Custom Permission Levels: Subsite Access, Global Navigation and Webpart Permissions - Configuration Questions

  • Question

  • We're running MOSS 2007 Enterprise with the Dec 2010 Cumulative Update (12.0.0.6550).  I am trying to get a tab to show up in the Global Navigation for users to click through so that they can get to their subsite.  The sticky point is that the personnel clicking through are not authorized to see the content on the site that they are clicking through.  It works just fine in a one-level scenario, but when we get into two-levels, the permissions do not work the way I'd think they should work, and I need a sanity check.

     

    Here's the one-level scenario that works:

    ·     Homepage - Custom Permission Level has Site Permissions: View Pages & Open checked

    ·     Subsite - Standard Contribute Permission level

     

    If your ID is in a SharePoint group applied to the Homepage with the Custom Permission Level, you see "empty" webparts (the message users see is "There are no items to show in this view of ..." which is acceptable to us) and only those tabs in the Global Navigation that you have Contribute access to.

     

    Here's the two-level scenario that does not work:

    ·     Homepage - Custom Permission Level has Site Permissions: View Pages & Open checked

    ·     Subsite - Custom Permission Level has Site Permissions: View Pages & Open checked

    ·     Sub-Subsite - Standard Contribute Permission Level

     

    I'd expect that if your ID is in a group applied to the homepage and subsite with the custom level you would see empty webparts on the homepage and the subsite, and be able to click tabs in the Global Navigation to navigate first to the subsite, then to the sub-subsite where you have Contribute permissions.  That is not the case.  First, you do not see the tab in the Global Navigation on the homepage.  Second, if you type in the URL of the subsite, you are denied access.  Of course, if you type in the full URL to the sub-subsite, you have Contribute access as expected.  If you change the subsite permissions to the standard Read Permission level, the tab shows up on the homepage and you have access to the subsite, but now you also see content in the webparts (which is what we are trying to avoid.)  So I played around with some other Custom Permission Levels, and here's where I'm stuck.

     

    All of the following two-level scenarios have the homepage permissions fixed with the Custom Permission Level described above (Custom Permission Level 1 below) and the sub-subsite permissions fixed with the standard Contribute Permission level, while the subsite permissions are tweaked with the Custom Permission Levels described below.  When I’m done here I will go back and try tweaking the homepage permissions as well, although I am doubtful that will change anything, and report back what I find out.

     

    Custom Permission Level 1: (listing the above for completeness)

    ·     Site Permissions: View Pages & Open - checked

    Personnel are denied access to the subsite and the link does not appear on the homepage.

     

    Custom Permission Level 2:

    ·     Site Permissions: View Pages, Browse User Information & Open - checked

    Personnel have access to the subsite and the webparts on the subsite are empty, but the link does not appear on the homepage.  The “Browse User Information” setting driving access to a site in SharePoint does not seem intuitive to me!  (sanity check please)

     

    Custom Permission Level 3:

    ·     List Permissions: View Items - checked

    ·     Site Permissions: View Pages, Browse User Information & Open - checked

    Personnel have access to the subsite, and the link appears on the homepage, but the webparts on the subsite display content. 

     

    Custom Permission Level 4:

    ·     List Permissions: View Application Pages - checked

    ·     Site Permissions: View Pages, Browse User Information & Open - checked

    Personnel have access to the subsite and the webparts are empty, but the link does not appear on the homepage. 

     

    Custom Permission Level 5:  

    ·     List Permissions: View Items & View Application Pages - checked

    ·     Site Permissions: View Pages, Browse User Information & Open - checked

    Personnel have access to the subsite, and the link appears on the homepage, but the webparts on the subsite display content.  (same as scenario 3 above)

     

    What I am trying to achieve is personnel have access to the subsite, the link appears on the homepage, and the webparts on the subsite are empty.  I am not having much luck getting this configuration to work in our environment and am looking for help.

     

    -Richard.

     

     






    • Edited by _Richard_D_ Wednesday, August 10, 2011 7:51 PM update title again
    Wednesday, August 10, 2011 7:22 PM

Answers

  • Thank you for the update Richard.  I did some more research on this and it looks like "View items" list permission is mandatory on subsite level to render the navigation with all the nodes.
     
    I followed the steps below on an environment with build version 12.0.6562 (June 2011 CU):
     
    1.    Create a root site collection based on team site template  http://sharepoint2007/ and activated publishing feature (Site collection and site level)
    2.    Create a subsite under the root site collection based on team site template http://sharepoint2007/subsite select "Use unique permissions" and enabled site publishing feature
    3.    Create a subsite under the subsite based on team site template  http://sharepoint2007/subsite/subsubsite select "Use unique permissions" and enabled site publishing feature
    4.    Enable "Show subsites" from site navigation setting page
    5.    Access the root site collection http://sharepoint2007/ and go to Site setting >> Advanced permissions >>  Permission  levels under Setting dropdown
    6.    Create a custom permission level "View Pages-RootSite" by selecting site permission  "View pages and Open"
    7.    Create a custom permission level "View Pages-SubSite" by selecting site permission  "View pages  and Open" and list permission "View items"
    8.    Go to the root site's advanced permissions  http://sharepoint2007/_layouts/aclinv.aspx and add the user or group you wanted to have restricted permission and select "Give users permission directly" and select "View Pages-RootSite" permission and click Ok
    9.    Go to the subsite's advanced permissions  http://sharepoint2007/subsite/_layouts/aclinv.aspx and add the user or group you wanted to have restricted permission and select "Give users permission directly" and select "View Pages-SubSite" permission and click Ok
    10.    Added the user or group to the sub-subsite with contribute permission by accessing the link  http://sharepoint2007/subsite/subsubsite/_layouts/aclinv.aspx
     
    I am able to log in with the user with restricted permission and see the navigation. And the user is able to see the data in the list view webpart on the subsite (I have an announcement webpart of the default.aspx page). But the user will not be able to access the list or library on the subsite and will get access denied.

    And if we uncheck the list permission "View items" permission on custom permission level "View Pages-Subsite", the  subsite will disappear from global navigation (Top navigation)
     
    Conclusion:
    Since the View list permission is needed on the subsite level to display the subsite in global navigation, then  the user will also see the items in the list view webpart. Alternate option is to set granular permission to the list/library or audience target the webpart.

    Thanks,
    Manas
    • Marked as answer by Seven M Thursday, August 25, 2011 5:22 AM
    Tuesday, August 23, 2011 11:41 AM
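
Steps 6 to 10 of the answer above, scripted against the WSS 3.0 object model and followed by a report of the account's effective rights at each level (an added example, not part of the original posts). The account name is a placeholder, and the three sites are assumed to exist with unique permissions and inherited permission-level definitions, as set up in steps 1 to 5.

```powershell
# Added example, not from the thread. Run in PowerShell on a MOSS 2007 farm server.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$login   = "DOMAIN\restricted.user"            # placeholder account (assumption)
$rootUrl = "http://sharepoint2007/"            # URLs as used in the answer
$subUrl  = "http://sharepoint2007/subsite"
$leafUrl = "http://sharepoint2007/subsite/subsubsite"

function Open-Web([string]$url) {
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    return $site.OpenWeb()                     # the web addressed by $url
}

function Ensure-PermissionLevel($web, [string]$name, [string]$rights) {
    if (-not ($web.RoleDefinitions | Where-Object { $_.Name -eq $name })) {
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition
        $role.Name = $name
        # Comma-separated flag names are parsed into the SPBasePermissions mask.
        $role.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$rights
        $web.RoleDefinitions.Add($role)
    }
}

function Grant-Level($web, [string]$login, [string]$levelName) {
    # Fails on a web that still inherits permissions (see steps 2 and 3).
    $user = $web.EnsureUser($login)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$levelName])
    $web.RoleAssignments.Add($assignment)
}

$root = Open-Web $rootUrl
$sub  = Open-Web $subUrl
$leaf = Open-Web $leafUrl

# Steps 6-7: permission levels are defined once, on the root web.
Ensure-PermissionLevel $root "View Pages-RootSite" "ViewPages, Open"
Ensure-PermissionLevel $root "View Pages-SubSite"  "ViewPages, Open, ViewListItems"

# Steps 8-10: one direct assignment per level of the hierarchy.
Grant-Level $root $login "View Pages-RootSite"
Grant-Level $sub  $login "View Pages-SubSite"
Grant-Level $leaf $login "Contribute"

# Report what the account can actually do at each level.
foreach ($web in $root, $sub, $leaf) {
    foreach ($right in "Open", "ViewPages", "ViewListItems", "BrowseUserInfo") {
        $mask = [Microsoft.SharePoint.SPBasePermissions]$right
        "{0,-45} {1,-15} {2}" -f $web.Url, $right, $web.DoesUserHavePermissions($login, $mask)
    }
    $site = $web.Site
    $web.Dispose()
    $site.Dispose()
}
```

The `ViewListItems` row for the subsite is the one to watch: per the answer, it is what makes the navigation node render and also what lets the list view web part show items.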

All replies

  • Hi,

     

    Thank you for your question.

     

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

     

    Thank you for your understanding and support.

     

    Seven Ma

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com  

    Thursday, August 11, 2011 7:43 AM
  • I tested with the group applied to the Homepage with the same Permission Level as the group applied to the subpage with no changes in results, except now you had the expected outcome of additionally seeing content in the webparts on the homepage in scenarios 3 and 5.

    -Richard.

    Thursday, August 11, 2011 5:47 PM
  • Hello,

    Thank you for your post. Instead of giving users of this group access to "click through" the Subsite to reach the Sub-Subsite, you can skip the middle step altogether (i.e. give these users a direct link to the Sub-Subsite so they never have to go through the Subsite, which they are not authorized to see).  I tried this out in my test environment and it works great.  Below are the steps I took.

     

    For ease of explanation, I will use "Root" when referring to the main page, "Subsite" for its subsite, and "Sub-Subsite" for the subsite under that.

     

                    1. Created AD Security group named "PermGroup"

                    2. Created SharePoint group named "TestPerms" and added PermGroup into this group

                    3. Gave this group Read access to the Root site (and its subsites)

                    4. Broke inheritance at Sub-Subsite level and gave Contribute access to TestPerms group

                    5. Broke inheritance at Subsite level and removed all permissions for TestPerms group

                   

    At this point, Root, Subsite, and Sub-Subsite all have the desired permissions (Read, None, and Contribute, respectively).  However, the users in the TestPerms group still need to be able to navigate to the Sub-Subsite (as they will not be able to click through Subsite at all).

                   

                    1. From the Root site, clicked on Site Actions > Site Settings > Modify Navigation

                    2. On the Site Navigation Settings page, click Add Link

                    3. Enter the site name and the direct URL to the Sub-Subsite

                   

    The Sub-Subsite will now appear as a tab in the Global Navigation.  If you would like to restrict who is able to see this new tab, you can use Audiences to accomplish this.  Please see the following link for more information on targeting content to specific Audiences.  Specifically, see Section 3 "Target a navigation link to an audience". http://office.microsoft.com/en-us/sharepoint-server-help/target-content-to-specific-audiences-HA010169053.aspx 

     

    Thanks,

    Manas

    Friday, August 12, 2011 3:03 PM
  • Thanks, but that is a workaround, not a fix to my original question. 

    I should have mentioned that there are several sets of subsites and sub-subsites, each protected by different groups.  By using the standard SharePoint navigation capability "Show Sites," users only see the subsites that they have access to.  By implementing your recommendation, the manually added navigation links to the subsites would require applying Audiences to have the desired visibility.  This is an issue for us as new groups are added frequently, and thus would require continual maintenance of the audiences on those links.  The costs of reproducing the Navigation links manually, as well as maintaining the frequently changing Audiences, were considered by us, but deemed too expensive an overhead.

    I believe this to be an issue, as the same permission level acts differently on the homepage (root) than on a subsite, not to mention that the Browse User Information setting is controlling whether someone has access to a subsite, which is not intuitive at all.

    I guess I'd still like to know if the issues I have discovered are reproducible in other MOSS 2007 Enterprise Dec 2010 Cumulative Update configurations, and/or in later configurations.  If an existing patch may fix us, that would be acceptable.  Otherwise, I believe this may be a bug?

    Thanks again,

    -Richard.

     


    Monday, August 15, 2011 4:24 PM
  • Hello Richard,

    After some additional research, I have found no evidence that this behavior is a reproducible incident in any of the current versions of MOSS 2007.  We need to further investigate and analyze your environment to better understand what is going on here. Your question falls into the paid support category, which requires a more in-depth level of support. Please visit the link below to see the various paid support options that are available to better meet your needs: http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone. If you are an MSDN / TechNet subscriber, you can also contact our support by using your free support incidents.

    However, other members of the community may still have encountered the issue you're seeing, and have a solution to offer!

    Thanks,

    Manas

     

    Wednesday, August 17, 2011 4:18 AM
  • Thanks for the response.  Your attention to this thread is important to me.

    I was very detailed with my configuration and test script to try to make it testable by others, as the research I performed did not uncover any documentation of this issue.  Can you please be a bit more specific about what you did?

    Did you create the sites, subsites, Custom Permission Levels and the associated Groups in a MOSS 2007 environment? If so, is the pass-through behavior the same at the root, as well as the subsite?  Also, please tell me if the Browse User Information setting is controlling or not controlling access at the site level. 

    I have reproduced this issue in our development environment, which is a completely different farm and still running 32 bit (the PRD farm is all 64 bit).  Did you test in a 32 or 64 bit Farm?

    Maybe this isn't a server-side issue but a desktop configuration...  We have an older version of IE as our desktop standard.  I don't think that could be the issue, but you never know unless you test.  What browser and version were you using?  I'll go test with a later IE version just to make sure on my end.

    We do not use virtual servers in our PRD environment, but we do use them in DEV, and because I can see this issue in both environments, I do not believe that using virtual servers or not could be the cause.  What was your environment, using virtual servers or not?

    I do not use Central Admin much (that responsibility is our SA's, not mine) but I do have access, so if there are any settings there I should look at, please let me know.  Also, are there any other configurations you recommend that I can go test?

    Thanks again,

    -Richard.

     

    Thursday, August 18, 2011 6:03 PM