Can i Stop Site collection administrator from accessing a site?

  • Question

  • Hi All,

    One of our departments has confidential documents and they don't want even the site collection administrator to access the site created for their department. As per my knowledge we cannot restrict the site collection administrator. Is there any workaround? I mean other than creating a new site collection for those sites?


    Thanks,
    Friend.  
    • Edited by Mike Walsh FIN Tuesday, February 17, 2009 5:36 PM (sighs) that should be "accept the speed of forums OR ring Microsoft ...
    Tuesday, February 17, 2009 4:40 PM

Answers

  • The only solution I can think of is to update the site collection administrators configuration within your Central Administration site so that they are populated with users that you do want to be able to access the site (i.e. the business users who are the only ones who should have that access). If that is just one person, you can leave the secondary role blank, but you at least need to specify a primary administrator.

    The important thing to keep in mind is that you do not need to have a SharePoint administrator as your site collection's primary site collection administrator. It can be a normal business user who is allowed to have full control of your site collection; it's just that the role needs to be configured by your SharePoint administrator.

    With WSS v3 and MOSS 2007, SharePoint's security model has been reconfigured so that situations like what you're looking for are now possible: your operational staff do not by default have access to your environment's sites. But, in the event that they do need access in order to fix a problem or error, they can use that site collection administrator setting in the Central Administration site to grant themselves that short-term access. The idea is that such an action would be logged by the system, creating an audit trail of the transaction.

    Does that help/make sense?

    John

    MCTS: WSS v3, MOSS 2007, and SCOM 2007 ******* Now Available on Amazon - the SharePoint 2007 Disaster Recovery Guide: http://is.gd/da9q
    • Marked as answer by Mike Walsh FIN Wednesday, February 18, 2009 7:00 AM
    Tuesday, February 17, 2009 10:17 PM
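
Added example, not part of the original thread or any poster's code: a PowerShell script, run on a SharePoint server, that reports the primary and secondary site collection administrators described in the answer above, every account flagged as a site collection administrator, and whether security-change auditing is switched on for that site collection. The URL is a placeholder, and the script assumes PowerShell 2.0 or later with the SharePoint object model installed locally.

```powershell
# Added example: who can administer this site collection, and is auditing on?
# The default URL is a placeholder; pass the real site collection URL.
param([string]$SiteUrl = "http://sharepoint.example.local/sites/confidential")

# Load the SharePoint server object model (WSS v3 / MOSS 2007 and later).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-SiteCollectionAdminReport {
    param([string]$Url)

    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        # Primary and secondary administrators as set in Central Administration.
        $primary = $null
        if ($site.Owner) { $primary = $site.Owner.LoginName }
        $secondary = $null
        if ($site.SecondaryContact) { $secondary = $site.SecondaryContact.LoginName }

        # Every user flagged as site collection administrator, including those
        # added through Site Settings on the top-level site.
        $admins = @($site.RootWeb.SiteAdministrators |
            ForEach-Object { $_.LoginName })

        # Is auditing of permission and security changes enabled?
        $flags   = [int]$site.Audit.AuditFlags
        $secMask = [int][Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
        $secAudit = ($flags -band $secMask) -ne 0

        New-Object PSObject -Property @{
            Url                   = $site.Url
            PrimaryAdmin          = $primary
            SecondaryAdmin        = $secondary
            AllSiteAdmins         = ($admins -join "; ")
            SecurityChangeAudited = $secAudit
        }
    }
    finally {
        # SPSite holds unmanaged resources and must be disposed.
        $site.Dispose()
    }
}

Get-SiteCollectionAdminReport -Url $SiteUrl | Format-List
```

Running it on a schedule and comparing the output against the list the department has approved shows when an unexpected account has been added.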

All replies

  • Hi,

    Did you try to "stop inherit" permission and then explicitly remove Site Collection Administrator?

    (I have never tried it but it might work.)

    Cheers,
    Daniel Bugday

    Web: SharePoint Forum Blog: Daniel Bugday's SharePoint Blog

    Tuesday, February 17, 2009 5:19 PM
  • My guess is that that won't work. I have the feeling that the site collection administrator can get at them, it's just other site administrators you can block.

    There's a recent (Jan and Feb issues) detailed two part article in TechNet magazine (or was it MSDN Mag) that the original poster should read as it might help him.

    Jan: http://technet.microsoft.com/en-us/magazine/dd297618.aspx

    Feb: http://technet.microsoft.com/en-us/magazine/2009.02.insidesharepoint.aspx

    Mar: http://technet.microsoft.com/en-us/magazine/dd424930.aspx

    (Feb and Mar was what I meant but Jan may help more)

    WSS FAQ sites: WSS 2.0: http://wssv2faq.mindsharp.com WSS 3.0 and MOSS 2007: http://wssv3faq.mindsharp.com
    Total list of WSS 3.0 and MOSS 2007 Books (including foreign language titles) http://wss.asaris.de/sites/walsh/Lists/WSSv3%20FAQ/V%20Books.aspx
    Tuesday, February 17, 2009 5:39 PM
  • Hi Mike,

    I am very much new to SharePoint. I have seen the links; they speak more about security and credentials. In short, can I assume that there is no straight way to stop the site collection administrator from accessing the sites in the collection?


    Friend.
    Tuesday, February 17, 2009 6:46 PM
  • hi friendiamforu,

    To me, the solution to this situation is 1) create the site choosing "Use unique permissions"; only choose the users trusted into the three new groups (don't use the default ones); 2) as John described, change the site collection admin, and fill only the primary blank with one of the users you chose for the site creation. But remember that this person has rights to see all the sites in the site collection and has write permission over them. Some other departments may not want this person as site collection admin ...


    allan
    Tuesday, February 17, 2009 11:23 PM
  • Hi John/allan,

     

    I got your point. As I told you, I am new to SharePoint, and SharePoint was implemented by someone else in our organisation and I am just supporting it at site collection level. So from your comments I understand that I have to do something using the Central Administration screen. But I don't have access to it. I have to escalate it to a higher level and see. Thanks for your help; I will update with progress.

    Friend.

    Wednesday, February 18, 2009 2:41 AM
  • Hi Friend


    Do you have administrator privileges on your site collection?

    If so, you can remove the users as Site Collection Administrators by going to Site Actions > Site Settings > Under User and Permissions Group > Select Site collection administrators.

    Here you will find all the Site Collection Administrators' names. As somebody said in this thread, we need at least one site collection administrator name. Remove the unwanted names except one name (you have to decide :))

    Thanks
    Wednesday, February 18, 2009 5:35 AM
  • Hi Venkat,

    I am talking about access to a subsite (for example subsite1, where the root site is rootsite). When I go to that subsite (subsite1) I don't have any site collection administrators under the users and permissions section, but when I click "go to top level site settings" under site collection administration in subsite1's site settings, it takes me to the top-level site settings, where I can add and remove site collection administrators. But by removing someone here, that particular person will not be able to access even the other subsites (subsite2, for example). I want to restrict the administrator only from accessing one subsite (for example subsite1). Is my requirement clear? If not, let me know and I will try to make it more clear.


    Friend.
    Wednesday, February 18, 2009 1:10 PM
  • Did you get the solution for this problem?
    I have the same kind of scenario where I have to restrict the site collection administrator from accessing one of the subsites in the site collection.
    Friday, March 6, 2009 11:46 AM
  • SP User said:

    Did you get the solution for this problem?
    I have the same kind of scenario where I have to restrict the site collection administrator from accessing one of the subsites in the site collection.


    Since SharePoint allows for thousands of Site Collections I would create a Site Collection for a site that had that level of Security Requirement. That way it is administered entirely separately. (I already have examples of this kind of issue in my organization and I don't think twice about creating a Site Collection to solve the problem.) Clearly there are branding issues with this choice, but it's relatively easy to deal with those compared to the administrative headaches of trying to deal with sub-site security vs. Site Collection security.

    Chris

    chris
    Friday, March 6, 2009 3:44 PM
  • Hi Oaksong,

    That's a good way, creating a new Site Collection, but then also the Farm Administrator, i.e. the main administrator who has access to the SharePoint Server, can always go and add a second administrator from Central Admin, access the documents and remove that access. No one in the organization will know that it was accessed by the SharePoint Administrator.

    Thanks,

    SP Techie
    Friday, October 23, 2009 3:50 PM
  • Hi,

    There is a SharePoint Security module that blocks site collection administrators from accessing sensitive content. It works with SP2013 and SP2010. Info (at time of publishing) about it here: https://www.berkeleyit.com/enterprise-security-services-platform-for-sharepoint/

    Hope this helps.

    Scott

    Friday, March 6, 2015 9:48 AM