Answered Access Denied and strange item level permission behavior

  • Wednesday, April 04, 2012 7:37 AM
     
     

    Hello,

    I have got a big problem: basically I had no problem with the permission settings in SharePoint...all of my site collections are accessible with READ permissions. Document libraries have got unique permissions => there are Active Directory groups defined for READ permission. The item level permission for items is set for READ permission, but only for the document owner/creator (READ)...THIS WORKED ALL PERFECT

    NOW if I create a new document library with unique permissions (again an AD Group for READ permission) the document library is inaccessible for members of this AD Group (Access denied when trying to go directly into the lib and the library is not visible in the all content listing of the site)

    AND there is another library where I wanted to copy some items and set the item level permission manually => just these items are not visible for the users.

    HOPE THAT SOMEBODY CAN HELP ME OUT! Thank you in advance.

    BR, juvi

All Replies

  • Wednesday, April 04, 2012 7:55 AM
     
     

    As per my understanding, you need to provide explicit access to document library. Providing access to items in a document library will not provide access to document library.

    Also, SharePoint works with the WYSIWYG rule. If a user doesn't have access to any item, the user will not be able to see the item unless the user has rights to see all.


    http://farhanfaiz.wordpress.com

  • Wednesday, April 04, 2012 8:18 AM
     
     

    Hi,

    Can you create a SharePoint group, put those AD members in that group and try to grant permissions on this new SharePoint group?

  • Wednesday, April 04, 2012 8:39 AM
     
     
    Hi, if I assign the AD user directly to the document library it works ... if I try to assign the AD group to the document library (the AD user is member of that group) it does not work...
  • Wednesday, April 04, 2012 8:41 AM
     
     

    I know. I have set explicit access to the document library:

    Site Collection => Read permission for AD group 'Site-Visitors-Read' with the following member: "Domain Users"

    Document Library => Read permission for the AD Group 'Doc-Visitors-Read' with the following member: "domain\sp-test"

    Item => Read permission for "domain\sp-test"

  • Wednesday, April 04, 2012 8:57 AM
     
     

    I would take the approach already mentioned by babylonsr,

    Create the granularity you need with SharePoint groups including roles and permissions, don't add anyone or anything into these groups except your AD security groups.


    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.
    Please remember to click "Mark As Answer" if a post solves your problem or "Vote As Helpful" if it was useful.

  • Wednesday, April 04, 2012 9:08 AM
     
     

    Thank you for your reply...tried this now...still not working => get an Access denied error when trying to open the document library and the doc library is not listed in the all content overview

    BR,

    juvi

  • Wednesday, April 04, 2012 9:24 AM
     
     

    OK, so to clarify you have the following;

    • Site collection - access to "AD_Domain_Users"
    • A library within a site with read access to "SharePoint_Group" whose member is "AD_Group" whose only member is "domain\sp_test"
    • An item within the library with read access to "SharePoint_Group" whose only member is "AD_group"

    And you get an access denied when trying to access the library or item as the user "domain\sp_test", Is that correct?


    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.

  • Wednesday, April 04, 2012 9:43 AM
     
     
    Yes that is true. Tried now the "Check permissions" button and entered my "domain\sp_test" user => the result was none although the user is in the AD_group. The other library is in a site collection one level deeper in the forest (there it works and just shows me the AD_Group which member is the test user)
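
A scripted counterpart to the "Check permissions" lookup mentioned above, run at each of the three levels discussed in the thread (site, library, item). This is an added example, not part of any post; the site URL, library title and item ID are placeholders, and the helper name `Get-LevelReport` is hypothetical.

```powershell
# Added example, not from the thread. Run in the SharePoint Management Shell
# on a farm server. $SiteUrl, $ListTitle and $ItemId are placeholders.
param(
    [string]$SiteUrl   = 'http://sharepoint.example/sites/demo',
    [string]$ListTitle = 'Documents',
    [int]   $ItemId    = 1,
    [string]$Login     = 'domain\sp_test'   # test account named in the thread
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-LevelReport {
    param($Securable, [string]$Level, [string]$Login)

    # Effective permission mask SharePoint resolves for this login at this scope
    $mask = $Securable.GetUserEffectivePermissions($Login)
    $view = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems

    # Principals (users, AD groups, SharePoint groups) with a role assignment here
    $principals = $Securable.RoleAssignments | ForEach-Object {
        $roles = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ','
        '{0} [{1}]' -f $_.Member.Name, $roles
    }

    New-Object PSObject -Property @{
        Level        = $Level
        UniquePerms  = $Securable.HasUniqueRoleAssignments   # inheritance broken?
        CanViewItems = (([long]$mask -band [long]$view) -ne 0)
        Effective    = $mask.ToString()
        Assignments  = $principals -join '; '
    }
}

$web = Get-SPWeb $SiteUrl
try {
    $list = $web.Lists[$ListTitle]
    $item = $list.GetItemById($ItemId)
    @(
        Get-LevelReport $web  'Site'    $Login
        Get-LevelReport $list 'Library' $Login
        Get-LevelReport $item 'Item'    $Login
    ) | Format-List Level, UniquePerms, CanViewItems, Effective, Assignments
}
finally { $web.Dispose() }   # release the SPWeb handle
```

A level where the AD group appears under Assignments but CanViewItems is False for the member account matches the symptom reported here: the assignment exists, yet the login does not resolve to it.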
  • Wednesday, April 04, 2012 10:06 AM
     
     
    Just wanted to check, the AD group you have set up is in fact a security group and not a distribution group?

    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.

  • Wednesday, April 04, 2012 10:08 AM
     
     
    It is group type "security"...
  • Wednesday, April 04, 2012 10:50 AM
     
     

    Something very strange going on, can you confirm that the AD groups are not "nested" within other AD groups and if possible have been created as a "Global" group?


    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.

  • Wednesday, April 04, 2012 10:57 AM
     
     
    yes really strange I have really no ideas => the AD groups are not nested and it is a global security group. But the test user has also no access if I create a sharepoint group for him with read permissions to the document library. If I assign the ad test user directly to the doc library it works...
  • Wednesday, April 04, 2012 11:06 AM
     
     
    I now created another ad group...suddenly this group is working now!? can the old group be corrupt? I have not so much experience with AD. . .
  • Wednesday, April 04, 2012 11:26 AM
     
     
    It's unlikely it's corrupted but I have seen forum posts where people have removed the groups and started again to remove any doubt.  You got the end result which is the main thing.

    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.

    • Marked As Answer by juvi123 Wednesday, April 04, 2012 12:13 PM
    • Unmarked As Answer by juvi123 Friday, April 13, 2012 12:14 PM
  • Wednesday, April 04, 2012 12:14 PM
     
     
    Thank you very much for your assistance! BR juvi
  • Friday, April 13, 2012 12:16 PM
     
     

    Hey,

    I have found out something interesting: the read permission on the items is working, but not on items where the workflow is currently with status "in progress" ?? any ideas?

    BR, juvi

  • Friday, April 13, 2012 12:23 PM
     
     Answered

    That could depend on what the workflow actually does.  You might be better to ask a fresh question with more information about the issue Juvi.


    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.

    • Marked As Answer by juvi123 Friday, April 13, 2012 4:36 PM