Press New to add an Authentication entry
   1. Select SharePoint on-line as Type
   2. Enter a preferred Code
   3. In group Service specify:
      1. ClientId - client identification from Azure Active Directory - Application (client) ID on the Azure app overview
      2. ClientSecret - client secret from Azure Active Directory, saved earlier
      3. Tenant - if you use Business Central SaaS it is the tenant ID, this can also be a valid PageURL or Domain - Directory (tenant) ID on the Azure app overview

   Note

   The fields Login Url, Resource and Scope will be filled in automatically 4. If you want to use this Authentication as default then activate the Default checkbox

Add a new SharePoint Domain

1. Choose the Search icon (or use Alt + Q), enter Domain Repository Setup, then choose the related link.
2. Press New to add a Domain Repository Setup entry
   1. Enter a preferred Code
   2. Select SharePoint as Repository Type
   3. Select the Pimics authentication created earlier as the Default Authentication
   4. Set the Tenant - if you use Business Central SaaS it is the tenant ID, this can also be a valid PageURL or Domain
   5. Use lookup in Site to select a site from SharePoint. The lookup will provide a list of available sites on your SharePoint and can be used to test the connection

Add the SharePoint domain to Document Setup and set up libraries for different document types

1. Choose the Search icon (or use Alt + Q), enter Document Setup, then choose the related link.
2. Select SharePoint in Repository Type
3. Select the Default Domain created earlier - this will fill in the following values with the values from the selected domain
4. In group Repository Location use lookup to select individual libraries for each document type, like in the example below:
5. Select OK to close the page and finish the setup

Initial synchronization of files from SharePoint to Pimics

Pimics provides a report that can be run on demand, or in the background as a Job Queue entry. This report checks the SharePoint library and creates objects in Pimics based on the file data it finds.

Run the synchronization

1. Choose the Search icon (or use Alt + Q), enter Pimics SharePoint File Synchronization, then choose the related link.
2. Specify the following fields

• Import Action
  • Create New will create only new files. The existing records in Pimics will be skipped.
  • Update Existing will touch only existing records in Pimics and update them by the data in SharePoint
  • Both will create new files and update existing records in Pimics
• SharePoint Drive Id - select the library you want to synchronize
• Include Subfolders - if a library contains folders, here you can tell the report that you'd like to import files from folders. Otherwise only files from root will be imported
• Get Thumbnails - keep it to Yes. You can disable it to improve performance for big libraries
• Request Size - keep the default value. This can impact the performance

3. Select OK to start the synchronization
4. If you want to run this periodically, you can define it as a Job Queue entry. If synchronization is done just once, you don't need to do the following steps
5. Choose the Search icon, enter Job Queue Entries and then choose the related link
6. Define a new job queue by following Microsoft documentation
   1. Set Object Type to Run to Report and Object Id to Run to 70113723
   2. Define your Recurrence
7. In Report Parameters set Report Request Pages to Yes and follow instructions from point 2
8. When finished, select Set Status to Ready
9. If you need to synchronize more libraries just follow steps 4 - 8 for each library

Public links

Pimics can generate public links for content residing in SharePoint. Files from SharePoint are read through the application, so everybody with the link can read a file from the library.

For testing this functionality we offer a public service under https://pimics-shpimages-dev-8i.azurewebsites.net. This is not a service for productive environments, because it runs with limited resources.

Warning

We reserve the right to rename, move, or delete the service (https://pimics-shpimages-dev-8i.azurewebsites.net) without prior notice.

For productive environments we offer 2 options:

• Service hosted & managed by Allium
• Azure subscription with your own service and advanced configuration like Azure CDN (Content Delivery Network)

Get public links for files

In Pimics, the primary setting for the Azure CDN domain/URL resides in the Document Setup page, together with the SharePoint domain setup. There are two fields for this, and they are highlighted in the picture below.

The CDN Azure URL can be taken from Azure once the CDN service is configured there.

As for the Azure Customer ID, it is a GUID unique to Pimics that identifies the CDN environment for a particular company. When clicking on the three dots at the right side of the field, a new Azure Customer ID will be generated. If more companies need to share the same SharePoint/CDN environment, they will need to have the same Azure Customer ID set up in their respective Pimics instances.

This will create the necessary authentication parameters, stored in Azure not the local BC, so that CDN will be able to access your Pimics SharePoint library.

Using Alt+Q access Domain Repository Setup. Select your current SharePoint domain, then click on Create SharePoint Client as highlighted below:

If you search for SharePoint Azure Clients with Alt+Q, you will now be able to see your newly created Azure credentials for SharePoint:

Back to the Domain Repository Setup, you will need to access your domain repository setup card, and set your newly created Azure Client ID in the relevant field highlighted below:

Update public links on digital assets

After setting up CDN, all that is left to do is to update the public links to the desired digital assets, to reflect the new access policy. You will need to first select these digital assets (pictures, documents, etc.), and then run the function Refresh Metadata. See more details in Refresh public links