Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

SharePoint 2013 Publishing feature and limited access

Background:

We have upgraded out farm from 2010 to 2013 using the database attach method. We also have created site collections and sub sites after the migration. Our sites are team sites with the publishing feature activated. We have unique permissions for our libraries and sub sites.

Issue:

The issue I was tasked with overcoming is that users who have no permissions to the Library can still see the library in site contents, and in other sites not only can they see the library in site contents, but they can also access the library. They don't see any content, but can still load the library. This is not how I would expect this to work at all. I would expect them to get access denied and not see the library in site contents.

Scenario A:

  • We have a web application with a root site collection that has been deployed as a team site
  • We have activated the following feature at the site collection
    • SharePoint Server Publishing Infrastructure
    • Limited-access user permission lockdown mode
  • We have created a sub site that inherits permissions from the parent web.
  • We have activated the Site feature "SharePoint Server Publishing"
  • We have created a doc library
    • We have stopped inheriting permissions from the parent web
    • We have removed all permissions to this library via the UI

Result:

  • A user with read only access to the site collection is able to see details about the library in site contents (http://sp2013/_layouts/15/viewlsts.aspx)
    • The user is denied access to the library when attempting to access it via Site Contents and/or through the direct URL

Scenario B:

  • We have a web application with a root site collection that has been deployed as a team site
  • We have activated the following feature at the site collection
    • SharePoint Server Publishing Infrastructure
  • We have created a sub site that inherits permissions from the parent web.
  • We have activated the Site feature "SharePoint Server Publishing"
  • We have created a doc library
    • We have stopped inheriting permissions from the parent web
    • We have removed all permissions to this library via the UI

Result:

  • A user with read only access to the site collection is able to see details about the library in site contents (http://sp2013/_layouts/15/viewlsts.aspx)
  • If the user tries to access the library they are granted access to view the application page but not the actual contents of the library.       However, they are not presented with the access denied message.

Scenario C:

  • We have a web application with a root site collection that has been deployed as a team site
  • We have activated the following feature at the site collection
    • SharePoint Server Publishing Infrastructure
    • Limited-access user permission lockdown mode
  • We have created a sub site that has unique permissions and never inherits from the parent web.
  • We have activated the Site feature "SharePoint Server Publishing"
  • We have created a doc library
    • We have stopped inheriting permissions from the parent web
    • We have removed all permissions to this library via the UI

Result:

  • Users who do not have permissions to this library do not see the library in site contents
  • If they try to access the library directly they get access denied
  • This is the expected result

Cause:

  • The underlying cause here is "Limited Access" and the "Style Resource Readers" group.
    • "Use this group to give read permissions to the Master Page gallery and Style Library, which are required to browse this site. Do not delete this group.
  • The Limited Access permission level is designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site. However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted.
  • You cannot assign this permission level to users or SharePoint groups. Instead, SharePoint automatically assigns this permission level to users and SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, SharePoint automatically grants them Limited Access on the list, and also the site, if needed.

Scenario A:

  • When we have the publishing feature activated on the site collection we are introducing all the publishing features. This is usually done when a need for modifying the master page is present. With this we are introducing the style resource readers group that has default members of "NT AuthorityAll Authenticated Users" and the "Everyone" group.
  • When we start breaking permissions we are creating limited access to all the parent objects. This is by design.
  • The 'Limited Access' permission group has very limited permissions, but by design we have the 'Open' permission.
    • Open -       Allows users to open a Web site, list, or folder in order to access items inside that container.
  • Since the Style Resource Readers group has the Limited Access role as well as the default member "c:0(.s|true" this will grant everyone the ability to open the document library that has unique permissions
  • Since all our users have some sort of permission to the document library we will see it in site contents and the quick launch if it's present there. This is because we have permissions to the object so it's not being security trimmed.
  • We get access denied though because we don't actually have any permissions to the library.

Scenario B:

  • Same as Scenario B with the following exception:
    • Limited-access user permission lockdown mode
      • If this is not activated the role 'Limited Access' will be granted an additional permissions
        • View Application Pages - View forms, views, and application pages. Enumerate lists.
      • This will allow users to view application pages such as the 'AllItems.aspx' page
        • The user will not be able to see any items however

Scenario C:

  • This one is different because we created the sub site with unique permissions.
  • Technically this sub site has never inherited from the parent.
    • There are no groups with limited access and the 'Style Resource Readers' group has not been inherited
      • Note: Do not inherit permissions from the parent as you will replace all permissions for every child object which will grant the 'Style Resource Readers' group limited access to all child objects

Resolution:

  • First off there is no resolution to this issue only workarounds. 'Limited Access' and the 'Style Resource Readers' group is designed to function like this.

Note:

DO NOT MODIFY THE PERMISSIONS FOR THIS GROUP

  • The only potential workaround would be to follow 'Scenario C' however, this would only work for sub sites and not the root of the site collection

Scripts:

To validate web and list role assignments

Add-PSSnapin Microsoft.SharePoint.PowerShell
$web = get-spweb
$weburl = $web.Url
$list = $web.Lists["documents"]
Write-Host -ForegroundColor Cyan "Below are the Role Assignments for $list"
$list.RoleAssignments
Write-Host ""
Write-Host -ForegroundColor Cyan "Below are the Role Assignments for $weburl"
Write-Host ""
$web.RoleAssignments

Share the post

SharePoint 2013 Publishing feature and limited access

×

Subscribe to Msdn Blogs | Get The Latest Information, Insights, Announcements, And News From Microsoft Experts And Developers In The Msdn Blogs.

Get updates delivered right to your inbox!

Thank you for your subscription

×