locked
Effective permissions for user assigned to multiple SharePoint Security Groups RRS feed

  • Question

  • I have several SharePoint Users who have been assigned to various SharePoint Security Groups all with different sets of permissions levels assigned to the various SharePoint Security groups.  Many of these users have been assigned Design or Full Control on the SharePoint site.  However, a number of the users have also been receiving error messages in SharePoint Designer when performing operations such as publishing a workflow stating that they do not have sufficient permissions to perform the operation.

    Therefore, is there a way to determine what are the overall effective permissions for a user when they have been assigned to multiple SharePoint security groups?  Does the lowest level security group (such as Limited Access or Read Only) take effect or does the highest level security group (such as Design or Full Control) take effect?

    Is there a recommended strategy or set of guidelines for assigning users to SharePoint security groups that must be followed in order to avoid such error messages?  Do I need to ensure that only a single user is assigned to a single SharePoint security group?

    Please advise.

    Friday, October 14, 2011 8:01 PM

Answers

  • > Does the lowest level security group (such as Limited Access or Read Only) take effect or does the highest level security group (such as Design or Full Control) take effect?

    Highest. I.e. if one group gives read, and another delete, then the user has read and delete.

     

    > Limited Access

    I wish Microsoft would have picked another name for this. "Limited Access" means custom access. If a user belongs to the Visitor group, but has Contribute permissions on one library, then the user is listed as having "Limited Access".

     

    > a number of the users have also been receiving error messages in SharePoint Designer when performing operations such as publishing a workflow stating that they do not have sufficient permissions to perform the operation

    The discussion here might help. Find the part about "Workflows document library is a hidden library".

     

    > Therefore, is there a way to determine what are the overall effective permissions

    For a site, go to Site Actions,Site Permissions, click Check Permissions in the ribbon and enter the user's name.

    For a list/library, go to the list/library, click the Library ribbon and then the Permissions button (far right).

     

     


    Mike Smith TechTrainingNotes.blogspot.com
    • Marked as answer by Seven M Thursday, October 20, 2011 1:43 AM
    Saturday, October 15, 2011 1:20 AM

All replies

  • > Does the lowest level security group (such as Limited Access or Read Only) take effect or does the highest level security group (such as Design or Full Control) take effect?

    Highest. I.e. if one group gives read, and another delete, then the user has read and delete.

     

    > Limited Access

    I wish Microsoft would have picked another name for this. "Limited Access" means custom access. If a user belongs to the Visitor group, but has Contribute permissions on one library, then the user is listed as having "Limited Access".

     

    > a number of the users have also been receiving error messages in SharePoint Designer when performing operations such as publishing a workflow stating that they do not have sufficient permissions to perform the operation

    The discussion here might help. Find the part about "Workflows document library is a hidden library".

     

    > Therefore, is there a way to determine what are the overall effective permissions

    For a site, go to Site Actions,Site Permissions, click Check Permissions in the ribbon and enter the user's name.

    For a list/library, go to the list/library, click the Library ribbon and then the Permissions button (far right).

     

     


    Mike Smith TechTrainingNotes.blogspot.com
    • Marked as answer by Seven M Thursday, October 20, 2011 1:43 AM
    Saturday, October 15, 2011 1:20 AM
  • I have several users which are part of a SharePoint Owners group with Full Control as well as a Contribute group.  My understanding is that the Owners group would allow them to manage permissions and groups on the site.

    However, when they log into the site, they can add/remove users to the "Owners" SharePoint group, but are unable to add or remove any users to any of the other SharePoint groups.  They do not even see the menu items to perform these actions when going into edit one of these other SharePoint groups.

    If they are supposed to be granted the highest level of privilege in SharePoint, based on their current group membership, they should be able to perform these permission operations on other SharePoint groups as well.

    What could be the cause of this problem?

    Please advise.

    Wednesday, April 11, 2012 7:32 PM