none
Restricting access to a library

    Question

  • Sharepoint is on a domain with 5K + users.  We have a library with some documents that we only want about 20 of these users to be able to access/read.  What do we need to do to accomplish this?

    Craig

    Friday, February 12, 2010 7:05 PM

Answers

  • Well I didn't understand much of the first reply so here's an answer in what I hope are simpler words.


    1. You can specify security at document library level.

    (Open the document library; go to List settings and then there's an option for permissions)

    2. You can create a SharePoint Group; add to it your 20 users and then amend the rights of the SharePoint Group so that they are exactly what you want them to be.


    Combining 1. and 2. you then add the SharePoint Group to the page you get in 1. to set permissions and remove all the other groups that originally had access rights.


    Provided the members of your SharePoint group have at least equivalent rights to the site in which the document library is contained, this will work fine and do what you seem to want to do.

    FAQ sites: (SP 2010) http://wssv4faq.mindsharp.com; (v3) http://wssv3faq.mindsharp.com and (WSS 2.0) http://wssv2faq.mindsharp.com
    Complete Book Lists (incl. foreign language) on each site.
    • Proposed as answer by Jerry Yasir MVPMVP Sunday, February 14, 2010 9:46 AM
    • Marked as answer by Lily Wu Friday, February 19, 2010 5:30 AM
    Saturday, February 13, 2010 7:33 AM
  • Make is really easy for Management and adding to Mike's solution.

    1. Ask the IT team to give you Active Directory Group that contains the 20 Users
    2. On Site Collection Root Site Create a Permission Level with the permissions you want to assign to this group.
    3. Goto your Lists Settings -> Permissions and Break the Inheritance
    4. Remove all other users
    5. Click Create Users and Enter Active Directory group name
    6. Select the permission Level you created in step 2 and click Ok.

    Done.  This way you dont have to manage the users yourself.  It is normal that these users will become 40 over time so leave it to IT Admins :) rather than adding a removing users from SharePoint.

    J:


    Jerry
    • Marked as answer by Lily Wu Friday, February 19, 2010 5:30 AM
    Saturday, February 13, 2010 12:40 PM

All replies

  • Hi,

    As a site owner, you can associate permissions with permission levels and also associate permission levels with users and SharePoint groups. Users and SharePoint groups are associated with securable objects such as sites, lists, list items, libraries, folders within lists and libraries, and documents.
     For more information about assigning permissions in different securable objects, see About controlling access to sites and site content.

    also refer to http://office.microsoft.com/en-us/help/HA101001491033.aspx


    Best Regards, Ammar MCT http://ahmed-ammar.blogspot.com Posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, February 12, 2010 7:55 PM
  • Well I didn't understand much of the first reply so here's an answer in what I hope are simpler words.


    1. You can specify security at document library level.

    (Open the document library; go to List settings and then there's an option for permissions)

    2. You can create a SharePoint Group; add to it your 20 users and then amend the rights of the SharePoint Group so that they are exactly what you want them to be.


    Combining 1. and 2. you then add the SharePoint Group to the page you get in 1. to set permissions and remove all the other groups that originally had access rights.


    Provided the members of your SharePoint group have at least equivalent rights to the site in which the document library is contained, this will work fine and do what you seem to want to do.

    FAQ sites: (SP 2010) http://wssv4faq.mindsharp.com; (v3) http://wssv3faq.mindsharp.com and (WSS 2.0) http://wssv2faq.mindsharp.com
    Complete Book Lists (incl. foreign language) on each site.
    • Proposed as answer by Jerry Yasir MVPMVP Sunday, February 14, 2010 9:46 AM
    • Marked as answer by Lily Wu Friday, February 19, 2010 5:30 AM
    Saturday, February 13, 2010 7:33 AM
  • Make is really easy for Management and adding to Mike's solution.

    1. Ask the IT team to give you Active Directory Group that contains the 20 Users
    2. On Site Collection Root Site Create a Permission Level with the permissions you want to assign to this group.
    3. Goto your Lists Settings -> Permissions and Break the Inheritance
    4. Remove all other users
    5. Click Create Users and Enter Active Directory group name
    6. Select the permission Level you created in step 2 and click Ok.

    Done.  This way you dont have to manage the users yourself.  It is normal that these users will become 40 over time so leave it to IT Admins :) rather than adding a removing users from SharePoint.

    J:


    Jerry
    • Marked as answer by Lily Wu Friday, February 19, 2010 5:30 AM
    Saturday, February 13, 2010 12:40 PM
  • Jerry's solution is an equally valid approach.

    There are pluses but also minuses with using AD groups rather than SP groups.

    These include:

    AD groups: no work for the SP administrator in maintaining the group. But on the other hand it's out of his control and there may be a time gap between a (new) user asking an SP administrator to be given access to a site/library (etc.) and the user being added by the AD people who sometimes do these things once a week - the SP administrator meanwhile gets asked all the time why the user still can't access the site/library. Using SP groups the SP admin is asked and then he adds the user. Problem solved.

    AD groups also take time to set up. I.e. Jerry's 1. is not immediately followed by the AD group being available. An SP group as it is done by the SP administrator is setup immediately.


    So it's a matter of choice. I used to prefer AD groups as the technically better solution by keeping all access control in one place. But practically this isn't always the most conventient solution and you often end with a mix of SharePoint groups and AD Groups used for access to SP resources which is messy. The Best Practices book has a large chunk of text on the dilema and comes down I think in favor of using SP groups because of the sheer practicality of using them.

    FAQ sites: (SP 2010) http://wssv4faq.mindsharp.com; (v3) http://wssv3faq.mindsharp.com and (WSS 2.0) http://wssv2faq.mindsharp.com
    Complete Book Lists (incl. foreign language) on each site.
    Saturday, February 13, 2010 12:50 PM
  • I was expecting the same remarks from you on this.  You are very right.  SharePoint Admins are very responsive :) as compared to IT guys :). 

    J:


    Jerry
    Sunday, February 14, 2010 9:47 AM
  • I agree that using AD groups vs SharePoint groups both have advantages and disadvantages, and it really does depend on the specifics of what you are trying to achieve.

    One of the big deciding factors for me is whether or not a group will be re-used in many places. A SharePoint group is only defined at the site collection level, meaning it cannot be re-used across multiple site collections. In the case where a group needs to be defined for multiple sites or purposes, an AD group would then be a better choice.

    Paul.

    Sunday, February 14, 2010 1:56 PM