• Status: Solved

Default groups and access to Site but not Site Collection


This is a 2 part SharePoint Server 2010 question.

1. Is it possible to browse/navigate using the UI to _layouts/permsetup.aspx?
In MOSS this was done by clicking Groups > Settings > Setup Groups.

2. Is it possible to give a user access to http://server/siteCol/DepSite BUT not access to http://server/siteCol/?

Or do they always have to have access to the SiteCollection before they can access a site within that site collection?

We have numerous site collections with subsites. We have subsite Owners granting access to users from other site collections, but they're always being greeted with Access Denied, until they have some sort of access (view) to the site collection.

Since the subsite owners aren't able to give access to the site collection, it's kind of useless allowing them to give users access to their own site. And we also don't want these "Other site collection users" to have access to the site collection.


Bob is the owner of the site Pedals.
Pedals is a site in the site collection Bicycles.
Bob only has Viewing rights in Bicycles.

Bob has a friend "Jay" in another site collection "Skates Boards".
Bob would like to give Jay view only access to Pedals.
So Bob goes to http://site/_layouts/user.aspx and adds Jay to the Visitors Group.
Jay receives an email from sharepoint@company.com saying Welcome to Pedal Visitors.
Jay clicks the link and receives ACCESS DENIED.
Bob calls Sam (the SP administrator) saying Jay can't access Pedals.
Sam adds Jay to Bicycle Visitors.

Now Jay has access to Bicycles and Pedals.

Thanks :)
1 Solution
For creating such permissions where you don't want the users to see the top level site collection but see the subsites on which they have access, you will have to provide some access to the users on the site collection as well.

Alternatively, you can provide related links to the users which they can click directly and move to the individual sub sites without going to the site collections.

However, all the sites on which the user has or will have a footprint should have some access for that user.

raybies (Author) commented:
How do you propose I add a user to the site collection, without using a catch all group or specifically adding that user to the site collection?

It seems really stupid to have to give a user access to the whole site collection, just to look at, say, 1 document of a subsite.

When you want the user to view a document in the document library and provide a specific permission to that user on the document library, SharePoint by itself provides the "Restricted Read" permission to that user on the SharePoint sub site on which the document library is physically located.

However, in your case the document library is located in the SharePoint sub site, so as soon as you provide the access to the user on the document library, he will get a default access on the SharePoint sub site.

Now as far as the parent site collection goes, you can provide read access to the user on the site collection, so that he can see the site collection and simultaneously move to the SharePoint sub site from there itself.

In my experience, when I did not want users to have read access on the parent site, I used to create a dummy list / library, provide contribute access to the user, and hide the list link from the site. This in turn would have provided him with the "Restricted Read" access on the parent site collection as well.
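
The dummy-list workaround described in the answer above, scripted for the SharePoint 2010 Management Shell. This is an added example, not code posted by anyone in the thread; the root URL, list title, account name and the English role name "Contribute" are placeholders and assumptions.

```powershell
# Added example (not from the thread). Run as a site collection administrator.
# Placeholder values below are assumptions; replace them for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rootUrl   = "http://server/siteCol"   # root web of the site collection
$listTitle = "AccessAnchor"            # hypothetical name for the dummy list
$login     = "DOMAIN\jay"              # hypothetical account to be granted access
$roleName  = "Contribute"              # role named in the answer; name is localized

$web = Get-SPWeb $rootUrl
try {
    # Create the dummy list once, then reuse it for every later grant.
    $list = $web.Lists.TryGetList($listTitle)
    if ($list -eq $null) {
        $id = $web.Lists.Add($listTitle,
            "Placeholder list used only to anchor root-web access",
            [Microsoft.SharePoint.SPListTemplateType]::GenericList)
        $list = $web.Lists[$id]
    }

    # Hide the list from the UI, as the answer describes.
    $list.Hidden = $true
    $list.OnQuickLaunch = $false
    $list.Update()

    # Give the list its own permission scope without copying the parent's
    # assignments, so the grant below is the only access it carries.
    if (-not $list.HasUniqueRoleAssignments) {
        $list.BreakRoleInheritance($false)
    }

    # Grant the account the chosen role on the dummy list only.
    $user = $web.EnsureUser($login)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$roleName])
    $list.RoleAssignments.Add($assignment)

    # Review what the account now holds on the root web itself.
    $web.RoleAssignments |
        Where-Object { $_.Member.ID -eq $user.ID } |
        ForEach-Object { $_.RoleDefinitionBindings | Select-Object Name }
}
finally {
    $web.Dispose()
}
```

The final pipeline lists the account's role bindings on the root web, so the result of the grant can be reviewed before the subsite link is sent out.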

I know what your problem is:
Your user has access to the Pedals site but cannot open some pages (maybe the default page, or all pages) because these pages are using resources of the Bicycles site.
(masterpage, images, xsl, css, webpart, ...)

Try to open the /Pedals/_layouts/viewlsts.aspx page to know if the problem is in the Pedals' masterpage.
If yes, remove all the Bicycles resources called in the masterpage.

If not, the problem is on your default page (or another) => look at the webparts, debug them if they are custom, or check their config to know which resources they are loading.

Good luck, this problem is hard to fix :)

raybies (Author) commented:
Nomoho: It was a good idea, but no. /_layouts/viewlsts.aspx Error: Access Denied
Even though the account has full control.

logideepak: The issue is we need to be able to allow Site Owners to control permissions to their site.

Our company has ~4000 users and we can't give all these users access to every single site collection just in case they need to access a subsite.

Within Bicycles there are 100's of sites and some are inheriting permissions while others have broken inheritance.

Anyway I tried your solution even though it's not elegant... giving domain users "Limited Access" on the site collection by granting them access to a List, and it works.

Have you got a solution for part 1 of the question? I need a way for site owners to be able to create the default groups after breaking inheritance.


Question has a verified solution.
