Default groups and access to Site but not Site Collection

Posted on 2011-03-02
Last Modified: 2012-05-11
Hi.

This is a 2 part SharePoint Server 2010 question.

1.- Is it possible to browse/navigate using the UI to _layouts/permsetup.aspx?
In MOSS this was done by clicking Groups > Settings > Setup Groups

 
2.- Is it possible to give a user access to: http://server/siteCol/DepSite BUT not access to http://server/siteCol/?

Or do they always have to have access to the SiteCollection before they can access a site within that site collection?

We have numerous site collections with subsites. We have subsite Owners granting access to users from other site collections, but they're always greeted with Access Denied, until they have some sort of access (view) to the site collection.

Since the subsite owners aren't able to give access to the site collection, it's kind of useless allowing them to give users access to their own site. And we also don't want these "Other site collection users" to have access to the site collection.

Example

Bob is the owner of the site Pedals.
Pedals is a site in the site collection Bicycles.
Bob only has Viewing rights in Bicycles.

Bob has a friend "Jay" in another site collection "Skates Boards".
Bob would like to give Jay view only access to Pedals.
So Bob goes to http://site/_layouts/user.aspx and adds Jay to the Visitors Group.
Jay receives an email from sharepoint@company.com saying Welcome to Pedal Visitors.
Jay clicks the link and receives ACCESS DENIED
Bob calls Sam (the SP administrator) saying Jay can't access Pedals.
Sam adds Jay to Bicycle Visitors.

Now Jay has access to Bicycles and Pedals.

Thanks :)
Question by:raybies

Expert Comment

by:logideepak
ID: 35024211
For creating such permissions where you don't want the users to see the top level site collection but see the subsites on which they have access, you will have to provide some access to the users on the site collection as well.

Alternatively, you can provide related links to the users which they can click directly and move to the individual sub sites without going to the site collections.

However, all the sites on which the user has or will have a footprint should have some access for that user.

Author Comment

by:raybies
ID: 35024653
How do you propose I add a user to the site collection, without using a catch all group or specifically adding that user to the site collection?

It seems really stupid to have to give a user access to the whole site collection, just to look at, say, 1 document of a subsite.

Thanks

Accepted Solution

by:logideepak (earned 500 total points)
ID: 35024831
When you want the user to view a document in the document library and provide a specific permission to that user on the document library, SharePoint by itself provides the "Restricted Read" permission to that user on the SharePoint sub site on which the document library is physically located.

However, in your case the document library is located in the SharePoint sub site, so as soon as you provide the access to the user on the document library, he will get a default access on the SharePoint sub site.

Now as far as the parent site collection goes, you can provide a read access to the user on the site collection, so that he can see the site collection and simultaneously move to the SharePoint sub site from there itself.

In my experience, when I did not want users to have the read access on the parent site, I used to create a dummy list / library, provide contribute access to the user and hide the list link from the site. This in turn would have provided him with the "Restricted Read" access on the parent site collection as well.

Expert Comment

by:Nomoho
ID: 35025621
I know what your problem is:
Your user has access to the Pedals site but cannot open some pages (maybe the default page, or all pages) because these pages are using resources of the Bicycles site
(masterpage, images, xsl, css, webpart, ...).

Try to open the /Pedals/_layouts/viewlsts.aspx page to know if the problem is in the Pedals' masterpage.
If yes, remove all the Bicycles resources called in the masterpage.

If not, the problem is on your default page (or another) => look at the webparts, debug them if they are custom, or check their config to know which resources they are loading.

Good luck, this problem is hard to fix :)

Author Comment

by:raybies
ID: 35032994
Nomoho: It was a good idea, but no. /_layouts/viewlsts.aspx Error: Access Denied
Even though the account has full control.

========================================
logideepak: The issue is we need to be able to allow Site Owners to control permissions to their site.

Our company has ~4000 users and we can't give all these users access to every single site collection just in case they need to access a subsite.

Within Bicycles there are 100's of sites and some are inheriting permissions while others have broken inheritance.

Anyway I tried your solution even though it's not elegant... giving domain users "Limited Access" on the site collection by granting them access to a List, and it works.


Have you got a solution for part 1 of the question? I need a way for site owners to be able to create the default groups after breaking inheritance.
 

Thanks.
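
A way to audit the dummy-list workaround discussed in this thread, added here as an example and not code from any of the posters: it reports which principals hold only Limited Access on the root web of a site collection, and which root-web lists with unique permissions are producing it. It assumes the SharePoint 2010 Management Shell on a farm server; `http://server/siteCol` is the placeholder URL from the question.

```powershell
# Added example (not from the thread). Run in the SharePoint 2010 Management Shell.
# $SiteUrl defaults to the placeholder URL used in the question.
param([string]$SiteUrl = "http://server/siteCol")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$limited = [Microsoft.SharePoint.SPRoleType]::Guest   # built-in "Limited Access" level

$site = Get-SPSite $SiteUrl
try {
    $root = $site.RootWeb

    # Principals on the root web; flag those whose only level is Limited Access.
    $rootReport = foreach ($ra in $root.RoleAssignments) {
        $bindings = @($ra.RoleDefinitionBindings)
        $other    = @($bindings | Where-Object { $_.Type -ne $limited })
        New-Object PSObject -Property @{
            Principal         = $ra.Member.Name
            Levels            = (($bindings | ForEach-Object { $_.Name }) -join ", ")
            LimitedAccessOnly = ($bindings.Count -gt 0 -and $other.Count -eq 0)
        }
    }

    # Root-web lists with their own permissions. A grant on one of these is what
    # places Limited Access on the root web, so hidden "dummy" lists show up here.
    $listReport = foreach ($list in $root.Lists) {
        if (-not $list.HasUniqueRoleAssignments) { continue }
        foreach ($ra in $list.RoleAssignments) {
            $levels = @($ra.RoleDefinitionBindings |
                        Where-Object { $_.Type -ne $limited } |
                        ForEach-Object { $_.Name })
            if ($levels.Count -eq 0) { continue }   # skip pure Limited Access entries
            New-Object PSObject -Property @{
                List      = $list.Title
                Hidden    = $list.Hidden
                Principal = $ra.Member.Name
                Levels    = ($levels -join ", ")
            }
        }
    }

    $rootReport | Sort-Object Principal |
        Format-Table Principal, Levels, LimitedAccessOnly -AutoSize
    $listReport | Sort-Object List, Principal |
        Format-Table List, Hidden, Principal, Levels -AutoSize
}
finally {
    $site.Dispose()   # also releases RootWeb
}
```

A broad principal such as a domain-users group appearing in the second table with Contribute on a hidden list is the footprint of the workaround, and it is worth reviewing what else that group can reach through the same list.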