So, What Is Limited Access?

UPDATE 11/03/08: Be sure to read the excellent and detailed comment from Dessie Lunsford to this post.

I’ve been working on a secret tech editing project for an upcoming book, and it references this blog entry by Tyler Butler on the MSDN ECM blog. This is the first time I have personally read a clear definition of what Limited Access means. Here’s the meat of the definition:

In SharePoint, anonymous users’ rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. The reason it exists is because if you have a library or subsite that has broken permissions inheritance, and you give a user/group access to only that library/subsite, in order to view its contents, the user/group must have some access to the root web. Otherwise the user/group will be unable to browse the library/subsite, even though they have rights there, because there are things in the root web that are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that is breaking permissions inheritance, SharePoint will automatically give Limited Access to that group or user on the root web.

This question comes up now and then on the MSDN forums and I’ve always been curious (but not curious enough to figure it out before today :)).
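To see the behaviour the definition describes on a real site, here is an added audit script (not from the original post or from Tyler Butler’s entry) that lists every Limited Access entry on a web and traces it back to the uniquely secured lists or items beneath it where the same principal holds a real permission. It assumes the SharePoint server object model (SharePoint 2010 or later, run on a farm server) and a placeholder web URL.

```powershell
# Added example, not part of the original post. Assumes the SharePoint
# server object model is available and that $webUrl is a real site.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl = "http://sharepoint.example/sites/team"   # placeholder URL
$web = Get-SPWeb $webUrl

# 1. Collect every list and item under this web that breaks inheritance.
#    (Walking all items is slow on large libraries; fine for an audit.)
$uniqueObjects = @()
foreach ($list in $web.Lists) {
    if ($list.HasUniqueRoleAssignments) { $uniqueObjects += $list }
    foreach ($item in $list.Items) {
        if ($item.HasUniqueRoleAssignments) { $uniqueObjects += $item }
    }
}

function Describe-Securable($obj) {
    # Human-readable label for a list or an item
    if ($obj -is [Microsoft.SharePoint.SPList]) { return "list '$($obj.Title)'" }
    return "item '$($obj.Url)'"
}

# 2. For each role assignment on the web that carries Limited Access
#    (SPRoleType.Guest), find the child objects that caused it.
foreach ($ra in $web.RoleAssignments) {
    $limited = $ra.RoleDefinitionBindings |
        Where-Object { $_.Type -eq [Microsoft.SharePoint.SPRoleType]::Guest }
    if (-not $limited) { continue }

    $sources = foreach ($obj in $uniqueObjects) {
        $hit = $obj.RoleAssignments |
            Where-Object { $_.Member.ID -eq $ra.Member.ID }
        if ($hit) {
            $roles = ($hit.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            "$(Describe-Securable $obj) [$roles]"
        }
    }

    Write-Output "Limited Access on $($web.Url) for $($ra.Member.LoginName)"
    if ($sources) { $sources | ForEach-Object { Write-Output "    <- $_" } }
    else { Write-Output "    <- no uniquely secured child found (orphaned entry?)" }
}

$web.Dispose()
```

An entry with no child source is worth a second look: it is the residue Mike Gallagher describes in the comments, Limited Access left on the parent after the item-level grant that justified it is gone.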


Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

3 thoughts on "So, What Is Limited Access?"

  1. Mike Gallagher

    Hi Paul,
    In our testing we’ve discovered an unfortunate consequence of adding "limited access" to the root site when unique permissions are assigned to an item.

    You’d imagine that this permission would inherit in a linear manner – i.e. from the root down through the sub-site, doc lib, folder, to the item itself. However, in our tests, it seems that at the doc library level, View permissions are granted horizontally.

    We have some team sites. If I have two doc libs – TestA and TestB – and I grant a user from outside the top-level group item-level access to a document within one of the libraries, he can also see the other libraries. They can’t view any documents within these libraries, but the fact that they can actually browse to them is an unacceptable security breach for us. In fact, it seems to suggest that item-level security doesn’t really work in the strictest sense – i.e. you can manage at an item level, but it also adds view permissions where you don’t want them.

    This is quite a big deal for us and we’re having no luck finding a solution. I’m hoping I’m missing something really obvious. 🙂

    Ideas?

    Mike

  2. Ajith George
    Hi Paul,
    Is it a must that a user added to a child site should have at least some permissions on the top-level site? If you say yes, then is it a bug in SharePoint, since for scenarios like 1000+ users newly added to a child site, the same process would have to be done on the top-level site, which would be boring and hectic stuff. What do you say?
  3. Dessie Lunsford wrote:
    Paul,
    I like the definition (seems pretty straight-forward).
    Generally when I get into a discussion regarding this subject with one of my users, I tend to look at it like this:
    "Limited Access" refers to a user having more than one set of permissions within the same site, and is applied by the system itself to the user. This occurs when part of the site (list or library, item or document) breaks the inheritance of permissions from its parent, resulting in a user either having lower or higher permissions in the part of the site that is no longer inheriting permissions.
    The way I normally describe it to my users is in the (literal) "Parent – Child" relationship (also helps to explain permission inheritance in itself).
    When a parent has a child, they live in the same house and the child must follow all the rules that the parent dictates (how many times have you heard the "As long as you live in my house, you’ll follow my rules!!" statement?). When the child moves out, as a gift from their parents, they get a copy of the parents’ permissions (kind of like a "Starter Set" of rules to live by…assuming they’ve been raised well) and literally "Break Away" to live their own life (breaking inheritance). They can always "move" back in later if needed (better be paying rent if so) and have to live by the parents’ rules once again (re-inheriting parent permissions), but on occasion, they get to work out a deal with the parents for "modified" rules ("As long as I’m paying rent, I can come and go as I please!!"), which may lead to the parents saying ("Fine…you can stay here, use our shower, sleep in your old room, but you need to buy your own food!"), which leads to "Limited Access" 🙂
    Not that all parents would do this (mine let me move back in after college with only having to pay rent), but it normally gets the idea across to new users when attempting to understand how permission inheritance works, and what "Limited Access" means.
    – Dessie
