We help IT Professionals succeed at work.

Sharepoint 2007 permission assignment

RHADMIN
RHADMIN used Ask the Experts™
on
Hi SharePoint Experts,

Context:
- I have over 100 SharePoint permission groups created with permissioned assigned to different section(subsites) under single site collection.

Objective:
I need to give a new super user with ALL Permissions as mine(as Site Collection Admin) except under Finance Section - How can I do it in an elegant/easy way?

Thank you,
-Rick
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Just create a group Restricted add user account to this group, remove user's account from all standards groups in Finance.

Author

Commented:
Hi dyuburq:
It won't work, if the super user is a Site Collection Admin at the first place!
Thanks,
-Rick

Commented:
But you can break permission heritage and it will works

Author

Commented:
Site Collection Admin has FULL access of everything under the site collection, tring to set access permission on members of Site Collection Admin is futile! - Please correct me if I'm wrong on this! anyone?

Commented:
Just try

Author

Commented:
Sorry, it won't work. I can tell that you either don't understand the role of Site Collection Admin or my original question. But thank you anyway.
-Rick

Commented:
Hi,
if you make the user site collection admin, indeed he will have access to everything in the s.c.
One idea would be to make him only member of the groups (not sca).
Second one would be to move the section to a separate s.c. (wild, i know)
Another one would be to simply tell him to not access that section (maybe put him sign some papers), and turn on audit logging to be able to check that he is indeed not accessing it.

No other easy way, from what i know.


Author

Commented:
Thanks, Irinuc. I'd wait a bit longer for other inputs.
-Rick
Hide the whole site so that he wont see the links from UI side.

If the objective is to completely restrict the user, you need to write custom code to check what kind of user he is and restrict it.

Author

Commented:
I'd follow irinuc's "One idea would be to make him only member of the groups (not sca).
" - so are there any 3rd party tools/apps that can assign SP user(s) globally to ALL SP groups with a single click?

Thanks,
-Rick
Commented:
Hi,
i don't know a tool that could do that, but as a possible workaround, you could create a simple bat that could run the "stsadm -o adduser" command. Hope i have given the correct link:
http://technet.microsoft.com/en-us/library/cc262627%28office.12%29.aspx 

Or, if you like programming, you could maybe try this:
http://farhanfaiz.wordpress.com/2008/04/14/moss-add-user-to-site-through-code-programmatically/

Personally I would vote for stsadm :-) but maybe someone else has an easier way out.

Author

Commented:
Thanks, irinuc, here is what I found(not tested yet):  
http://mossusermembership.codeplex.com 
But I like your stsadm solution, which is easier to implement.

-Rick