SharePoint Blogs / SharePoint University
SharePoint Blogs and SharePoint University - all in one place!
Chris Ogle's Down-home SharePoint Ruminations » When is a unique permission not a unique permission?
Need SharePoint Training? Attend a SharePoint Bootcamp!

Please delete cookies related to sharepointblogs.com and sharepointu.com to resolve login issues!

When is a unique permission not a unique permission?

When it's ajar.

Sorry, wrong punchline. The real answer: when it's in SharePoint.

I have a SharePoint site where I assigned a SharePoint Group "My Contributors" as Contributor for the page, and a second SharePoint Group "My Readers" as Reader for the page. Please withhold the applause for my creative naming scheme, I blush easily. Within the page is a document library with unique permissions: "My Contributors" has Contributor access to the library, but "My Readers" has no access whatsoever. Life is good, and I can sleep well at night knowing that my double-secret data is safe from mere Readers.

For reasons too grim to bear repeating, I had to remove "My Contributors" access from the page without removing their access to the library. "No perspiration!" I cried, and gleefully went to Site Actions > Site Settings > Advanced Permissions, checked "My Contributors", and selected "Remove User Permissions" from the Actions menu. "My Contributors" disappeared from the Permissions screen and I settled down to a pleasant afternoon contemplating how to afford railguns to protect my bulk freighters from Solian pirates.

Just as the creative fog was forming, my phone rang. I thought I had disconnected it. A member of "My Contributors" was complaining that she couldn't see the secret documents. To my astonishment, she was right. Even though the doclib had unique permissions, removing a Group from the containing page also removed it from the library.

Can anyone explain this to me? If not, can you at least explain why railguns cost so much?

Posted 09-30-2008 11:10 AM by cwogle

Comments

Jake wrote re: When is a unique permission not a unique permission?
on 09-30-2008 3:12 PM

Check your permissions for  the Contributers Group in the parent site. It should say "Limited Access", in which case you are not giving them access to view the pages / content / whatever on the parent site. It's some artifact of still needing to see the master page or something(tm). Remove that, and you have implicitly removed the ability of that group to view the non-inherited library.

Remove everything, add them just to the library that you want, and ignore the little "Limited Access" entry on the parent site.

Mike Walsh wrote re: When is a unique permission not a unique permission?
on 10-01-2008 2:09 AM

Think of the structure of a site.

A site contains a document library and the document library contains a document.

If A, B, C have rights at site level then you can restrict rights to the doc lib so that B and C can be given rights to it similarly you can restrict rights to the document to C.

D can't be given rights to access the doc lib.

and A can't be given rights to the document.

-------------

Once that is clear, it's also clear that if you remove C from accessing the doc lib (but keep access restriction in place) that then C can no longer access the document.

cwogle wrote re: When is a unique permission not a unique permission?
on 10-01-2008 7:48 AM

Thanks for the replies, guys. Ok, I get your point, but I must still be missing something. My page is created by OM code that assigns the groups to the page, breaks inheritance between the library and the page, and removes "My Readers" from the library. Looking at page permissions shows "My Contributors" with Contribute access (Limited Access does not even display). So far, so good.

If I should manually add Joe Newguy to a library, SharePoint automatically adds the required Limited Access rights to the page. Looking at page permissions shows the Joe with Limited Access, and the checkbox cannot be edited. So far, still good.

My goal is now to make "My Contributors" have the same access as Joe Newguy. I can't do it. Ideally, I would uncheck Contribute and leave Limited Access checked for "My Contributors", but since Limited Access does not display, that is not an option. I also tried editing permissions and unchecking all boxes, but SharePoint complained about that. Removing "My Contributors" from the page didn't work -- that's what prompted the original post.

Jake, your suggestion of removing My Contributors and adding them back to the library works, but ... ahem ... I didn't explain the whole problem. I have many libraries that need to be tweaked, and many pages containing similar libraries. Doing all this manually means I'll never have any time to buy railguns.

Am I missing something basic here?

ST Chiew wrote re: When is a unique permission not a unique permission?
on 05-11-2009 12:06 AM

I know this is a late post, but this just happened to one of our users as well. He assigned users all over the place in the site with unique permissions. Then one fine day, he looked at the permissions at the site level and decided he doesn't want to let them have the 'Limit Access' permissions on the site and removed them all. Lo and behold, the unique permissions in the individual lists and document libraries under the site were gone.

Sharepoint should just display the user at the Site level, and not allow the removal of the user, or at least pop up a warning that the action will remove all permissions within the site.

Add a Comment

(required)  
(optional)
(required)  
Remember Me?
Need SharePoint Training? Attend a SharePoint Bootcamp!
Posts (c) their respective authors. Everything else (c) 2009 SharePoint Experts, Inc.