Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, October 31, 2013 2:30 PM
In an Intranet site (SharePoint 2010) we have a Site Collection created using Publsihing template with Read access to all NTAuthenticated users and within this site collection there is a subsite (for a secured department) with broken inheritance from parent with access given to a group created with in this subsite - working as expected. We have created a folder in a document library of this subsite and has broken the inheritance on this folder to give 'read' access to user outside this department.
By giving the user account read permissions on the folder, they then have "limited access" permissions on the document library and the site. I believe this is by design.
We have shared the link to this folder in an email(did not sent email when granting access- it did not work too) But they still get an access denied error when viewing the folder. And when running the "check permissions" function on the specific folder permissions I see:
The user may not be able to access the item. The user may need to be granted access to the containing list or site. Permission levels given to User (AD\loginId) Read,Limited Access
Given directly
**Then for testing Purposes,
If I grant access to parent library but not subsite** they are able to access folder contents. (Of course we don't want to do this)
Also tested same test case by giving 'Contribute' access (all permission levels are OOTB not customized) but same result
This is happening in all site collections of this web application.
- I thing we do not anything suspicious in Web application's UserPolicy.
- No issues with Access mapping in terms of internal network (but could be something missing here? Is this related)
All replies (4)
Thursday, October 31, 2013 5:17 PM ✅Answered
Hi Harish, your problem is with the limited access. A user must have a minimum of read access in order to view items in the library (as you experienced). Limited access overrules the item level permissions. Fine grained permissions cause a lot of problems similar to this. I suggest you re-think your permissions structure. Perhaps use My Sites for item level permissions. They work much better for that application.
cameron rautmann
Thursday, October 31, 2013 7:44 PM ✅Answered
The problem is the permissions at the library level. They still need read there. It is because you are trying to link them to a specific folder. I don't know what they are exactly, but there are things that will be loaded (events maybe?) from the parent when you try to open a folder view. That is causing the access denied since they don't have read at the library level. It isn't really clearly stated, but if you have multiple folders in the library, those are items, so you are really trying to implement item level permissions. You would have to set read on the document library for everyone that should have read, then break inheritance on each folder and set the permissions you want on each. A huge hassle. My suggestion would be create another library, give that user read, and place whatever you want them to have read to there.
Monday, November 4, 2013 10:24 PM
Thanks for the reply guys.
Yes.. As a work around for now I have created a separate library and moved the folder and granted access as required, which is working.
So what you guys are saying is there is nothing wrong and this behaviour is by design...?
In order to have unique permissions on a folder in a library the users should have atleast read access to the library and becuase of a special folder break inheritance on all folders within this library and then remove or continue exisiting permissions from parent on all thes folders as required.
I doubt this is by design please correct me...
I guess this is a common requirement - Having a secured team site in a site collection (which is open for all employees) and within this subsite there may be a document/folder that has to be shared with few individuals who donot have access to the parent team site and library (with few more secured folders and documents).
Tuesday, November 5, 2013 1:03 PM
Yes, unfortunately this is the way it's designed. I handle permissions all the time and breaking inheritance is always troublesome. The best practice is to leave the inheritance intact. If you need to break it, do so at the highest level possible, or make a new site/page/library specifically for the purpose of breaking inheritance.
cameron rautmann