none
Conflicts in permissions

    Question

  • Having some problems that I think are permission in nature.  I've looked on the net but can't seem to find an answer.  Should a user (whether an individual user or in a group) be on the permissions for the site only once?  In other words, should a site owner not be listed as an approver or member of the group as well?  If the permissions in the two instances conflict, how does SharePoint resolve the conflict?  If a person is a site collection administrator, do they even need to appear in the permissions list on a particular site, or do they automatically receive permissions?  Any helpful articles that address this issue directly would be helpful.  General permissions articles  that I have seen, don't really answer these questions.
    Wednesday, September 18, 2013 3:37 PM

Answers

  • With the exception of Web Application User Permission Policies (which aren't what you are asking about here), permissions in SharePoint are always additive.  So to answer your questions:

    1. There is no reason that requires a user to only be on a site once.  they might be a member of two groups that provide completely separate permissions.  for example, you might be a member of the Members group that gives you Contribute permission to the whole Web site and a member of the Style Resource Readers group that gives you Read access to the Style Resource Library within a Web site.
    2. A site owner can be listed as an approver also.  But in general they wouldn't need to be since they already have Full control permissions as the site owner.
    3. Permissions are always additive.  So if there are different permissions assigned by different group memberships then the effective permissions are the sum of all the permissions assigned.
    4. Site Collection Admins are automatically given full control, so they don't really need to be added as site owners.  But it doesn't hurt anything eitehr.

    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    • Marked as answer by DonCu Wednesday, September 18, 2013 6:30 PM
    Wednesday, September 18, 2013 5:36 PM

All replies

  • With the exception of Web Application User Permission Policies (which aren't what you are asking about here), permissions in SharePoint are always additive.  So to answer your questions:

    1. There is no reason that requires a user to only be on a site once.  they might be a member of two groups that provide completely separate permissions.  for example, you might be a member of the Members group that gives you Contribute permission to the whole Web site and a member of the Style Resource Readers group that gives you Read access to the Style Resource Library within a Web site.
    2. A site owner can be listed as an approver also.  But in general they wouldn't need to be since they already have Full control permissions as the site owner.
    3. Permissions are always additive.  So if there are different permissions assigned by different group memberships then the effective permissions are the sum of all the permissions assigned.
    4. Site Collection Admins are automatically given full control, so they don't really need to be added as site owners.  But it doesn't hurt anything eitehr.

    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    • Marked as answer by DonCu Wednesday, September 18, 2013 6:30 PM
    Wednesday, September 18, 2013 5:36 PM
  • Thank you very much.  A very clear answer and much appreciated.
    Wednesday, September 18, 2013 6:30 PM