I want to have user rights split into two. Some of the policies at the client's side mention that we should have a seperate user who has only the rights to add users and nothing else, and the Site Administrator should not be able to add users.
As of now, the Site Admin is used to Add users and to manage other configuration. Can we remove the User Addition role from Site Admin?
Is there a way to create a new User Role by writing some code?
I don't think it is possible to remove any permissions from the site administrator. You could do something wild like add security code to your master page, however. That could detect the current user and the current page, and throw an error if the site administrator were in the wrong place.
You can create a custom permission level, provided your permission sets summarise to one of the options offered by the SPBasePermissions enumeration. Unfortunately there is no specific 'add user' permission, only ManagePermissions. For reference anyway, here's a basic code sample.
I think the best approach is that given by strongopinions where a piece of code runs to check who the user is if they visit the Add User page.
Related
I am building a site on Liferay 7. By default, all the authenticated users inherit the Guest permissions (anonymous users).
There is even a label in the permissions section:
"Under the current configuration, all users automatically inherit permissions from the Guest role."
Why do I need this?
I would like to display X content only for anonymous users and when the user logs in, then I would like to display different content.
This is how my content permissions for anonymous users are configured:
Although I agree with people that say this is not the best path, yes you can do it - just to address the question at hands.
Set this to true if resources should assume that all users have the Guest role. Set this to false if resources will not assume that all users have the Guest role and, thus, do not automatically inherit permissions that belong to the Guest role.
Setting this property to false may require users to grant permissions to roles like Site Member and User.
Defaults:
permissions.check.guest.enabled=true
Why do I need this?
Permissions are not the catch-all for showing different content. If a guest is not allowed to see something, but needs to log in - that's fine. It's authenticated content, and you'll need to sign in.
If an authenticated user has no permission to see certain content, but just needs to log out in order to see it: What kind of permission is that? Let me answer that for you: It's not permission. It's rather targeted content and while it might be mimicked with permissions, this mimicry is nothing more than mimicry.
One way to implement such a requirement is through structured Web Content (you sound as if you want to show different Web Content articles). The template has access to the full API and can check if the current user is signed in or not - and show different content based on this fact.
If you want to achieve role permission using code level as like in xxxlocalserviceImpl class.You can use below code for allow permission for the guest user.
In case of document and media allow permission to guest and registerUser in Liferay 7 using rest webservice you can use this code for allow permission to upload and download the document using this code.
ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
DLFileEntry.class.getName(), ResourceConstants.SCOPE_INDIVIDUAL,
String.valueOf(dlFileEntry.getFileEntryId()), guestRole.getRoleId(),
new String[] { ActionKeys.VIEW });
To answer your question - you can not configure that per specific asset! By default an authenticated user can not have less permissions than an unauthenticated one. You can change that behavior for all assets using permissions.check.guest.enabled=false as #Victor correctly pointed out!
I need to give permissions to edit/create/destroy pages in a node to a group of users.
I've created a group and added a test user to that group.
I can't seem to give permission to the Pages application so see if i can see the node.
I also added game this role permissions at the node level too.
Ideally this editor role would be able to create new sub pages, which also means being able to upload media.
Your new user must have editor privilege level (you can edit user in Users application). If you want to provide ability to see content in Pages app you have to grant the user with Browse tree and Read permission (content module). To satisfy your scenario you need to grand user with Modify and Create permissions, too (maybe Design?).
Just FYI: The approach provided by Brenden (cloning the role) is very handy but there a is chance you grant the user with permission you don`t want to provide (inappropriate permissions for original role).
I've found the most efficient method is review the out of the box roles provided by Kentico and clone the one which fits closest to your needs. Then modify your cloned role to add/remove abilities and permissions.
If you're unsure of what each role can and cannot do, create a new test user with one of the roles assigned to them and log in as them. Do the same for all the roles you want to test until you find the one closest to what you're looking for.
I have a demo page for a web part, so I want a permission level where user can modify web parts using tool part but cannot delete it so other users will also be able to see it. And I also don't want them to access site settings and contents.
I think best way is to create target audience rules and compile them. As the rules may either ON security group membership or user profile property values.
In order to learn more check the Overview section in the following link :
https://support.office.com/en-us/article/Target-content-to-specific-audiences-33d84cb6-14ed-4e53-a426-74c38ea32293
what the title says. I am not the farm administrator so I guess i don't have access to the sharepoint power shell. I am allowed to use sharepoint designer though and I guess I can set up a webpart that executes code even though I have never done it. I am open to any solution.
Thank you very much.
One way to get all the groups an user belongs to is by checking site permissions of that user
like explained in the article below,
http://office.microsoft.com/en-in/sharepoint-server-help/check-permissions-for-a-person-or-site-HA101794808.aspx#_Toc288817126
Once you enter the user name and check permissions, it will display all the group that user belongs to but you need to be part of the Owner group to enumerate other users' permissions this way.
I am giving full control permission to a document under the shared library to a user that does not have any permission to the site. Sharepoint 2010 adds limited access to this user to the site itself, I believe so that user can login and see the the document.
However I can not login with this user's credentials.
What is wrong and what is the minimum access level that can be given to a user so that they only login, and see the documents they are supposed see?
You would have to provide Viewer rights to the user on document library so that user can open the document library and provide the user direct link to the view which you want to show him.
Second method is what ever rights you have provided is enough for the user just provide him direct link to the document Which would be <>/Documentname.extension
eg. http://sharepointserver:1234/shareddocuments/abc.docx
Limited access is a bit confusing because this permission level is only used to allow a user to traverse the site in order to access the items on which they have explicit (at least read) permission access. Traverse unfortunately doesn't mean browse the site, it's only used to avoid triggering the credentials prompt when accessing the ressource.
If it's just for a specific document, you should link straight to the document, like Ashutosh Singh suggested
Otherwise, if there are no sensitive information, you can add this user in the dedicated visitor group, that will grant him enough access to browse up to the relevant library and access the document.
Another solution is to create a document workspace sub site (with unique permission) and set this user as the owner / contributor. By doing so you'll allow him to have more freedom in his own little shell. While this seems like a big job, it's only a few click away and a few seconds / minutes of configuration if you have enough right on the site collection (which I presume is the case since you are able to give full right to an external user on a specific document).
Hope that helped :)