SharePoint: You cannot grant limited access permission level - security

My team implemented a UI to assign/revoke permission levels to users on a certain SharePoint list. The UI supplies an "undo" feature to restore the rights the user had before they were changed through our UI.
Now there is a problem if the user had the "Limited Access" permission level: This permission level is removed when you make a change through the UI. When trying to undo, the permission level should be added again, which leads to the error:
You cannot grant a user the limited access permission level.
SharePoint grants that permission level automatically when a user gets access to some entity beneath the site. It cannot be granted manually. This permission level is then inherited by all lists in the site. However, after breaking inheritance on a list, I can revoke the right manually, only, I cannot re-grant it afterwards.
So SharePoint treats that permission level quite particularly and I'm wondering how to work around that in our undo feature.
My questions:
Did I get it right that this "limited access" is granted by SharePoint on the site level only, and all the lists beneath only contain that accidentally through inheritance?
Does that permission level have any effect at all on a list, or does it only apply to the site itself?
So, would it be safe to just remove it from a list and not add it anymore when the user clicks "undo", since it has no effect anyway?

I dare to answer my own question just for reference for future readers:
According to Microsoft's article Permission levels and permissions,
The Limited Access permission level cannot be customized or deleted.
and
(...) Windows SharePoint Services 3.0 automatically assigns this permission level to users and SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, Windows SharePoint Services 3.0 automatically grants them Limited Access on the list, and also the site, if needed.
In practice this means that:
If you can delete it, that's only because it has been inherited and has no meaning on that certain list.
If later on a user is granted some permissions to a certain list item, so that he needs the Limited Access on the list, SharePoint will take care of adding it again.
Summarized: No concerns to remove and not re-add that access level.

Removing a user with Limited access on the top level site should not actually remove their explicit access on the list or library below (with broken permissions) but MS do say in the above mentioned article:
However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted.
This suggests that the user's Limited access should be declared on the site permissions. I think it's always best to do a test on your site first before making any assumptions.
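
The undo behaviour discussed in this thread, as an added example (not code from the question or its answers): record only the permission levels that can be granted manually and leave Limited Access, which has role type Guest in the server object model, to SharePoint. It assumes the SharePoint Management Shell on a farm server; the function names, the URL and the list title are hypothetical.

```powershell
# Added example; Get-GrantableLevels / Restore-GrantableLevels are hypothetical names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record, per principal, the permission levels on the list that can be
# re-granted later. Limited Access (role type Guest) is left out because
# SharePoint assigns it itself and rejects a manual grant.
function Get-GrantableLevels {
    param([Microsoft.SharePoint.SPList]$List)
    foreach ($ra in $List.RoleAssignments) {
        $names = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        New-Object PSObject -Property @{ Member = $ra.Member; Levels = $names }
    }
}

# Undo: re-grant the recorded levels. Principals that held only Limited
# Access have an empty Levels array and are skipped.
function Restore-GrantableLevels {
    param([Microsoft.SharePoint.SPList]$List, [object[]]$Snapshot)
    if (-not $List.HasUniqueRoleAssignments) {
        throw "List inherits its permissions; no list-level assignments to restore."
    }
    $web = $List.ParentWeb
    foreach ($entry in $Snapshot) {
        if (-not $entry -or $entry.Levels.Count -eq 0) { continue }
        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($entry.Member)
        foreach ($name in $entry.Levels) {
            # Look the level up by name on the list's web.
            $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$name])
        }
        $List.RoleAssignments.Add($ra)
    }
}

# Usage (placeholder URL and list title):
# $web    = Get-SPWeb "http://sharepoint.example/sites/team"
# $list   = $web.Lists["Tasks"]
# $before = Get-GrantableLevels $list      # take before the UI applies changes
# Restore-GrantableLevels $list $before    # on "undo"
```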

Related

SharePoint Libraries not appearing

This is baffling me. I used PowerShell to add about 35 libraries to a site and then create and ADD 3 permissions groups for each library which are set to use unique permissions.
After running my code I thought all was fine. When I go to the site I see all the libraries that I made and can go into each of them and the permissions for each library are correct. However, if I go in as any other user I can't see any of the libraries. Even if I go to "All Site Content" it's as if they don't exist.
I am the site collection admin and am part of that site's Owners group, but other people in the Owners group can't see the libraries.
Any ideas?
It might be that the other users who cannot see those libraries do not have any permission on them, since you have broken inheritance. You can verify this by logging in as site administrator. Open the document library --> Library settings --> Permissions for this document library --> Check Permissions. Here, type in the user for whom the library was not available; then you can see whether that user actually has any permission on that library or not.
SharePoint has 5 permission levels: Full Control, Design, Contribute, Read, Limited Access. Permissions are categorized as list permissions, site permissions, and personal permissions, depending upon the objects to which they can be applied; and they can be inherited from the parent, or an object can have its own. If a user doesn't have permission to a list, the user can't see it.
Permissions control is complex in SharePoint. See these MSDN articles for details:
Permission levels and permissions
About controlling access to sites and site content

How to grant limited "manage permissions" permission in SharePoint?

I have a SharePoint library that is too large for a central administrator to manage permissions on all items, so I want to designate a few other people who are able to allow or disallow read/write access for arbitrary items in the library to users or groups. However, I don't want to give those few people total "manage permissions" ability because I don't want them granting themselves or others full control or design permissions, etc.
Is there a way to grant "manage only read/write permission"? Or is there a better way of accomplishing what I'm trying to do?
Thanks!
This question pops up all the time, and I haven't been able to find an answer that immediately makes the asker happy.
I usually suggest that you stay away from item-level permissions, and instead create libraries pretty much mapping to groups. Make a library for your Company X accountants, make an "Accountants at Company X" group, give them rights to that library. You should be able to trust them enough that they get to manage their own document library. If not, keeping the permissions on a per-library basis will make the workload much less, and the site administrator(s) can most likely handle the permissions on these libraries. If you want to make it easier for them, just create a formal workflow where a user can apply for access and an administrator grants it.
There are other ways, of course, but you're pointing at one of the major reasons you should stay away from item-level security. It's just a can of worms that you need to avoid opening if at all possible.
Maybe you can try the third party tool: SharePoint Permission Manager by SharePointBoost. You can search, analyze, manage and backup SharePoint users or group permissions on a centralized platform.
I don't think there is a specific permission that meets your needs for one site. I think your best option may be to split into sites or libraries you can allow others to manage for your central administrator.
Here's a related excerpt from the TechNet article, Plan Permissions, that may help you more:
Users or groups are assigned a permission level for a specific securable object: site, list, library, folder, document, or item. By default, permissions for a list, library, folder, document, or item are inherited from the parent site or parent list or library. However, anyone assigned a permission level for a particular securable object that includes the Manage Permissions permission can change the permissions for that securable object. By default, permissions are initially controlled at the site level, with all lists and libraries inheriting the site permissions. Use list-level, folder-level, and item-level permissions to further control which users can view or interact with the site content. You can return to inheriting permissions from a parent list, the site as a whole, or a parent site, at any time.

SharePoint permissions

How can I set the permissions for a site where I have access to do everything but NOT view documents?
Thank you.
I'm Kevin and I'm responsible for permissions in SharePoint.
In SharePoint, you can grant permissions to a user or group via what we call "permission levels" - essentially sets of permissions. Out of the box we include a few of these like "Read" and "Contribute" and "Design".
It sounds like you want to provide some users with the ability to do more than the Read permission level allows, but disallow the viewing of documents. To accomplish this, you could create a new permission level (site settings > advanced permissions > permission levels). Note: we restrict permission levels from including adding or editing items without the ability to view them.
If you, or anyone reading, have further questions about this stuff, feel free to get a hold of me via email: kevin.davis#microsoft.com
Your question is slightly confusing. I'm taking it to mean you want to stop certain users (or groups of users) from accessing documents hosted in your site (where you are the site administrator).
To do that, go into each library, go to settings, then document library settings, permissions for this document library and restrict them as appropriate.

How do I limit a user's permission in SharePoint to a single survey

I have a user group set up in SharePoint that has permission to access a single site. I would like to restrict this group's access further to a single survey within that site. Is there any way to set SharePoint permissions to a more granular level?
You can give access to only specific lists, views or pages using the Limited Access Permission Level.
Go into the list or view that you want to give people access to, go to Settings --> List Settings --> Permissions for this List.
You can then give direct rights to users that do not have access to any objects higher up in the hierarchy.

SharePoint Permissions

I would like to create a folder that users who do not have privileges to view the rest of the site can see. This user group would be granted access to the site, but I only want them to be able to view one particular page.
Is this possible to do without going to every single page and removing the new user group's access?
Yeah, you should be able to create a new group and add the users to that list/subweb/whatever and just that. This is assuming that you didn't grant access to all users somewhere. If you did, then hopefully the default access is granted to a default user group (like SharePoint visitors) and you can alter that group to exclude the users you only want to access the limited part of the site.
If created correctly the new group shouldn't have access to the rest of the site.
If you are getting thrown off by the fact that the user/group is listed as having "Limited Access" on the ACLs on, say, the parent site/web, that's just a placeholder SharePoint uses to make sure people have access to at least the bare minimum set of objects (e.g. theme and other UI files and the parent web itself) to get to the list or item you actually want them to have access to.
As long as the group only has access on a single list, you should have to worry about them having access to anything else.
