locked
How we can restrict Web Application User to a Site Collection Access RRS feed

  • Question

  • I want to restrict those users who has full control access at Web Application level. Those users should not able to access one particular site collection

    So How I would restrict Web Application User (having full control permission) to access a site.


    • Edited by anuxps Friday, September 23, 2016 9:21 PM Typo
    Friday, September 23, 2016 9:21 PM

Answers

  • You're out of luck. You should have a discussion with those who set up policies that these are your choices, either remove the user from the Web App level and simply grant at the Site level or implement an HTTP module to send back a 401 based on the site they're visiting.

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by Victoria Xia Thursday, September 29, 2016 10:23 AM
    • Marked as answer by Victoria Xia Tuesday, October 11, 2016 8:18 AM
    Friday, September 23, 2016 10:53 PM

All replies

  • Hi,

    Please check this link below.

    https://social.technet.microsoft.com/Forums/office/en-US/00120bae-a7b1-4403-91e3-6d37da1e2eb7/to-restrict-some-users-to-access-sharepoint-2010-site?forum=sharepointgeneralprevious


    Please remember to click Mark as Answer on the answer if it helps you

    Friday, September 23, 2016 9:52 PM
  • You can't. Once you give Full Read or Full Control at the Web Application User Policy level, they'll have access to all Sites in that Web Application. SharePoint does not have a concept of a Deny mask at the SharePoint Site level.

    The only real way to do this would be with an HTTP ISAPI Module that checked the path of the request and denied based on username (or whatever value you define).


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


    Friday, September 23, 2016 10:28 PM
  • That is a good idea Trevor.

    Same thought I am also having but some how I can't deploy HTTP Module or such due to policy restriction.

    What I can do maximum install a feature at Web Application Level which is allow in my scenario.

    Initially I thought to create an event receiver or something to restrict the user to add/delete/edit any item on a list (Must Requirement  even If user access the site, they would not have access the list) but as you know we can't deploy List Event Receiver as a web application scope feature.  

    So No I am eagerly looking a solution either by Permission or Custom Feature at Web Application level or some other alternative to resolve this issue : How to restrict a user to add an item in a list if user is having Web Application Level Full Control Access.

    Friday, September 23, 2016 10:51 PM
  • You're out of luck. You should have a discussion with those who set up policies that these are your choices, either remove the user from the Web App level and simply grant at the Site level or implement an HTTP module to send back a 401 based on the site they're visiting.

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by Victoria Xia Thursday, September 29, 2016 10:23 AM
    • Marked as answer by Victoria Xia Tuesday, October 11, 2016 8:18 AM
    Friday, September 23, 2016 10:53 PM