none
Sharepoint 2010 Permission level Full Control and explicit deny

    Question

  • I am facing a very frustating permission level issue with Sharepoint 2010. First, everything worked as expected up to few days ago.

    I have a user on my sharepoint 2010 env (publishing portal) named rjo who is site collection administrator and has also Full Control permission level.

    When I execute the Check Permission command from the ribbon I get the following:

    Permission levels given to xxxx\rjo

    Full Control
    Given through the "xxx Owners" group.

    The following factors also affect the level of access for xxx\rjo (xxx\rjo)

    Deny
    Manage Permissions
    Create and change permission levels on the Web site and assign permissions to users and groups.

    Deny
    Create Subsites
    Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.

    etc.. Seems like all the individual permissions are set to deny.

    If I remove the user rjo from the Full Control permission level, all the deny permissions disappear. I have tried creating a brand new permission level with Allow permission on al items but I still get the deny when I check the permissions. Notice that this happens for all the users.

    Does anyone experienced a similar issue? I suspect some kind of Windows update to have messed up the permissions but I cannot find a way to get proper permissions to my users.

    Monday, May 21, 2012 12:23 PM

Answers

  • There are 4 Permission Policies defined by default at the Web applicaiton level in Central Admin.  Make sure that Deny All hasn't been assigned to the user or a group that they are a member or.  This is the one that would apply Deny permisisons to everything.  the Full Control permission level here isn't connected to the one that your site collection admin has.


    Paul Stork SharePoint Server
    MVP Senior Solutions Architect: BlueChip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    • Marked as answer by Robert j-1 Tuesday, May 22, 2012 7:04 AM
    Monday, May 21, 2012 6:16 PM

All replies

  • The only place in SharePoint that you can apply a deny permission is at the Web Application level in Central Admin.  Those web app permissions take precedence over any permissions at the site collection level or below.  You need to check the permission policy that is applied to the web application in Central Admin.  That's where you will find the Deny permission level.

    Paul Stork SharePoint Server
    MVP Senior Solutions Architect: BlueChip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    Monday, May 21, 2012 1:29 PM
  • This is indeed the first place I checked but unfortunatly all the permissions are set to Grant for the Full Control level.

    Monday, May 21, 2012 2:58 PM
  • There are 4 Permission Policies defined by default at the Web applicaiton level in Central Admin.  Make sure that Deny All hasn't been assigned to the user or a group that they are a member or.  This is the one that would apply Deny permisisons to everything.  the Full Control permission level here isn't connected to the one that your site collection admin has.


    Paul Stork SharePoint Server
    MVP Senior Solutions Architect: BlueChip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    • Marked as answer by Robert j-1 Tuesday, May 22, 2012 7:04 AM
    Monday, May 21, 2012 6:16 PM
  • Thanks Paul, I have removed all the permission assignments in "Manage Permission Policy Levels" and recreated them.
    This seems to have solved my issue.

    Tuesday, May 22, 2012 7:04 AM
  • Hi,

    I have same issue but cannot remove "Deny all" from "Manage Permission Policy Level": how have done you? In this moment all permission management are blocked on my Site collection :(


    FabioA

    Wednesday, February 13, 2013 11:40 AM
  • Wednesday, February 13, 2013 12:01 PM
  • There is another reason this symptom (the inexplicable "deny" on everything, even though appropriate permissions are given) can happen...

    In my case, the site had become locked under the quotas and locks section of central admin.  I can't explain why this particular site got locked, because there wasn't enough content to exceed the storage quota, and no webparts had been configured that could have violated the sandboxed solutions quota.  Nevertheless, the site was locked and exhibited this behavior.


    Friday, August 09, 2013 3:19 PM
  • Awesome, Thank you, saved me so much time!  I don't know how the hell my quota got switched to the locked position, maybe when I did some upgrades last week, anyway, problem solved!

    I can now edit a page, now I need to figure out why I cant get the context menu when trying to edit a web part even though it no longer shows permission denied.

    I never seen the bottom 3 security groups that are set to limited access, its greyed out, so I cant remove that permission, but I added full control to it, and still cant edit the web part.


    Tuesday, December 31, 2013 9:33 PM
  • I had a similar issue.  When checking user permissions on any member of the site collection Owners group, the results were similar to those posted above.  Also noticed that some buttons on the ribbon were missing.  Also found that no user could add content to Library.  The Add button was missing.  Issue was only happening on one site collection in the web application, so it was not a Web App Policy issue.

    Eventually discovered that the site collection was locked as read-only.

    Central Administration > Application Management > Configure Quotas and Locks
    change the web application and site collection as needed to view setting for the affected site collection

    Found lock set to 'Read-only'  Changed to 'Not Locked'

    Monday, February 24, 2014 9:06 PM