Setting permissions for subsites

  • Question

  • I am new to SPS2010 so this may be an easy question for someone else, but I haven't been able to find a clear answer yet.  I have a site created for our new intranet with separate team subsites for each business group (IT, HR, BoD, Sales, etc.).  What I am trying to figure out is how can I make certain subsites (or team sites) viewable to only certain groups?  Currently any user who is authenticated as an AD user can view the home page, and all other pages even though their group does not have any permissions on the team site (yes, I made sure to disable inherit permissions).  For example...

    Bob is a regular user and has logged into his PC.  Bob is part of the Sales group in AD along with being a general user for the company.  He can view the home page of the intranet, http://intranet , he can view the HR page, http://intranet/hr  (he has rights to do this too), but he can also view the Board of Directors page, http://intranet/BoD , and the IT page, http://intranet/IT  (he should not see these two pages).

    If the inherit permissions for the subsites have been turned off, how do I correct what Bob has access to?  Should I just go back and delete all of the subsites and rebuild them making sure they never inherit the permissions from the home page from the very beginning? Just a bit confused on where I should start to try to fix this.

     

    Saturday, February 5, 2011 4:15 PM

Answers

  • The only way Bob can see those sites is if he has permissions to do so.  There has to be something giving him rights.  It's all very straightforward and works exactly how you set it up, but most of the time, people get confused about where they are setting permissions.  The only way Bob can see a site is if he has permissions via some explicit or implicit means.

    We can't see your permissions setup, so we can't really tell you what to do.  You definitely don't need to delete and remake subsites.  Just be fully aware that Bob can only see what you give Bob rights to see.  He's either getting it from a group within the subsite, from the Site Collection Administrator permission, or from the Web Application User Policy permissions (make sure you didn't accidentally add everyone here).


    SharePoint Architect || Microsoft MVP || My Blog
    Planet Technologies || SharePoint Task Force
    • Marked as answer by jtcrx Tuesday, February 8, 2011 1:05 PM
    Saturday, February 5, 2011 6:07 PM
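
The three sources of access named in the answer above can be listed from the SharePoint 2010 Management Shell. This is an added example, not part of the original thread; the login `CONTOSO\bob` is a hypothetical account name, and classic-mode (Windows) authentication is assumed.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet"   # site collection URL from the question
$login   = "CONTOSO\bob"       # hypothetical account (assumption), classic-mode format

$site = Get-SPSite $siteUrl
try {
    # 1. Web Application User Policy: applies to every site in the web application
    #    and is not affected by breaking inheritance on a subsite.
    Write-Host "== Web application user policy =="
    foreach ($policy in $site.WebApplication.Policies) {
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        Write-Host ("  {0} ({1}): {2}" -f $policy.DisplayName, $policy.UserName, $roles)
    }

    # 2. Site collection administrators: full access to every subsite.
    Write-Host "== Site collection administrators =="
    foreach ($admin in $site.RootWeb.SiteAdministrators) {
        Write-Host ("  " + $admin.LoginName)
    }

    # 3. Role assignments on each web. Look for broad principals such as
    #    NT AUTHORITY\Authenticated Users, directly or inside a SharePoint group.
    foreach ($web in $site.AllWebs) {
        try {
            Write-Host ("== {0} (unique permissions: {1}) ==" -f $web.Url, $web.HasUniqueRoleAssignments)
            foreach ($ra in $web.RoleAssignments) {
                $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                Write-Host ("  {0}: {1}" -f $ra.Member.Name, $levels)
                if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                    foreach ($u in $ra.Member.Users) {
                        Write-Host ("      member: " + $u.LoginName)
                    }
                }
            }
            # Effective result for the account under investigation.
            $canView = $web.DoesUserHavePermissions($login, [Microsoft.SharePoint.SPBasePermissions]::ViewPages)
            Write-Host ("  {0} can view pages: {1}" -f $login, $canView)
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }
```

A subsite that reports unique permissions but still lists the parent's groups has copied assignments left over from when inheritance was broken; those are the entries to remove.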

All replies

  • I will try looking there to see if there are other permissions I might have missed.  :)
    Sunday, February 6, 2011 5:22 AM
  • The problem was when I first set up the site collection permissions.  Because I set this up globally, it overrode the subsite permissions.  Once I broke the inheritance further up the site, the permissions worked as they should with only certain people viewing subsites as they should while the main page everyone could view.  Thank you for your reply as it helped me think of other places to check.   :)
    Tuesday, February 8, 2011 1:07 PM
  • During site creation you can control whether the site inherits permissions or not (unique permissions or not).

    From site settings \ permissions (from within the subsite) you can SUBSEQUENTLY control whether the site inherits permissions or not.

    Depending on the options you select and from my recollection what you normally get is a site that has unique permissions but has copied the permissions from the site above hence why users still have access to it.

    Once the site definitely has unique permissions you can set about removing those permissions.

    A simple approach to make things less confusing is to ensure at site creation that you create completely unique SharePoint owner, member and visitor groups for each subsite (i.e. don't use SharePoint Visitors).

    Then create corresponding AD groups for each of these and place people or groups into those AD groups so you don't have to continue to admin permissions in SharePoint.

    Tuesday, February 8, 2011 3:46 PM
  • I had the same problem.

    NOTE: When you break inheritance permissions on a subsite, remember the default SharePoint groups (<site> Owners, <site> Visitors, <site> Members…) cannot be broken (they are created at the Site Collection level). If you put users into the default SharePoint groups they will appear within the parent and all subsites even if the inherit permissions has been broken.

    What I did was:
    I created a new permissions group at the parent site level, and this group didn't show up within the subsites when the inherit permissions was broken.
    OR
    Break the inheritance on the sub site then delete the unwanted default SharePoint group (within the subsite). The default groups are recreated when you re-inherit permissions from the parent site.

    I hope I haven't confused you; it's easier to do than it is to explain.

    Friday, February 11, 2011 10:41 AM
  • No, if you break inheritance, the default groups do not affect the subsites unless you go add those groups to the subsites.  All groups are created at the site collection level, not just the default ones.  They all behave the same way.  Groups are not created at any level other than the top level even if you initiate the creation at a lower level.

    Groups are also not "recreated" when you re-inherit.


    SharePoint Architect || Microsoft MVP || My Blog
    Planet Technologies || SharePoint Task Force
    Friday, February 11, 2011 3:44 PM
  • CEStar is spot on!!! I removed inheritance and deleted all permissions by mistake and was not able to get to the subsite in any way. I added myself to the <site> Owner at site collection level, and bingo! I was able to access my subsite.
    Monday, November 21, 2011 6:25 PM