
Question: Users permissions overridden when specifying special permissions on a document library?

  • Thursday, 2 July 2009 14:07 jos_
     
    Hello,

    Assume the following document library: http://moss-server/SiteDirectory/site1/Documents. I have an AD group called EXAMPLE\Domain Users which has "Full Control" on site1. We then restrict an AD user's permissions (let's call the user EXAMPLE\Joe) on the document library Documents to "Contribute".

    Now, when Joe tries to modify content on site1, he can't. SharePoint added permission "Limited Access" for Joe to site1, because it didn't see him there at all (though he was there, by the group Domain Users) and he needed to access the site in order to access the document library.

    Is this by design, or am I doing something terribly wrong?

    Thanks in advance!

All Replies

  • Thursday, 2 July 2009 14:15 Jenny Fergeus
     

    Just to be sure: did you break the permission inheritance on the document library before you changed the permission? Otherwise you changed the permission on the site level, even if you were in the document library when you clicked on permissions.

    Hope this helped...

    Regards
    Jenny

  • Thursday, 2 July 2009 14:47 Mike Walsh MVP, Moderator
     
    I don't think the first reply is the reason. I think it is just as the original poster posted namely that SharePoint is unaware when Joe is given rights to the document library that he is a member of Domain Users.

    I can only think of workarounds either involving SharePoint Groups (as SharePoint is aware of the individual users added to them) OR an AD Group called "Domain Users + This Doc Lib" which would have the Full Control on the whole site that Domain Users has but would also be given access rights as Contributor to the Doc Lib.

    What surprises me is that Joe only got Limited Access at site level. I think I remember when writing my book coming across a case where giving full rights to a user at doc lib level created a full right user at sites level (which wasn't the intention ....)
    WSS FAQ sites: http://wssv2faq.mindsharp.com and http://wssv3faq.mindsharp.com
    Total list of WSS 3.0 / MOSS 2007 Books (including foreign language) http://wssv3faq.mindsharp.com/Lists/v3%20WSS%20FAQ/V%20Books.aspx
  • Friday, 3 July 2009 05:40 jos_
     
    Yes, permission inheritance is broken. If it were not, the user would have the same rights on the document library as on the site, which is not the case.

    Even if I add "Full Control" to Joe on Documents, he still gets "Limited Access" on site1. Maybe that was fixed in a service pack? I'm tempted to call this a bug; why does Joe need permission on site1 to access a list on the site (if he goes directly to the list by URL that is)? Also, if I remove the "Limited Access" permission on site1 the "Full Control" permission is removed from Documents (which seems "dangerous", a site admin might think "oh, Joe has limited access, that isn't right" and remove the permission which would also remove the "Contribute" permission on the document library).

    EDIT: It does not help creating a SharePoint group with "Full Control" containing Joe, "Limited Access" is still added. It helps if Joe has permissions directly on site1 though... this has to be a common problem?

    EDIT2: Hmm, maybe it isn't a problem overall, seems it does not matter if Joe has "Limited Access", the other group he's in still gives him the correct permissions. It is still "ugly" that the permission "Limited Access" gets added though...
    • Edited by jos_ Friday, 3 July 2009 05:55
    • Edited by jos_ Friday, 3 July 2009 06:16
    • Edited by jos_ Friday, 3 July 2009 06:20
  • Friday, 3 July 2009 09:40 Rock Wang – MSFT, Moderator

    Hi jos,

    When an individual is given unique access to a library/folder/document, he/she then appears with Limited Access in all document libraries which inherit permissions from the site. But he/she can view the other document libraries for which they don't have sufficient permissions. It is by design.

    In order to better troubleshoot the issue, I want to confirm the following information with you:

    1. Does site1 have a parent site or not?

    2. Has the "EXAMPLE\Domain Users" group been there by default in your AD? In other words, did you remove the Domain Users group which is there by default or not?

    3. Check whether EXAMPLE\Joe is a member of the "EXAMPLE\Domain Users" group. If not, please add him to the EXAMPLE\Domain Users group, and check the effect.

    4. Which document did Joe modify? Post the document's complete URL into the forum for analysis.

    5. Does the document which Joe modified inherit permissions from site1 or not?

    Rock Wang – MSFT
  • Friday, 3 July 2009 15:44 Clayton Cobb

    This has to exist so that the user can "pass through" the higher level (site) in order to get to the lower level (list). Having permissions through an AD group doesn't matter, because there's no way for SharePoint to know that a given user is part of a separate security group you've added. SP will only not give limited access if that user is specifically denoted as an individual or in a SharePoint group at the site level. This limited access gives the person no rights to the rest of the site but does allow the pass-through rights to get to the list.
    SharePoint Architect || My Blog
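
The pass-through behaviour discussed in this thread, as a simplified model added here for illustration; it is not code from any poster and not SharePoint's object model. The `Scope` class and function names are hypothetical, the model assumes Domain Users was removed from the library after inheritance was broken, and the cascade on removal follows what jos_ reported above.

```python
# Simplified model (assumption) of the behaviour described in this thread,
# not SharePoint's object model. Roles are ranked instead of using permission bits.
RANK = {"Limited Access": 0, "Contribute": 1, "Full Control": 2}
JOE, DOMAIN_USERS = r"EXAMPLE\Joe", r"EXAMPLE\Domain Users"

class Scope:
    """A securable object with its own role assignments (principal -> roles)."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.acl = name, parent, {}

    def grant(self, principal, role):
        self.acl.setdefault(principal, set()).add(role)
        # Pass-through: the parent is checked for this principal only, never
        # for AD groups the principal belongs to, so the entry is added anyway.
        if self.parent is not None and principal not in self.parent.acl:
            self.parent.acl[principal] = {"Limited Access"}

    def effective(self, user, ad_groups):
        """Highest role across the user's own entry and every group entry."""
        roles = set()
        for principal in [user, *ad_groups]:
            roles |= self.acl.get(principal, set())
        return max(roles, key=RANK.get) if roles else None

def remove_from_site(site, children, principal):
    """Deleting a principal at the site also drops it from child scopes."""
    site.acl.pop(principal, None)
    for child in children:
        child.acl.pop(principal, None)

def build():
    site1 = Scope("site1")
    site1.grant(DOMAIN_USERS, "Full Control")
    # Assumption: inheritance is broken and Domain Users was removed from the library.
    documents = Scope("Documents", parent=site1)
    documents.grant(JOE, "Contribute")
    return site1, documents

if __name__ == "__main__":
    site1, documents = build()
    print(site1.acl[JOE], site1.effective(JOE, [DOMAIN_USERS]))
    print(documents.effective(JOE, [DOMAIN_USERS]))
    remove_from_site(site1, [documents], JOE)
    print(documents.effective(JOE, [DOMAIN_USERS]))
```

In this model Joe keeps Full Control on site1 through the group even though his own entry reads Limited Access, and deleting that entry leaves him with no access to the library.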
  • Wednesday, 8 July 2009 13:45 jos_
     
    Thanks for the replies everyone, I'm having a bit of trouble reproducing this right now (a user reported it in our production environment), but if I see it again I will write in this thread.