locked
What is the minimum permission set required on a subsite to allow someone to navigate form the homepage to a sub-sub site? RRS feed

  • Question

  • MOSS2007 -

    We have a situation where we want to allow personnel to navigate from the homepage to a lower-level subsite using the tabs and/or the quick launch, but not allow them to access any of the data on the homepage or on intermediate sites.

    In the past, we were successful with creating a permission set with only two permission levels (View Pages  -  View pages in a Web site.  & Open  -  Allows users to open a Web site, list, or folder in order to access items inside that container.) which when applied to the homepage, allowed users in that group to see webparts on the homepage but nothing in the webparts, the tabs and the quick launch.

    Now we have a case where the users have access to a sub-sub site and we do not want them to have access to data on the homepage or the subsite.  So when I applied our two-level permission set to the subsite I was surprised that 1) the tab and quick launch navigation did not display for users in that group and 2) that they were denied acces to the subsite.  If I increase the group's access level to View, then of course they see the navigation and can get to the subsite, but also of course see the content of that subsite.

    Our backup plan is to try a table of contents webpart but I'm wondering if anyone has experienced this situation where they wanted personnel to navigate to a sub-sub site through a subsite, but did not want those personnel to have access to any data on the homepage or that subsite?  Or if there were any other recommendations for alternative solutions?  Thanks,

    -Richard.

    • Edited by Mike Walsh FIN Saturday, January 8, 2011 8:05 AM MOSS2007 - not needed in Title as default here. Put in text
    Friday, January 7, 2011 10:34 PM

All replies

  • Make sure that your subsite has inherited permission from main site.Sometimes it will not propegated properly to subsites then break the inheritance and add it again.

    You could also think about audience targeting for your navigation

    Sunday, January 9, 2011 4:48 PM
  • Thanks for the note.  The subsite unfortunately has broken inheritance, but the same group is applied with the same two-item permission level in both locations.  At the sub-sub site the group is applied with Contribute permissions.

    I was hoping that I would not have to resort to audiences, but I may have to if there isn't a fix for why the permission level works only at the root and does not work at a subsite level.

    Monday, January 10, 2011 9:43 PM
  •  

    "permission level works only at the root and does not work at a subsite level".

    I will say its not a correct statement.Permission level works same way whether it is root or sub site.If you have inherited permission from root then it will take that otherwise (Broken inheritance ) current site permission.

    You could read more about secuirity http://blogs.msdn.com/b/arpans/archive/2008/05/09/sharepoint-end-user-security.aspx

    Answering your question

    1. What is the minimum permission set required on a subsite to allow someone to navigate form the homepage to a sub-sub site?

    Should be in Restricted Readers group of sites and sub site in the navigation

    2. Now we have a case where the users have access to a sub-sub site and we do not want them to have access to data on the homepage or the subsite

    Answering your case:

    1.Create a sub site with unique permissions (Broken inheritance).During the creation it will ask for groups that you should specify a view group because by default it will show the same view group used by the parent site. 

    2.Go to the Navigation setting of the sub (site newly created) set global navigation (Top Menu) to Display the navigation items below the current site.

    3. Set current navigation (Quick Launch) to Display the navigation items below the current site.

    4. Add the user to view group(Created in the first step) of Sub Site.

    5.Make sure that home page is a published page because read only users can see only published contents.

    Step 2 and 3 are required because if the user doesn't have any permission to access the page specified in the navigation menu then user will get a access denied error.Reason Navigation menu internally try to access the link in the navigation.


     

    Tuesday, January 11, 2011 3:11 AM
  • Thanks for the info and link.

    However, I am still puzzled why the same set of permissions work in one case but does not work in the other.

    We do not want the users of the sub-sub-site to be able to read anything at the site and sub-site level.  So, we created a permission set (which we call Navigation Only) with only two permission levels (View Pages and Open).  If we want users to be able to navigate to their sub-site (where the permissions group is applied with Contribute access) from the homepage (where we don't want those users to have Read access to any content,) we apply our group with the Navigation Only permission set.  This works great as those users see only the Tabs and Quick Launch items that they have access to.  Web parts are empty except for a message that says that they do not have access to view the content.

    However, when we have users who have contribute access at a sub-sub-site, and apply the group with the Navigation Only permission set at the homepage and sub-site level, the users in that group can access the Homepage but they do not see the tab nor the quick launch navigation.  If I apply the group with the Read permission set to the sub-site, then the navigation on the homepage shows up, but of course now they have Read access to the sub-site content which we do not want.  All we want is for them to be able to access to Tab and quick launch navigation to be able to drill down to their sub-sub-site.

    I was hoping that there was something simple that I missed, but I guess not...

    Friday, January 21, 2011 9:43 PM
  • Sorry for the delay. I am confused by such a long thread. Anyway, my simple test shows that user don't need any permission on the sub-site to be able to open the sub-sub-site.
    Tuesday, February 8, 2011 8:20 AM
  • Well, our workaround is to give the visitors Read access at the Site permissions, then break permissions on every list, library and page in the site so that they can only navigate to the subsites.

    I hope that this is fixed in 2010...

    -Richard.

    Tuesday, April 12, 2011 4:47 PM