I am giving full control permission to a document under the shared library to a user that does not have any permission to the site. Sharepoint 2010 adds limited access to this user to the site itself, I believe so that user can login and see the the document.
However I can not login with this user's credentials.
What is wrong and what is the minimum access level that can be given to a user so that they only login, and see the documents they are supposed see?
You would have to provide Viewer rights to the user on document library so that user can open the document library and provide the user direct link to the view which you want to show him.
Second method is what ever rights you have provided is enough for the user just provide him direct link to the document Which would be <>/Documentname.extension
eg. http://sharepointserver:1234/shareddocuments/abc.docx
Limited access is a bit confusing because this permission level is only used to allow a user to traverse the site in order to access the items on which they have explicit (at least read) permission access. Traverse unfortunately doesn't mean browse the site, it's only used to avoid triggering the credentials prompt when accessing the ressource.
If it's just for a specific document, you should link straight to the document, like Ashutosh Singh suggested
Otherwise, if there are no sensitive information, you can add this user in the dedicated visitor group, that will grant him enough access to browse up to the relevant library and access the document.
Another solution is to create a document workspace sub site (with unique permission) and set this user as the owner / contributor. By doing so you'll allow him to have more freedom in his own little shell. While this seems like a big job, it's only a few click away and a few seconds / minutes of configuration if you have enough right on the site collection (which I presume is the case since you are able to give full right to an external user on a specific document).
Hope that helped :)
Related
not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features
My team implemented a UI to assign/revoke permission levels to users on a certain SharePoint list. The UI supplies an "undo" feature to restore the rights the user had before they were changed through our UI.
Now there is a problem if the user had the "Limited Access" permission level: This permission level is removed when you do a change over the UI. When trying to Undo, the permission level should be added again, which leads to a
You cannot grant a user the limited access permission level.
SharePoint grants that permission level automatically when a user gets access to some entity beneath the site. It cannot be granted manually. This permission level is then inherited by all lists in the site. However, after breaking inheritance on a list, I can revoke the right manually, only, I cannot re-grant it afterwards.
So SharePoint treats that permission level quite particularly and I'm wondering how to work around that in our undo feature.
My questions:
Did I get it right that this "limited access" is granted by SharePoint on the site level only, and all the lists beneath only contain that accidentally through inheritance?
Does that permission level have any effect at all on a list, or does it only apply to the site itself?
So, would it be save to just remove it from a list and do not add it anymore when the user clicks "undo", since it has no effect anyway?
I dare to answer my own question just for reference for future readers:
According to Microsoft's article Permission levels and permissions,
The Limited Access permission level
cannot be customized or deleted.
and
(...) Windows SharePoint Services 3.0
automatically assigns this permission
level to users and SharePoint groups
when you grant them access to an
object on your site that requires that
they have access to a higher level
object on which they do not have
permissions. For example, if you grant
users access to an item in a list and
they do not have access to the list
itself, Windows SharePoint Services
3.0 automatically grants them Limited Access on the list, and also the site,
if needed.
In practice this means that:
If you can delete it, that's only because it has been inherited and has no meaning on that certain list.
If later on a user is granted some permissions to a certain list item, so that he needs the Limited Access on the list, SharePoint will take care of adding it again.
Summarized: No concerns to remove and not re-add that access level.
Removing a user with Limited access on the top level site should not actually remove their explicit access on the list or library below (with broken permissions) but MS do say in the above mentioned article:
However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted.
This suggests that the user's Limited access should be declared on the site permissions. I think its always best to do a test on your site first before making any assumptions.
I want to have user rights split into two. Some of the policies at the client's side mention that we should have a seperate user who has only the rights to add users and nothing else, and the Site Administrator should not be able to add users.
As of now, the Site Admin is used to Add users and to manage other configuration. Can we remove the User Addition role from Site Admin?
Is there a way to create a new User Role by writing some code?
I don't think it is possible to remove any permissions from the site administrator. You could do something wild like add security code to your master page, however. That could detect the current user and the current page, and throw an error if the site administrator were in the wrong place.
You can create a custom permission level, provided your permission sets summarise to one of the options offered by the SPBasePermissions enumeration. Unfortunately there is no specific 'add user' permission, only ManagePermissions. For reference anyway, here's a basic code sample.
I think the best approach is that given by strongopinions where a piece of code runs to check who the user is if they visit the Add User page.
How can I set the permissions for a site where I have access to do everything but NOT view documents?
Thank you.
I'm Kevin and I'm responsible for permissions in SharePoint
In SharePoint, you can grant permissions to a user or group via what we call "permission levels" - essentially sets of permissions. Out of the box we include a few of these like "Read" and "Contribute" and "Design".
It sounds like you want to provide some users with the ability to do more than the Read permission level allows, but disallow the viewing of documents. To accomplish this, you could create a new permission level (site settings > advanced permissions > permission levels). Note: we restrict permission levels from including adding or editing items without the ability to view them
If you, or anyone reading have further questions about this stuff feel free to get a hold of my via email: kevin.davis#microsoft.com
Your question is slightly confusing, I'm taking it to mean, you want to stop certain users (or groups of users from accessing documents hosted in your site. (Where you are the site administrator.)).
To do that go into each library, go to settings, then document library settings, permissions for this document library and restrict them as appropriate.
I would like to create a folder that users who do not have privileges to view the rest of the site can see. This user group would be granted access to the site, but I only want them to be able to view one particular page.
Is this possible to do without going to every single page and removing the new user group's access?
yeah, you should be able to create a new group and add the users to that list/subweb/whatever and just that. This is assuming that you didn't grant access to all users somewhere. If you did, then hopefully the default access is granted to a default user group (like sharepoint visitors) and you can alter that group to exclude the users you only want to access the limited part of the site.
If created correctly the new group shouldn't have access to the rest of the site.
If you are getting thrown off by the fact that the user/group is listed as having "Limited Access" on the ACLs on, say, the parent site/web. That's just a placeholder SharePoint uses to make sure people have access to at least the bare minimum set of objects (e.g. theme and other UI files and the parent web itself) to get to the list or item you actually want them to have access to.
As long as the group only has access on a single list, you should have to worry about them having access to anything else.