i'm using Sitecore 6.5.
I want to configure a Sitecore role to access the /system folder from the content editor.
(my end goal is to have certain user to access and edit the webforms in /system/modules/web forms for marketeers)
I have granted read rights to the system folder on the role, but the /system folder does not appear in the content editor tree.
I guess if there is some other security preventing the users to see the system folder?
I can only get a view on the system folder by granting full admin rights to the user.
First off, make sure the user has the Entire Tree and Hidden Items options ticked in the View tab.
Also, to check if it's access rights you can use the Access Viewer to see whether the user has access rights. If they don't you can click on the Read right (for instance) and see why they don't have access to the System node (for example, which role Denies the read access).
For more information, please check the Security Reference document on SDN.
Related
In the Security Editor, I explicitly denied Read rights for a user to an item. In the Access Viewer, I am able to verify that Read rights for this user and this item are denied.
As this user, when I open the item's page in my browser, I can see all the content. I would expect a 404, but I can just see the page.
I verified that it's definitely the same user and the same item by placing some temporary debug info in my layout page:
user is #(Sitecore.Context.GetUserName()) - item is #(Sitecore.Context.Item.ID) - can read: #(Sitecore.Context.Item.Security.CanRead(Sitecore.Context.User))
This informs me that the user indeed has Read rights for this item, even though both the Security Editor and Access Viewer that these rights have been denied.
What could possibly cause a difference between what I see in the Access Viewer and what I get from Sitecore.Context.Item.Security.CanRead?
(Yes, I also recycled my app pool several times to make sure that no
kind of caching is applied.)
Access right information is stored on the item itself.
Make sure that you published the page.
Remember that you can switch database from Sitecore Desktop to web, start Access Viewer and see access rights information for web database there.
I have created multiple apps in SPEAK UI and placed all quick access shortcuts on the Sitecore Launchpad.
Now, how can I restrict access for some applications while creating Users, because we have Content Area in Access Viewer?
There are a couple of ways to do this. First you need to open the desktop and switch from the Master to the Core database.
If you just want to restrict access to the shortcuts on the Launchpad - you can do this by setting access rights on the shortcut items:
Create a role that should have access to the users and give that role Read access to the button item.
Another option would be to allow access to the application. If you look at the Path Analyzer you can see that some roles are denied and some granted access:
So add security rights to roles for your SPEAK apps.
Finally when you create users make sure you give them the correct roles to match what they are able to view.
This is baffling me. I used PowerShell to add about 35 libraries to a site and then create and ADD 3 permissions groups for each library which are set to use unique permissions.
After running my code I thought all was fine. When I go to the site I see all the libraries that I made and can go into each of them and the permissions for each library are correct. However, if I go in as any other user I can't see any of the libraries. Even if I go to all "All Site Content" it's as if they don't exist.
I am the site collection admin and am part of that site's Owners group, but other people in the Owner's group can't see the libraries.
Any Ideas?
It might be that the other users who cannot see those library are not having any permission on that library,since you have broken inheritance. You can verify this by logging in as Site administrator. Open the document library--> Library settings-->Permissions for this document library --> Check Permissions. Here type in the user for whom the library was not available, then you can see if that user is actually having any permission on that library or not.
In SharePoint, it has 5 permission level: full control, design, contribute, read, limit access. Permissions are categorized as list permissions, site permissions, and personal permissions, depending upon the objects to which they can be applied; and it can be inherited from the parent, or it can have its own. if one user doesn't have the permission to a list, the user can't see it.
Permissions control is complex in SharePoint, See these MSDN articles for details:
Permission levels and permissions
About controlling access to sites and site content
I have a browser:page setup in Zope, and I have:
permission="zope2.Public"
My question is what should I change this to in order to allow only Plone administrators access, and/or logged in (non-administrators) access to this page?
On Zope, you control access to views via permissions, but to permit someone to access a given permission, you must grant such permissions to a role.
Anyone in the Plone administrators group has been granted the Manager role (on Plone 4.2 that'll change to the SiteAdmin role) generally have access to most permissions. There is also the automatic Authenticated role, which is given to anyone that has been authenticated (has logged in). The latter doesn't have many default permissions though.
Permissions are generally named after the action you want to permit. If your view's goal is to manage some aspect of your Plone portal, then the cmf.ManagePortal permission is probably what you want. You can check the full list of default permissions if you need another one.
There is some excellent documentation on how security works in Plone, which includes information on how to define new permissions too, and how to assign existing permissions to roles.
permission="cmf.ManagePortal"
This setting is about permissions not about roles.
My team implemented a UI to assign/revoke permission levels to users on a certain SharePoint list. The UI supplies an "undo" feature to restore the rights the user had before they were changed through our UI.
Now there is a problem if the user had the "Limited Access" permission level: This permission level is removed when you do a change over the UI. When trying to Undo, the permission level should be added again, which leads to a
You cannot grant a user the limited access permission level.
SharePoint grants that permission level automatically when a user gets access to some entity beneath the site. It cannot be granted manually. This permission level is then inherited by all lists in the site. However, after breaking inheritance on a list, I can revoke the right manually, only, I cannot re-grant it afterwards.
So SharePoint treats that permission level quite particularly and I'm wondering how to work around that in our undo feature.
My questions:
Did I get it right that this "limited access" is granted by SharePoint on the site level only, and all the lists beneath only contain that accidentally through inheritance?
Does that permission level have any effect at all on a list, or does it only apply to the site itself?
So, would it be save to just remove it from a list and do not add it anymore when the user clicks "undo", since it has no effect anyway?
I dare to answer my own question just for reference for future readers:
According to Microsoft's article Permission levels and permissions,
The Limited Access permission level
cannot be customized or deleted.
and
(...) Windows SharePoint Services 3.0
automatically assigns this permission
level to users and SharePoint groups
when you grant them access to an
object on your site that requires that
they have access to a higher level
object on which they do not have
permissions. For example, if you grant
users access to an item in a list and
they do not have access to the list
itself, Windows SharePoint Services
3.0 automatically grants them Limited Access on the list, and also the site,
if needed.
In practice this means that:
If you can delete it, that's only because it has been inherited and has no meaning on that certain list.
If later on a user is granted some permissions to a certain list item, so that he needs the Limited Access on the list, SharePoint will take care of adding it again.
Summarized: No concerns to remove and not re-add that access level.
Removing a user with Limited access on the top level site should not actually remove their explicit access on the list or library below (with broken permissions) but MS do say in the above mentioned article:
However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted.
This suggests that the user's Limited access should be declared on the site permissions. I think its always best to do a test on your site first before making any assumptions.