SP 2010 Personalization site permissions ignored, unwanted users have 'read' access

  • Question

  • I'm a fairly new admin to SP 2010, and have put together a personalization site (My Host Site).

    In my area (/personal/amccollough) of the site, I have created a site "Foo" (/personal/amccollough/foo) for a team project. I have set site permissions manually. I have disabled inheritance. There are only three entries in the permissions list: Myself, the System Account (SHAREPOINT\system), and a SP group containing only the users (no groups) I want to have access to the site.

    The problem is, any authenticated user has access to the Foo site. They end up with 'read' permission, but they shouldn't be able to get in at all. I used the "Check Permissions" button in the permissions ribbon to check a user who should not have access, and the Check Permissions utility returns "None".

    So with inheritance disabled, and explicit permissions set, how are users not explicitly granted permission gaining read access?


    • Edited by amccollough Tuesday, March 13, 2012 5:10 PM
    Tuesday, March 13, 2012 5:09 PM

Answers

  •  

    Hi,

    As Chris said, there may be a permission policy of this web application granting read permission to all authenticated users.

    You can check this by going to Central Administration > Application Management > Manage web applications > select the web application you want to check > User Policy. If all authenticated users are granted read permission here, they would have read permission on your site.

    Thanks


    Pengyu Zhao

    TechNet Community Support

    • Marked as answer by amccollough Tuesday, March 20, 2012 5:50 PM
    Tuesday, March 20, 2012 7:10 AM
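
The same check can be scripted from the SharePoint 2010 Management Shell. This is an added example, not part of the original thread: it lists every web application user policy and flags read or full-control grants to broad principals. The function name and the patterns in `$broadPatterns` are assumptions to adjust for your domain.

```powershell
# Added example: audit web application user policies (SharePoint 2010).
# Run as a farm administrator in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: account names treated as "broad" principals.
$broadPatterns = @(
    'NT AUTHORITY\authenticated users',
    '*\domain users',
    'c:0(.s|true'    # claims-mode encoding of "All Authenticated Users"
)

# Hypothetical helper name. Covers policies applied to all zones
# ($webApp.Policies); zone-specific policies are not enumerated here.
function Get-WebAppPolicyReport {
    $defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    foreach ($webApp in Get-SPWebApplication) {
        $url = $webApp.GetResponseUri($defaultZone).AbsoluteUri
        foreach ($policy in $webApp.Policies) {
            # A policy can bind several roles: FullControl, FullRead, DenyWrite, DenyAll.
            $types = @($policy.PolicyRoleBindings | ForEach-Object { $_.Type.ToString() })

            $isBroad = $false
            foreach ($pattern in $broadPatterns) {
                if ($policy.UserName -like $pattern) { $isBroad = $true }
            }
            $grantsAccess = ($types -contains 'FullRead') -or ($types -contains 'FullControl')

            New-Object PSObject -Property @{
                WebApplication = $url
                UserName       = $policy.UserName
                DisplayName    = $policy.DisplayName
                Roles          = ($types -join ', ')
                # A broad principal with a grant here bypasses site-level permissions.
                Flagged        = ($isBroad -and $grantsAccess)
            }
        }
    }
}

Get-WebAppPolicyReport |
    Sort-Object Flagged -Descending |
    Format-Table WebApplication, UserName, Roles, Flagged -AutoSize
```

Rows with `Flagged` set to `True` are the grants that override broken inheritance on individual sites, which is why the site's Check Permissions result can read "None" while the user still gets in.
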

All replies

  • If you remove the SharePoint group from the permissions, does that remove access for the test user who shouldn't have read access?

    The way you've described your issue, it shouldn't be happening, so there must be something else going on here.


    - cawood


    Tuesday, March 13, 2012 7:27 PM
  • No difference. I removed the SHAREPOINT\system user, then on a separate computer logged in as a user that should have no access to my Foo site, and was still able to get in with 'read' access.
    Wednesday, March 14, 2012 6:54 PM
  • And you tried removing the group as well?

    One way a user could get access without showing up in the site permissions would be if the user was a site collection administrator.


    - cawood


    Wednesday, March 14, 2012 10:15 PM
  • The unwanted folks are not site collection admins, nor do they possess any elevated group memberships. Just a basic 'domain user'. And, removing groups/users made no diff. Going to Site Permissions, I took out all entries other than my own individual user account.

    Monday, March 19, 2012 6:39 PM
  • Do you know if there is a Web Application Policy granting all authenticated users Read access?  If so, this setting would override any setting made at the site collection and site levels.

    Chris Caravajal MCTS SharePoint911 Consulting & Support Services

    Monday, March 19, 2012 7:22 PM
  • Looking at "Policy for Web Application", it does show our domain users have "Full Read" permission. After I removed that setting, un-permissioned users are now prompted with the 'request access' page, which then behaves as expected. Thank you!


    • Marked as answer by amccollough Tuesday, March 20, 2012 5:48 PM
    • Unmarked as answer by amccollough Tuesday, March 20, 2012 5:48 PM
    • Edited by amccollough Tuesday, March 20, 2012 5:50 PM
    Tuesday, March 20, 2012 5:44 PM
  • Since my response was helpful, can I please get the response marked as well?

    Chris Caravajal MCTS SharePoint911 Consulting & Support Services

    Thursday, March 22, 2012 11:09 AM